Author Topic: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]  (Read 41670 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
« Reply #30 on: October 15, 2007, 03:05:07 PM »
You shouldn't be able to find files that are in the avast chest on your hard disk; that is the whole point of the chest: it is a protected area where they can't get out and other applications can't get in.
<snip>
Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.

So to be able to upload files to VT or Jotti you need to export the file to a temporary folder (of your choice).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mauserme

  • Guest
Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
« Reply #31 on: October 16, 2007, 04:41:13 AM »
SDFix should help with this.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix folder will be extracted to %systemdrive%\ (the drive that contains the Windows directory, typically 'C:\SDFix'). Open the SDFix folder in Safe Mode, then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan Services, then make some repairs to the registry and prompt you to press any key to reboot. Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.

Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

cupladays

  • Guest
Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
« Reply #32 on: October 16, 2007, 02:32:51 PM »
Hi there DavidR / mauserme,

Sorry - bit stupid there trying to find a file in the chest on C:

Anyway, here's the VT results of the file:

File album59.scr received on 10.16.2007 14:20:24 (CET)
Result: 31/32 (96.88%)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.16.2 2007.10.16 Win32/ShadoBot.worm.116224
AntiVir 7.6.0.23 2007.10.16 Worm/IrcBot.116224.6
Authentium 4.93.8 2007.10.16 W32/Backdoor.BMHU
Avast 4.7.1051.0 2007.10.15 Win32:Ircbot-CDT
AVG 7.5.0.488 2007.10.16 BackDoor.Ircbot.AXB
BitDefender 7.2 2007.10.16 Backdoor.IRCBot.ABEU
CAT-QuickHeal 9.00 2007.10.15 Backdoor.IRCBot.acd
ClamAV 0.91.2 2007.10.14 Trojan.IRCBot-1132
DrWeb 4.44.0.09170 2007.10.16 BackDoor.IRC.Sdbot.1987
eSafe 7.0.15.0 2007.10.15 Win32.IRCBot.acd
eTrust-Vet 31.2.5214 2007.10.16 Win32/Checkout.J
Ewido 4.0 2007.10.16 Backdoor.IRCBot.acd
FileAdvisor 1 2007.10.16 High threat detected
Fortinet 3.11.0.0 2007.10.16 W32/IRCBot.ACD!tr.bdr
F-Prot 4.3.2.48 2007.10.15 W32/Backdoor.BMHU
F-Secure 6.70.13030.0 2007.10.16 Backdoor.Win32.IRCBot.acd
Ikarus T3.1.1.12 2007.10.16 Backdoor.Win32.IRCBot.acd
Kaspersky 7.0.0.125 2007.10.16 Backdoor.Win32.IRCBot.acd
McAfee 5141 2007.10.15 W32/Checkout
Microsoft 1.2908 2007.10.16 Backdoor:Win32/IRCbot.OU
NOD32v2 2594 2007.10.16 Win32/IRCBot.WO
Norman 5.80.02 2007.10.15 W32/Ircbot.XIC
Panda 9.0.0.4 2007.10.16 W32/Gaobot.OXI.worm
Prevx1 V2 2007.10.16 -
Rising 19.45.11.00 2007.10.16 Backdoor.Win32.IRCbot.bcr
Sophos 4.22.0 2007.10.16 W32/IRCBot-XG
Sunbelt 2.2.907.0 2007.10.16 Backdoor.Win32.IRCBot.acd
Symantec 10 2007.10.16 W32.Mubla.B
TheHacker 6.2.8.093 2007.10.16 Backdoor/IRCBot.acd
VBA32 3.12.2.4 2007.10.16 Backdoor.Win32.IRCBot.acd
VirusBuster 4.3.26:9 2007.10.15 Worm.IRCBot.BDP
Webwasher-Gateway 6.0.1 2007.10.16 Worm.IrcBot.116224.6
Additional information
File size: 116224 bytes
MD5: 03ba79f306a641caf442eb328f2fc379
SHA1: b5d736fb206d233627e0d2278fb2f7cac57eb236
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=03ba79f306a641caf442eb328f2fc379
packers: PE_Patch, NTKrnl

So that doesn't look too good, eh? That's the file from 11/10/2007.
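As an added example (not code from this thread or from VirusTotal), the Python below parses a pasted VT-style report like the one above: it reads the per-engine rows, recomputes the detection ratio, tallies which malware family the engines agree on (so Backdoor.Win32.IRCBot.acd, Worm/IrcBot and Win32:Ircbot-CDT count as the same family), and checks that the file exported from the chest is really the one the report describes by comparing its size, MD5 and SHA1 with the "Additional information" block. The report embedded in it is constructed for the example; its hashes are those of the three bytes "abc", not of any real file, and the family-token rules are this example's own heuristic.

```python
import hashlib
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout VirusTotal used in 2007 (vendor, engine
# version, signature date, verdict). The hashes are those of the bytes b"abc",
# not of a real file, so the cross-check below can be demonstrated offline.
SAMPLE_REPORT = """\
File sample.scr received on 10.16.2007 14:20:24 (CET)
Result: 4/5 (80.00%)

Antivirus Version Last Update Result
AhnLab-V3 2007.10.16.2 2007.10.16 Win32/ShadoBot.worm.116224
AntiVir 7.6.0.23 2007.10.16 Worm/IrcBot.116224.6
Avast 4.7.1051.0 2007.10.15 Win32:Ircbot-CDT
Kaspersky 7.0.0.125 2007.10.16 Backdoor.Win32.IRCBot.acd
Prevx1 V2 2007.10.16 -
Additional information
File size: 3 bytes
MD5: 900150983cd24fb0d6963f7d28e17f72
SHA1: a9993e364706816aba3e25717850c26c9cd0d89d
packers: PE_Patch, NTKrnl
"""


@dataclass
class EngineResult:
    engine: str
    version: str
    updated: str
    result: Optional[str]  # None when the engine reported "-" (no detection)


# vendor, engine version, YYYY.MM.DD signature date, then the verdict (may contain spaces)
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")


def parse_vt_report(text: str) -> Tuple[List[EngineResult], Dict[str, str]]:
    """Split a pasted report into per-engine rows and the 'Additional information' fields."""
    engines, info, section = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Antivirus Version Last Update Result"):
            section = "table"
        elif line.startswith("Additional information"):
            section = "info"
        elif section == "table":
            m = ROW_RE.match(line)
            if m:
                verdict = m.group(4).strip()
                engines.append(EngineResult(m.group(1), m.group(2), m.group(3),
                                            None if verdict == "-" else verdict))
        elif section == "info":
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return engines, info


def detection_ratio(engines: List[EngineResult]) -> Tuple[int, int, float]:
    """Return (detections, engines, percentage) the way VT's 'Result: 31/32 (96.88%)' line does."""
    hits = sum(1 for e in engines if e.result is not None)
    pct = round(100.0 * hits / len(engines), 2) if engines else 0.0
    return hits, len(engines), pct


# Tokens that name a class of malware rather than a family; skipped when guessing the family.
GENERIC_TOKENS = {"backdoor", "trojan", "worm", "virus", "gen", "generic", "heur",
                  "high", "threat", "detected", "bdr", "trj"}


def family_of(verdict: str) -> Optional[str]:
    """First alphabetic token of the verdict that is not a generic class word (heuristic)."""
    for tok in re.split(r"[^a-z0-9]+", verdict.lower()):
        if len(tok) >= 3 and tok.isalpha() and tok not in GENERIC_TOKENS:
            return tok
    return None


def family_consensus(engines: List[EngineResult]) -> List[Tuple[str, int]]:
    """Family names ranked by how many engines used them."""
    counts: Counter = Counter()
    for e in engines:
        fam = family_of(e.result) if e.result else None
        if fam:
            counts[fam] += 1
    return counts.most_common()


def compute_hashes(data: bytes) -> Dict[str, str]:
    """The same three fields VT prints under 'Additional information'."""
    return {"File size": f"{len(data)} bytes",
            "MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest()}


def matches_report(data: bytes, info: Dict[str, str]) -> bool:
    """True when the local file's size and hashes equal the ones in the report."""
    local = compute_hashes(data)
    return all(info.get(k, "").strip().lower() == v for k, v in local.items())


if __name__ == "__main__":
    engines, info = parse_vt_report(SAMPLE_REPORT)
    hits, total, pct = detection_ratio(engines)
    print(f"Result: {hits}/{total} ({pct:.2f}%)")
    print("family consensus:", family_consensus(engines))
    print("exported file matches report:", matches_report(b"abc", info))
```

The hash cross-check is the part worth keeping: a file exported from the chest and a file uploaded days apart (the two reports in this thread have different MD5s and sizes) are different samples, and comparing the local hashes with the report's "Additional information" block is how you tell which one a given verdict applies to.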

cupladays

  • Guest
Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
« Reply #33 on: October 16, 2007, 02:46:54 PM »
Hi again..

And here's the VT report from a file moved to the chest this afternoon. So it looks like I still have some trojan activity going on here.

File webcam-photos086.zip received on 10.16.2007 14:35:17 (CET)
Result: 29/32 (90.63%)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.16.2 2007.10.16 -
AntiVir 7.6.0.23 2007.10.16 Worm/IrcBot.116224.6
Authentium 4.93.8 2007.10.16 W32/Backdoor.BMHU
Avast 4.7.1051.0 2007.10.15 Win32:Ircbot-CDT
AVG 7.5.0.488 2007.10.16 BackDoor.Ircbot.AXB
BitDefender 7.2 2007.10.16 Backdoor.IRCBot.ABEU
CAT-QuickHeal 9.00 2007.10.15 Backdoor.IRCBot.acd
ClamAV 0.91.2 2007.10.14 Trojan.IRCBot-1132
DrWeb 4.44.0.09170 2007.10.16 BackDoor.IRC.Sdbot.1987
eSafe 7.0.15.0 2007.10.15 Win32.IRCBot.acd
eTrust-Vet 31.2.5214 2007.10.16 Win32/Checkout.J
Ewido 4.0 2007.10.16 Backdoor.IRCBot.acd
FileAdvisor 1 2007.10.16 -
Fortinet 3.11.0.0 2007.10.16 W32/IRCBot.ACD!tr.bdr
F-Prot 4.3.2.48 2007.10.15 W32/Backdoor.BMHU
F-Secure 6.70.13030.0 2007.10.16 Backdoor.Win32.IRCBot.acd
Ikarus T3.1.1.12 2007.10.16 Backdoor.Win32.IRCBot.acd
Kaspersky 7.0.0.125 2007.10.16 Backdoor.Win32.IRCBot.acd
McAfee 5141 2007.10.15 W32/Checkout
Microsoft 1.2908 2007.10.16 Backdoor:Win32/IRCbot.OU
NOD32v2 2594 2007.10.16 Win32/IRCBot.WO
Norman 5.80.02 2007.10.15 W32/Ircbot.XIC
Panda 9.0.0.4 2007.10.16 W32/Gaobot.OXI.worm
Prevx1 V2 2007.10.16 -
Rising 19.45.11.00 2007.10.16 Backdoor.Win32.IRCbot.bcr
Sophos 4.22.0 2007.10.16 W32/IRCBot-XG
Sunbelt 2.2.907.0 2007.10.16 Backdoor.Win32.IRCBot.acd
Symantec 10 2007.10.16 W32.Mubla.B
TheHacker 6.2.8.093 2007.10.16 Backdoor/IRCBot.acd
VBA32 3.12.2.4 2007.10.16 Backdoor.Win32.IRCBot.acd
VirusBuster 4.3.26:9 2007.10.15 Worm.IRCBot.BDP
Webwasher-Gateway 6.6.1 2007.10.16 Worm.IrcBot.116224.6
Additional information
File size: 116362 bytes
MD5: e33bc0fefe4be59e541a3c3653af6782
SHA1: f77dc82c25203bab553e5a62165957016a0384da
packers: PE_Patch, NTKrnl

So it's a zip file as well. So it's fairly safe, right?
And am I right in saying this is obviously not a false positive?
I will run SDfix and report back with its log and a new HijackThis log, as advised by mauserme.
Is this my best next move?

Regards

Offline DavidR

Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
« Reply #34 on: October 16, 2007, 03:15:00 PM »
Well, you most certainly have something downloading stuff (apologies for getting technical); what I'm surprised about is that the web shield provider didn't catch it on download. So I can only assume that it wasn't downloaded using the HTTP protocol.

Which also begs the question: why didn't your firewall catch the outbound connection to download this? Two things come to mind. First, if you are using ZA free, it is crippled as far as outbound protection goes, in an attempt to promote the Pro version. Second, many of the scanners see this as being a backdoor; now, if there is already a backdoor on your system, that could be bypassing your firewall anyway.

Based on the two points above I would suggest a change of firewall. Many forum members use the Comodo Firewall (free), which isn't crippled in any way and may provide you with better protection against unauthorised outbound connections.

So after you have run SDfix you may want to look at a firewall change: download Comodo, disconnect from the internet, uninstall ZA free, reboot and install Comodo Firewall. You will obviously get a number of pop-ups as applications connect to the internet, etc.

cupladays

  • Guest
Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
« Reply #35 on: October 16, 2007, 03:58:58 PM »
DavidR,

The SDfix didn't run, or it certainly didn't appear to. There are a few patches on the link to the online readme that's in the folder, so I tried all of those, but still no luck. There was no report.txt created; the only text file there was one called kill, whose contents read:

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of wupdmgr.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of wupdmgr.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of wupdmgr.exe

Which would be the 3 times I ran it: once the first time and once each for the patches.
I will take your advice on the firewall once I sort this out.

Any advice why SDfix won't run?

Offline DavidR

Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
« Reply #36 on: October 16, 2007, 05:03:18 PM »
Sorry, I only suggested you should run it because mauserme had suggested it before you posted the VT results. Did you follow his run instructions to the letter, as in the bit about running it in Safe Mode?

mauserme

  • Guest
Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
« Reply #37 on: October 16, 2007, 07:51:52 PM »
The SDfix didn't run ...
Probably the malware having some fun with us.

I think the basic problem might still be C:\WINDOWS\SYSHOST.DLL. When you originally posted you showed this file as something avast! quarantined; it has a 10 April, 2007 date in your log.

The ComboFix log generated 9 October shows C:\WINDOWS\SYSHOST.DLL created 26 September. If these dates are accurate the file has been recreated, but I see no indication that the second copy has been deleted. This would go along with the apparent rootkit techniques being employed and the continued downloading of malware.

I suggest you open OTMoveIt again and paste in the following to be moved

C:\WINDOWS\SYSHOST.DLL
C:\Windows\svchost.exe

Then click the MoveIt button as you did in the past.

Post the results of OTMoveIt along with fresh ComboFix and HJT logs.

BTW, C:\Windows\svchost.exe is not the same as the valid file, which is C:\Windows\System32\svchost.exe. It may or may not be found.
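mauserme's point about C:\Windows\svchost.exe generalises: a core Windows process name is only legitimate from one directory. The Python below is an added example, not code from this thread or from HijackThis, that takes the "Running processes" section of a HijackThis log (like the one posted later in this thread), flags core processes running from the wrong directory, and also flags names that are one character away from a core name. The log text inside it is constructed for the example (including the impostor C:\Windows\svchost.exe, a look-alike scvhost.exe and an lsass.exe in a Temp folder); the directory table is this example's own and covers only the common impostor targets.

```python
import ntpath
from typing import Dict, List, Tuple

# Core Windows XP processes and the one directory each legitimately runs from.
# %SystemRoot% is replaced with the system_root argument (C:\WINDOWS in this
# thread's logs). This table is written for the example and is deliberately
# short; extend it for the processes you care about.
CORE_PROCESS_DIRS: Dict[str, str] = {
    "smss.exe": r"%SystemRoot%\System32",
    "csrss.exe": r"%SystemRoot%\System32",
    "winlogon.exe": r"%SystemRoot%\System32",
    "services.exe": r"%SystemRoot%\System32",
    "lsass.exe": r"%SystemRoot%\System32",
    "svchost.exe": r"%SystemRoot%\System32",
    "spoolsv.exe": r"%SystemRoot%\System32",
    "explorer.exe": r"%SystemRoot%",
}

# Constructed HijackThis-style log: the real svchost.exe under System32 plus an
# impostor at C:\Windows\svchost.exe, a look-alike name, and lsass.exe in Temp.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\Windows\svchost.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\User\Local Settings\Temp\lsass.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""


def extract_running_processes(log_text: str) -> List[str]:
    """Return the full paths listed under 'Running processes:' (up to the next blank line)."""
    procs, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line:
                break
            procs.append(line)
    return procs


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; compare them lower-cased with one separator style.
    return path.replace("/", "\\").rstrip("\\").lower()


def near_miss(name: str, core: str) -> bool:
    """True if name differs from core by one substituted character or one adjacent swap."""
    if len(name) != len(core):
        return False
    diff = [i for i, (a, b) in enumerate(zip(name, core)) if a != b]
    if len(diff) == 1:
        return True
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and name[diff[0]] == core[diff[1]] and name[diff[1]] == core[diff[0]])


def check_running_processes(paths: List[str],
                            system_root: str = r"C:\WINDOWS") -> List[Tuple[str, str, str]]:
    """Flag (name, path, reason) for core processes in the wrong directory or look-alike names."""
    findings = []
    for path in paths:
        directory, name = ntpath.split(path)
        name = name.lower()
        expected = CORE_PROCESS_DIRS.get(name)
        if expected is not None:
            expected_dir = expected.replace("%SystemRoot%", system_root)
            if _norm(directory) != _norm(expected_dir):
                findings.append((name, path, f"core process outside {expected_dir}"))
            continue
        for core in CORE_PROCESS_DIRS:
            if near_miss(name, core):
                findings.append((name, path, f"name is one character away from {core}"))
                break
    return findings


if __name__ == "__main__":
    for name, path, reason in check_running_processes(extract_running_processes(SAMPLE_HJT_LOG)):
        print(f"{path}: {reason}")
```

Note that the check is on the directory, not on the file name alone: the thread's own HJT log lists svchost.exe under both "system32" and "System32", which the case-insensitive comparison treats as the same legitimate location, while C:\Windows\svchost.exe is reported because its directory is one level too high.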

cupladays

  • Guest
Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
« Reply #38 on: October 16, 2007, 10:47:50 PM »
DavidR, yes, I followed mauserme's instructions to a tee, including Safe Mode. He's given me some homework which I'll do tonight and report back.

cupladays

  • Guest
Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
« Reply #39 on: October 17, 2007, 02:58:45 PM »
Hi all,

OK, here's the results of OTMoveIt:

File/Folder C:\WINDOWS\SYSHOST.DLL not found.
File/Folder C:\Windows\svchost.exe not found.
 
Created on 10/17/2007 22:56:24

And here's the ComboFix and HJT logs over a few posts, as usual.

Combofix:

ComboFix 07-10-09.3 - P & J Harmen 2007-10-17 22:50:25.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.494 [GMT 10:00]
Running from: C:\Documents and Settings\P & J Harmen\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2007-09-17 to 2007-10-17  )))))))))))))))))))))))))))))))
.

2007-10-16 23:19   <DIR>   d--------   C:\WINDOWS\ERUNT
2007-10-11 20:34   3,968   --a------   C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-10-10 20:52   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-10 09:20   582,656   ---------   C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 21:04   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-10-09 20:57   <DIR>   d--------   C:\Program Files\Trend Micro
2007-10-09 20:18   <DIR>   d--------   C:\Program Files\RogueRemover FREE
2007-10-04 21:52   <DIR>   d--------   C:\Program Files\Lavasoft
2007-10-04 21:52   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-04 21:50   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-10-04 21:35   <DIR>      C:\Documents and Settings\P 2007-10-04  21:35    <DIR>           J Harmen\DoctorWeb
2007-10-02 22:40   <DIR>      C:\Documents and Settings\P 2007-10-02  22:40    <DIR>           J Harmen\Application Data\AdwareAlert
2007-10-02 22:08   <DIR>   d--------   C:\Program Files\Navilog1
2007-10-02 20:27   <DIR>   d--------   C:\Program Files\Spyware Doctor
2007-10-02 20:27   <DIR>   d--------   C:\Program Files\Picasa2
2007-10-02 20:07   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-02 19:38   <DIR>   d--------   C:\Program Files\Enigma Software Group
2007-10-02 14:47   6,029,312      C:\Documents and Settings\P 2007-10-02  14:47         6,029,312  J Harmen\ntuser.dat
2007-10-01 21:23   3,837,984   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-01 21:20   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-29 21:26   <DIR>   d--------   C:\Program Files\Snapshot Viewer
2007-09-29 21:26   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SBT
2007-09-29 21:21   <DIR>   d--------   C:\WINDOWS\ShellNew
2007-09-29 21:19   <DIR>      C:\Documents and Settings\P 2007-09-29  21:19    <DIR>           J Harmen\Application Data\Microsoft Web Folders

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-16 14:15   42,980   --sha-w   C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-12 23:23   4,814   ----a-w   C:\Documents and Settings\P & J Harmen\Application Data\wklnhst.dat
2007-10-02 12:42   ---------   d-----w   C:\Documents and Settings\P & J Harmen\Application Data\AdwareAlert
2007-10-02 10:11   ---------   d-----w   C:\Program Files\Google
2007-10-02 10:11   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Google
2007-09-29 11:25   ---------   d-----w   C:\Program Files\microsoft frontpage
2007-09-29 11:19   ---------   d-----w   C:\Documents and Settings\P & J Harmen\Application Data\Microsoft Web Folders
2007-09-28 05:41   ---------   d-----w   C:\Documents and Settings\P & J Harmen\Application Data\OpenOffice.org2
2007-09-06 10:09   801,144   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05   94,416   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05   92,848   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00   95,608   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-06 06:14   75,248   ----a-w   C:\WINDOWS\zllsputility.exe
2007-09-06 06:14   1,086,952   ----a-w   C:\WINDOWS\system32\zpeng24.dll
2007-09-05 11:03   168,105   ----a-w   C:\CleanUp452.exe
2007-09-05 10:03   ---------   d-----w   C:\Program Files\Nokia
2007-08-21 09:11   12,087   ----a-w   C:\Documents and Settings\P & J Harmen\phraxd.exe
2007-08-21 08:57   12,087   ----a-w   C:\Documents and Settings\P & J Harmen\lcojug.exe
2007-08-21 06:15   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15   683,520   ------w   C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04   824,832   ----a-w   C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04   671,232   ----a-w   C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04   63,488   ------w   C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04   6,058,496   ------w   C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04   52,224   ------w   C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04   477,696   ----a-w   C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04   459,264   ------w   C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04   44,544   ------w   C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04   384,512   ------w   C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04   383,488   ------w   C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04   3,584,512   ----a-w   C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04   27,648   ----a-w   C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04   267,776   ------w   C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04   232,960   ------w   C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04   230,400   ------w   C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04   214,528   ----a-w   C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04   193,024   ----a-w   C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04   153,088   ------w   C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04   132,608   ----a-w   C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04   124,928   ------w   C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04   105,984   ------w   C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04   102,400   ------w   C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04   1,152,000   ----a-w   C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21   625,152   ------w   C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20   63,488   ------w   C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20   13,824   ------w   C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34   161,792   ------w   C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-30 09:19   92,504   ----a-w   C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 09:19   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-07-30 09:19   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll
2007-07-30 09:19   549,720   ----a-w   C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 09:19   53,080   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2007-07-30 09:19   53,080   ----a-w   C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 09:19   43,352   ----a-w   C:\WINDOWS\system32\wups2.dll
2007-07-30 09:19   325,976   ----a-w   C:\WINDOWS\system32\wucltui.dll
2007-07-30 09:19   325,976   ----a-w   C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 09:19   271,224   ----a-w   C:\WINDOWS\system32\mucltui.dll
2007-07-30 09:19   207,736   ----a-w   C:\WINDOWS\system32\muweb.dll
2007-07-30 09:19   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-07-30 09:19   203,096   ----a-w   C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 09:19   1,712,984   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2007-07-30 09:19   1,712,984   ----a-w   C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 09:18   33,624   ----a-w   C:\WINDOWS\system32\wups.dll
2007-07-30 09:18   33,624   ----a-w   C:\WINDOWS\system32\dllcache\wups.dll
2005-09-24 15:49   12,288   -c--a-w   C:\WINDOWS\Fonts\RandFont.dll
.

cupladays

  • Guest
Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
« Reply #40 on: October 17, 2007, 02:59:30 PM »
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 15:58]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 15:58]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 22:44 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 15:22]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-19 17:14]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 13:33]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 12:50]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 20:06]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 15:58]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00]
"nwiz"="nwiz.exe" [2006-07-20 15:58 C:\WINDOWS\system32\nwiz.exe]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-08-12 23:28 C:\WINDOWS\KHALMNPR.Exe]
"Logitech BT Wizard"="LBTWiz.exe" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 23:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-07-24 17:12]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 14:26]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-15 14:47]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 07:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 13:33:22]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-25 02:39:30]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-15 14:47:53]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-19 20:37:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2005-09-06 02:44 53248 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam  ;C:\WINDOWS\system32\Drivers\5U870CAP.sys
R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
S2 pciinfo;HP Pci Information;\??\C:\DOCUME~1\P&JHAR~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 10:30:04 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
"2007-10-11 13:20:53 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 22:53:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????B??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 22:54:14
C:\ComboFix-quarantined-files.txt ... 2007-10-17 22:54
C:\ComboFix2.txt ... 2007-10-09 21:19
.
   --- E O F ---

cupladays

  • Guest
Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
« Reply #41 on: October 17, 2007, 03:01:00 PM »
Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:13 PM, on 17/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


cupladays

  • Guest
Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
« Reply #42 on: October 17, 2007, 03:01:44 PM »
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/couriermail/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161139718942
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10565 bytes

Regards,

mauserme

  • Guest
Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
« Reply #43 on: October 17, 2007, 07:59:20 PM »
I'm not seeing anything in your logs. Let's try a deeper look:

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Change Files/Folder Created Within to 90 days
  • Change Files/Folder Modified Within to 90 days
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

  • Use the Add Reply button and Copy/Paste the information back here. < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.


cupladays

  • Guest
Re: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]
« Reply #44 on: October 19, 2007, 02:30:01 PM »
Hi again,

Sorry, I had to go away for a couple of days. Back now.

Here's the WinPFind3u log:

WinPFind3 logfile created on: 19/10/2007 10:19:13 PM
WinPFind3U by OldTimer - Version 1.0.42   Folder = C:\Documents and Settings\P & J Harmen\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
 
1021.98 Mb Total Physical Memory | 554.91 Mb Available Physical Memory | 54.30% Memory free
2.40 Gb Paging File | 1.99 Gb Available in Paging File | 82.84% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 82.89 Gb Total Space | 52.49 Gb Free Space | 63.33% Space Free
Drive D: | 9.24 Gb Total Space | 1.15 Gb Free Space | 12.40% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: PC147518913218
Current User Name: P & J Harmen
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 3 | Size = 574808 bytes | Modified Date = 25/09/2007 9:00:46 AM | Attr =    ]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 6/09/2007 8:06:10 PM | Attr =    ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 6/09/2007 8:05:42 PM | Attr =    ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 6/09/2007 8:06:04 PM | Attr =    ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 6/09/2007 8:04:44 PM | Attr =    ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 6/09/2007 7:54:58 PM | Attr =    ]
btstac~1.exe -> %ProgramFiles%\WIDCOMM\Bluetooth Software\BTStackServer.exe -> Broadcom Corporation. [Ver = 4.0.1.3500 | Size = 1265748 bytes | Modified Date = 12/05/2006 1:32:14 PM | Attr =    ]
bttray.exe -> %ProgramFiles%\WIDCOMM\Bluetooth Software\BTTray.exe -> Broadcom Corporation. [Ver = 4.0.1.3500 | Size = 581693 bytes | Modified Date = 12/05/2006 1:33:22 PM | Attr =    ]
btwdins.exe -> %ProgramFiles%\WIDCOMM\Bluetooth Software\bin\btwdins.exe -> Broadcom Corporation. [Ver = 4.0.1.3500 | Size = 258103 bytes | Modified Date = 12/05/2006 1:27:16 PM | Attr =    ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 15/07/2007 2:26:06 PM | Attr =    ]
hp wireless assistant.exe -> %ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe -> Hewlett-Packard Development Company, L.P. [Ver = 2, 0, 7, 2 | Size = 458752 bytes | Modified Date = 4/05/2006 3:58:26 PM | Attr =    ]
hpcmpmgr.exe -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 12/01/2005 2:54:58 PM | Attr =    ]
hpqimzone.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqimzone.exe -> Hewlett-Packard Development Company, L.P. [Ver = 060.000.155.000 | Size = 475136 bytes | Modified Date = 25/09/2005 1:42:32 AM | Attr =    ]
hpqtra08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 5.31.0.147 | Size = 233472 bytes | Modified Date = 7/07/2003 1:20:40 AM | Attr =    ]
hpqwmiex.exe -> %ProgramFiles%\Hewlett-Packard\Shared\hpqwmiex.exe -> Hewlett-Packard Development Company, L.P. [Ver = 2, 0, 1, 9 | Size = 135168 bytes | Modified Date = 2/05/2006 5:41:28 PM | Attr =    ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Co. [Ver = 50.0.146.000 | Size = 49152 bytes | Modified Date = 16/02/2005 11:11:42 PM | Attr =    ]
khalmnpr.exe -> %CommonProgramFiles%\Logitech\KHAL\KHALMNPR.EXE -> Logitech Inc. [Ver = 2.44.413 | Size = 28160 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
lbtserv.exe -> %CommonProgramFiles%\Logitech\Bluetooth\LBTSERV.EXE -> Logitech Inc. [Ver = 2.44.460 | Size = 81920 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
lbtwiz.exe -> %ProgramFiles%\Logitech\SetPoint\LBTWiz.exe -> Logitech Inc. [Ver = 1.0.0.1 | Size = 28160 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
logitechdesktopmessenger.exe -> %ProgramFiles%\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe -> Logitech Inc. [Ver = 2.52.21.16 | Size = 67128 bytes | Modified Date = 15/02/2007 2:47:54 PM | Attr =    ]
lssrvc.exe -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.4.97.1 | Size = 49152 bytes | Modified Date = 18/05/2006 6:52:06 PM | Attr =    ]
qlbctrl.exe -> %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe ->  Hewlett-Packard Development Company, L.P. [Ver = 6, 1, 1, 2 | Size = 163840 bytes | Modified Date = 19/06/2006 1:33:12 PM | Attr =    ]
qpservice.exe -> %ProgramFiles%\HP\QuickPlay\QPService.exe -> CyberLink Corp. [Ver = 4.5.0.0000 | Size = 102400 bytes | Modified Date = 19/07/2006 5:14:20 PM | Attr =    ]
rainlendar2.exe -> %ProgramFiles%\Rainlendar2\Rainlendar2.exe ->  [Ver = 2, 2, 0, 0 | Size = 1298432 bytes | Modified Date = 24/07/2007 5:12:56 PM | Attr =    ]
setpoint.exe -> %ProgramFiles%\Logitech\SetPoint\SetPoint.exe -> Logitech Inc. [Ver = 2.44.460 | Size = 528384 bytes | Modified Date = 6/09/2005 2:44:00 AM | Attr =    ]
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.3.8 16Jun06 | Size = 794713 bytes | Modified Date = 17/06/2006 3:22:46 PM | Attr =    ]
vsmon.exe -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 75304 bytes | Modified Date = 6/09/2007 4:14:18 PM | Attr =    ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 4/09/2007 10:47:26 AM | Attr =    ]
zlclient.exe -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 919016 bytes | Modified Date = 6/09/2007 4:14:18 PM | Attr =    ]