Avast WEBforum

Other => Viruses and worms => Topic started by: cupladays on October 09, 2007, 02:25:47 PM

Title: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 09, 2007, 02:25:47 PM
Hi all,

I have been an Avast user for years; I'm now using 4.7 Home. It's done fine all that time till now. I have the above files repeatedly being detected on each new start-up despite moving them to the chest / deleting (etc.). I can't seem to find too much on the net about these files.

From the log viewer:

4/10/2007 9:22:17 PM   P & J Harmen   760   Sign of "Win32:Dialer-gen. [trj]" has been found in "C:\DOCUME~1\P&JHAR~1\LOCALS~1\Temp\pa_0105.exe" file.
and:
4/10/2007 9:19:51 PM   P & J Harmen   760   Sign of "Win32:Small-HTC [trj]" has been found in "C:\WINDOWS\SYSHOST.DLL" file.  

One last thing: I have been trying quite a few detection programs to kill this, and it is either not detected or they won't remove it. However, when I ran Ad-Aware 2007 I got a blue screen of death quite early into the scan; it rebooted and seems OK. This also happens when I run RegSeeker.

And it's definitely slowing down in most operations.

I have run HijackThis and ComboFix; I'll split the logs up and post them below to fit them on here.

Thanks in advance for any help or tips here!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:03 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\sist32.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Alwil Software\Avast4\ashLogV.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: DavidR on October 09, 2007, 02:51:28 PM
Please don't post information across three topics; keep it in the same one so those trying to help don't have to search, and all the information stays together in the same topic. It will probably be necessary to split logs over several posts in the same topic, but not over new topics. This just makes it harder to try and help.

Please modify your other topics (http://forum.avast.com/index.php?topic=30884.0 and http://forum.avast.com/index.php?topic=30884.0) and copy the information into this topic.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1.  If using WinXP: AVG Anti-Spyware (formerly Ewido) (http://www.ewido.net/en/download/), resident scanner during the trial, on-demand after the trial ends. Or SUPERAntiSpyware (http://www.superantispyware.com), on-demand only in the free version. Or Spyware Terminator (http://www.spywareterminator.com/), resident scanner.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 09, 2007, 03:11:51 PM
And here's the second part of the HijackThis log:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/couriermail/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\Policies\Explorer\Run: [Service] C:\WINDOWS\sist32.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161139718942
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11148 bytes
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 09, 2007, 03:24:28 PM
And here's the ComboFix log:

ComboFix 07-10-09.3 - P & J Harmen 2007-10-09 21:11:09.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.545 [GMT 10:00]
Running from: C:\Documents and Settings\P & J Harmen\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\P & J Harmen.\aria.txt
C:\WINDOWS\images015.zip
C:\WINDOWS\images015.zip
C:\WINDOWS\images027.zip
C:\WINDOWS\images027.zip
C:\WINDOWS\images036.zip
C:\WINDOWS\images036.zip
C:\WINDOWS\images042.zip
C:\WINDOWS\images042.zip
C:\WINDOWS\images066.zip
C:\WINDOWS\images066.zip
C:\WINDOWS\images081.zip
C:\WINDOWS\images081.zip
C:\WINDOWS\images084.zip
C:\WINDOWS\images084.zip
C:\WINDOWS\images087.zip
C:\WINDOWS\images087.zip
C:\WINDOWS\images09.zip
C:\WINDOWS\images09.zip
C:\WINDOWS\images090.zip
C:\WINDOWS\images090.zip
C:\WINDOWS\images093.zip
C:\WINDOWS\images093.zip
C:\WINDOWS\photo15.zip
C:\WINDOWS\photo24.zip
C:\WINDOWS\photo30.zip
C:\WINDOWS\photo36.zip
C:\WINDOWS\photo39.zip
C:\WINDOWS\photo42.zip
C:\WINDOWS\photo48.zip
C:\WINDOWS\photo51.zip
C:\WINDOWS\photo60.zip
C:\WINDOWS\photo69.zip
C:\WINDOWS\photo75.zip
C:\WINDOWS\photos016.zip
C:\WINDOWS\photos019.zip
C:\WINDOWS\photos025.zip
C:\WINDOWS\photos028.zip
C:\WINDOWS\photos043.zip
C:\WINDOWS\photos061.zip
C:\WINDOWS\photos067.zip
C:\WINDOWS\photos073.zip
C:\WINDOWS\system32\xpdx.sys
D:\Autorun.inf

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\xpdx


(((((((((((((((((((((((((   Files Created from 2007-09-09 to 2007-10-09  )))))))))))))))))))))))))))))))
.

2007-10-09 21:04   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-10-09 20:57   <DIR>   d--------   C:\Program Files\Trend Micro
2007-10-09 20:18   <DIR>   d--------   C:\Program Files\RogueRemover FREE
2007-10-04 21:52   <DIR>   d--------   C:\Program Files\Lavasoft
2007-10-04 21:52   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-04 21:50   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-10-04 21:35   <DIR>      C:\Documents and Settings\P & J Harmen\DoctorWeb
2007-10-02 22:40   <DIR>      C:\Documents and Settings\P & J Harmen\Application Data\AdwareAlert
2007-10-02 22:08   <DIR>   d--------   C:\Program Files\Navilog1
2007-10-02 20:27   <DIR>   d--------   C:\Program Files\Spyware Doctor
2007-10-02 20:27   <DIR>   d--------   C:\Program Files\Picasa2
2007-10-02 20:07   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-02 19:38   <DIR>   d--------   C:\Program Files\Enigma Software Group
2007-10-02 14:47   6,029,312      C:\Documents and Settings\P & J Harmen\ntuser.dat
2007-10-02 11:18   5,152   --a------   C:\WINDOWS\sist32.exe
2007-10-01 21:23   1,806,368   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-01 21:20   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-29 21:26   <DIR>   d--------   C:\Program Files\Snapshot Viewer
2007-09-29 21:26   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SBT
2007-09-29 21:21   <DIR>   d--------   C:\WINDOWS\ShellNew
2007-09-29 21:19   <DIR>      C:\Documents and Settings\P & J Harmen\Application Data\Microsoft Web Folders
2007-09-26 09:19   5,120   --a------   C:\WINDOWS\SYSHOST.DLL

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 11:15   22,220   --sha-w   C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-02 12:42   ---------   d-----w   C:\Documents and Settings\P & J Harmen\Application Data\AdwareAlert
2007-10-02 10:11   ---------   d-----w   C:\Program Files\Google
2007-10-02 10:11   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Google
2007-09-29 11:25   ---------   d-----w   C:\Program Files\microsoft frontpage
2007-09-29 11:19   ---------   d-----w   C:\Documents and Settings\P & J Harmen\Application Data\Microsoft Web Folders
2007-09-28 05:41   ---------   d-----w   C:\Documents and Settings\P & J Harmen\Application Data\OpenOffice.org2
2007-09-18 03:21   4,630   ----a-w   C:\Documents and Settings\P & J Harmen\Application Data\wklnhst.dat
2007-09-06 10:09   801,144   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05   94,416   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05   92,848   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00   95,608   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-06 06:14   75,248   ----a-w   C:\WINDOWS\zllsputility.exe
2007-09-06 06:14   1,086,952   ----a-w   C:\WINDOWS\system32\zpeng24.dll
2007-09-05 11:03   168,105   ----a-w   C:\CleanUp452.exe
2007-09-05 10:03   ---------   d-----w   C:\Program Files\Nokia
2007-08-21 09:11   12,087   ----a-w   C:\Documents and Settings\P & J Harmen\phraxd.exe
2007-08-21 08:57   12,087   ----a-w   C:\Documents and Settings\P & J Harmen\lcojug.exe
2007-08-14 12:40   ---------   d-----w   C:\Documents and Settings\P & J Harmen\Application Data\Help
2007-07-30 09:19   92,504   ----a-w   C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 09:19   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-07-30 09:19   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll
2007-07-30 09:19   549,720   ----a-w   C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 09:19   53,080   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2007-07-30 09:19   53,080   ----a-w   C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 09:19   43,352   ----a-w   C:\WINDOWS\system32\wups2.dll
2007-07-30 09:19   325,976   ----a-w   C:\WINDOWS\system32\wucltui.dll
2007-07-30 09:19   325,976   ----a-w   C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 09:19   271,224   ----a-w   C:\WINDOWS\system32\mucltui.dll
2007-07-30 09:19   207,736   ----a-w   C:\WINDOWS\system32\muweb.dll
2007-07-30 09:19   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-07-30 09:19   203,096   ----a-w   C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 09:19   1,712,984   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2007-07-30 09:19   1,712,984   ----a-w   C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 09:18   33,624   ----a-w   C:\WINDOWS\system32\wups.dll
2007-07-30 09:18   33,624   ----a-w   C:\WINDOWS\system32\dllcache\wups.dll
2007-07-19 06:59   3,583,488   ----a-w   C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 23:31   765,952   ----a-w   C:\WINDOWS\system32\dllcache\vgx.dll
2005-09-24 15:49   12,288   -c--a-w   C:\WINDOWS\Fonts\RandFont.dll
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 09, 2007, 03:25:19 PM
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 15:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 15:58]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 15:58]
"nwiz"="nwiz.exe" [2006-07-20 15:58 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 22:44 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 15:22]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-19 17:14]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 13:33]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 12:50]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 23:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00]
"Logitech BT Wizard"="LBTWiz.exe" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-08-12 23:28 C:\WINDOWS\KHALMNPR.Exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 20:06]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
"DXDllRegExe"="dxdllreg.exe" []
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-15 14:47]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 07:00]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-07-24 17:12]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 14:26]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 13:33:22]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-25 02:39:30]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-15 14:47:53]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-19 20:37:28]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 22:05:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2005-09-06 02:44 53248 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam  ;C:\WINDOWS\system32\Drivers\5U870CAP.sys
R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
S2 pciinfo;HP Pci Information;\??\C:\DOCUME~1\P&JHAR~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 10:30:04 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
"2007-10-04 12:44:31 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 21:16:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????B??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-09 21:19:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-09 21:19
.
   --- E O F ---
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: DavidR on October 09, 2007, 05:19:42 PM
I can only deal with your HJT log as I don't have the tools to analyse the ComboFix logs.
Fix
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Possibly nasty
O4 - HKLM\..\Policies\Explorer\Run: [Service] C:\WINDOWS\sist32.exe
See http://fileinfo.prevx.com/adware/qqa807103374971-SIST43677002/SIST32.EXE.html.
Send the sample to virus@avast.com, zipped and password protected, with the password in the email body and "false positive/undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Other than that I don't see anything obvious.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: essexboy on October 09, 2007, 08:26:44 PM
Hi there, the file highlighted by David is a variant of the Win32 trojan. After you have uploaded it to avast as recommended,

Delete the following from Hijackthis

O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Policies\Explorer\Run: [Service] C:\WINDOWS\sist32.exe


The dxdllreg entry is a looped installation and can safely be removed.

____________________________

To kill the bad file

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\sist32.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply with a new HijackThis log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
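The two replies above triage the HijackThis log by eye: the orphaned BHO ("(no file)"), the autostart registered under HKLM\..\Policies\Explorer\Run, and an executable dropped straight into C:\WINDOWS rather than a program directory. The script below is an added example, not from the thread or from HijackThis, that applies those same three checks (plus a low-severity note for bare filenames such as dxdllreg.exe that are resolved through the search path) to O2/O4 lines. The sample log lines are constructed from the shape of the log posted above; the rule thresholds and severity labels are this example's own choices.

```python
"""Mechanical triage of HijackThis O2 (BHO) and O4 (autostart) lines."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Policies\Explorer\Run: [Service] C:\WINDOWS\sist32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>.+?): \[(?P<value>.*?)\] (?P<cmd>.*)$")

# Directories where a legitimate autostart binary is rarely placed directly
# (system32 is fine; the Windows root and Temp are not). Assumed heuristics.
SUSPICIOUS_DIRS = ("c:\\windows", "c:\\winnt")
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")


@dataclass
class Finding:
    line: str
    severity: str                     # "HIGH" or "LOW"
    reasons: list = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Return the program part of an autostart command (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_o4(key: str, cmd: str):
    """Apply the autostart checks; returns (reasons, is_high_severity)."""
    reasons, high = [], False
    if "policies\\explorer\\run" in key.lower():
        reasons.append("Policies\\Explorer\\Run autostart: seldom used by legitimate software")
        high = True
    exe = executable_of(cmd)
    lower = exe.lower()
    if "\\" not in exe:
        # rundll32/regsvr32 hosts are not unwrapped here; a fuller tool would follow their argument.
        reasons.append("bare filename resolved via the search path; verify which file actually runs")
    else:
        parent = lower.rsplit("\\", 1)[0]
        if parent in SUSPICIOUS_DIRS:
            reasons.append("executable sits directly in the Windows directory")
            high = True
        if any(m in lower for m in TEMP_MARKERS):
            reasons.append("executable runs from a Temp directory")
            high = True
    return reasons, high


def triage(log_text: str) -> list:
    """Return one Finding per suspicious O2/O4 line; clean lines produce nothing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path").strip().lower() == "(no file)":
                findings.append(Finding(line, "LOW", ["BHO CLSID registered but DLL missing; orphan entry, safe to fix"]))
            continue
        m = O4_RE.match(line)
        if m:
            reasons, high = check_o4(m.group("key"), m.group("cmd"))
            if reasons:
                findings.append(Finding(line, "HIGH" if high else "LOW", reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f.severity, "|", f.line)
        for r in f.reasons:
            print("    -", r)
```

Run against the sample, the only HIGH finding is the sist32.exe line, which trips two rules at once (policy-key autostart and Windows-root location), which is exactly why it stood out in the replies above; ashDisp.exe and ctfmon.exe produce nothing.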
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 10, 2007, 12:41:26 PM
Hi again, thanks for the quick help.

I have followed instructions and it all seems to have gone OK.

OTMoveIt results:

C:\WINDOWS\sist32.exe moved successfully.
 
Created on 10/10/2007 20:35:50

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:47 PM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\P & J Harmen\Desktop\OTMoveIt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 10, 2007, 12:43:11 PM
Other half of HJT log:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/couriermail/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161139718942
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10909 bytes
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 10, 2007, 03:08:14 PM
Ok - More good news - Adaware 2007 completes its run and Regseeker completes now as well. System speed fixed. Looking good so far. Top work chaps. Fingers crossed eh? Ta for all help!
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: Lisandro on October 10, 2007, 03:39:25 PM
Quote
Fingers crossed eh?
If you're still detecting any strange behavior, or even if you're sure you're not clean, it may be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0) or Panda (http://research.pandasoftware.com/blogs/research/archive/2007/04/27/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx).

Also, if you're still detecting strange behaviors or you want to be sure you're clean, making a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here and, especially, scanning and submitting the RunScanner (http://www.runscanner.net/) log to on-line analysis would help to identify the problem and the solution.

After you're clean, use the immunization of SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or, which is better, the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features of spyware/adware cleaning and removal.

Finally, when you're clean, check for insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/) to update insecure applications and avoid reinfection.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: DavidR on October 10, 2007, 03:58:09 PM
I noticed this.
Quote
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
This has clearly failed, as the Java version is out of date: the latest is JRE version 1.6.0_03, so the Java update scheduler hasn't kept you up to date. This is a known issue in these forums; it simply doesn't work.

Ensure you have the latest version of JRE (Java Runtime Environment), because older versions can be vulnerable to malware. First remove all older versions from Add/Remove Programs.
Then get the latest update from here: http://www.java.com/en/download/index.jsp (http://www.java.com/en/download/index.jsp)

Point 2.
You have a huge amount of stuff running on start-up (O4 Run entries); whilst this isn't a security issue, it must be using a lot of resources. I only allow absolutely essential applications to run on boot. Many programs, when installed, want to run on boot when there is no need; typical of these are media players that aren't needed until you double click a media file.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 11, 2007, 02:53:05 PM
Hi Tech and DavidR,

Thanks for sticking with me.

Ran AVG anti-rootkit and it's clear (full scan).

Good news - it appears Win32:Small-HTC [trj] & Win32:Dialer-gen. [trj] have gone.

Bad news - it appears I now have Win32:Ircbot-CDT [trj]; Avast has found it tonight. Is this related?

I have updated Java as instructed.

I am chipping away at start up items as I check their usefulness.

I will post HJT and Runscanner logs as requested in next post.

Thanks again in advance.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 11, 2007, 02:53:59 PM
HJT log beginning:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:45 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 11, 2007, 02:54:45 PM
HJT end:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/couriermail/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161139718942
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10477 bytes
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: Lisandro on October 11, 2007, 02:55:24 PM
Quote
Is this related?
Difficult to say... are the same files being detected or other ones?

Quote
I have updated Java as instructed.
Don't forget to uninstall the old versions.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 11, 2007, 02:59:35 PM
Runscanner log:

Runscanner logfile http://www.runscanner.net

* = authenticode signed file
- = file not found

000 General info
----------------
Computer name : PC147518913218
Creation time : 11/10/2007 9:13:02 PM
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 7.0.5730.11
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.0.3.0
Type of scan : Full scan
User Language : English (United States)
User rights : Administrator
Windows folder : C:\WINDOWS

001 Running processes
---------------------
* c:\program files\lavasoft\ad-aware 2007\aawservice.exe (Lavasoft AB)
* c:\program files\alwil software\avast4\ashserv.exe (ALWIL Software)
* c:\program files\alwil software\avast4\aswupdsv.exe (ALWIL Software)
* c:\program files\alwil software\avast4\ashmaisv.exe (ALWIL Software)
* c:\progra~1\alwils~1\avast4\ashdisp.exe (ALWIL Software)
* c:\program files\alwil software\avast4\ashwebsv.exe (ALWIL Software)
c:\program files\logitech\setpoint\lbtwiz.exe (Logitech Inc.)
c:\progra~1\widcomm\blueto~1\btstac~1.exe (Broadcom Corporation.)
c:\program files\widcomm\bluetooth software\bin\btwdins.exe (Broadcom Corporation.)
c:\program files\widcomm\bluetooth software\bttray.exe (Broadcom Corporation.)
* c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe (Google Inc.)
c:\program files\hp\hp software update\hpwuschd2.exe (Hewlett-Packard Co.)
c:\program files\hp\digital imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
c:\program files\hp\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
c:\program files\hp\digital imaging\bin\hpqimzone.exe (Hewlett-Packard Development Company, L.P.)
c:\program files\hp\quickplay\qpservice.exe (CyberLink Corp.)
c:\program files\hpq\hp wireless assistant\hp wireless assistant.exe (Hewlett-Packard Development Company, L.P.)
c:\program files\hewlett-packard\shared\hpqwmiex.exe (Hewlett-Packard Development Company, L.P.)
* c:\program files\java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
c:\program files\common files\logitech\bluetooth\lbtserv.exe (Logitech Inc.)
c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe (Logitech Inc.)
* c:\program files\common files\logitech\khal\khalmnpr.exe (Logitech Inc.)
c:\program files\logitech\setpoint\setpoint.exe (Logitech Inc.)
c:\program files\common files\lightscribe\lssrvc.exe (Hewlett-Packard Company)
* c:\windows\system32\nvsvc32.exe (NVIDIA Corporation)
c:\program files\hewlett-packard\hp quick launch buttons\qlbctrl.exe ( Hewlett-Packard Development Company, L.P.)
c:\program files\rainlendar2\rainlendar2.exe
* c:\docume~1\p&jhar~1\locals~1\temp\temporary directory 2 for runscanner.zip\runscanner.exe (Runscanner.net)
* c:\program files\synaptics\syntp\syntpenh.exe (Synaptics, Inc.)
* c:\windows\system32\zonelabs\vsmon.exe (Zone Labs, LLC)
* c:\program files\zone labs\zonealarm\zlclient.exe (Zone Labs, LLC)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
* c:\program files\adobe\reader 8.0\reader\reader_sl.exe (Adobe Systems Incorporated)
* c:\progra~1\alwils~1\avast4\ashdisp.exe (ALWIL Software)
c:\program files\hewlett-packard\default settings\cpqset.exe
* C:\WINDOWS\system32\chdaudpropshortcut.exe (Windows (R) Server 2003 DDK provider)
c:\program files\hp\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
c:\program files\hp\hp software update\hpwuschd2.exe (Hewlett-Packard Co.)
c:\program files\hpq\hp wireless assistant\hp wireless assistant.exe (Hewlett-Packard Development Company, L.P.)
- lbtwiz.exe
* C:\WINDOWS\khalmnpr.exe (Logitech Inc.)
* c:\windows\system32\ime\pintlgnt\imscinst.exe
* c:\windows\system32\nvcpl.dll (NVIDIA Corporation)
* c:\windows\system32\nvmctray.dll (NVIDIA Corporation)
C:\WINDOWS\system32\nwiz.exe
C:\Program Files\hewlett-packard\hp quick launch buttons\qlbctrl.exe ( Hewlett-Packard Development Company, L.P.)
c:\program files\hp\quickplay\qpservice.exe (CyberLink Corp.)
c:\windows\sminst\recguard.exe
* c:\program files\java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
* c:\program files\synaptics\syntp\syntpenh.exe (Synaptics, Inc.)
* c:\program files\zone labs\zonealarm\zlclient.exe (Zone Labs, LLC)

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe (Logitech Inc.)
c:\program files\rainlendar2\rainlendar2.exe
* c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe (Google Inc.)

005 C:\Documents and Settings\All Users\Start Menu\Programs\Startup
-------------------------------------------------------------------
c:\progra~1\widcomm\blueto~1\bttray.exe (Broadcom Corporation.)
c:\progra~1\hp\digita~1\bin\hpqtra08.exe (Hewlett-Packard Co.)
c:\progra~1\hp\digita~1\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
c:\progra~1\logitech\deskto~1\8876480\program\logite~1.exe (Logitech Inc.)
c:\progra~1\logitech\setpoint\setpoint.exe (Logitech Inc.)
c:\progra~1\micros~4\office\osa9.exe (Microsoft Corporation)

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
* c:\program files\lavasoft\ad-aware 2007\aawservice.exe (Ad-Aware 2007 Service)
c:\program files\hewlett-packard\hp quick launch buttons\addfiltr.exe (AddFiltr)
C:\WINDOWS\microsoft.net\framework\v1.1.4322\aspnet_state.exe (ASP.NET State Service)
* c:\program files\alwil software\avast4\ashserv.exe (avast! Antivirus)
* c:\program files\alwil software\avast4\aswupdsv.exe (avast! iAVS4 Control Service)
* c:\program files\alwil software\avast4\ashmaisv.exe (avast! Mail Scanner)
* c:\program files\alwil software\avast4\ashwebsv.exe (avast! Web Scanner)
c:\program files\widcomm\bluetooth software\bin\btwdins.exe (Bluetooth Service)
* c:\program files\google\common\google updater\googleupdaterservice.exe (Google Updater Service)
c:\program files\hewlett-packard\shared\hpqwmiex.exe (hpqwmiex)
c:\program files\common files\installshield\driver\1050\intel 32\idrivert.exe (InstallDriver Table Manager)
c:\program files\common files\lightscribe\lssrvc.exe (LightScribeService Direct Disc Labeling Service)
c:\program files\common files\logitech\bluetooth\lbtserv.exe (Logitech Bluetooth Service)
* C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Display Driver Service)
c:\windows\system32\hpzipm12.exe (Pml Driver HPZ12)
c:\program files\pc connectivity solution\servicelayer.exe (ServiceLayer)
* c:\windows\system32\zonelabs\vsmon.exe (TrueVector Internet Monitor)
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 11, 2007, 03:01:50 PM
Middle of Runscanner:

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
* c:\windows\system32\drivers\amdagp.sys (AMD AGP Bus Filter Driver)
* c:\windows\system32\drivers\asc.sys (asc)
* c:\windows\system32\drivers\asc3550.sys (asc3550)
C:\WINDOWS\system32\drivers\avgarkt.sys (AVG Anti-Rootkit)
C:\WINDOWS\system32\drivers\avgarcln.sys (Avg Anti-Rootkit Clean Driver)
- c:\docume~1\p&jhar~1\locals~1\temp\catchme.sys (Base)
C:\WINDOWS\system32\drivers\btaudio.sys (Bluetooth Audio Device)
C:\WINDOWS\system32\drivers\btkrnl.sys (Bluetooth Bus Enumerator)
C:\WINDOWS\system32\drivers\btwdndis.sys (Bluetooth LAN Access Server)
C:\WINDOWS\system32\drivers\btport.sys (Bluetooth Virtual Communications Driver)
C:\WINDOWS\system32\drivers\btwhid.sys (Bluetooth Virtual HID Minidriver)
* c:\windows\system32\drivers\cmdide.sys (CmdIde)
- c:\windows\system32\drivers\uiusys.sys (Conexant Setup API)
* c:\windows\system32\drivers\dac2w2k.sys (dac2w2k)
* C:\WINDOWS\system32\drivers\mdmxsdk.sys (Diagnostic Interface x86 Driver)
* C:\WINDOWS\system32\drivers\ptilink.sys (Direct Parallel Link Driver)
* C:\WINDOWS\system32\drivers\eabfiltr.sys (Extended Base)
* C:\WINDOWS\system32\drivers\cpqbttn.sys (Extended Base)
* C:\WINDOWS\system32\drivers\eabusb.sys (Extended Base)
* C:\WINDOWS\system32\drivers\5u870cap.sys (HP Pavilion Webcam)
- c:\docume~1\p&jhar~1\locals~1\temp\hpispz\hpdom\pciinfo.sys (HP Pci Information)
* C:\WINDOWS\system32\drivers\hsf_cnxt.sys (HSF_CNXT driver)
* C:\WINDOWS\system32\drivers\hsf_dpv.sys (HSF_DP driver)
* C:\WINDOWS\system32\drivers\hsfhwazl.sys (HSF_HWAZL WDM driver)
* C:\WINDOWS\system32\drivers\hpzid412.sys (IEEE-1284.4 Driver HPZid412)
* C:\WINDOWS\system32\drivers\iastor.sys (Intel AHCI Controller)
* C:\WINDOWS\system32\drivers\e1e5132.sys (Intel(R) PRO/1000 PCI Express Network Connection Driver)
* C:\WINDOWS\system32\drivers\w39n51.sys (Intel(R) PRO/Wireless 3945ABG Adapter Driver)
* C:\WINDOWS\system32\drivers\netw3x32.sys (Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit)
* C:\WINDOWS\system32\drivers\lhidke.sys (Logitech SetPoint HID Mouse Filter Driver)
* C:\WINDOWS\system32\drivers\lmouke.sys (Logitech SetPoint Mouse Filter Driver)
* C:\WINDOWS\system32\drivers\rimsptsk.sys (MemoryStick)
* C:\WINDOWS\system32\drivers\hdaudbus.sys (Microsoft UAA Bus Driver for High Definition Audio)
* C:\WINDOWS\system32\drivers\chdaud.sys (Microsoft UAA Function Driver for High Definition Audio Service)
* c:\windows\system32\drivers\mraid35x.sys (mraid35x)
* C:\WINDOWS\system32\drivers\hpzipr12.sys (Print Class Driver for IEEE-1284.4 HPZipr12)
C:\WINDOWS\system32\drivers\pxhelp20.sys (PxHelp20)
* c:\windows\system32\drivers\ql1080.sys (ql1080)
* c:\windows\system32\drivers\ql12160.sys (ql12160)
* c:\windows\system32\drivers\ql1280.sys (ql1280)
* C:\WINDOWS\system32\drivers\rtl8139.sys (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver)
* C:\WINDOWS\system32\drivers\rixdptsk.sys (Ricoh xD-Picture Card Driver)
* C:\WINDOWS\system32\drivers\rimmptsk.sys (SD / MMC)
* C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
* c:\windows\system32\drivers\sisagp.sys (SIS AGP Bus Filter)
* c:\windows\system32\drivers\sparrow.sys (Sparrow)
* C:\WINDOWS\system32\zonelabs\srescan.sys (srescan)
* c:\windows\system32\drivers\sym_hi.sys (sym_hi)
* c:\windows\system32\drivers\sym_u3.sys (sym_u3)
* c:\windows\system32\drivers\symc810.sys (symc810)
* c:\windows\system32\drivers\symc8xx.sys (symc8xx)
* C:\WINDOWS\system32\drivers\syntp.sys (Synaptics TouchPad Driver)
* C:\WINDOWS\system32\drivers\aliide.sys (System Bus Extender)
* c:\windows\system32\drivers\ultra.sys (ultra)
* C:\WINDOWS\system32\drivers\hpzius12.sys (USB to IEEE-1284.4 Translation Driver HPZius12)
* C:\WINDOWS\system32\drivers\nv4_mini.sys (Video)
* C:\WINDOWS\system32\vsdatant.sys (vsdatant)
C:\WINDOWS\system32\drivers\btwusb.sys (WIDCOMM USB Bluetooth Driver)

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
c:\progra~1\common~1\system\oledb~1\msdaipp.dll (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
c:\progra~1\common~1\system\oledb~1\msdaipp.dll (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
c:\program files\logitech\desktop messenger\8876480\program\gaplugprotocol-8876480.dll (Logitech Inc.) {9462A756-7B47-47BC-8C80-C34B9B80B32B}
c:\program files\hp\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company) {CF184AD3-CDCB-4168-A3F7-8E447D129300}
c:\program files\common files\microsoft shared\information retrieval\msitss.dll (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754}
c:\progra~1\common~1\system\oledb~1\msdaipp.dll (Microsoft Corporation) {E1D2BF40-A96B-11d1-9C6B-0000F875AC61}

035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
------------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar
----------------------------------------------------------
* c:\program files\google\googletoolbar3.dll (Google Inc.) {2318C2B1-4965-11d4-9B18-009027A5CD4F}

045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
----------------------------------------------------------------
* c:\program files\google\googletoolbar3.dll (Google Inc.) {2318C2B1-4965-11D4-9B18-009027A5CD4F}
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 11, 2007, 03:02:45 PM
End of runscanner:

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
GUID / CLSID not found {7E853D72-626A-48EC-A868-BA8D5E23E045}
* c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll (Adobe Systems Incorporated) {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
* c:\program files\google\googletoolbar3.dll (Google Inc.) {AA58ED58-01DD-4d91-8333-CF10577473F7}
* c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll (Google Inc.) {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
* c:\program files\java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.) {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
---------------------------------------------------------------------------------
* c:\program files\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
c:\windows\system32\nvshell.dll {1CDB2949-8F65-4355-8456-263E7C208A5D}
c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A47}
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
* c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8}
c:\progra~1\micros~4\office\olkfstub.dll (Microsoft Corporation) {0006F045-0000-0000-C000-000000000046}
* c:\program files\zone labs\zonealarm\zlavscan.dll (Zone Labs, LLC) {D9872D13-7651-4471-9EEE-F0A00218BEBB}
c:\windows\system32\btneighborhood.dll (Broadcom Corporation.) {6af09ec9-b429-11d4-a1fb-0090960218cb}
* c:\windows\system32\nvcpl.dll (NVIDIA Corporation) {A70C977A-BF00-412C-90B7-034C51DA2439}
c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A48}
c:\program files\openoffice.org 2.1\program\shlxthdl.dll (Sun Microsystems, Inc.) {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
c:\program files\openoffice.org 2.1\program\shlxthdl.dll (Sun Microsystems, Inc.) {087B3AE3-E237-4467-B8DB-5A38AB959AC9}
c:\program files\openoffice.org 2.1\program\shlxthdl.dll (Sun Microsystems, Inc.) {63542C48-9552-494A-84F7-73AA6A7C99C1}
c:\program files\openoffice.org 2.1\program\shlxthdl.dll (Sun Microsystems, Inc.) {3B092F0C-7696-40E3-A80F-68D74DA84210}
* c:\windows\system32\nvcpl.dll (NVIDIA Corporation) {FFB699E0-306A-11d3-8BD1-00104B6F7516}
c:\windows\system32\shellvrtf.dll (XSS) {7F67036B-66F1-411A-AD85-759FB9C5B0DB}
* c:\program files\synaptics\syntp\syntpcpl.dll (Synaptics, Inc.) {2F603045-309F-11CF-9774-0020AFD0CFF6}
c:\progra~1\common~1\micros~1\webfol~1\msonsext.dll {BDEADF00-C265-11d0-BCED-00A0C90AB50F}

062 HKLM-HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
------------------------------------------------------------
c:\program files\common files\adobe\acrobat\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}
c:\program files\openoffice.org 2.1\program\shlxthdl.dll (Sun Microsystems, Inc.) {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}

063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
---------------------------------------------------------------------
C:\WINDOWS\system32\lsdelete.exe

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
c:\program files\common files\logitech\bluetooth\lbtwlgn.dll (Logitech Inc.)

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
--------------------------------------------------------
C:\WINDOWS\system32\bthcrp.dll (Broadcom Corporation.)
* C:\WINDOWS\system32\hpzsnt09.dll (HP)

073 %windir%\Tasks
------------------
AdwareAlert Scheduled Scan.job : c:\program files\adwarealert\adwarealert.exe
HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job : c:\program files\common files\sonic shared\sonic central\main\mediahub.exe

100 Internet Explorer settings
------------------------------
CustomizeSearch HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Default_Page_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL HKLM : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Page HKCU : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Page HKLM : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchAssistant HKCU : http://www.google.com/ie
SearchAssistant HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SearchUrl HKCU : http://www.google.com/search?q=%s
ShellNext HKCU : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
Start Page HKCU : http://www.news.com.au/couriermail/
Start Page HKLM : http://go.microsoft.com/fwlink/?LinkId=69157

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
c:\windows\downloaded program files\hpisdatamanager.dll (Hewlett-Packard) {14C1B87C-3342-445F-9B5E-365FF330A3AC}
* c:\program files\java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.) {8AD9C840-044E-11D1-B3E9-00805F499D93}
* c:\program files\java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.) {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
* c:\program files\java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.) {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}

105 HKCU\Software\Microsoft\Internet Explorer\MenuExt
-----------------------------------------------------
Send To &Bluetooth : C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

160 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
------------------------------------------------------------------
NoDispBackgroundPage : 0

161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
------------------------------------------------------------------
dontdisplaylastusername : 0
shutdownwithoutlogon : 1
undockwithoutlogon : 1

171 HKCU\Control Panel\Desktop\SCRNSAVE.EXE
-------------------------------------------
* c:\windows\system32\avastss.scr (ALWIL Software)

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
GUID / CLSID not found
* c:\program files\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
* c:\program files\zone labs\zonealarm\zlavscan.dll (Zone Labs, LLC) {D9872D13-7651-4471-9EEE-F0A00218BEBB}
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 11, 2007, 03:07:50 PM
Hi Tech,

No, the Win32:Ircbot [trj] detection message is new as of tonight.

And I uninstalled the old Java first and re-booted. There were a few of them!

What do you reckon of the HJT and Runscanner logs?

Ta,

Cupladays
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: DavidR on October 11, 2007, 03:23:53 PM
Quote
Bad News - It appears I now have Win32:Ircbot-CDT[trj] Avast has found it tonight. Is this related?

Hard to say, as we are hunting for either undetected or hidden malware, which could be a trojan downloader that can bring down any sort of malware.
You don't give the infected file name or location, which can be of more help than simply the malware name (more things for us to check for)?

Did you not fix this in HJT, as was mentioned before?
Quote
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Other than that I see nothing obvious in the HJT log.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: DavidR on October 11, 2007, 03:38:29 PM
Update:

I have been doing a little more searching and checked out the Rainlendar2.exe; do you know what this is?
There are a couple of Google hits that indicate it could be malware (trojan) rather than a desktop calendar, though this isn't conclusive.
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe

See http://spywarefiles.prevx.com/RRCFDI24268863/RAINLENDAR2.EXE.html

So it would probably be best to check the offending/suspect file and report the findings: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/). I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.

Or Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/). If any other scanners there detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: Lisandro on October 11, 2007, 03:51:33 PM
I have been doing a little more searching and checked out the Rainlendar2.exe; do you know what this is?
A calendar, a to-do list... it should be a clean program.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: DavidR on October 11, 2007, 04:09:05 PM
Further down, in the next sentence, I stated it is a desktop calendar but there may be a possibility it is not, and that is why the question is directed to cupladays: do 'they' know what it is?

If cupladays installed it then there shouldn't be a problem, but it doesn't hurt to check at VT and Jotti.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 11, 2007, 04:13:41 PM
Hi Tech / DavidR,

Sorry - here's the filename / location from the log viewer:

11/10/2007 11:54:12 PM   P & J Harmen   528   Sign of "Win32:Ircbot-CDT [trj]" has been found in "C:\DOCUME~1\P&JHAR~1\LOCALS~1\Temp\Temporary Directory 1 for album59.zip\album59.scr" file.

Also - there are Win32:Ircbot-CDR logs in the log viewer from August, now that I look harder.

12/08/2007 10:32:20 AM   P & J Harmen   536   Sign of "Win32:Ircbot-CDR [trj]" has been found in "C:\WINDOWS\system32\libmsns.dll" file.  
12/08/2007 6:18:03 PM   P & J Harmen   432   Sign of "Win32:Ircbot-CDR [trj]" has been found in "C:\WINDOWS\system32\libmsns.dll" file.  
13/08/2007 10:41:41 AM   P & J Harmen   520   Sign of "Win32:Ircbot-CDR [trj]" has been found in "C:\WINDOWS\system32\libmsns.dll" file.  
13/08/2007 3:32:47 PM   P & J Harmen   520   Sign of "Win32:Ircbot-CDR [trj]" has been found in "C:\WINDOWS\system32\libmsns.dll" file.  
13/08/2007 7:50:54 PM   P & J Harmen   440   Sign of "Win32:Ircbot-CDR [trj]" has been found in "C:\WINDOWS\system32\libmsns.dll" file.  

And DavidR - no, I didn't get rid of that O2 - BHO file before. I missed that. It's done now.

Rainlendar should be OK. It's a cute calendar / to-do list, as Tech says. It was recommended by PCuser mag. I installed it.

Cheers
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: Lisandro on October 11, 2007, 04:22:56 PM
To know if a file is a false positive, please submit it to JOTTI (http://virusscan.jotti.org/) or VirusTotal (http://www.virustotal.com/xhtml/index_en.html) and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please mention in the body of the message why you think it is a false positive and the password used. Thanks.
VirusTotal and Jotti both have file size limits, 10 and 15MB respectively.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the blue 'a' icon, click on the provider icon at left and then Customize. Go to the Advanced tab and click on the Add button...
You can use wildcards like * and ?. But be careful: don't 'exclude' so many files that you leave your system in danger.
After that, please periodically check it - scan it in the Chest by right-clicking the file - there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected as infected you can also remove it from the Exclusion list.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: DavidR on October 11, 2007, 04:28:03 PM
The detection is in a zip file, which is inert by nature, so unless it was unpacked and the screen-saver file album59.scr was executed (avast wouldn't have allowed that) you should be in the clear from that particular issue. What we have to determine is what/how it got into the Temp folder, which is a common location for some downloaders to place files. If it was downloaded I wonder why the web shield didn't catch it before the standard shield, though.

The others detected in the system folder were a different ball game, since they were in the system32 folder and as DLLs could have been running. I think that they have been dealt with, though; to add files to system folders and create registry entries permission is required.

You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP. Check Bob's setup instructions and, importantly, the dropmyrights.msi file needed, as MS have now cleared the original link.
http://mysharedfiles.no-ip.org/dropmyrights


I would only have been worried about the Rainlendar if you hadn't known what it was and hadn't installed it, so panic over.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 12, 2007, 12:39:22 PM
Hi Tech / DavidR,

I believe the old Win32:Ircbot-CDR is gone.
The new Win32:Ircbot-CDR is the last one to banish.

I will run the false positive tests as you say, submit it to JOTTI or VirusTotal and report back. Also I'll look at the administrator browsing issues as you suggest.

This has been a fairly impressive forum. I am back with a healthy lappy. You guys get paid for this?

Regards,
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: DavidR on October 12, 2007, 05:04:44 PM
There are many volunteers who help on the forums; those with Alwil Team in their details at the left of the post are from Alwil Software, the developers of avast.

We are avast users like yourself, so our pay is helping other avast users get the best from avast.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 15, 2007, 02:28:22 PM
Hi again,

Sorry, it's been a couple of days... but I might need another hand.

I just went to submit the file to VirusTotal but couldn't find that particular one!... There have been a few more entries in the virus chest since then but I can't find them either... is there a secret to finding these files? I have turned the view hidden files feature on.

The only file I could see that resembled the ones in the log viewer or the chest was this one - but it appears OK?

File webcam-photos08.zip received on 10.15.2007 13:49:09 (CET)


Result: 0/29 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2007.10.13.1 2007.10.12 -
AntiVir 7.6.0.23 2007.10.15 -
Authentium 4.93.8 2007.10.14 -
Avast 4.7.1051.0 2007.10.14 -
BitDefender 7.2 2007.10.15 -
CAT-QuickHeal 9.00 2007.10.13 -
ClamAV 0.91.2 2007.10.14 -
DrWeb 4.44.0.09170 2007.10.15 -
eSafe 7.0.15.0 2007.10.10 -
eTrust-Vet 31.2.5207 2007.10.13 -
Ewido 4.0 2007.10.15 -
FileAdvisor 1 2007.10.15 -
Fortinet 3.11.0.0 2007.10.15 -
F-Secure 6.70.13030.0 2007.10.15 -
Ikarus T3.1.1.12 2007.10.15 -
Kaspersky 7.0.0.125 2007.10.15 -
McAfee 5140 2007.10.12 -
Microsoft 1.2908 2007.10.15 -
NOD32v2 2591 2007.10.14 -
Norman 5.80.02 2007.10.15 -
Panda 9.0.0.4 2007.10.14 -
Prevx1 V2 2007.10.15 -
Rising 19.45.02.00 2007.10.15 -
Sophos 4.22.0 2007.10.15 -
Sunbelt 2.2.907.0 2007.10.13 -
TheHacker 6.2.8.091 2007.10.15 -
VBA32 3.12.2.4 2007.10.15 -
VirusBuster 4.3.26:9 2007.10.14 -
Webwasher-Gateway 6.0.1 2007.10.15 -
Additional information
File size: 116360 bytes
MD5: 5f2221a4f79890e165ac82b84e40fe83
SHA1: 6bd2c39fc1661da2dc498e8d4516cc5750af2127
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: DavidR on October 15, 2007, 03:05:07 PM
You shouldn't be able to find files that are in the avast chest on your hard disk; that is the whole point of the chest, it is a protected area where they can't get out nor can other applications get in.
<snip>
Whichever scanner you use, you can't do this with the file in the chest, you will need to move it out.

So to be able to upload files to VT or Jotti you need to export the file to a temporary folder (of your choice).
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: mauserme on October 16, 2007, 04:41:13 AM
SDFix should help with this.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix folder will be extracted to %systemdrive% \ (the drive that contains the Windows directory - typically 'C:\SDFix'). Open the SDFix folder in Safe Mode, then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot. Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.

Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 16, 2007, 02:32:51 PM
Hi there DavidR / mauserme,

Sorry - bit stupid there, trying to find a file in the chest on C:

Anyway - here's the VT results of the file:

File album59.scr received on 10.16.2007 14:20:24 (CET)


Result: 31/32 (96.88%)

Antivirus Version Last Update Result
AhnLab-V3 2007.10.16.2 2007.10.16 Win32/ShadoBot.worm.116224
AntiVir 7.6.0.23 2007.10.16 Worm/IrcBot.116224.6
Authentium 4.93.8 2007.10.16 W32/Backdoor.BMHU
Avast 4.7.1051.0 2007.10.15 Win32:Ircbot-CDT
AVG 7.5.0.488 2007.10.16 BackDoor.Ircbot.AXB
BitDefender 7.2 2007.10.16 Backdoor.IRCBot.ABEU
CAT-QuickHeal 9.00 2007.10.15 Backdoor.IRCBot.acd
ClamAV 0.91.2 2007.10.14 Trojan.IRCBot-1132
DrWeb 4.44.0.09170 2007.10.16 BackDoor.IRC.Sdbot.1987
eSafe 7.0.15.0 2007.10.15 Win32.IRCBot.acd
eTrust-Vet 31.2.5214 2007.10.16 Win32/Checkout.J
Ewido 4.0 2007.10.16 Backdoor.IRCBot.acd
FileAdvisor 1 2007.10.16 High threat detected
Fortinet 3.11.0.0 2007.10.16 W32/IRCBot.ACD!tr.bdr
F-Prot 4.3.2.48 2007.10.15 W32/Backdoor.BMHU
F-Secure 6.70.13030.0 2007.10.16 Backdoor.Win32.IRCBot.acd
Ikarus T3.1.1.12 2007.10.16 Backdoor.Win32.IRCBot.acd
Kaspersky 7.0.0.125 2007.10.16 Backdoor.Win32.IRCBot.acd
McAfee 5141 2007.10.15 W32/Checkout
Microsoft 1.2908 2007.10.16 Backdoor:Win32/IRCbot.OU
NOD32v2 2594 2007.10.16 Win32/IRCBot.WO
Norman 5.80.02 2007.10.15 W32/Ircbot.XIC
Panda 9.0.0.4 2007.10.16 W32/Gaobot.OXI.worm
Prevx1 V2 2007.10.16 -
Rising 19.45.11.00 2007.10.16 Backdoor.Win32.IRCbot.bcr
Sophos 4.22.0 2007.10.16 W32/IRCBot-XG
Sunbelt 2.2.907.0 2007.10.16 Backdoor.Win32.IRCBot.acd
Symantec 10 2007.10.16 W32.Mubla.B
TheHacker 6.2.8.093 2007.10.16 Backdoor/IRCBot.acd
VBA32 3.12.2.4 2007.10.16 Backdoor.Win32.IRCBot.acd
VirusBuster 4.3.26:9 2007.10.15 Worm.IRCBot.BDP
Webwasher-Gateway 6.0.1 2007.10.16 Worm.IrcBot.116224.6
Additional information
File size: 116224 bytes
MD5: 03ba79f306a641caf442eb328f2fc379
SHA1: b5d736fb206d233627e0d2278fb2f7cac57eb236
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=03ba79f306a641caf442eb328f2fc379
packers: PE_Patch, NTKrnl

So that doesn't look too good, eh? That's the file from 11/10/2007.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 16, 2007, 02:46:54 PM
Hi again..

And here's the VT report from a file moved to the chest this afternoon. So it looks like I still have some trojan activity going on here.

File webcam-photos086.zip received on 10.16.2007 14:35:17 (CET)


Result: 29/32 (90.63%)

Antivirus Version Last Update Result
AhnLab-V3 2007.10.16.2 2007.10.16 -
AntiVir 7.6.0.23 2007.10.16 Worm/IrcBot.116224.6
Authentium 4.93.8 2007.10.16 W32/Backdoor.BMHU
Avast 4.7.1051.0 2007.10.15 Win32:Ircbot-CDT
AVG 7.5.0.488 2007.10.16 BackDoor.Ircbot.AXB
BitDefender 7.2 2007.10.16 Backdoor.IRCBot.ABEU
CAT-QuickHeal 9.00 2007.10.15 Backdoor.IRCBot.acd
ClamAV 0.91.2 2007.10.14 Trojan.IRCBot-1132
DrWeb 4.44.0.09170 2007.10.16 BackDoor.IRC.Sdbot.1987
eSafe 7.0.15.0 2007.10.15 Win32.IRCBot.acd
eTrust-Vet 31.2.5214 2007.10.16 Win32/Checkout.J
Ewido 4.0 2007.10.16 Backdoor.IRCBot.acd
FileAdvisor 1 2007.10.16 -
Fortinet 3.11.0.0 2007.10.16 W32/IRCBot.ACD!tr.bdr
F-Prot 4.3.2.48 2007.10.15 W32/Backdoor.BMHU
F-Secure 6.70.13030.0 2007.10.16 Backdoor.Win32.IRCBot.acd
Ikarus T3.1.1.12 2007.10.16 Backdoor.Win32.IRCBot.acd
Kaspersky 7.0.0.125 2007.10.16 Backdoor.Win32.IRCBot.acd
McAfee 5141 2007.10.15 W32/Checkout
Microsoft 1.2908 2007.10.16 Backdoor:Win32/IRCbot.OU
NOD32v2 2594 2007.10.16 Win32/IRCBot.WO
Norman 5.80.02 2007.10.15 W32/Ircbot.XIC
Panda 9.0.0.4 2007.10.16 W32/Gaobot.OXI.worm
Prevx1 V2 2007.10.16 -
Rising 19.45.11.00 2007.10.16 Backdoor.Win32.IRCbot.bcr
Sophos 4.22.0 2007.10.16 W32/IRCBot-XG
Sunbelt 2.2.907.0 2007.10.16 Backdoor.Win32.IRCBot.acd
Symantec 10 2007.10.16 W32.Mubla.B
TheHacker 6.2.8.093 2007.10.16 Backdoor/IRCBot.acd
VBA32 3.12.2.4 2007.10.16 Backdoor.Win32.IRCBot.acd
VirusBuster 4.3.26:9 2007.10.15 Worm.IRCBot.BDP
Webwasher-Gateway 6.6.1 2007.10.16 Worm.IrcBot.116224.6
Additional information
File size: 116362 bytes
MD5: e33bc0fefe4be59e541a3c3653af6782
SHA1: f77dc82c25203bab553e5a62165957016a0384da
packers: PE_Patch, NTKrnl

So it's a zip file as well. So it's fairly safe, right?
And am I right in saying this is obviously not a false positive?
I will run SDFix and report back with its log and a new HijackThis log, as advised by mauserme.
Is this my best next move?

Regards
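A way to make the comparison cupladays is doing above repeatable, as an added example rather than anything posted in the thread or produced by VirusTotal: a Python script that parses a VirusTotal report pasted as plain text in the layout shown, counts engines that returned a name versus "-", and extracts the family token most vendors agree on. The sample report is a constructed subset of the rows from the second report above, with that report's size and hashes; the token stop-list and the "likely true positive" thresholds are my own heuristics, not VirusTotal's.

```python
"""Summarise a VirusTotal report pasted as plain text (added example)."""
import re
from collections import Counter
from typing import Any, Dict, List, Optional, Tuple

# One table row as pasted above: vendor, engine version, signature date, result.
ROW_RE = re.compile(
    r"^(?P<vendor>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$"
)
META_RE = re.compile(r"^(File size|MD5|SHA1):\s*(.+?)\s*$")

# Tokens that say what *kind* of thing a vendor saw, not *which* family (my own stop-list).
STOP = {"win32", "w32", "backdoor", "trojan", "worm", "generic", "trj", "bdr",
        "high", "threat", "detected"}

Report = Dict[str, Any]


def parse_report(text: str) -> Report:
    """Pull the per-vendor rows and the size/hash lines out of the pasted text."""
    rows: List[Tuple[str, str]] = []
    meta: Dict[str, str] = {}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Antivirus Version Last Update Result"):
            in_table = True
            continue
        if line.startswith("Additional information"):
            in_table = False
            continue
        m = META_RE.match(line)
        if m:
            meta[m.group(1)] = m.group(2)
        elif in_table:
            r = ROW_RE.match(line)
            if r:
                rows.append((r.group("vendor"), r.group("result")))
    return {"rows": rows, "meta": meta}


def detection_ratio(report: Report) -> Tuple[int, int]:
    """(engines that named the file, engines in the table); '-' means no detection."""
    rows = report["rows"]
    return sum(1 for _v, res in rows if res != "-"), len(rows)


def family_consensus(report: Report) -> Optional[Tuple[str, int]]:
    """Most common family token across the vendor names, one vote per vendor."""
    votes: Counter = Counter()
    for _vendor, result in report["rows"]:
        if result == "-":
            continue
        tokens = {t for t in re.findall(r"[a-z0-9]+", result.lower())
                  if len(t) >= 3 and not t.isdigit() and t not in STOP}
        votes.update(tokens)  # a set, so each vendor votes once per token
    return votes.most_common(1)[0] if votes else None


def assess(report: Report) -> str:
    """Heuristic verdict (my thresholds, not VirusTotal's): ratio plus family agreement."""
    hits, total = detection_ratio(report)
    if total == 0:
        return "no result rows found"
    if hits <= 1:
        return f"{hits}/{total}: possible false positive, re-check after signature updates"
    family = family_consensus(report)
    if hits / total >= 0.5 and family is not None and family[1] >= 3:
        return f"likely true positive: {hits}/{total} engines, consensus family '{family[0]}'"
    return f"inconclusive: {hits}/{total} engines, no clear family"


# Constructed sample: a subset of the rows from the second report in this thread, plus its
# size and hashes. Only the layout matters for the parser.
SAMPLE_REPORT = """
Antivirus Version Last Update Result
AhnLab-V3 2007.10.16.2 2007.10.16 -
AntiVir 7.6.0.23 2007.10.16 Worm/IrcBot.116224.6
Authentium 4.93.8 2007.10.16 W32/Backdoor.BMHU
Avast 4.7.1051.0 2007.10.15 Win32:Ircbot-CDT
AVG 7.5.0.488 2007.10.16 BackDoor.Ircbot.AXB
BitDefender 7.2 2007.10.16 Backdoor.IRCBot.ABEU
ClamAV 0.91.2 2007.10.14 Trojan.IRCBot-1132
DrWeb 4.44.0.09170 2007.10.16 BackDoor.IRC.Sdbot.1987
eTrust-Vet 31.2.5214 2007.10.16 Win32/Checkout.J
FileAdvisor 1 2007.10.16 -
Kaspersky 7.0.0.125 2007.10.16 Backdoor.Win32.IRCBot.acd
McAfee 5141 2007.10.15 W32/Checkout
Microsoft 1.2908 2007.10.16 Backdoor:Win32/IRCbot.OU
Prevx1 V2 2007.10.16 -
Sophos 4.22.0 2007.10.16 W32/IRCBot-XG
Symantec 10 2007.10.16 W32.Mubla.B
Additional information
File size: 116362 bytes
MD5: e33bc0fefe4be59e541a3c3653af6782
SHA1: f77dc82c25203bab553e5a62165957016a0384da
"""

if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(rep["meta"])
    print(assess(rep))
```

The one-vote-per-vendor rule matters: a single vendor's name like "Backdoor.Win32.IRCBot.acd" contributes "ircbot" and "acd" once each, so a family token only wins when independent engines agree on it, which is the signal that separates a real detection from a lone false positive.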
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: DavidR on October 16, 2007, 03:15:00 PM
Well, you must certainly have something downloading stuff (apologies for getting technical); what I'm surprised about is that the web shield provider didn't catch it on download. So I can only assume that it wasn't downloaded using the http protocol.

Which also begs the question: why didn't your firewall catch the outbound connection to download this? Two things come to mind. First, if you are using ZA free, it is crippled as far as outbound protection goes, in an attempt to promote the Pro version. Second, many of the scanners see this as being a backdoor; now if there is already a backdoor on your system, that could be bypassing your firewall anyway.

Based on the two points above I would suggest a change of firewall; many forum members use the Comodo Firewall (free), which isn't crippled in any way and may provide you with better protection against unauthorised outbound connections.

So after you have run SDFix you may want to look at a firewall change: download Comodo, disconnect from the internet, uninstall ZA free, reboot and install Comodo firewall. You will obviously get a number of pop-ups as applications connect to the internet, etc.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 16, 2007, 03:58:58 PM
DavidR,

The SDFix didn't run - or it certainly didn't appear to. There are a few patches on the link to the online readme that's in the folder, so I tried all of those but still no luck. There was no Report.txt created. The only text file there was one called kill, whose contents read:

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of wupdmgr.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of wupdmgr.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of wupdmgr.exe

Which would be the 3 times I ran it - once for the first time and once each for the patches.
I will take your advice on the firewall, once I sort this out.

Any advice on why SDFix won't run?
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: DavidR on October 16, 2007, 05:03:18 PM
Sorry, I only suggested you should run it because mauserme had suggested it before you posted the VT results. Did you follow his run instructions to the letter, as in the bit about running it in safe mode?
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: mauserme on October 16, 2007, 07:51:52 PM
The SDfix didnt run ...
Probably the malware having some fun with us.

I think the basic problem might still be C:\WINDOWS\SYSHOST.DLL.   When you originally posted you showed this file as something avast! quarantined - it has a 10 April, 2007 date in your log.

The ComboFix log generated 9 October, shows C:\WINDOWS\SYSHOST.DLL created 26 September.  If these dates are accurate the file has been recreated but I see no indication that the second copy has been deleted.  This would go along with the apparent rootkit techniques being employed and the continued downloading of malware.

I suggest you open OTMoveIt again and paste in the following to be moved:

C:\WINDOWS\SYSHOST.DLL
C:\Windows\svchost.exe

Then click the MoveIt button as you did in the past.

Post the results of OTMoveIt along with fresh ComboFix and HJT logs.

BTW, C:\Windows\svchost.exe is not the same as the valid file, which is C:\Windows\System32\svchost.exe.  It may or may not be found.
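As an added example (not part of the thread or any of the tools it mentions), the check mauserme describes above, turned into a small script: it reads the "Running processes:" section of a HijackThis log and flags any core Windows binary name that is running from somewhere other than its expected directory. The expected-directory table and the sample log lines are constructed for this example and assume Windows is installed at C:\WINDOWS, as in the logs posted here.

```python
from __future__ import annotations

from pathlib import PureWindowsPath

# Expected parent directory (lower-case) for core Windows binaries whose
# names malware commonly reuses. Constructed, minimal table for this
# example; a production list would be larger and per-OS-version.
EXPECTED_DIRS: dict[str, set[str]] = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


def running_processes(hjt_log: str) -> list[str]:
    """Return the image paths listed under 'Running processes:' in a HijackThis log.

    The section starts at the 'Running processes:' header and ends at the
    first blank line, which is how HJT 2.0.x lays the log out.
    """
    paths: list[str] = []
    collecting = False
    for line in hjt_log.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            collecting = True
            continue
        if collecting:
            if not stripped:
                break
            paths.append(stripped)
    return paths


def suspicious_processes(hjt_log: str) -> list[tuple[str, str]]:
    """Flag processes whose file name is a core Windows binary but whose
    directory is not where that binary legitimately lives.

    Returns (path_as_listed, expected_directories) pairs. Comparison is
    case-insensitive because HJT prints paths as the process reported them
    (System32 vs system32, Explorer.EXE vs explorer.exe).
    """
    findings: list[tuple[str, str]] = []
    for path in running_processes(hjt_log):
        p = PureWindowsPath(path)
        name = p.name.lower()
        parent = str(p.parent).lower()
        expected = EXPECTED_DIRS.get(name)
        if expected is not None and parent not in expected:
            findings.append((path, ", ".join(sorted(expected))))
    return findings


# Constructed sample: a trimmed HJT process list with one look-alike
# svchost.exe sitting directly under C:\Windows, the case discussed above.
SAMPLE_HJT_LOG = "\n".join(
    [
        "Logfile of Trend Micro HijackThis v2.0.2",
        "Boot mode: Normal",
        "",
        "Running processes:",
        r"C:\WINDOWS\System32\smss.exe",
        r"C:\WINDOWS\system32\svchost.exe",
        r"C:\Windows\svchost.exe",
        r"C:\WINDOWS\Explorer.EXE",
        r"C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
        r"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe",
        "",
        r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    ]
)

if __name__ == "__main__":
    for listed, expected in suspicious_processes(SAMPLE_HJT_LOG):
        print(f"SUSPICIOUS: {listed} (expected in {expected})")
```

Short 8.3 paths such as C:\PROGRA~1\... are left alone by this check because their file names are not in the table; a fuller version would expand them with the Win32 API before comparing.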
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 16, 2007, 10:47:50 PM
davidR - yes, I followed mauserme's instructions to a tee - including safe mode. He's given me some homework which I'll do tonight and report back.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 17, 2007, 02:58:45 PM
Hi all,

OK - here's the results of OTMoveIt:

File/Folder C:\WINDOWS\SYSHOST.DLL not found.
File/Folder C:\Windows\svchost.exe not found.
 
Created on 10/17/2007 22:56:24

And here's the ComboFix and HJT logs over a few posts as usual

Combofix:

ComboFix 07-10-09.3 - P & J Harmen 2007-10-17 22:50:25.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.494 [GMT 10:00]
Running from: C:\Documents and Settings\P & J Harmen\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2007-09-17 to 2007-10-17  )))))))))))))))))))))))))))))))
.

2007-10-16 23:19   <DIR>   d--------   C:\WINDOWS\ERUNT
2007-10-11 20:34   3,968   --a------   C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-10-10 20:52   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-10 09:20   582,656   ---------   C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 21:04   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-10-09 20:57   <DIR>   d--------   C:\Program Files\Trend Micro
2007-10-09 20:18   <DIR>   d--------   C:\Program Files\RogueRemover FREE
2007-10-04 21:52   <DIR>   d--------   C:\Program Files\Lavasoft
2007-10-04 21:52   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-04 21:50   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-10-04 21:35   <DIR>   C:\Documents and Settings\P & J Harmen\DoctorWeb
2007-10-02 22:40   <DIR>   C:\Documents and Settings\P & J Harmen\Application Data\AdwareAlert
2007-10-02 22:08   <DIR>   d--------   C:\Program Files\Navilog1
2007-10-02 20:27   <DIR>   d--------   C:\Program Files\Spyware Doctor
2007-10-02 20:27   <DIR>   d--------   C:\Program Files\Picasa2
2007-10-02 20:07   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-02 19:38   <DIR>   d--------   C:\Program Files\Enigma Software Group
2007-10-02 14:47   6,029,312   C:\Documents and Settings\P & J Harmen\ntuser.dat
2007-10-01 21:23   3,837,984   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-01 21:20   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-29 21:26   <DIR>   d--------   C:\Program Files\Snapshot Viewer
2007-09-29 21:26   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SBT
2007-09-29 21:21   <DIR>   d--------   C:\WINDOWS\ShellNew
2007-09-29 21:19   <DIR>   C:\Documents and Settings\P & J Harmen\Application Data\Microsoft Web Folders

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-16 14:15   42,980   --sha-w   C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-12 23:23   4,814   ----a-w   C:\Documents and Settings\P & J Harmen\Application Data\wklnhst.dat
2007-10-02 12:42   ---------   d-----w   C:\Documents and Settings\P & J Harmen\Application Data\AdwareAlert
2007-10-02 10:11   ---------   d-----w   C:\Program Files\Google
2007-10-02 10:11   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Google
2007-09-29 11:25   ---------   d-----w   C:\Program Files\microsoft frontpage
2007-09-29 11:19   ---------   d-----w   C:\Documents and Settings\P & J Harmen\Application Data\Microsoft Web Folders
2007-09-28 05:41   ---------   d-----w   C:\Documents and Settings\P & J Harmen\Application Data\OpenOffice.org2
2007-09-06 10:09   801,144   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05   94,416   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05   92,848   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00   95,608   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-06 06:14   75,248   ----a-w   C:\WINDOWS\zllsputility.exe
2007-09-06 06:14   1,086,952   ----a-w   C:\WINDOWS\system32\zpeng24.dll
2007-09-05 11:03   168,105   ----a-w   C:\CleanUp452.exe
2007-09-05 10:03   ---------   d-----w   C:\Program Files\Nokia
2007-08-21 09:11   12,087   ----a-w   C:\Documents and Settings\P & J Harmen\phraxd.exe
2007-08-21 08:57   12,087   ----a-w   C:\Documents and Settings\P & J Harmen\lcojug.exe
2007-08-21 06:15   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15   683,520   ------w   C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04   824,832   ----a-w   C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04   671,232   ----a-w   C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04   63,488   ------w   C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04   6,058,496   ------w   C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04   52,224   ------w   C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04   477,696   ----a-w   C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04   459,264   ------w   C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04   44,544   ------w   C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04   384,512   ------w   C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04   383,488   ------w   C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04   3,584,512   ----a-w   C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04   27,648   ----a-w   C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04   267,776   ------w   C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04   232,960   ------w   C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04   230,400   ------w   C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04   214,528   ----a-w   C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04   193,024   ----a-w   C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04   153,088   ------w   C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04   132,608   ----a-w   C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04   124,928   ------w   C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04   105,984   ------w   C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04   102,400   ------w   C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04   1,152,000   ----a-w   C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21   625,152   ------w   C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20   63,488   ------w   C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20   13,824   ------w   C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34   161,792   ------w   C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-30 09:19   92,504   ----a-w   C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 09:19   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-07-30 09:19   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll
2007-07-30 09:19   549,720   ----a-w   C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 09:19   53,080   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2007-07-30 09:19   53,080   ----a-w   C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 09:19   43,352   ----a-w   C:\WINDOWS\system32\wups2.dll
2007-07-30 09:19   325,976   ----a-w   C:\WINDOWS\system32\wucltui.dll
2007-07-30 09:19   325,976   ----a-w   C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 09:19   271,224   ----a-w   C:\WINDOWS\system32\mucltui.dll
2007-07-30 09:19   207,736   ----a-w   C:\WINDOWS\system32\muweb.dll
2007-07-30 09:19   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-07-30 09:19   203,096   ----a-w   C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 09:19   1,712,984   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2007-07-30 09:19   1,712,984   ----a-w   C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 09:18   33,624   ----a-w   C:\WINDOWS\system32\wups.dll
2007-07-30 09:18   33,624   ----a-w   C:\WINDOWS\system32\dllcache\wups.dll
2005-09-24 15:49   12,288   -c--a-w   C:\WINDOWS\Fonts\RandFont.dll
.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 17, 2007, 02:59:30 PM
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 15:58]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 15:58]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 22:44 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 15:22]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-19 17:14]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 13:33]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 12:50]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 20:06]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 15:58]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00]
"nwiz"="nwiz.exe" [2006-07-20 15:58 C:\WINDOWS\system32\nwiz.exe]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-08-12 23:28 C:\WINDOWS\KHALMNPR.Exe]
"Logitech BT Wizard"="LBTWiz.exe" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 23:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-07-24 17:12]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 14:26]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-15 14:47]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 07:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 13:33:22]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-25 02:39:30]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-15 14:47:53]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-19 20:37:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2005-09-06 02:44 53248 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam  ;C:\WINDOWS\system32\Drivers\5U870CAP.sys
R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
S2 pciinfo;HP Pci Information;\??\C:\DOCUME~1\P&JHAR~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 10:30:04 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
"2007-10-11 13:20:53 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 22:53:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????B??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 22:54:14
C:\ComboFix-quarantined-files.txt ... 2007-10-17 22:54
C:\ComboFix2.txt ... 2007-10-09 21:19
.
   --- E O F ---
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 17, 2007, 03:01:00 PM
Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:13 PM, on 17/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 17, 2007, 03:01:44 PM
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/couriermail/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161139718942
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10565 bytes

Regards,
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: mauserme on October 17, 2007, 07:59:20 PM
I'm not seeing anything in your logs.  Let's try a deeper look:

Download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe)  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 19, 2007, 02:30:01 PM
Hi Again,

Sorry - I had to go away for a couple of days - back now.

Here's the WinPFind3u log:

WinPFind3 logfile created on: 19/10/2007 10:19:13 PM
WinPFind3U by OldTimer - Version 1.0.42   Folder = C:\Documents and Settings\P & J Harmen\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
 
1021.98 Mb Total Physical Memory | 554.91 Mb Available Physical Memory | 54.30% Memory free
2.40 Gb Paging File | 1.99 Gb Available in Paging File | 82.84% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 82.89 Gb Total Space | 52.49 Gb Free Space | 63.33% Space Free
Drive D: | 9.24 Gb Total Space | 1.15 Gb Free Space | 12.40% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: PC147518913218
Current User Name: P & J Harmen
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 3 | Size = 574808 bytes | Modified Date = 25/09/2007 9:00:46 AM | Attr =    ]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 6/09/2007 8:06:10 PM | Attr =    ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 6/09/2007 8:05:42 PM | Attr =    ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 6/09/2007 8:06:04 PM | Attr =    ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 6/09/2007 8:04:44 PM | Attr =    ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 6/09/2007 7:54:58 PM | Attr =    ]
btstac~1.exe -> %ProgramFiles%\WIDCOMM\Bluetooth Software\BTStackServer.exe -> Broadcom Corporation. [Ver = 4.0.1.3500 | Size = 1265748 bytes | Modified Date = 12/05/2006 1:32:14 PM | Attr =    ]
bttray.exe -> %ProgramFiles%\WIDCOMM\Bluetooth Software\BTTray.exe -> Broadcom Corporation. [Ver = 4.0.1.3500 | Size = 581693 bytes | Modified Date = 12/05/2006 1:33:22 PM | Attr =    ]
btwdins.exe -> %ProgramFiles%\WIDCOMM\Bluetooth Software\bin\btwdins.exe -> Broadcom Corporation. [Ver = 4.0.1.3500 | Size = 258103 bytes | Modified Date = 12/05/2006 1:27:16 PM | Attr =    ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 15/07/2007 2:26:06 PM | Attr =    ]
hp wireless assistant.exe -> %ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe -> Hewlett-Packard Development Company, L.P. [Ver = 2, 0, 7, 2 | Size = 458752 bytes | Modified Date = 4/05/2006 3:58:26 PM | Attr =    ]
hpcmpmgr.exe -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 12/01/2005 2:54:58 PM | Attr =    ]
hpqimzone.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqimzone.exe -> Hewlett-Packard Development Company, L.P. [Ver = 060.000.155.000 | Size = 475136 bytes | Modified Date = 25/09/2005 1:42:32 AM | Attr =    ]
hpqtra08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 5.31.0.147 | Size = 233472 bytes | Modified Date = 7/07/2003 1:20:40 AM | Attr =    ]
hpqwmiex.exe -> %ProgramFiles%\Hewlett-Packard\Shared\hpqwmiex.exe -> Hewlett-Packard Development Company, L.P. [Ver = 2, 0, 1, 9 | Size = 135168 bytes | Modified Date = 2/05/2006 5:41:28 PM | Attr =    ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Co. [Ver = 50.0.146.000 | Size = 49152 bytes | Modified Date = 16/02/2005 11:11:42 PM | Attr =    ]
khalmnpr.exe -> %CommonProgramFiles%\Logitech\KHAL\KHALMNPR.EXE -> Logitech Inc. [Ver = 2.44.413 | Size = 28160 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
lbtserv.exe -> %CommonProgramFiles%\Logitech\Bluetooth\LBTSERV.EXE -> Logitech Inc. [Ver = 2.44.460 | Size = 81920 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
lbtwiz.exe -> %ProgramFiles%\Logitech\SetPoint\LBTWiz.exe -> Logitech Inc. [Ver = 1.0.0.1 | Size = 28160 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
logitechdesktopmessenger.exe -> %ProgramFiles%\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe -> Logitech Inc. [Ver = 2.52.21.16 | Size = 67128 bytes | Modified Date = 15/02/2007 2:47:54 PM | Attr =    ]
lssrvc.exe -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.4.97.1 | Size = 49152 bytes | Modified Date = 18/05/2006 6:52:06 PM | Attr =    ]
qlbctrl.exe -> %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe ->  Hewlett-Packard Development Company, L.P. [Ver = 6, 1, 1, 2 | Size = 163840 bytes | Modified Date = 19/06/2006 1:33:12 PM | Attr =    ]
qpservice.exe -> %ProgramFiles%\HP\QuickPlay\QPService.exe -> CyberLink Corp. [Ver = 4.5.0.0000 | Size = 102400 bytes | Modified Date = 19/07/2006 5:14:20 PM | Attr =    ]
rainlendar2.exe -> %ProgramFiles%\Rainlendar2\Rainlendar2.exe ->  [Ver = 2, 2, 0, 0 | Size = 1298432 bytes | Modified Date = 24/07/2007 5:12:56 PM | Attr =    ]
setpoint.exe -> %ProgramFiles%\Logitech\SetPoint\SetPoint.exe -> Logitech Inc. [Ver = 2.44.460 | Size = 528384 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.3.8 16Jun06 | Size = 794713 bytes | Modified Date = 17/06/2006 3:22:46 PM | Attr =    ]
vsmon.exe -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 75304 bytes | Modified Date = 6/09/2007 4:14:18 PM | Attr =    ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 4/09/2007 10:47:26 AM | Attr =    ]
zlclient.exe -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 919016 bytes | Modified Date = 6/09/2007 4:14:18 PM | Attr =    ]
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 19, 2007, 02:31:22 PM
[Win32 Services - Non-Microsoft Only]
(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 3 | Size = 574808 bytes | Modified Date = 25/09/2007 9:00:46 AM | Attr =    ]
(AddFiltr) AddFiltr [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -> Hewlett-Packard Development Company, L.P. [Ver = 1.0.0.1 | Size = 126976 bytes | Modified Date = 12/06/2006 3:27:28 PM | Attr =    ]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 6/09/2007 7:54:58 PM | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 6/09/2007 8:06:04 PM | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 6/09/2007 8:05:42 PM | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 6/09/2007 8:04:44 PM | Attr =    ]
(btwdins) Bluetooth Service [Win32_Own | Auto | Running] -> %ProgramFiles%\WIDCOMM\Bluetooth Software\bin\btwdins.exe -> Broadcom Corporation. [Ver = 4.0.1.3500 | Size = 258103 bytes | Modified Date = 12/05/2006 1:27:16 PM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 5/08/2004 7:00:00 AM | Attr =    ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 2/02/2007 9:08:04 AM | Attr =    ]
(hpqwmiex) hpqwmiex [Win32_Own | Auto | Running] -> %ProgramFiles%\Hewlett-Packard\Shared\hpqwmiex.exe -> Hewlett-Packard Development Company, L.P. [Ver = 2, 0, 1, 9 | Size = 135168 bytes | Modified Date = 2/05/2006 5:41:28 PM | Attr =    ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 10.50.125 | Size = 73728 bytes | Modified Date = 22/10/2004 5:24:18 AM | Attr =    ]
(LBTServ) Logitech Bluetooth Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Logitech\Bluetooth\LBTSERV.EXE -> Logitech Inc. [Ver = 2.44.460 | Size = 81920 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
(LightScribeService) LightScribeService Direct Disc Labeling Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.4.97.1 | Size = 49152 bytes | Modified Date = 18/05/2006 6:52:06 PM | Attr =    ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Stopped] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.8602 | Size = 143426 bytes | Modified Date = 20/07/2006 3:58:00 PM | Attr =    ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Unknown | Stopped] ->  -> File not found
(ServiceLayer) ServiceLayer [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\PC Connectivity Solution\ServiceLayer.exe -> Nokia. [Ver = 6, 83, 78, 3 | Size = 292864 bytes | Modified Date = 26/03/2007 1:06:24 PM | Attr =    ]
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Running] -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 75304 bytes | Modified Date = 6/09/2007 4:14:18 PM | Attr =    ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 6/09/2007 8:06:10 PM | Attr =    ]
Cpqset -> %ProgramFiles%\Hewlett-Packard\Default Settings\Cpqset.exe ->  [Ver =  | Size = 40960 bytes | Modified Date = 19/06/2006 12:50:40 PM | Attr =    ]
High Definition Audio Property Page Shortcut -> %System32%\CHDAudPropShortcut.exe -> Windows (R) Server 2003 DDK provider [Ver = 5.10.00.5010 built by: WinDDK | Size = 61952 bytes | Modified Date = 27/07/2006 10:44:56 PM | Attr =    ]
HP Component Manager -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 12/01/2005 2:54:58 PM | Attr =    ]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Co. [Ver = 50.0.146.000 | Size = 49152 bytes | Modified Date = 16/02/2005 11:11:42 PM | Attr =    ]
hpWirelessAssistant -> %ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe -> Hewlett-Packard Development Company, L.P. [Ver = 2, 0, 7, 2 | Size = 458752 bytes | Modified Date = 4/05/2006 3:58:26 PM | Attr =    ]
Logitech BT Wizard -> LBTWiz.exe -> File not found
Logitech Hardware Abstraction Layer -> %SystemRoot%\KHALMNPR.Exe -> Logitech Inc. [Ver = 2.44.413 | Size = 28160 bytes | Modified Date = 12/08/2005 11:28:04 PM | Attr =    ]
MsmqIntCert -> regsvr32 /s mqrt.dll [regsvr32 /s mqrt.dll] -> File not found
MSPY2002 -> %System32%\IME\PINTLGNT\IMSCINST.EXE ->  [Ver =  | Size = 59392 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr =    ]
NvCplDaemon -> %System32%\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.8602 | Size = 7581696 bytes | Modified Date = 20/07/2006 3:58:00 PM | Attr =    ]
NvMediaCenter -> %System32%\nvmctray.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit] -> NVIDIA Corporation [Ver = 6.14.10.8602 | Size = 86016 bytes | Modified Date = 20/07/2006 3:58:00 PM | Attr =    ]
nwiz -> %System32%\nwiz.exe ->  [Ver =  | Size = 1519616 bytes | Modified Date = 20/07/2006 3:58:00 PM | Attr =    ]
QlbCtrl -> HP Quick Launch Buttons\QlbCtrl.exe -> File not found
QPService -> %ProgramFiles%\HP\QuickPlay\QPService.exe -> CyberLink Corp. [Ver = 4.5.0.0000 | Size = 102400 bytes | Modified Date = 19/07/2006 5:14:20 PM | Attr =    ]
RecGuard -> %SystemRoot%\SMINST\Recguard.exe ->  [Ver = 6, 0, 66, 5 | Size = 1187840 bytes | Modified Date = 11/10/2005 12:23:50 PM | Attr =    ]
SynTPEnh -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.3.8 16Jun06 | Size = 794713 bytes | Modified Date = 17/06/2006 3:22:46 PM | Attr =    ]
ZoneAlarm Client -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 919016 bytes | Modified Date = 6/09/2007 4:14:18 PM | Attr =    ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
LDM -> %ProgramFiles%\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe -> Logitech Inc. [Ver = 2.52.21.16 | Size = 67128 bytes | Modified Date = 15/02/2007 2:47:54 PM | Attr =    ]
Rainlendar2 -> %ProgramFiles%\Rainlendar2\Rainlendar2.exe ->  [Ver = 2, 2, 0, 0 | Size = 1298432 bytes | Modified Date = 24/07/2007 5:12:56 PM | Attr =    ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 15/07/2007 2:26:06 PM | Attr =    ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Bluetooth.lnk -> %ProgramFiles%\WIDCOMM\Bluetooth Software\BTTray.exe -> Broadcom Corporation. [Ver = 4.0.1.3500 | Size = 581693 bytes | Modified Date = 12/05/2006 1:33:22 PM | Attr =    ]
%AllUsersStartup%\HP Digital Imaging Monitor.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 5.31.0.147 | Size = 233472 bytes | Modified Date = 7/07/2003 1:20:40 AM | Attr =    ]
%AllUsersStartup%\HP Photosmart Premier Fast Start.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqthb08.exe -> Hewlett-Packard Development Company, L.P. [Ver = 060.000.155.000 | Size = 73728 bytes | Modified Date = 25/09/2005 2:39:30 AM | Attr =    ]
%AllUsersStartup%\Logitech Desktop Messenger.lnk -> %ProgramFiles%\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe -> Logitech Inc. [Ver = 2.52.21.16 | Size = 67128 bytes | Modified Date = 15/02/2007 2:47:54 PM | Attr =    ]
%AllUsersStartup%\Logitech SetPoint.lnk -> %ProgramFiles%\Logitech\SetPoint\SetPoint.exe -> Logitech Inc. [Ver = 2.44.460 | Size = 528384 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
LBTWlgn -> %CommonProgramFiles%\Logitech\bluetooth\LBTWlgn.DLL -> Logitech Inc. [Ver = 2.44.460 | Size = 53248 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 19, 2007, 02:34:20 PM
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoCDBurning -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\\{17492023-C23A-453E-A040-C7C580BBF700} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ ->  ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\\NoCloseDragDropBands -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\\NoMovingBands -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\ClassicShell -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispBackgroundPage -> 0 ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1       localhost ->  ->
< Internet Explorer Settings > ->  ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> http://www.news.com.au/couriermail/ ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 19, 2007, 02:36:07 PM
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] ->  ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 22/10/2006 11:08:42 PM | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 25/09/2007 1:11:34 AM | Attr =    ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 19/01/2007 11:55:32 PM | Attr = R  ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 0, 301, 7164 | Size = 325048 bytes | Modified Date = 15/07/2007 2:26:04 PM | Attr =    ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 19/01/2007 11:55:32 PM | Attr = R  ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 19/01/2007 11:55:32 PM | Attr = R  ]
WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 25/09/2007 1:11:34 AM | Attr =    ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 25/09/2007 1:11:34 AM | Attr =    ]
{CCA281CA-C863-46ef-9331-5C8D4460577F} -> %ProgramFiles%\WIDCOMM\Bluetooth Software\btsendto_ie.htm [ButtonText: @btrez.dll,-4015] ->  [Ver =  | Size = 2681 bytes | Modified Date = 29/05/2003 1:53:08 PM | Attr =    ]
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
Send To &Bluetooth -> %ProgramFiles%\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ->  [Ver =  | Size = 1320 bytes | Modified Date = 29/05/2003 1:53:12 PM | Attr =    ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{3D341A4A-EF1A-4CEB-B567-2E56A4A974B7} ->    () ->
{55B58AFF-43F5-42DD-8B79-44628A7E962F} ->    (Intel(R) PRO/Wireless 3945ABG Network Connection) ->
{BEB5A92E-A08B-41A2-BB78-ED5FDEA613AA} ->    (1394 Net Adapter) ->
{D3555E08-C09C-48D4-AE59-F85D375BC96A} ->    () ->
{EF23EDA7-9639-4DDC-855F-155917565956} ->    (Intel(R) PRO/1000 PL Network Connection) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
bwfile-8876480 -> %ProgramFiles%\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll -> Logitech Inc. [Ver = Version 8.1.1 (Build 50R) | Size = 28711 bytes | Modified Date = 15/02/2007 2:47:54 PM | Attr =    ]
cetihpz -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll -> Hewlett-Packard Company [Ver = 2.1.6.2 | Size = 81920 bytes | Modified Date = 12/01/2005 2:54:56 PM | Attr =    ]
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{14C1B87C-3342-445F-9B5E-365FF330A3AC} -> Hewlett-Packard Online Support Services - CodeBase = http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161139718942 ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_03 - CodeBase = http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab ->
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab ->

Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 19, 2007, 02:37:19 PM
[Files/Folders - Created Within 90 days]
1F.tmp -> %SystemDrive%\1F.tmp ->  [Ver =  | Size = 0 bytes | Created Date = 20/08/2007 7:57:20 AM | Attr =    ]
21.tmp -> %SystemDrive%\21.tmp ->  [Ver =  | Size = 0 bytes | Created Date = 20/08/2007 7:57:42 AM | Attr =    ]
22.tmp -> %SystemDrive%\22.tmp ->  [Ver =  | Size = 0 bytes | Created Date = 20/08/2007 7:58:03 AM | Attr =    ]
23.tmp -> %SystemDrive%\23.tmp ->  [Ver =  | Size = 0 bytes | Created Date = 20/08/2007 7:58:24 AM | Attr =    ]
audiograbber -> %SystemDrive%\audiograbber ->  [Folder | Created Date = 12/08/2007 8:01:17 PM | Attr =    ]
CleanUp452.exe -> %SystemDrive%\CleanUp452.exe ->  [Ver =  | Size = 168105 bytes | Created Date = 5/09/2007 7:35:38 PM | Attr =    ]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\CleanUp452.exe:Zone.Identifier ->
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Created Date = 11/10/2007 8:21:40 PM | Attr =  HS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 1071697920 bytes | Created Date = 2/01/1601 2:00:00 PM | Attr =  HS]
qoobox -> %SystemDrive%\qoobox ->  [Folder | Created Date = 9/10/2007 9:11:06 PM | Attr =    ]
RegSeeker -> %SystemDrive%\RegSeeker ->  [Folder | Created Date = 5/09/2007 7:47:38 PM | Attr =    ]
RegSeeker.zip -> %SystemDrive%\RegSeeker.zip ->  [Ver =  | Size = 450114 bytes | Created Date = 5/09/2007 7:45:33 PM | Attr =    ]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\RegSeeker.zip:Zone.Identifier ->
SDFix -> %SystemDrive%\SDFix ->  [Folder | Created Date = 16/10/2007 11:17:50 PM | Attr =    ]
sqmdata00.sqm -> %SystemDrive%\sqmdata00.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 29/08/2007 9:14:24 PM | Attr =  H ]
sqmnoopt00.sqm -> %SystemDrive%\sqmnoopt00.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 29/08/2007 9:14:24 PM | Attr =  H ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Created Date = 10/10/2007 8:35:50 PM | Attr =    ]
$NtUninstallKB921503$ -> %SystemRoot%\$NtUninstallKB921503$ ->  [Folder | Created Date = 16/08/2007 8:13:37 AM | Attr =  H ]
$NtUninstallKB933360$ -> %SystemRoot%\$NtUninstallKB933360$ ->  [Folder | Created Date = 29/08/2007 9:15:23 PM | Attr =  H ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ ->  [Folder | Created Date = 10/10/2007 11:35:47 AM | Attr =  H ]
$NtUninstallKB936021$ -> %SystemRoot%\$NtUninstallKB936021$ ->  [Folder | Created Date = 16/08/2007 8:13:48 AM | Attr =  H ]
$NtUninstallKB936782_WMP11$ -> %SystemRoot%\$NtUninstallKB936782_WMP11$ ->  [Folder | Created Date = 16/08/2007 8:11:18 AM | Attr =  H ]
$NtUninstallKB938828$ -> %SystemRoot%\$NtUninstallKB938828$ ->  [Folder | Created Date = 16/08/2007 8:13:43 AM | Attr =  H ]
$NtUninstallKB938829$ -> %SystemRoot%\$NtUninstallKB938829$ ->  [Folder | Created Date = 16/08/2007 8:13:32 AM | Attr =  H ]
$NtUninstallKB939683$ -> %SystemRoot%\$NtUninstallKB939683$ ->  [Folder | Created Date = 4/09/2007 7:45:59 PM | Attr =  H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ ->  [Folder | Created Date = 10/10/2007 11:34:07 AM | Attr =  H ]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 135168 bytes | Created Date = 9/10/2007 9:10:35 PM | Attr =    ]
cdplayer.ini -> %SystemRoot%\cdplayer.ini ->  [Ver =  | Size = 34 bytes | Created Date = 12/08/2007 10:44:27 PM | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 9/10/2007 9:10:51 PM | Attr =    ]
ERUNT -> %SystemRoot%\ERUNT ->  [Folder | Created Date = 16/10/2007 11:19:00 PM | Attr =    ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 9/10/2007 9:04:28 PM | Attr =    ]
ODBC.INI -> %SystemRoot%\ODBC.INI ->  [Ver =  | Size = 376 bytes | Created Date = 29/09/2007 9:23:21 PM | Attr =    ]
pss -> %SystemRoot%\pss ->  [Folder | Created Date = 5/09/2007 9:33:17 PM | Attr =    ]
ShellNew -> %SystemRoot%\ShellNew ->  [Folder | Created Date = 29/09/2007 9:21:08 PM | Attr =    ]
temp -> %SystemRoot%\temp ->  [Folder | Created Date = 4/10/2007 9:12:58 PM | Attr =    ]
AdwareAlert Scheduled Scan.job -> %SystemRoot%\tasks\AdwareAlert Scheduled Scan.job ->  [Ver =  | Size = 510 bytes | Created Date = 2/10/2007 10:40:22 PM | Attr =    ]
HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job -> %SystemRoot%\tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job ->  [Ver =  | Size = 1034 bytes | Created Date = 4/10/2007 10:44:31 PM | Attr =  H ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 11/10/2007 8:27:12 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Created Date = 11/10/2007 8:27:12 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 11/10/2007 8:27:12 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Created Date = 11/10/2007 8:27:12 PM | Attr =    ]
MRT.INI -> %System32%\MRT.INI ->  [Ver =  | Size = 118 bytes | Created Date = 12/09/2007 2:43:30 PM | Attr =    ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 9/10/2007 9:10:35 PM | Attr =    ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 9/10/2007 9:10:35 PM | Attr =    ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 9/10/2007 9:10:35 PM | Attr =    ]
VFind.exe -> %System32%\VFind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 9/10/2007 9:10:35 PM | Attr =    ]
fpencode.dll -> %System32%\dllcache\fpencode.dll ->  [Ver =  | Size = 94208 bytes | Created Date = 29/09/2007 9:22:44 PM | Attr =    ]
AvgArCln.sys -> %System32%\drivers\AvgArCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 11/10/2007 8:34:03 PM | Attr =    ]
AWRTRD.sys -> %System32%\drivers\AWRTRD.sys -> Lavasoft AB [Ver = 7.0.1.3 | Size = 8320 bytes | Created Date = 7/08/2007 1:58:08 PM | Attr =    ]
fidbox.dat -> %System32%\drivers\fidbox.dat ->  [Ver =  | Size = 4175904 bytes | Created Date = 1/10/2007 9:23:02 PM | Attr =  HS]
fidbox.idx -> %System32%\drivers\fidbox.idx ->  [Ver =  | Size = 48164 bytes | Created Date = 1/10/2007 9:23:02 PM | Attr =  HS]
klif.sys -> %System32%\drivers\klif.sys -> Kaspersky Lab [Ver = 7.0.0.122 | Size = 127768 bytes | Created Date = 1/10/2007 9:19:40 PM | Attr =    ]
NSDriver.sys -> %System32%\drivers\NSDriver.sys -> Lavasoft AB [Ver = 7.0.1.3 | Size = 9344 bytes | Created Date = 7/08/2007 1:56:58 PM | Attr =    ]
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 19, 2007, 02:38:29 PM
[Files/Folders - Modified Within 90 days]
1F.tmp -> %SystemDrive%\1F.tmp ->  [Ver =  | Size = 0 bytes | Modified Date = 20/08/2007 7:57:22 AM | Attr =    ]
21.tmp -> %SystemDrive%\21.tmp ->  [Ver =  | Size = 0 bytes | Modified Date = 20/08/2007 7:57:44 AM | Attr =    ]
22.tmp -> %SystemDrive%\22.tmp ->  [Ver =  | Size = 0 bytes | Modified Date = 20/08/2007 7:58:04 AM | Attr =    ]
23.tmp -> %SystemDrive%\23.tmp ->  [Ver =  | Size = 0 bytes | Modified Date = 20/08/2007 7:58:26 AM | Attr =    ]
audiograbber -> %SystemDrive%\audiograbber ->  [Folder | Modified Date = 15/08/2007 12:06:40 AM | Attr =    ]
bOoT.iNi -> %SystemDrive%\bOoT.iNi ->  [Ver =  | Size = 211 bytes | Modified Date = 11/10/2007 10:36:14 PM | Attr = RHS]
CleanUp452.exe -> %SystemDrive%\CleanUp452.exe ->  [Ver =  | Size = 168105 bytes | Modified Date = 5/09/2007 9:03:26 PM | Attr =    ]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\CleanUp452.exe:Zone.Identifier ->
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 11/10/2007 8:35:44 PM | Attr =  HS]
Documents and Settings -> %SystemDrive%\Documents and Settings ->  [Folder | Modified Date = 4/10/2007 9:11:22 PM | Attr =    ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 1071697920 bytes | Modified Date = 19/10/2007 9:22:00 AM | Attr =  HS]
hpqp.ini -> %SystemDrive%\hpqp.ini ->  [Ver =  | Size = 1405 bytes | Modified Date = 19/10/2007 9:22:56 AM | Attr =    ]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 11/10/2007 8:34:04 PM | Attr = R  ]
qoobox -> %SystemDrive%\qoobox ->  [Folder | Modified Date = 17/10/2007 10:53:42 PM | Attr =    ]
RegSeeker -> %SystemDrive%\RegSeeker ->  [Folder | Modified Date = 5/09/2007 7:47:40 PM | Attr =    ]
RegSeeker.zip -> %SystemDrive%\RegSeeker.zip ->  [Ver =  | Size = 450114 bytes | Modified Date = 5/09/2007 7:45:38 PM | Attr =    ]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\RegSeeker.zip:Zone.Identifier ->
SDFix -> %SystemDrive%\SDFix ->  [Folder | Modified Date = 16/10/2007 11:44:36 PM | Attr =    ]
sqmdata00.sqm -> %SystemDrive%\sqmdata00.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 29/08/2007 9:14:26 PM | Attr =  H ]
sqmnoopt00.sqm -> %SystemDrive%\sqmnoopt00.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 29/08/2007 9:14:26 PM | Attr =  H ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 9/10/2007 9:10:40 PM | Attr =  HS]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 19/10/2007 9:23:56 AM | Attr =    ]
XP_TV.ini -> %SystemDrive%\XP_TV.ini ->  [Ver =  | Size = 40 bytes | Modified Date = 19/10/2007 9:22:46 AM | Attr =    ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Modified Date = 10/10/2007 8:35:52 PM | Attr =    ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 10/10/2007 11:35:48 AM | Attr =  H ]
$NtUninstallKB921503$ -> %SystemRoot%\$NtUninstallKB921503$ ->  [Folder | Modified Date = 16/08/2007 8:13:40 AM | Attr =  H ]
$NtUninstallKB933360$ -> %SystemRoot%\$NtUninstallKB933360$ ->  [Folder | Modified Date = 29/08/2007 9:15:26 PM | Attr =  H ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ ->  [Folder | Modified Date = 10/10/2007 11:35:50 AM | Attr =  H ]
$NtUninstallKB936021$ -> %SystemRoot%\$NtUninstallKB936021$ ->  [Folder | Modified Date = 16/08/2007 8:13:50 AM | Attr =  H ]
$NtUninstallKB936782_WMP11$ -> %SystemRoot%\$NtUninstallKB936782_WMP11$ ->  [Folder | Modified Date = 16/08/2007 8:11:26 AM | Attr =  H ]
$NtUninstallKB938828$ -> %SystemRoot%\$NtUninstallKB938828$ ->  [Folder | Modified Date = 16/08/2007 8:13:46 AM | Attr =  H ]
$NtUninstallKB938829$ -> %SystemRoot%\$NtUninstallKB938829$ ->  [Folder | Modified Date = 16/08/2007 8:13:34 AM | Attr =  H ]
$NtUninstallKB939683$ -> %SystemRoot%\$NtUninstallKB939683$ ->  [Folder | Modified Date = 4/09/2007 7:46:02 PM | Attr =  H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ ->  [Folder | Modified Date = 10/10/2007 11:34:10 AM | Attr =  H ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 19/10/2007 9:22:06 AM | Attr =   S]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 135168 bytes | Modified Date = 28/09/2007 9:06:10 AM | Attr =    ]
cdplayer.ini -> %SystemRoot%\cdplayer.ini ->  [Ver =  | Size = 34 bytes | Modified Date = 13/10/2007 12:50:52 AM | Attr =    ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 11/10/2007 8:28:16 PM | Attr =   S]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 9/10/2007 9:15:06 PM | Attr =    ]
ERUNT -> %SystemRoot%\ERUNT ->  [Folder | Modified Date = 16/10/2007 11:19:02 PM | Attr =    ]
Fonts -> %SystemRoot%\Fonts ->  [Folder | Modified Date = 29/09/2007 9:28:28 PM | Attr = R S]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 29/09/2007 9:23:12 PM | Attr =    ]
ie7updates -> %SystemRoot%\ie7updates ->  [Folder | Modified Date = 10/10/2007 11:34:22 AM | Attr =    ]
imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1393 bytes | Modified Date = 10/10/2007 11:34:36 AM | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 10/10/2007 11:35:52 AM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 11/10/2007 8:28:14 PM | Attr =  HS]
Internet Logs -> %SystemRoot%\Internet Logs ->  [Folder | Modified Date = 19/10/2007 10:18:24 PM | Attr =    ]
Media -> %SystemRoot%\Media ->  [Folder | Modified Date = 29/09/2007 9:22:06 PM | Attr =    ]
Minidump -> %SystemRoot%\Minidump ->  [Folder | Modified Date = 9/10/2007 7:18:42 PM | Attr =    ]
msapps -> %SystemRoot%\msapps ->  [Folder | Modified Date = 29/09/2007 9:25:16 PM | Attr =    ]
network diagnostic -> %SystemRoot%\network diagnostic ->  [Folder | Modified Date = 6/09/2007 8:05:52 PM | Attr =    ]
ODBC.INI -> %SystemRoot%\ODBC.INI ->  [Ver =  | Size = 376 bytes | Modified Date = 29/09/2007 9:28:46 PM | Attr =    ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 19/10/2007 10:18:56 PM | Attr =    ]
pss -> %SystemRoot%\pss ->  [Folder | Modified Date = 11/10/2007 10:35:22 PM | Attr =    ]
Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 2/10/2007 9:15:20 PM | Attr =    ]
ShellNew -> %SystemRoot%\ShellNew ->  [Folder | Modified Date = 29/09/2007 9:28:10 PM | Attr =    ]
system -> %SystemRoot%\system ->  [Folder | Modified Date = 29/09/2007 9:25:16 PM | Attr =    ]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 227 bytes | Modified Date = 11/10/2007 10:36:14 PM | Attr =    ]
system32 -> %System32% ->  [Folder | Modified Date = 16/10/2007 11:06:22 PM | Attr =    ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 11/10/2007 11:20:54 PM | Attr =   S]
temp -> %SystemRoot%\temp ->  [Folder | Modified Date = 19/10/2007 9:29:28 PM | Attr =    ]
vbaddin.ini -> %SystemRoot%\vbaddin.ini ->  [Ver =  | Size = 59 bytes | Modified Date = 29/09/2007 9:23:12 PM | Attr =    ]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 658 bytes | Modified Date = 11/10/2007 10:36:14 PM | Attr =    ]
WinSxS -> %SystemRoot%\WinSxS ->  [Folder | Modified Date = 16/08/2007 8:11:50 AM | Attr =    ]
zllsputility.exe -> %SystemRoot%\zllsputility.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 75248 bytes | Modified Date = 6/09/2007 4:14:18 PM | Attr =    ]
AdwareAlert Scheduled Scan.job -> %SystemRoot%\tasks\AdwareAlert Scheduled Scan.job ->  [Ver =  | Size = 510 bytes | Modified Date = 4/10/2007 8:30:06 PM | Attr =    ]
HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job -> %SystemRoot%\tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job ->  [Ver =  | Size = 1034 bytes | Modified Date = 11/10/2007 11:20:54 PM | Attr =  H ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 19/10/2007 9:22:14 AM | Attr =  H ]
aswBoot.exe -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 6/09/2007 8:09:50 PM | Attr =    ]
AVASTSS.scr -> %System32%\AVASTSS.scr -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 95608 bytes | Modified Date = 6/09/2007 8:00:08 PM | Attr =    ]

Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 19, 2007, 02:38:50 PM
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 19/10/2007 10:04:16 PM | Attr =    ]
config -> %System32%\config ->  [Folder | Modified Date = 9/10/2007 9:15:16 PM | Attr =    ]
CONFIG.NT -> %System32%\CONFIG.NT ->  [Ver =  | Size = 2626 bytes | Modified Date = 11/09/2007 8:49:30 PM | Attr =    ]
dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 10/10/2007 11:35:50 AM | Attr = RHS]
drivers -> %System32%\drivers ->  [Folder | Modified Date = 17/10/2007 10:50:30 PM | Attr =    ]
DRVSTORE -> %System32%\DRVSTORE ->  [Folder | Modified Date = 5/09/2007 8:03:26 PM | Attr =    ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT ->  [Ver =  | Size = 350584 bytes | Modified Date = 10/10/2007 10:28:54 PM | Attr =    ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 24/09/2007 10:30:28 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Modified Date = 24/09/2007 11:31:42 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 24/09/2007 10:30:30 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Modified Date = 24/09/2007 11:31:42 PM | Attr =    ]
MRT.INI -> %System32%\MRT.INI ->  [Ver =  | Size = 118 bytes | Modified Date = 12/09/2007 2:43:32 PM | Attr =    ]
nvapps.xml -> %System32%\nvapps.xml ->  [Ver =  | Size = 51048 bytes | Modified Date = 19/10/2007 9:22:38 AM | Attr =    ]
perfc009.dat -> %System32%\perfc009.dat ->  [Ver =  | Size = 56124 bytes | Modified Date = 2/10/2007 8:28:44 PM | Attr =    ]
perfh009.dat -> %System32%\perfh009.dat ->  [Ver =  | Size = 391638 bytes | Modified Date = 2/10/2007 8:28:44 PM | Attr =    ]
Restore -> %System32%\Restore ->  [Folder | Modified Date = 9/10/2007 9:10:40 PM | Attr =    ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 5/10/2007 10:07:32 AM | Attr =    ]
vsconfig.xml -> %System32%\vsconfig.xml ->  [Ver =  | Size = 353247 bytes | Modified Date = 19/10/2007 9:22:36 AM | Attr =  H ]
vsdata.dll -> %System32%\vsdata.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 83432 bytes | Modified Date = 6/09/2007 4:14:04 PM | Attr =    ]
vsdatant.sys -> %System32%\vsdatant.sys -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 395080 bytes | Modified Date = 6/09/2007 4:14:28 PM | Attr =    ]
vsinit.dll -> %System32%\vsinit.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 157160 bytes | Modified Date = 6/09/2007 4:14:04 PM | Attr =    ]
vsmonapi.dll -> %System32%\vsmonapi.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 103912 bytes | Modified Date = 6/09/2007 4:14:04 PM | Attr =    ]
vspubapi.dll -> %System32%\vspubapi.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 275944 bytes | Modified Date = 6/09/2007 4:14:04 PM | Attr =    ]
vsregexp.dll -> %System32%\vsregexp.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 71144 bytes | Modified Date = 6/09/2007 4:14:04 PM | Attr =    ]
vsutil.dll -> %System32%\vsutil.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 472552 bytes | Modified Date = 6/09/2007 4:14:06 PM | Attr =    ]
vswmi.dll -> %System32%\vswmi.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 46568 bytes | Modified Date = 6/09/2007 4:14:06 PM | Attr =    ]
vsxml.dll -> %System32%\vsxml.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 99816 bytes | Modified Date = 6/09/2007 4:14:06 PM | Attr =    ]
wbem -> %System32%\wbem ->  [Folder | Modified Date = 2/10/2007 9:15:20 PM | Attr =    ]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 1158 bytes | Modified Date = 19/10/2007 9:22:54 AM | Attr =    ]
zlcomm.dll -> %System32%\zlcomm.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 83432 bytes | Modified Date = 6/09/2007 4:14:06 PM | Attr =    ]
zlcommdb.dll -> %System32%\zlcommdb.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 71144 bytes | Modified Date = 6/09/2007 4:14:08 PM | Attr =    ]
zllictbl.dat -> %System32%\zllictbl.dat ->  [Ver =  | Size = 4212 bytes | Modified Date = 1/10/2007 9:21:10 PM | Attr =  H ]
ZoneLabs -> %System32%\ZoneLabs ->  [Folder | Modified Date = 1/10/2007 9:22:58 PM | Attr =    ]
zpeng24.dll -> %System32%\zpeng24.dll -> Python Software Foundation [Ver = 2.4.2 | Size = 1086952 bytes | Modified Date = 6/09/2007 4:14:12 PM | Attr =    ]
aavmker4.sys -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 26624 bytes | Modified Date = 6/09/2007 8:00:54 PM | Attr =    ]
aswmon.sys -> %System32%\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 92848 bytes | Modified Date = 6/09/2007 8:05:26 PM | Attr =    ]
aswmon2.sys -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 94416 bytes | Modified Date = 6/09/2007 8:05:10 PM | Attr =    ]
aswRdr.sys -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 23152 bytes | Modified Date = 6/09/2007 8:03:02 PM | Attr =    ]
aswTdi.sys -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 42912 bytes | Modified Date = 6/09/2007 8:02:20 PM | Attr =    ]
AWRTRD.sys -> %System32%\drivers\AWRTRD.sys -> Lavasoft AB [Ver = 7.0.1.3 | Size = 8320 bytes | Modified Date = 7/08/2007 1:58:08 PM | Attr =    ]
etc -> %System32%\drivers\etc ->  [Folder | Modified Date = 9/10/2007 9:16:38 PM | Attr =    ]
fidbox.dat -> %System32%\drivers\fidbox.dat ->  [Ver =  | Size = 4175904 bytes | Modified Date = 19/10/2007 10:11:44 PM | Attr =  HS]
fidbox.idx -> %System32%\drivers\fidbox.idx ->  [Ver =  | Size = 48164 bytes | Modified Date = 18/10/2007 9:22:40 PM | Attr =  HS]
NSDriver.sys -> %System32%\drivers\NSDriver.sys -> Lavasoft AB [Ver = 7.0.1.3 | Size = 9344 bytes | Modified Date = 7/08/2007 1:56:58 PM | Attr =    ]
UMDF -> %System32%\drivers\UMDF ->  [Folder | Modified Date = 20/08/2007 5:35:58 PM | Attr =    ]

[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\CleanUp452.exe:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %SystemDrive%\RegSeeker.zip:Zone.Identifier ->
UPX! , UPX0 ,  -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 6/09/2007 8:09:50 PM | Attr =    ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41397 bytes | Modified Date = 5/08/2004 7:00:00 AM | Attr =    ]
PEC2 , PECompact2 ,  -> %System32%\DivX.dll -> DivXNetworks, Inc. [Ver = 5.2.1.1338 | Size = 716800 bytes | Modified Date = 22/09/2004 10:26:40 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 5/10/2007 10:07:32 AM | Attr =    ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 5/08/2004 7:00:00 AM | Attr =    ]
WSUD , UPX0 ,  -> %System32%\dllcache\hwxjpn.dll ->  [Ver =  | Size = 13463552 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr =    ]

< End of report >
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: mauserme on October 20, 2007, 06:46:33 AM
Sorry - I had to go away for a couple of days - back now...
No problem  :)

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote
[Files/Folders - Created Within 90 days]
NY -> 1F.tmp -> %SystemDrive%\1F.tmp
NY -> 21.tmp -> %SystemDrive%\21.tmp
NY -> 22.tmp -> %SystemDrive%\22.tmp
NY -> 23.tmp -> %SystemDrive%\23.tmp

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.

Also let me know of any problems you encounter performing these steps or any continuing problems you are having with the computer.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 20, 2007, 12:23:07 PM
Hi again,

No problem running the instructions - log of the paste fix here:

[Files/Folders - Created Within 90 days]
\1F.tmp moved successfully.
\21.tmp moved successfully.
\22.tmp moved successfully.
\23.tmp moved successfully.
< End of log >
Created on 10/20/2007 20:06:35
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 20, 2007, 12:24:29 PM
And here's the latest WinPFind3 log:

WinPFind3 logfile created on: 20/10/2007 8:13:12 PM
WinPFind3U by OldTimer - Version 1.0.42   Folder = C:\Documents and Settings\P & J Harmen\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
 
1021.98 Mb Total Physical Memory | 576.90 Mb Available Physical Memory | 56.45% Memory free
2.40 Gb Paging File | 1.96 Gb Available in Paging File | 81.75% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 82.89 Gb Total Space | 52.38 Gb Free Space | 63.19% Space Free
Drive D: | 9.24 Gb Total Space | 1.15 Gb Free Space | 12.40% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: PC147518913218
Current User Name: P & J Harmen
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 3 | Size = 574808 bytes | Modified Date = 25/09/2007 9:00:46 AM | Attr =    ]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 6/09/2007 8:06:10 PM | Attr =    ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 6/09/2007 8:05:42 PM | Attr =    ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 6/09/2007 8:06:04 PM | Attr =    ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 6/09/2007 8:04:44 PM | Attr =    ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 6/09/2007 7:54:58 PM | Attr =    ]
btstac~1.exe -> %ProgramFiles%\WIDCOMM\Bluetooth Software\BTStackServer.exe -> Broadcom Corporation. [Ver = 4.0.1.3500 | Size = 1265748 bytes | Modified Date = 12/05/2006 1:32:14 PM | Attr =    ]
bttray.exe -> %ProgramFiles%\WIDCOMM\Bluetooth Software\BTTray.exe -> Broadcom Corporation. [Ver = 4.0.1.3500 | Size = 581693 bytes | Modified Date = 12/05/2006 1:33:22 PM | Attr =    ]
btwdins.exe -> %ProgramFiles%\WIDCOMM\Bluetooth Software\bin\btwdins.exe -> Broadcom Corporation. [Ver = 4.0.1.3500 | Size = 258103 bytes | Modified Date = 12/05/2006 1:27:16 PM | Attr =    ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 15/07/2007 2:26:06 PM | Attr =    ]
hp wireless assistant.exe -> %ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe -> Hewlett-Packard Development Company, L.P. [Ver = 2, 0, 7, 2 | Size = 458752 bytes | Modified Date = 4/05/2006 3:58:26 PM | Attr =    ]
hpcmpmgr.exe -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 12/01/2005 2:54:58 PM | Attr =    ]
hpqimzone.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqimzone.exe -> Hewlett-Packard Development Company, L.P. [Ver = 060.000.155.000 | Size = 475136 bytes | Modified Date = 25/09/2005 1:42:32 AM | Attr =    ]
hpqtra08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 5.31.0.147 | Size = 233472 bytes | Modified Date = 7/07/2003 1:20:40 AM | Attr =    ]
hpqwmiex.exe -> %ProgramFiles%\Hewlett-Packard\Shared\hpqwmiex.exe -> Hewlett-Packard Development Company, L.P. [Ver = 2, 0, 1, 9 | Size = 135168 bytes | Modified Date = 2/05/2006 5:41:28 PM | Attr =    ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Co. [Ver = 50.0.146.000 | Size = 49152 bytes | Modified Date = 16/02/2005 11:11:42 PM | Attr =    ]
khalmnpr.exe -> %CommonProgramFiles%\Logitech\KHAL\KHALMNPR.EXE -> Logitech Inc. [Ver = 2.44.413 | Size = 28160 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
lbtserv.exe -> %CommonProgramFiles%\Logitech\Bluetooth\LBTSERV.EXE -> Logitech Inc. [Ver = 2.44.460 | Size = 81920 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
lbtwiz.exe -> %ProgramFiles%\Logitech\SetPoint\LBTWiz.exe -> Logitech Inc. [Ver = 1.0.0.1 | Size = 28160 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
logitechdesktopmessenger.exe -> %ProgramFiles%\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe -> Logitech Inc. [Ver = 2.52.21.16 | Size = 67128 bytes | Modified Date = 15/02/2007 2:47:54 PM | Attr =    ]
lssrvc.exe -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.4.97.1 | Size = 49152 bytes | Modified Date = 18/05/2006 6:52:06 PM | Attr =    ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.8602 | Size = 143426 bytes | Modified Date = 20/07/2006 3:58:00 PM | Attr =    ]
qlbctrl.exe -> %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe ->  Hewlett-Packard Development Company, L.P. [Ver = 6, 1, 1, 2 | Size = 163840 bytes | Modified Date = 19/06/2006 1:33:12 PM | Attr =    ]
qpservice.exe -> %ProgramFiles%\HP\QuickPlay\QPService.exe -> CyberLink Corp. [Ver = 4.5.0.0000 | Size = 102400 bytes | Modified Date = 19/07/2006 5:14:20 PM | Attr =    ]
rainlendar2.exe -> %ProgramFiles%\Rainlendar2\Rainlendar2.exe ->  [Ver = 2, 2, 0, 0 | Size = 1298432 bytes | Modified Date = 24/07/2007 5:12:56 PM | Attr =    ]
setpoint.exe -> %ProgramFiles%\Logitech\SetPoint\SetPoint.exe -> Logitech Inc. [Ver = 2.44.460 | Size = 528384 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.3.8 16Jun06 | Size = 794713 bytes | Modified Date = 17/06/2006 3:22:46 PM | Attr =    ]
vsmon.exe -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 75304 bytes | Modified Date = 6/09/2007 4:14:18 PM | Attr =    ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 4/09/2007 10:47:26 AM | Attr =    ]
zlclient.exe -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 919016 bytes | Modified Date = 6/09/2007 4:14:18 PM | Attr =    ]
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 20, 2007, 12:27:15 PM
[Win32 Services - Non-Microsoft Only]
(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 3 | Size = 574808 bytes | Modified Date = 25/09/2007 9:00:46 AM | Attr =    ]
(AddFiltr) AddFiltr [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -> Hewlett-Packard Development Company, L.P. [Ver = 1.0.0.1 | Size = 126976 bytes | Modified Date = 12/06/2006 3:27:28 PM | Attr =    ]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 6/09/2007 7:54:58 PM | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 6/09/2007 8:06:04 PM | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 6/09/2007 8:05:42 PM | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 6/09/2007 8:04:44 PM | Attr =    ]
(btwdins) Bluetooth Service [Win32_Own | Auto | Running] -> %ProgramFiles%\WIDCOMM\Bluetooth Software\bin\btwdins.exe -> Broadcom Corporation. [Ver = 4.0.1.3500 | Size = 258103 bytes | Modified Date = 12/05/2006 1:27:16 PM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 5/08/2004 7:00:00 AM | Attr =    ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 2/02/2007 9:08:04 AM | Attr =    ]
(hpqwmiex) hpqwmiex [Win32_Own | Auto | Running] -> %ProgramFiles%\Hewlett-Packard\Shared\hpqwmiex.exe -> Hewlett-Packard Development Company, L.P. [Ver = 2, 0, 1, 9 | Size = 135168 bytes | Modified Date = 2/05/2006 5:41:28 PM | Attr =    ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 10.50.125 | Size = 73728 bytes | Modified Date = 22/10/2004 5:24:18 AM | Attr =    ]
(LBTServ) Logitech Bluetooth Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Logitech\Bluetooth\LBTSERV.EXE -> Logitech Inc. [Ver = 2.44.460 | Size = 81920 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
(LightScribeService) LightScribeService Direct Disc Labeling Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.4.97.1 | Size = 49152 bytes | Modified Date = 18/05/2006 6:52:06 PM | Attr =    ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.8602 | Size = 143426 bytes | Modified Date = 20/07/2006 3:58:00 PM | Attr =    ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Unknown | Stopped] ->  -> File not found
(ServiceLayer) ServiceLayer [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\PC Connectivity Solution\ServiceLayer.exe -> Nokia. [Ver = 6, 83, 78, 3 | Size = 292864 bytes | Modified Date = 26/03/2007 1:06:24 PM | Attr =    ]
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Running] -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 75304 bytes | Modified Date = 6/09/2007 4:14:18 PM | Attr =    ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 6/09/2007 8:06:10 PM | Attr =    ]
Cpqset -> %ProgramFiles%\Hewlett-Packard\Default Settings\Cpqset.exe ->  [Ver =  | Size = 40960 bytes | Modified Date = 19/06/2006 12:50:40 PM | Attr =    ]
High Definition Audio Property Page Shortcut -> %System32%\CHDAudPropShortcut.exe -> Windows (R) Server 2003 DDK provider [Ver = 5.10.00.5010 built by: WinDDK | Size = 61952 bytes | Modified Date = 27/07/2006 10:44:56 PM | Attr =    ]
HP Component Manager -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 12/01/2005 2:54:58 PM | Attr =    ]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Co. [Ver = 50.0.146.000 | Size = 49152 bytes | Modified Date = 16/02/2005 11:11:42 PM | Attr =    ]
hpWirelessAssistant -> %ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe -> Hewlett-Packard Development Company, L.P. [Ver = 2, 0, 7, 2 | Size = 458752 bytes | Modified Date = 4/05/2006 3:58:26 PM | Attr =    ]
Logitech BT Wizard -> LBTWiz.exe -> File not found
Logitech Hardware Abstraction Layer -> %SystemRoot%\KHALMNPR.Exe -> Logitech Inc. [Ver = 2.44.413 | Size = 28160 bytes | Modified Date = 12/08/2005 11:28:04 PM | Attr =    ]
MsmqIntCert -> regsvr32 /s mqrt.dll [regsvr32 /s mqrt.dll] -> File not found
MSPY2002 -> %System32%\IME\PINTLGNT\IMSCINST.EXE ->  [Ver =  | Size = 59392 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr =    ]
NvCplDaemon -> %System32%\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.8602 | Size = 7581696 bytes | Modified Date = 20/07/2006 3:58:00 PM | Attr =    ]
NvMediaCenter -> %System32%\nvmctray.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit] -> NVIDIA Corporation [Ver = 6.14.10.8602 | Size = 86016 bytes | Modified Date = 20/07/2006 3:58:00 PM | Attr =    ]
nwiz -> %System32%\nwiz.exe ->  [Ver =  | Size = 1519616 bytes | Modified Date = 20/07/2006 3:58:00 PM | Attr =    ]
QlbCtrl -> HP Quick Launch Buttons\QlbCtrl.exe -> File not found
QPService -> %ProgramFiles%\HP\QuickPlay\QPService.exe -> CyberLink Corp. [Ver = 4.5.0.0000 | Size = 102400 bytes | Modified Date = 19/07/2006 5:14:20 PM | Attr =    ]
RecGuard -> %SystemRoot%\SMINST\Recguard.exe ->  [Ver = 6, 0, 66, 5 | Size = 1187840 bytes | Modified Date = 11/10/2005 12:23:50 PM | Attr =    ]
SynTPEnh -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.3.8 16Jun06 | Size = 794713 bytes | Modified Date = 17/06/2006 3:22:46 PM | Attr =    ]
ZoneAlarm Client -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 919016 bytes | Modified Date = 6/09/2007 4:14:18 PM | Attr =    ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
LDM -> %ProgramFiles%\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe -> Logitech Inc. [Ver = 2.52.21.16 | Size = 67128 bytes | Modified Date = 15/02/2007 2:47:54 PM | Attr =    ]
Rainlendar2 -> %ProgramFiles%\Rainlendar2\Rainlendar2.exe ->  [Ver = 2, 2, 0, 0 | Size = 1298432 bytes | Modified Date = 24/07/2007 5:12:56 PM | Attr =    ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 15/07/2007 2:26:06 PM | Attr =    ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Bluetooth.lnk -> %ProgramFiles%\WIDCOMM\Bluetooth Software\BTTray.exe -> Broadcom Corporation. [Ver = 4.0.1.3500 | Size = 581693 bytes | Modified Date = 12/05/2006 1:33:22 PM | Attr =    ]
%AllUsersStartup%\HP Digital Imaging Monitor.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 5.31.0.147 | Size = 233472 bytes | Modified Date = 7/07/2003 1:20:40 AM | Attr =    ]
%AllUsersStartup%\HP Photosmart Premier Fast Start.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqthb08.exe -> Hewlett-Packard Development Company, L.P. [Ver = 060.000.155.000 | Size = 73728 bytes | Modified Date = 25/09/2005 2:39:30 AM | Attr =    ]
%AllUsersStartup%\Logitech Desktop Messenger.lnk -> %ProgramFiles%\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe -> Logitech Inc. [Ver = 2.52.21.16 | Size = 67128 bytes | Modified Date = 15/02/2007 2:47:54 PM | Attr =    ]
%AllUsersStartup%\Logitech SetPoint.lnk -> %ProgramFiles%\Logitech\SetPoint\SetPoint.exe -> Logitech Inc. [Ver = 2.44.460 | Size = 528384 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
LBTWlgn -> %CommonProgramFiles%\Logitech\bluetooth\LBTWlgn.DLL -> Logitech Inc. [Ver = 2.44.460 | Size = 53248 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 20, 2007, 12:30:41 PM
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoCDBurning -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\\{17492023-C23A-453E-A040-C7C580BBF700} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ ->  ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\\NoCloseDragDropBands -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\\NoMovingBands -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\ClassicShell -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispBackgroundPage -> 0 ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1       localhost ->  ->
< Internet Explorer Settings > ->  ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> http://www.news.com.au/couriermail/ ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 20, 2007, 12:31:26 PM
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] ->  ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 22/10/2006 11:08:42 PM | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 25/09/2007 1:11:34 AM | Attr =    ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 19/01/2007 11:55:32 PM | Attr = R  ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 0, 301, 7164 | Size = 325048 bytes | Modified Date = 15/07/2007 2:26:04 PM | Attr =    ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 19/01/2007 11:55:32 PM | Attr = R  ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 19/01/2007 11:55:32 PM | Attr = R  ]
WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 25/09/2007 1:11:34 AM | Attr =    ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 25/09/2007 1:11:34 AM | Attr =    ]
{CCA281CA-C863-46ef-9331-5C8D4460577F} -> %ProgramFiles%\WIDCOMM\Bluetooth Software\btsendto_ie.htm [ButtonText: @btrez.dll,-4015] ->  [Ver =  | Size = 2681 bytes | Modified Date = 29/05/2003 1:53:08 PM | Attr =    ]
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
Send To &Bluetooth -> %ProgramFiles%\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ->  [Ver =  | Size = 1320 bytes | Modified Date = 29/05/2003 1:53:12 PM | Attr =    ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{3D341A4A-EF1A-4CEB-B567-2E56A4A974B7} ->    () ->
{55B58AFF-43F5-42DD-8B79-44628A7E962F} ->    (Intel(R) PRO/Wireless 3945ABG Network Connection) ->
{BEB5A92E-A08B-41A2-BB78-ED5FDEA613AA} ->    (1394 Net Adapter) ->
{D3555E08-C09C-48D4-AE59-F85D375BC96A} ->    () ->
{EF23EDA7-9639-4DDC-855F-155917565956} ->    (Intel(R) PRO/1000 PL Network Connection) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
bwfile-8876480 -> %ProgramFiles%\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll -> Logitech Inc. [Ver = Version 8.1.1 (Build 50R) | Size = 28711 bytes | Modified Date = 15/02/2007 2:47:54 PM | Attr =    ]
cetihpz -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll -> Hewlett-Packard Company [Ver = 2.1.6.2 | Size = 81920 bytes | Modified Date = 12/01/2005 2:54:56 PM | Attr =    ]
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{14C1B87C-3342-445F-9B5E-365FF330A3AC} -> Hewlett-Packard Online Support Services - CodeBase = http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161139718942 ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_03 - CodeBase = http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab ->
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab ->
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 20, 2007, 12:33:21 PM
[Files/Folders - Created Within 90 days]
audiograbber -> %SystemDrive%\audiograbber ->  [Folder | Created Date = 12/08/2007 8:01:17 PM | Attr =    ]
CleanUp452.exe -> %SystemDrive%\CleanUp452.exe ->  [Ver =  | Size = 168105 bytes | Created Date = 5/09/2007 7:35:38 PM | Attr =    ]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\CleanUp452.exe:Zone.Identifier ->
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Created Date = 11/10/2007 8:21:40 PM | Attr =  HS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 1071697920 bytes | Created Date = 2/01/1601 2:00:00 PM | Attr =  HS]
qoobox -> %SystemDrive%\qoobox ->  [Folder | Created Date = 9/10/2007 9:11:06 PM | Attr =    ]
RegSeeker -> %SystemDrive%\RegSeeker ->  [Folder | Created Date = 5/09/2007 7:47:38 PM | Attr =    ]
RegSeeker.zip -> %SystemDrive%\RegSeeker.zip ->  [Ver =  | Size = 450114 bytes | Created Date = 5/09/2007 7:45:33 PM | Attr =    ]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\RegSeeker.zip:Zone.Identifier ->
SDFix -> %SystemDrive%\SDFix ->  [Folder | Created Date = 16/10/2007 11:17:50 PM | Attr =    ]
sqmdata00.sqm -> %SystemDrive%\sqmdata00.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 29/08/2007 9:14:24 PM | Attr =  H ]
sqmnoopt00.sqm -> %SystemDrive%\sqmnoopt00.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 29/08/2007 9:14:24 PM | Attr =  H ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Created Date = 10/10/2007 8:35:50 PM | Attr =    ]
$NtUninstallKB921503$ -> %SystemRoot%\$NtUninstallKB921503$ ->  [Folder | Created Date = 16/08/2007 8:13:37 AM | Attr =  H ]
$NtUninstallKB933360$ -> %SystemRoot%\$NtUninstallKB933360$ ->  [Folder | Created Date = 29/08/2007 9:15:23 PM | Attr =  H ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ ->  [Folder | Created Date = 10/10/2007 11:35:47 AM | Attr =  H ]
$NtUninstallKB936021$ -> %SystemRoot%\$NtUninstallKB936021$ ->  [Folder | Created Date = 16/08/2007 8:13:48 AM | Attr =  H ]
$NtUninstallKB936782_WMP11$ -> %SystemRoot%\$NtUninstallKB936782_WMP11$ ->  [Folder | Created Date = 16/08/2007 8:11:18 AM | Attr =  H ]
$NtUninstallKB938828$ -> %SystemRoot%\$NtUninstallKB938828$ ->  [Folder | Created Date = 16/08/2007 8:13:43 AM | Attr =  H ]
$NtUninstallKB938829$ -> %SystemRoot%\$NtUninstallKB938829$ ->  [Folder | Created Date = 16/08/2007 8:13:32 AM | Attr =  H ]
$NtUninstallKB939683$ -> %SystemRoot%\$NtUninstallKB939683$ ->  [Folder | Created Date = 4/09/2007 7:45:59 PM | Attr =  H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ ->  [Folder | Created Date = 10/10/2007 11:34:07 AM | Attr =  H ]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 135168 bytes | Created Date = 9/10/2007 9:10:35 PM | Attr =    ]
cdplayer.ini -> %SystemRoot%\cdplayer.ini ->  [Ver =  | Size = 34 bytes | Created Date = 12/08/2007 10:44:27 PM | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 9/10/2007 9:10:51 PM | Attr =    ]
ERUNT -> %SystemRoot%\ERUNT ->  [Folder | Created Date = 16/10/2007 11:19:00 PM | Attr =    ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 9/10/2007 9:04:28 PM | Attr =    ]
ODBC.INI -> %SystemRoot%\ODBC.INI ->  [Ver =  | Size = 376 bytes | Created Date = 29/09/2007 9:23:21 PM | Attr =    ]
pss -> %SystemRoot%\pss ->  [Folder | Created Date = 5/09/2007 9:33:17 PM | Attr =    ]
ShellNew -> %SystemRoot%\ShellNew ->  [Folder | Created Date = 29/09/2007 9:21:08 PM | Attr =    ]
temp -> %SystemRoot%\temp ->  [Folder | Created Date = 4/10/2007 9:12:58 PM | Attr =    ]
AdwareAlert Scheduled Scan.job -> %SystemRoot%\tasks\AdwareAlert Scheduled Scan.job ->  [Ver =  | Size = 510 bytes | Created Date = 2/10/2007 10:40:22 PM | Attr =    ]
HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job -> %SystemRoot%\tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job ->  [Ver =  | Size = 1034 bytes | Created Date = 4/10/2007 10:44:31 PM | Attr =  H ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 11/10/2007 8:27:12 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Created Date = 11/10/2007 8:27:12 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 11/10/2007 8:27:12 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Created Date = 11/10/2007 8:27:12 PM | Attr =    ]
MRT.INI -> %System32%\MRT.INI ->  [Ver =  | Size = 118 bytes | Created Date = 12/09/2007 2:43:30 PM | Attr =    ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 9/10/2007 9:10:35 PM | Attr =    ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 9/10/2007 9:10:35 PM | Attr =    ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 9/10/2007 9:10:35 PM | Attr =    ]
VFind.exe -> %System32%\VFind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 9/10/2007 9:10:35 PM | Attr =    ]
fpencode.dll -> %System32%\dllcache\fpencode.dll ->  [Ver =  | Size = 94208 bytes | Created Date = 29/09/2007 9:22:44 PM | Attr =    ]
AvgArCln.sys -> %System32%\drivers\AvgArCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 11/10/2007 8:34:03 PM | Attr =    ]
AWRTRD.sys -> %System32%\drivers\AWRTRD.sys -> Lavasoft AB [Ver = 7.0.1.3 | Size = 8320 bytes | Created Date = 7/08/2007 1:58:08 PM | Attr =    ]
fidbox.dat -> %System32%\drivers\fidbox.dat ->  [Ver =  | Size = 4216864 bytes | Created Date = 1/10/2007 9:23:02 PM | Attr =  HS]
fidbox.idx -> %System32%\drivers\fidbox.idx ->  [Ver =  | Size = 50276 bytes | Created Date = 1/10/2007 9:23:02 PM | Attr =  HS]
klif.sys -> %System32%\drivers\klif.sys -> Kaspersky Lab [Ver = 7.0.0.122 | Size = 127768 bytes | Created Date = 1/10/2007 9:19:40 PM | Attr =    ]
NSDriver.sys -> %System32%\drivers\NSDriver.sys -> Lavasoft AB [Ver = 7.0.1.3 | Size = 9344 bytes | Created Date = 7/08/2007 1:56:58 PM | Attr =    ]
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 20, 2007, 12:34:25 PM
[Files/Folders - Modified Within 90 days]
audiograbber -> %SystemDrive%\audiograbber ->  [Folder | Modified Date = 15/08/2007 12:06:40 AM | Attr =    ]
bOoT.iNi -> %SystemDrive%\bOoT.iNi ->  [Ver =  | Size = 211 bytes | Modified Date = 11/10/2007 10:36:14 PM | Attr = RHS]
CleanUp452.exe -> %SystemDrive%\CleanUp452.exe ->  [Ver =  | Size = 168105 bytes | Modified Date = 5/09/2007 9:03:26 PM | Attr =    ]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\CleanUp452.exe:Zone.Identifier ->
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 11/10/2007 8:35:44 PM | Attr =  HS]
Documents and Settings -> %SystemDrive%\Documents and Settings ->  [Folder | Modified Date = 4/10/2007 9:11:22 PM | Attr =    ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 1071697920 bytes | Modified Date = 20/10/2007 7:28:32 PM | Attr =  HS]
hpqp.ini -> %SystemDrive%\hpqp.ini ->  [Ver =  | Size = 1405 bytes | Modified Date = 20/10/2007 7:29:22 PM | Attr =    ]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 11/10/2007 8:34:04 PM | Attr = R  ]
qoobox -> %SystemDrive%\qoobox ->  [Folder | Modified Date = 17/10/2007 10:53:42 PM | Attr =    ]
RegSeeker -> %SystemDrive%\RegSeeker ->  [Folder | Modified Date = 5/09/2007 7:47:40 PM | Attr =    ]
RegSeeker.zip -> %SystemDrive%\RegSeeker.zip ->  [Ver =  | Size = 450114 bytes | Modified Date = 5/09/2007 7:45:38 PM | Attr =    ]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\RegSeeker.zip:Zone.Identifier ->
SDFix -> %SystemDrive%\SDFix ->  [Folder | Modified Date = 16/10/2007 11:44:36 PM | Attr =    ]
sqmdata00.sqm -> %SystemDrive%\sqmdata00.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 29/08/2007 9:14:26 PM | Attr =  H ]
sqmnoopt00.sqm -> %SystemDrive%\sqmnoopt00.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 29/08/2007 9:14:26 PM | Attr =  H ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 9/10/2007 9:10:40 PM | Attr =  HS]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 20/10/2007 7:30:10 PM | Attr =    ]
XP_TV.ini -> %SystemDrive%\XP_TV.ini ->  [Ver =  | Size = 40 bytes | Modified Date = 20/10/2007 7:29:14 PM | Attr =    ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Modified Date = 10/10/2007 8:35:52 PM | Attr =    ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 10/10/2007 11:35:48 AM | Attr =  H ]
$NtUninstallKB921503$ -> %SystemRoot%\$NtUninstallKB921503$ ->  [Folder | Modified Date = 16/08/2007 8:13:40 AM | Attr =  H ]
$NtUninstallKB933360$ -> %SystemRoot%\$NtUninstallKB933360$ ->  [Folder | Modified Date = 29/08/2007 9:15:26 PM | Attr =  H ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ ->  [Folder | Modified Date = 10/10/2007 11:35:50 AM | Attr =  H ]
$NtUninstallKB936021$ -> %SystemRoot%\$NtUninstallKB936021$ ->  [Folder | Modified Date = 16/08/2007 8:13:50 AM | Attr =  H ]
$NtUninstallKB936782_WMP11$ -> %SystemRoot%\$NtUninstallKB936782_WMP11$ ->  [Folder | Modified Date = 16/08/2007 8:11:26 AM | Attr =  H ]
$NtUninstallKB938828$ -> %SystemRoot%\$NtUninstallKB938828$ ->  [Folder | Modified Date = 16/08/2007 8:13:46 AM | Attr =  H ]
$NtUninstallKB938829$ -> %SystemRoot%\$NtUninstallKB938829$ ->  [Folder | Modified Date = 16/08/2007 8:13:34 AM | Attr =  H ]
$NtUninstallKB939683$ -> %SystemRoot%\$NtUninstallKB939683$ ->  [Folder | Modified Date = 4/09/2007 7:46:02 PM | Attr =  H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ ->  [Folder | Modified Date = 10/10/2007 11:34:10 AM | Attr =  H ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 20/10/2007 7:28:38 PM | Attr =   S]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 135168 bytes | Modified Date = 28/09/2007 9:06:10 AM | Attr =    ]
cdplayer.ini -> %SystemRoot%\cdplayer.ini ->  [Ver =  | Size = 34 bytes | Modified Date = 13/10/2007 12:50:52 AM | Attr =    ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 11/10/2007 8:28:16 PM | Attr =   S]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 9/10/2007 9:15:06 PM | Attr =    ]
ERUNT -> %SystemRoot%\ERUNT ->  [Folder | Modified Date = 16/10/2007 11:19:02 PM | Attr =    ]
Fonts -> %SystemRoot%\Fonts ->  [Folder | Modified Date = 29/09/2007 9:28:28 PM | Attr = R S]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 29/09/2007 9:23:12 PM | Attr =    ]
ie7updates -> %SystemRoot%\ie7updates ->  [Folder | Modified Date = 10/10/2007 11:34:22 AM | Attr =    ]
imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1393 bytes | Modified Date = 10/10/2007 11:34:36 AM | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 10/10/2007 11:35:52 AM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 11/10/2007 8:28:14 PM | Attr =  HS]
Internet Logs -> %SystemRoot%\Internet Logs ->  [Folder | Modified Date = 20/10/2007 8:03:54 PM | Attr =    ]
Media -> %SystemRoot%\Media ->  [Folder | Modified Date = 29/09/2007 9:22:06 PM | Attr =    ]
Minidump -> %SystemRoot%\Minidump ->  [Folder | Modified Date = 9/10/2007 7:18:42 PM | Attr =    ]
msapps -> %SystemRoot%\msapps ->  [Folder | Modified Date = 29/09/2007 9:25:16 PM | Attr =    ]
network diagnostic -> %SystemRoot%\network diagnostic ->  [Folder | Modified Date = 6/09/2007 8:05:52 PM | Attr =    ]
ODBC.INI -> %SystemRoot%\ODBC.INI ->  [Ver =  | Size = 376 bytes | Modified Date = 29/09/2007 9:28:46 PM | Attr =    ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 20/10/2007 8:08:42 PM | Attr =    ]
pss -> %SystemRoot%\pss ->  [Folder | Modified Date = 11/10/2007 10:35:22 PM | Attr =    ]
Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 2/10/2007 9:15:20 PM | Attr =    ]
ShellNew -> %SystemRoot%\ShellNew ->  [Folder | Modified Date = 29/09/2007 9:28:10 PM | Attr =    ]
system -> %SystemRoot%\system ->  [Folder | Modified Date = 29/09/2007 9:25:16 PM | Attr =    ]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 227 bytes | Modified Date = 11/10/2007 10:36:14 PM | Attr =    ]
system32 -> %System32% ->  [Folder | Modified Date = 16/10/2007 11:06:22 PM | Attr =    ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 11/10/2007 11:20:54 PM | Attr =   S]
temp -> %SystemRoot%\temp ->  [Folder | Modified Date = 20/10/2007 7:30:16 PM | Attr =    ]
vbaddin.ini -> %SystemRoot%\vbaddin.ini ->  [Ver =  | Size = 59 bytes | Modified Date = 29/09/2007 9:23:12 PM | Attr =    ]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 658 bytes | Modified Date = 11/10/2007 10:36:14 PM | Attr =    ]
WinSxS -> %SystemRoot%\WinSxS ->  [Folder | Modified Date = 16/08/2007 8:11:50 AM | Attr =    ]
zllsputility.exe -> %SystemRoot%\zllsputility.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 75248 bytes | Modified Date = 6/09/2007 4:14:18 PM | Attr =    ]
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 20, 2007, 12:35:39 PM
AdwareAlert Scheduled Scan.job -> %SystemRoot%\tasks\AdwareAlert Scheduled Scan.job ->  [Ver =  | Size = 510 bytes | Modified Date = 4/10/2007 8:30:06 PM | Attr =    ]
HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job -> %SystemRoot%\tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job ->  [Ver =  | Size = 1034 bytes | Modified Date = 11/10/2007 11:20:54 PM | Attr =  H ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 20/10/2007 7:28:46 PM | Attr =  H ]
aswBoot.exe -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 6/09/2007 8:09:50 PM | Attr =    ]
AVASTSS.scr -> %System32%\AVASTSS.scr -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 95608 bytes | Modified Date = 6/09/2007 8:00:08 PM | Attr =    ]
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 19/10/2007 10:50:18 PM | Attr =    ]
config -> %System32%\config ->  [Folder | Modified Date = 9/10/2007 9:15:16 PM | Attr =    ]
CONFIG.NT -> %System32%\CONFIG.NT ->  [Ver =  | Size = 2626 bytes | Modified Date = 11/09/2007 8:49:30 PM | Attr =    ]
dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 10/10/2007 11:35:50 AM | Attr = RHS]
drivers -> %System32%\drivers ->  [Folder | Modified Date = 17/10/2007 10:50:30 PM | Attr =    ]
DRVSTORE -> %System32%\DRVSTORE ->  [Folder | Modified Date = 5/09/2007 8:03:26 PM | Attr =    ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT ->  [Ver =  | Size = 350584 bytes | Modified Date = 10/10/2007 10:28:54 PM | Attr =    ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 24/09/2007 10:30:28 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Modified Date = 24/09/2007 11:31:42 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 24/09/2007 10:30:30 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Modified Date = 24/09/2007 11:31:42 PM | Attr =    ]
MRT.INI -> %System32%\MRT.INI ->  [Ver =  | Size = 118 bytes | Modified Date = 12/09/2007 2:43:32 PM | Attr =    ]
nvapps.xml -> %System32%\nvapps.xml ->  [Ver =  | Size = 51048 bytes | Modified Date = 20/10/2007 7:29:08 PM | Attr =    ]
perfc009.dat -> %System32%\perfc009.dat ->  [Ver =  | Size = 56124 bytes | Modified Date = 2/10/2007 8:28:44 PM | Attr =    ]
perfh009.dat -> %System32%\perfh009.dat ->  [Ver =  | Size = 391638 bytes | Modified Date = 2/10/2007 8:28:44 PM | Attr =    ]
Restore -> %System32%\Restore ->  [Folder | Modified Date = 9/10/2007 9:10:40 PM | Attr =    ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 5/10/2007 10:07:32 AM | Attr =    ]
vsconfig.xml -> %System32%\vsconfig.xml ->  [Ver =  | Size = 353247 bytes | Modified Date = 20/10/2007 7:29:06 PM | Attr =  H ]
vsdata.dll -> %System32%\vsdata.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 83432 bytes | Modified Date = 6/09/2007 4:14:04 PM | Attr =    ]
vsdatant.sys -> %System32%\vsdatant.sys -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 395080 bytes | Modified Date = 6/09/2007 4:14:28 PM | Attr =    ]
vsinit.dll -> %System32%\vsinit.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 157160 bytes | Modified Date = 6/09/2007 4:14:04 PM | Attr =    ]
vsmonapi.dll -> %System32%\vsmonapi.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 103912 bytes | Modified Date = 6/09/2007 4:14:04 PM | Attr =    ]
vspubapi.dll -> %System32%\vspubapi.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 275944 bytes | Modified Date = 6/09/2007 4:14:04 PM | Attr =    ]
vsregexp.dll -> %System32%\vsregexp.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 71144 bytes | Modified Date = 6/09/2007 4:14:04 PM | Attr =    ]
vsutil.dll -> %System32%\vsutil.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 472552 bytes | Modified Date = 6/09/2007 4:14:06 PM | Attr =    ]
vswmi.dll -> %System32%\vswmi.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 46568 bytes | Modified Date = 6/09/2007 4:14:06 PM | Attr =    ]
vsxml.dll -> %System32%\vsxml.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 99816 bytes | Modified Date = 6/09/2007 4:14:06 PM | Attr =    ]
wbem -> %System32%\wbem ->  [Folder | Modified Date = 2/10/2007 9:15:20 PM | Attr =    ]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 1158 bytes | Modified Date = 20/10/2007 7:29:18 PM | Attr =    ]
zlcomm.dll -> %System32%\zlcomm.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 83432 bytes | Modified Date = 6/09/2007 4:14:06 PM | Attr =    ]
zlcommdb.dll -> %System32%\zlcommdb.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 71144 bytes | Modified Date = 6/09/2007 4:14:08 PM | Attr =    ]
zllictbl.dat -> %System32%\zllictbl.dat ->  [Ver =  | Size = 4212 bytes | Modified Date = 1/10/2007 9:21:10 PM | Attr =  H ]
ZoneLabs -> %System32%\ZoneLabs ->  [Folder | Modified Date = 1/10/2007 9:22:58 PM | Attr =    ]
zpeng24.dll -> %System32%\zpeng24.dll -> Python Software Foundation [Ver = 2.4.2 | Size = 1086952 bytes | Modified Date = 6/09/2007 4:14:12 PM | Attr =    ]
aavmker4.sys -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 26624 bytes | Modified Date = 6/09/2007 8:00:54 PM | Attr =    ]
aswmon.sys -> %System32%\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 92848 bytes | Modified Date = 6/09/2007 8:05:26 PM | Attr =    ]
aswmon2.sys -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 94416 bytes | Modified Date = 6/09/2007 8:05:10 PM | Attr =    ]
aswRdr.sys -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 23152 bytes | Modified Date = 6/09/2007 8:03:02 PM | Attr =    ]
aswTdi.sys -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 42912 bytes | Modified Date = 6/09/2007 8:02:20 PM | Attr =    ]
AWRTRD.sys -> %System32%\drivers\AWRTRD.sys -> Lavasoft AB [Ver = 7.0.1.3 | Size = 8320 bytes | Modified Date = 7/08/2007 1:58:08 PM | Attr =    ]
etc -> %System32%\drivers\etc ->  [Folder | Modified Date = 9/10/2007 9:16:38 PM | Attr =    ]
fidbox.dat -> %System32%\drivers\fidbox.dat ->  [Ver =  | Size = 4216864 bytes | Modified Date = 20/10/2007 8:08:44 PM | Attr =  HS]
fidbox.idx -> %System32%\drivers\fidbox.idx ->  [Ver =  | Size = 50276 bytes | Modified Date = 20/10/2007 10:56:34 AM | Attr =  HS]
NSDriver.sys -> %System32%\drivers\NSDriver.sys -> Lavasoft AB [Ver = 7.0.1.3 | Size = 9344 bytes | Modified Date = 7/08/2007 1:56:58 PM | Attr =    ]
UMDF -> %System32%\drivers\UMDF ->  [Folder | Modified Date = 20/08/2007 5:35:58 PM | Attr =    ]

[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\CleanUp452.exe:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %SystemDrive%\RegSeeker.zip:Zone.Identifier ->
UPX! , UPX0 ,  -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 6/09/2007 8:09:50 PM | Attr =    ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41397 bytes | Modified Date = 5/08/2004 7:00:00 AM | Attr =    ]
PEC2 , PECompact2 ,  -> %System32%\DivX.dll -> DivXNetworks, Inc. [Ver = 5.2.1.1338 | Size = 716800 bytes | Modified Date = 22/09/2004 10:26:40 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 5/10/2007 10:07:32 AM | Attr =    ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 5/08/2004 7:00:00 AM | Attr =    ]
WSUD , UPX0 ,  -> %System32%\dllcache\hwxjpn.dll ->  [Ver =  | Size = 13463552 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr =    ]

< End of report >

OK, that's it - no problems so far doing that...

Regards
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: mauserme on October 20, 2007, 03:41:24 PM
Open the Folder Options in the Control Panel.  On the View tab make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked.  Click OK.

Now see if you can find these files

c:\windows\system32\wupdmgr.exe
c:\windows\system32\dllcache\wupdmgr.exe

If found upload them to Virus Total (http://www.virustotal.com/en/indexf.html) for analysis and post the results.

Note:  There should be files of this name in both locations.  I want to make sure they're not missing and, if present, they haven't been patched.

Is there any change in the way your computer is running?
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 21, 2007, 02:46:43 PM
c:\windows\system32\wupdmgr.exe

I found it:

Virus total scan:

File wupdmgr.exe received on 10.21.2007 14:31:10 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 48 and 68 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.

Antivirus Version Last Update Result
AhnLab-V3 2007.10.20.0 2007.10.19 -
AntiVir 7.6.0.27 2007.10.20 -
Authentium 4.93.8 2007.10.20 -
Avast 4.7.1051.0 2007.10.21 -
AVG 7.5.0.488 2007.10.20 -
BitDefender 7.2 2007.10.21 -
CAT-QuickHeal 9.00 2007.10.20 -
ClamAV 0.91.2 2007.10.20 -
DrWeb 4.44.0.09170 2007.10.21 -
eSafe 7.0.15.0 2007.10.15 -
eTrust-Vet 31.2.5225 2007.10.20 -
Ewido 4.0 2007.10.21 -
FileAdvisor 1 2007.10.21 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.20 -
F-Secure 6.70.13030.0 2007.10.21 -
Ikarus T3.1.1.12 2007.10.21 -
Kaspersky 7.0.0.125 2007.10.21 -
McAfee 5145 2007.10.19 -
Microsoft 1.2908 2007.10.21 -
NOD32v2 2604 2007.10.19 -
Norman 5.80.02 2007.10.19 -
Panda 9.0.0.4 2007.10.21 -
Prevx1 V2 2007.10.21 -
Rising 19.45.62.00 2007.10.21 -
Sophos 4.22.0 2007.10.21 -
Sunbelt 2.2.907.0 2007.10.20 -
Symantec 10 2007.10.21 -
TheHacker 6.2.9.103 2007.10.21 -
VBA32 3.12.2.4 2007.10.19 -
VirusBuster 4.3.26:9 2007.10.20 -
Webwasher-Gateway 6.6.1 2007.10.20 -
Additional information
File size: 32256 bytes
MD5: 5c382832cc8da8d940bb902c5c656dfb
SHA1: cd4311561187ea699d9a9cc375b2b5b3fed4300f
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 21, 2007, 02:48:02 PM
c:\windows\system32\dllcache\wupdmgr.exe

I can't find this one at all??

Regards,
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: mauserme on October 22, 2007, 07:50:33 PM
And what is the status of things at the moment?  Still with malware alerts?
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: DavidR on October 22, 2007, 08:10:57 PM
c:\windows\system32\dllcache\wupdmgr.exe

I can't find this one at all??

Have you elected to have system files, hidden files and folders displayed?
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 22, 2007, 11:08:49 PM
Hi again,

Things have been quiet on the alert front. Here are the last events from the log viewer:

16/10/2007 10:33:39 PM   P & J Harmen   804   Sign of "Win32:Ircbot-CDT [trj]" has been found in "C:\Documents and Settings\P & J Harmen\My Documents\My Received Files\album59.scr" file. 
11/10/2007 11:54:12 PM   P & J Harmen   528   Sign of "Win32:Ircbot-CDT [trj]" has been found in "C:\DOCUME~1\P&JHAR~1\LOCALS~1\Temp\Temporary Directory 1 for album59.zip\album59.scr" file.

So nothing since 16/10/2007.

Yes, I had elected to have the system files, hidden files and folders displayed.

I still have to change over to Comodo from ZoneAlarm Free - I will do that tonight.

Regards
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 23, 2007, 01:37:33 PM
Hi again,

Changeover from Zonealarm to Comodo complete.

In regards to Comodo, as I'm a new user, are there any specific fine tuning/adjustments of settings you would recommend I should do straight away? At the moment, apart from the usual pop up checks and confirmations, it is set to the default. But all seems OK so far.

As far as the trojans (etc) are there any other instructions to follow? Do you reckon I'm clean?

Regards
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: Lisandro on October 23, 2007, 01:54:57 PM
I'm a new user, are there any specific fine tuning/adjustments of settings you would recommend I should do straight away?
The amount of popups could be configured in the Comodo settings.
Also, do you use a P2P program?
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: mauserme on October 23, 2007, 02:26:26 PM
As far as the trojans (etc) are there any other instructions to follow? Do you reckon I'm clean?
Yes, I think you are clean.  There are just a few more steps to tidy things up.

Open OTMovIt one last time, then click the Clean Up button to remove some of the tools (and backups) we've used.


Download and install CleanUp! (http://www.stevengould.org/downloads/cleanup/CleanUp40.exe)

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
Click OK
Press the CleanUp! button to start the program.

It may ask you to log off at the end.  Click Yes, then log back in.


Now we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean.

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the old ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The system will do some calculation and then display a dialogue box with tabs.
5. Select the More Options tab.
6. At the bottom there will be a System Restore box with a Clean up button; click this.
7. Accept the warning and select OK again; the program will close and you are done.


Finally, you should have a copy of wupdmgr.exe in your DLL cache. Since we've established the one in system32 is clean, copy the file from

c:\windows\system32\wupdmgr.exe

to

c:\windows\system32\dllcache\wupdmgr.exe


Then if the main file ever gets corrupted Windows will have the copy it needs to replace it.


Good luck and safe surfing :)
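The last step above (seeding dllcache from the system32 copy) is only sound if the system32 file really is the clean one. The following PowerShell script is an added example, not something posted in this thread, showing the check a practitioner would do before copying: require a valid Microsoft Authenticode signature on the source, compare SHA-256 hashes with any existing dllcache copy, and only then overwrite it. It assumes PowerShell 4.0 or later (for Get-FileHash) and uses the two paths named in the post as defaults.

```powershell
# Added example (not from the forum thread): verify that the system32 copy of
# wupdmgr.exe is validly Microsoft-signed before seeding dllcache with it, and
# report whether an existing dllcache copy already matches it byte-for-byte.
# Assumes PowerShell 4.0+ (Get-FileHash). Paths are the ones from the thread
# and can be overridden on the command line.
param(
    [string]$Source = "$env:SystemRoot\system32\wupdmgr.exe",
    [string]$Target = "$env:SystemRoot\system32\dllcache\wupdmgr.exe"
)

function Test-MicrosoftSigned {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Require a valid chain AND a Microsoft subject on the signer: a trojan
    # dropped in place of the file would fail one of these checks.
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

if (-not (Test-Path -LiteralPath $Source)) {
    throw "Source file not found: $Source"
}

if (-not (Test-MicrosoftSigned -Path $Source)) {
    throw "Refusing to seed dllcache: $Source is not validly Microsoft-signed"
}

$srcHash = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash

if (Test-Path -LiteralPath $Target) {
    $dstHash = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
    if ($srcHash -eq $dstHash) {
        Write-Output "dllcache copy already matches ($srcHash); nothing to do."
        return
    }
    # Hash mismatch means the cached copy differs from the verified source;
    # replace it so Windows File Protection restores the known-good file.
    Write-Warning "dllcache copy differs (source $srcHash, cache $dstHash); replacing it."
}

Copy-Item -LiteralPath $Source -Destination $Target -Force
Write-Output "Copied $Source to $Target (SHA-256 $srcHash)."
```

Run it from an elevated prompt, e.g. `.\Seed-DllCache.ps1` (the script name is arbitrary). One caveat: many Windows system binaries are catalog-signed rather than carrying an embedded signature, and on older Windows versions Get-AuthenticodeSignature reports those as NotSigned; in that case compare the file's hash against a copy taken from known-good installation media instead of relying on the signature check alone.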
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 24, 2007, 01:29:53 PM
Hi again,

Tech - You asked about P2P - Yes, LimeWire is on this PC. As for the Comodo settings - I am operating on default at the moment. Can you guide me with any known recommended setting adjustments that I should be aware of that are different from the default?

mauserme - Well, all is done. I have completed all of the last steps as per your last instruction. Still no new Avast logs since 16/10/07. Amazing. Can't believe we were chasing these bastards around for so long. Let's hope that's the end of it.

I guess that means we are at an end for this thread eh? Thanks for all the guidance, special thanks to all you guys that helped me out!

If I have any more issues Ill be in touch. Lets hope not!

Regards - Cupladays.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: Lisandro on October 24, 2007, 01:35:26 PM
Tech - You asked about P2P - Yes, LimeWire is on this PC. As for the Comodo settings - I am operating on default at the moment. Can you guide me with any known recommended setting adjustments that I should be aware of that are different from the default?
LimeWire is not as safe as eMule in my opinion.
eMule can run in a virtual account with non-admin privileges.
To connect to the eMule network with a high ID (faster downloads), you must configure your firewall to open the eMule ports.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 24, 2007, 01:59:45 PM
eMule or eMule Plus?
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: Lisandro on October 24, 2007, 02:04:19 PM
eMule or eMule Plus?
eMule, the original one.
Title: Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
Post by: cupladays on October 24, 2007, 02:22:24 PM
Ta!