Author Topic: Please help with Win32:BHO-KD [Trj] infection  (Read 31233 times)


Grisen

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #15 on: January 26, 2008, 05:51:47 AM »
Thank you, Essexboy and 1975Maggie. New ComboFix and HijackThis logs follow:

ComboFix 08-01-23.1C - John 2008-01-25 22:41:04.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1487 [GMT -6:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\dlcxcomml.dll
C:\WINDOWS\system32\ecccigpx.dat
C:\WINDOWS\system32\u4hgogewh.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ecccigpx.dat
C:\WINDOWS\system32\u4hgogewh.exe

.
(((((((((((((((((((((((((   Files Created from 2007-12-26 to 2008-01-26  )))))))))))))))))))))))))))))))
.

2008-01-25 15:51 . 2008-01-25 15:51   15,232   --a------   C:\WINDOWS\system32\u4hgogewh.zip
2008-01-25 04:16 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\Nircmd.exe
2008-01-24 20:39 . 2008-01-24 21:31   <DIR>   d--------   C:\Program Files\a-squared Free
2008-01-24 20:22 . 2008-01-25 22:43   1,779,744   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-24 20:22 . 2008-01-25 16:02   21,668   --ahs----   C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-24 20:17 . 2007-09-06 16:14   75,248   --a------   C:\WINDOWS\zllsputility.exe
2008-01-24 20:16 . 2007-09-06 16:14   1,086,952   --a------   C:\WINDOWS\system32\zpeng24.dll
2008-01-24 20:16 . 2008-01-25 22:29   353,247   --a------   C:\WINDOWS\system32\vsconfig.xml
2008-01-24 19:43 . 2008-01-24 20:17   <DIR>   d--------   C:\WINDOWS\system32\ZoneLabs
2008-01-24 19:43 . 2004-04-27 04:40   11,264   --a------   C:\WINDOWS\system32\SpOrder.dll
2008-01-24 19:43 . 2008-01-24 20:19   4,212   ---h-----   C:\WINDOWS\system32\zllictbl.dat
2008-01-24 19:42 . 2008-01-25 22:30   <DIR>   d--------   C:\WINDOWS\Internet Logs
2008-01-24 13:16 . 2008-01-24 13:16   <DIR>   d--------   C:\Program Files\XoftSpySE
2008-01-24 11:32 . 2007-12-04 07:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2008-01-24 11:32 . 2004-01-09 03:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2008-01-24 11:32 . 2007-12-04 06:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2008-01-24 11:32 . 2007-12-04 08:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-24 11:32 . 2007-12-04 08:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-24 11:32 . 2007-12-04 08:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-24 11:32 . 2007-12-04 08:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-24 11:32 . 2007-12-04 08:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-22 19:39 . 2008-01-22 19:39   <DIR>   d--------   C:\Program Files\Alwil Software
2008-01-22 19:29 . 2007-05-30 06:10   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-22 14:50 . 2008-01-22 14:50   <DIR>   d--------   C:\WINDOWS\system32\AppCert
2008-01-22 14:49 . 2008-01-22 14:49   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-01-22 14:49 . 2008-01-22 14:49   1,409   --a------   C:\WINDOWS\QTFont.for
2008-01-14 11:17 . 2008-01-14 11:17   <DIR>   d--------   C:\Program Files\Axis Communications

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 01:32   ---------   d-----w   C:\Program Files\Google
2008-01-23 02:04   ---------   d-----w   C:\Program Files\dl_cats
2008-01-22 20:54   360,064   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-01-22 20:54   360,064   ----a-w   C:\WINDOWS\system32\dllcache\tcpip.sys
2008-01-19 20:22   7,518   --sha-w   C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-20 22:46   1,482,579   ----a-w   C:\Program Files\AlphaChessHistory.dat
2007-11-07 09:26   721,920   ----a-w   C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26   721,920   ------w   C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42   3,590,656   ----a-w   C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43   1,287,680   ------w   C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 23:40   222,720   ----a-w   C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40   222,720   ----a-w   C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34   8,460,288   ----a-w   C:\WINDOWS\system32\dllcache\shell32.dll
.

(((((((((((((((((((((((((((((   snapshot@2008-01-25_ 4.25.45.59   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-25 10:17:42   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-26 04:40:26   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-25 10:17:42   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-26 04:40:27   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-25 10:17:43   3,698,688   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-26 04:40:27   3,715,072   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-25 10:17:43   98,304   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-26 04:40:27   98,304   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-25 10:17:43   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-26 04:40:27   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-25 10:17:43   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 04:40:27   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 04:26:24   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_b0.dat
.

Grisen

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #16 on: January 26, 2008, 05:55:18 AM »
(continued)

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE4F4014-3BF4-4CEB-B46C-3730A2340C4E}]
2007-08-07 08:30   798720   --a------   C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{6F4F95AF-1647-4B72-A632-055405455423}

[HKEY_CLASSES_ROOT\clsid\{6f4f95af-1647-4b72-a632-055405455423}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{6F4F95AF-1647-4B72-A632-055405455423}"= C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll [2007-08-07 08:30 798720]

[HKEY_CLASSES_ROOT\clsid\{6f4f95af-1647-4b72-a632-055405455423}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24 20480]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 21:57 395776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 18:48 761947]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 09:28 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 09:28 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 23:30 282624 C:\WINDOWS\stsystra.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 18:51 1032192]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2006-08-22 15:32 184320]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"dlcxmon.exe"="C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe" [2006-06-14 06:51 286720]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 926\memcard.exe" [2006-06-27 05:34 299008]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [2006-06-15 04:03 307200]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 11:06 106496]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]
"DLCXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-06-07 10:17 106496]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-11-10 11:52 34832]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 18:28:28 622653]
Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-12-12 04:52:29 7168]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-12-12 04:48:16 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 03:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-12-12 05:00 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\u4hgogewh]
C:\WINDOWS\system32\u4hgogewh.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\sessionmanager\appcertdlls]
appsecdll   REG_EXPAND_SZ     C:\WINDOWS\system32\AppCert\wsil32.dll

R3 dlcx_device;dlcx_device;C:\WINDOWS\system32\dlcxcoms.exe [2006-05-18 14:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8a4e59e-c94e-11dc-aafb-00188ba682e6}]
\Shell\AutoRun\command - F:\
\Shell\open\Command - .\autorun.exe explore

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 04:29:22 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-26 04:26:25 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-24 19:30:52 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 22:43:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 22:44:17
ComboFix-quarantined-files.txt  2008-01-26 04:44:14
ComboFix2.txt  2008-01-25 10:26:44
.
2008-01-18 22:52:57   --- E O F --- 


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:14 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\John\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061212



Grisen

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #17 on: January 26, 2008, 05:58:50 AM »
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 100% Free Chess Toolbar Helper - {AE4F4014-3BF4-4CEB-B46C-3730A2340C4E} - C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: 100% Free Chess Toolbar - {6F4F95AF-1647-4B72-A632-055405455423} - C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168913282796
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://207.5.168.68/activex/AMC.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://mobilecountymaps.siteonestudio.com/taxmaps/acgm/acgm.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: dlcx_device -   - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9901 bytes

By the way, I remember that there was a C:\WINDOWS\system32\u4hgogewh.zip file in that directory as well. Don't know its function, but if the .exe is suspect, then the .zip should probably also be removed, no?

Thanks,

Grisen

1975maggie

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #18 on: January 26, 2008, 07:23:45 AM »
Okay, we seem to have a new file, so let's clean some things up and see if we can stop this.

Go to Add/Remove Programs and uninstall this program:

Free Chess toolbar or similar; you can keep the game, it's just the toolbar that's questionable.

Reason:

http://www.castlecops.com/CLSID.html



Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\WINDOWS\system32\u4hgogewh.zip

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\u4hgogewh]



This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.


Let's get this Java caught up. Old Java can be an entry point for malware.

Your Java is a bit behind.

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".

Click the download button on the right.

 > If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.





Please tell us of any problems you are experiencing.
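Added example (not code from this thread, HijackThis or ComboFix): a small Python triage helper that parses the O2/O3/O4 lines from the HijackThis log posted above, links the BHO and toolbar entries that load the same DLL, flags autostart entries that are name-only or whose file is already gone (the situation with the msconfig startupreg key for u4hgogewh that remained after ComboFix deleted the EXE), and renders a CFScript in the File::/Registry:: layout used in this post. The sample lines are copied from the thread; the last O4 line, the on-disk file list and the flagging rules are this example's own constructions and assumptions.

```python
"""Autostart triage for this thread's HijackThis/ComboFix logs. Added example, not code
from the thread, HijackThis or ComboFix; sample lines are copied from the log above."""
import ntpath
import os
import re
from dataclasses import dataclass

# Item shapes as they appear in the thread's HijackThis log:
#   O2 - BHO: <name> - {CLSID} - <dll>      O3 - Toolbar: <name> - {CLSID} - <dll>
#   O4 - HKLM\..\Run: [<value name>] <command line>
O2_O3_RE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
O4_RE = re.compile(r"^(O4) - (?:HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(.*?)\] (.*)$")

@dataclass(frozen=True)
class Entry:
    kind: str    # "O2", "O3" or "O4"
    name: str    # BHO/toolbar display name or Run value name
    clsid: str   # upper-cased CLSID; "" for O4 entries
    path: str    # DLL/EXE the entry loads, unquoted, original case

def program_path(cmdline):
    """Program a Run-key command line starts: quoted path, bare path, or rundll32 DLL."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    head, _, rest = cmdline.partition(" ")
    if head.lower() in ("rundll32", "rundll32.exe"):
        return rest.split(",", 1)[0].strip()  # rundll32 <dll>,<entry>: the DLL is what runs
    m = re.match(r"(.*?\.(?:exe|dll|scr|cpl|com))(?:\s|$)", cmdline, re.I)
    return m.group(1) if m else head

def parse_hjt(lines):
    """Parse O2/O3/O4 lines into Entry records; other item types are ignored."""
    entries = []
    for line in lines:
        m = O2_O3_RE.match(line.strip())
        if m:
            kind, name, clsid, path = m.groups()
            entries.append(Entry(kind, name, clsid.upper(), path.strip()))
            continue
        m = O4_RE.match(line.strip())
        if m:
            kind, name, cmd = m.groups()
            entries.append(Entry(kind, name, "", program_path(cmd)))
    return entries

def related(entries, entry):
    """Entries sharing `entry`'s CLSID or file, e.g. the chess BHO (O2) and toolbar (O3) above."""
    return [e for e in entries if e != entry and
            (e.path.lower() == entry.path.lower() or (entry.clsid and e.clsid == entry.clsid))]

def flag(entries, exists=os.path.exists):
    """Map suspicious entries to reasons (review prompts, not verdicts; rules are this
    example's own): no-name = BHO/toolbar without a display name; bare-name = Run
    value with no directory, resolved by PATH search; missing-file = the file is gone,
    an orphaned autostart like the startupreg key for u4hgogewh after ComboFix
    deleted the EXE. `exists` is injectable so it can run against a recorded list."""
    report = {}
    for e in entries:
        reasons = []
        if e.name == "(no name)":
            reasons.append("no-name")
        if not ntpath.dirname(e.path):
            reasons.append("bare-name")
        elif not exists(e.path):
            reasons.append("missing-file")
        if reasons:
            report[e] = reasons
    return report

def cfscript(files=(), delete_keys=()):
    """CFScript in the layout used in the post: File:: paths to remove, then
    Registry:: where [-KEY] deletes a key."""
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if delete_keys:
        parts.append("Registry::\n" + "\n".join("[-%s]" % k for k in delete_keys))
    return "\n\n".join(parts) + "\n"

# Constructed sample: copied from the thread's HijackThis log; the last O4 line is
# constructed to mirror the ComboFix msconfig startupreg entry for u4hgogewh.exe.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: 100% Free Chess Toolbar Helper - {AE4F4014-3BF4-4CEB-B46C-3730A2340C4E} - C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll
O3 - Toolbar: 100% Free Chess Toolbar - {6F4F95AF-1647-4B72-A632-055405455423} - C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKLM\..\Run: [u4hgogewh] C:\WINDOWS\system32\u4hgogewh.exe
""".strip().splitlines()

# Constructed stand-in for the disk after ComboFix's deletions (u4hgogewh.exe is gone).
ON_DISK = {
    r"C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r"C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll",
    r"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll",
    r"C:\Program Files\Dell Support\DSAgnt.exe",
}

if __name__ == "__main__":
    for e, why in flag(parse_hjt(SAMPLE_LOG), exists=ON_DISK.__contains__).items():
        print(e.kind, e.name, e.path, ", ".join(why))
```

The flags are prompts for a human to look at an entry, as the helpers in this thread do, not a verdict: Spybot's SDHelper.dll shows up as "(no name)" in the real log too.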






Grisen

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #19 on: January 26, 2008, 08:33:23 AM »
Thanks for your reply, 1975maggie.

100% Free Chess Toolbar - "Uninstaller Error: It may already have been removed.  Would you like to remove it from the Add / Remove Programs list?"

ComboFix 08-01-23.1C - John 2008-01-26  1:02:05.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1485 [GMT -6:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\u4hgogewh.zip
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\u4hgogewh.zip

.
(((((((((((((((((((((((((   Files Created from 2007-12-26 to 2008-01-26  )))))))))))))))))))))))))))))))
.

2008-01-25 04:16 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\Nircmd.exe
2008-01-24 20:39 . 2008-01-24 21:31   <DIR>   d--------   C:\Program Files\a-squared Free
2008-01-24 20:22 . 2008-01-26 01:03   1,816,608   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-24 20:22 . 2008-01-26 00:09   22,052   --ahs----   C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-24 20:17 . 2007-09-06 16:14   75,248   --a------   C:\WINDOWS\zllsputility.exe
2008-01-24 20:16 . 2007-09-06 16:14   1,086,952   --a------   C:\WINDOWS\system32\zpeng24.dll
2008-01-24 20:16 . 2008-01-26 00:35   353,247   --a------   C:\WINDOWS\system32\vsconfig.xml
2008-01-24 19:43 . 2008-01-24 20:17   <DIR>   d--------   C:\WINDOWS\system32\ZoneLabs
2008-01-24 19:43 . 2004-04-27 04:40   11,264   --a------   C:\WINDOWS\system32\SpOrder.dll
2008-01-24 19:43 . 2008-01-24 20:19   4,212   ---h-----   C:\WINDOWS\system32\zllictbl.dat
2008-01-24 19:42 . 2008-01-26 00:37   <DIR>   d--------   C:\WINDOWS\Internet Logs
2008-01-24 13:16 . 2008-01-24 13:16   <DIR>   d--------   C:\Program Files\XoftSpySE
2008-01-24 11:32 . 2007-12-04 07:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2008-01-24 11:32 . 2004-01-09 03:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2008-01-24 11:32 . 2007-12-04 06:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2008-01-24 11:32 . 2007-12-04 08:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-24 11:32 . 2007-12-04 08:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-24 11:32 . 2007-12-04 08:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-24 11:32 . 2007-12-04 08:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-24 11:32 . 2007-12-04 08:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-22 19:39 . 2008-01-22 19:39   <DIR>   d--------   C:\Program Files\Alwil Software
2008-01-22 14:50 . 2008-01-22 14:50   <DIR>   d--------   C:\WINDOWS\system32\AppCert
2008-01-22 14:49 . 2008-01-22 14:49   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-01-22 14:49 . 2008-01-22 14:49   1,409   --a------   C:\WINDOWS\QTFont.for
2008-01-14 11:17 . 2008-01-14 11:17   <DIR>   d--------   C:\Program Files\Axis Communications


Grisen

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #20 on: January 26, 2008, 08:34:25 AM »
(continued)

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 01:32   ---------   d-----w   C:\Program Files\Google
2008-01-23 02:04   ---------   d-----w   C:\Program Files\dl_cats
2008-01-22 20:54   360,064   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-01-22 20:54   360,064   ----a-w   C:\WINDOWS\system32\dllcache\tcpip.sys
2008-01-19 20:22   7,518   --sha-w   C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-20 22:46   1,482,579   ----a-w   C:\Program Files\AlphaChessHistory.dat
2007-11-07 09:26   721,920   ----a-w   C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26   721,920   ------w   C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42   3,590,656   ----a-w   C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43   1,287,680   ------w   C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 23:40   222,720   ----a-w   C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40   222,720   ----a-w   C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34   8,460,288   ----a-w   C:\WINDOWS\system32\dllcache\shell32.dll
.

(((((((((((((((((((((((((((((   snapshot@2008-01-25_ 4.25.45.59   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-25 10:17:42   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-26 07:01:56   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-25 10:17:42   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-26 07:01:56   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-25 10:17:43   3,698,688   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-26 07:01:56   3,715,072   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-25 10:17:43   98,304   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-26 07:01:56   98,304   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-25 10:17:43   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-26 07:01:56   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-25 10:17:43   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 07:01:56   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 06:32:43   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_c0.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE4F4014-3BF4-4CEB-B46C-3730A2340C4E}]
2007-08-07 08:30   798720   --a------   C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{6F4F95AF-1647-4B72-A632-055405455423}

[HKEY_CLASSES_ROOT\clsid\{6f4f95af-1647-4b72-a632-055405455423}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{6F4F95AF-1647-4B72-A632-055405455423}"= C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll [2007-08-07 08:30 798720]

[HKEY_CLASSES_ROOT\clsid\{6f4f95af-1647-4b72-a632-055405455423}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24 20480]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 21:57 395776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 18:48 761947]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 09:28 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 09:28 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 23:30 282624 C:\WINDOWS\stsystra.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 18:51 1032192]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2006-08-22 15:32 184320]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"dlcxmon.exe"="C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe" [2006-06-14 06:51 286720]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 926\memcard.exe" [2006-06-27 05:34 299008]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [2006-06-15 04:03 307200]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 11:06 106496]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]
"DLCXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-06-07 10:17 106496]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-11-10 11:52 34832]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 18:28:28 622653]
Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-12-12 04:52:29 7168]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-12-12 04:48:16 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-12-12 05:00 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\sessionmanager\appcertdlls]
appsecdll   REG_EXPAND_SZ     C:\WINDOWS\system32\AppCert\wsil32.dll

R3 dlcx_device;dlcx_device;C:\WINDOWS\system32\dlcxcoms.exe [2006-05-18 14:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8a4e59e-c94e-11dc-aafb-00188ba682e6}]
\Shell\AutoRun\command - F:\
\Shell\open\Command - .\autorun.exe explore

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 06:35:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-26 06:32:44 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-24 19:30:52 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 01:03:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
---------

JAVA 6 update 4 now appears in Add / Remove Programs :)

Lingering symptoms :

- Windows Security Center (red shield in systray) says ZoneAlarm is turned off, even though it appears to be running in the systray.  It gives the option to enable the Windows firewall but reports it's still impossible to start the Windows Firewall / Internet Connection Sharing (ICS) services.  Starting the service through Administrative tools also doesn't work.
- When Avast loads, Avast warnings pop up saying that it will not be able to protect outgoing and incoming email and news (Error 10050.)
- Was finally able to uninstall AVG anti-spyware, loaded after the problem started.  Program hung and never functioned and wouldn't uninstall. :D
- Trying to connect wirelessly and run > ipconfig flashes a command prompt window that disappears right away.  Dell connection assistant shows excellent connection to my local network, but an IP address of 0.0.0.0. (Wireless zero config turned off).  Ethernet also doesn't work-- the normal connection for this machine.  (Loss of internet connectivity was the first result of the infection.)  IE7 cannot connect.

Grisen

Offline essexboy

Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #21 on: January 26, 2008, 01:05:59 PM »

In control panel click on Administrative Tools, then Services, from the list of services find Windows Management Instrumentation right click mouse and from dropdown list stop the service.

Find folder C:\windows\system32\wbem, inside this folder identify the repository folder and delete ONLY this folder (the repository folder) from your computer.

In Administrative Tools find Windows Management Instrumentation service again, and re-start the service by right clicking mouse and pressing start from dropdown list. Restarting this service re-builds the repository folder database on your computer, which should now only contain information about your currently installed antivirus & firewall programs.

To reset the Windows Security Centre you must re-boot your computer.

Let us know how it goes.
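The same repository rebuild as a cmd script, added here as an example (it is not essexboy's own procedure or code). It assumes the XP service names winmgmt (WMI), wscsvc (Security Center) and SharedAccess (Windows Firewall / Internet Connection Sharing), and it renames the repository folder instead of deleting it so the step can be undone.

```batch
@echo off
rem Added example, not from the thread: rebuild the WMI repository as the
rem post above describes, then check the services that Security Center and
rem the Windows Firewall depend on. Run from an administrator cmd prompt.
rem Assumed service names: winmgmt (WMI), wscsvc (Security Center),
rem SharedAccess (Windows Firewall / Internet Connection Sharing).
setlocal
set WBEM=%SystemRoot%\system32\wbem

rem 1. Stop WMI; /y answers "yes" to stopping dependent services (e.g. wscsvc).
net stop winmgmt /y
sc query winmgmt | find "STOPPED" >nul
if errorlevel 1 (
    echo The WMI service is still running - not touching the repository.
    exit /b 1
)

rem 2. Move the old repository aside rather than deleting it, so the change
rem    is reversible (rename repository.old back if anything goes wrong).
if exist "%WBEM%\repository" (
    if exist "%WBEM%\repository.old" rd /s /q "%WBEM%\repository.old"
    ren "%WBEM%\repository" repository.old
)
if exist "%WBEM%\repository" (
    echo Rename failed - something still holds the repository open.
    net start winmgmt
    exit /b 1
)

rem 3. Restarting WMI recreates an empty repository, which is repopulated
rem    from the installed providers (including the AV and firewall products).
net start winmgmt
net start wscsvc

rem 4. The lingering symptom in the thread: the firewall service refuses to
rem    start. Show its state before and after so the error code is visible.
sc query SharedAccess | find "STATE"
net start SharedAccess
sc query SharedAccess | find "STATE"
netsh firewall show state

echo Reboot now so Security Center re-reads the rebuilt repository.
endlocal
```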

Grisen

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #22 on: January 26, 2008, 09:36:31 PM »
Thanks for hanging in there with me   :)

Ran chkdsk last night.  Auto reboot into Windows came with the following message-- note the misspelling of "Winidow":

CL RC Engine3 Dummy Winidow: PCMService.exe - Application Error
The instruction at "0x004023cc" referenced memory at "0x00000001". The memory could not be "read".

Click on OK to terminate the program
Click on CANCEL to debug the program

----


On reboot new Repository folder in wbem:  same Avast mail scanner warnings: Error 10050  Avast will not be able to protect incoming mail....outgoing mail (etc).  Different warning balloon from systray "Your computer might be at risk, no firewall is turned on"  (instead of "ZoneAlarm is turned off") and the big "Z" sitting next to it.  Tried to turn on Windows firewall, same error message as before, "the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?" Clicked yes and got same as before "Windows cannot start the ICS service"

I installed ZoneAlarm after the infection when Windows firewall had quit, maybe that's why it's messed up.  I'll try a remove/reinstall before your next post and see how it acts.

Can we say this machine is (or nearly) virus free, and we're dealing with the aftermath of the trojan, or are there still nasties, IYO?

Your thoughts about the internet connectivity issue?

Thanks again!
Grisen

Grisen

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #23 on: January 26, 2008, 10:00:42 PM »
(continued)

Reinstalled ZA: Security Center says "Zone Alarm is installed but its status is unknown".  Funny that ZA didn't include IE7 in its list of programs: only LSA Shell (Export Version), Service Executable, and Windows Explorer.  Trying a manual update of Avast doesn't trigger a ZA popup (related to no internet connection?).  Neither does Dell Updates.

Offline essexboy

Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #24 on: January 27, 2008, 12:23:46 AM »
Let's have a nice deep look, shall we? Also, did you have another AV before you installed Avast?

Download WinPFind3u.exe  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and attach the log. I will review it when it comes in.

Grisen

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #25 on: January 27, 2008, 12:56:18 AM »
BTW got wireless going by replacing TCPIP.sys in C:\WINDOWS\SYSTEM32\DRIVERS from D:\I386\TCPIP.sy_.  Avast errors and error messages regarding ZoneAlarm stopped.  ZA is functioning normally, although WMI is asking to contact internet and also act as a server (?).

Other AV prior to Avast was TrendMicro, which said it quarantined the nasty as it loaded from a drive-by site, but it had already spread / done damage.  Replaced TrendMicro on this (friend's) machine with Avast post-infection.

You folks have been super, btw.

Here is the log:

WinPFind3 logfile created on: 1/26/2008 5:40:47 PM
WinPFind3U by OldTimer - Version 1.0.44   Folder = C:\Documents and Settings\John\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
 
2.00 Gb Total Physical Memory | 1.29 Gb Available Physical Memory | 64.77% Memory free
3.85 Gb Paging File | 3.20 Gb Available in Paging File | 83.17% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 106.26 Gb Total Space | 92.79 Gb Free Space | 87.32% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 244.63 Mb Total Space | 2.89 Mb Free Space | 1.18% Space Free

Computer Name: D486V7C1
Current User Name: John
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
a2service.exe -> %ProgramFiles%\a-squared Free\a2service.exe -> Emsi Software GmbH [Ver = 3.0.0.384 | Size = 366712 bytes | Modified Date = 1/7/2008 5:56:32 PM | Attr =    ]
aolacsd.exe -> %CommonProgramFiles%\AOL\ACS\AOLacsd.exe -> America Online, Inc. [Ver = 2.0.20.1.US.1         | Size = 1135728 bytes | Modified Date = 4/7/2004 12:07:32 PM | Attr =    ]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 12/4/2007 7:00:24 AM | Attr =    ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 247160 bytes | Modified Date = 12/4/2007 6:59:54 AM | Attr =    ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 12/4/2007 7:00:16 AM | Attr =    ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 345464 bytes | Modified Date = 12/4/2007 6:59:02 AM | Attr =    ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 12/4/2007 8:36:34 AM | Attr =    ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4133 | Size = 409600 bytes | Modified Date = 5/23/2006 1:59:38 PM | Attr =    ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4133 | Size = 409600 bytes | Modified Date = 5/23/2006 1:59:38 PM | Attr =    ]
btstac~1.exe -> %ProgramFiles%\WIDCOMM\Bluetooth Software\BTStackServer.exe -> Broadcom Corporation. [Ver = 5.0.1.2609 | Size = 1372244 bytes | Modified Date = 5/24/2006 6:27:10 PM | Attr =    ]
bttray.exe -> %ProgramFiles%\WIDCOMM\Bluetooth Software\BTTray.exe -> Broadcom Corporation. [Ver = 5.0.1.2609 | Size = 622653 bytes | Modified Date = 5/24/2006 6:28:28 PM | Attr =    ]
btwdins.exe -> %ProgramFiles%\WIDCOMM\Bluetooth Software\bin\btwdins.exe -> Broadcom Corporation. [Ver = 5.0.1.2609 | Size = 266295 bytes | Modified Date = 5/24/2006 6:21:28 PM | Attr =    ]
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 1/2/2006 5:41:22 PM | Attr =    ]
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 1/2/2006 5:41:22 PM | Attr =    ]
dlcxcoms.exe -> %System32%\dlcxcoms.exe ->   [Ver = 6.2.28.0 | Size = 495616 bytes | Modified Date = 5/18/2006 2:36:10 PM | Attr =    ]
dlcxmon.exe -> %ProgramFiles%\Dell Photo AIO Printer 926\dlcxmon.exe ->  [Ver = 0.1.25.0 | Size = 286720 bytes | Modified Date = 6/14/2006 6:51:38 AM | Attr =    ]
dlg.exe -> %ProgramFiles%\Digital Line Detect\DLG.exe -> BVRP Software [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 10/29/2003 2:06:00 AM | Attr =    ]
dot1xcfg.exe -> %ProgramFiles%\Intel\Wireless\Bin\Dot1XCfg.exe -> Intel Corporation [Ver = 10, 1, 1, 84 | Size = 397381 bytes | Modified Date = 5/1/2006 9:26:14 AM | Attr =    ]
dsagnt.exe -> %ProgramFiles%\Dell Support\DSAgnt.exe -> Gteko Ltd. [Ver = 2, 1, 3, 176 | Size = 395776 bytes | Modified Date = 8/28/2006 9:57:12 PM | Attr =    ]
evteng.exe -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> Intel Corporation [Ver = 10, 1, 1, 1 | Size = 114753 bytes | Modified Date = 5/1/2006 9:20:52 AM | Attr =    ]
ezi_hnm2.exe -> %ProgramFiles%\Dell Network Assistant\ezi_hnm2.exe -> SingleClick Systems [Ver = 1, 0, 9, 0 | Size = 1082664 bytes | Modified Date = 8/27/2007 11:12:28 AM | Attr =    ]
hnm_svc.exe -> %ProgramFiles%\Dell Network Assistant\hnm_svc.exe -> SingleClick Systems [Ver = 1, 0, 4, 0 | Size = 111912 bytes | Modified Date = 8/27/2007 9:36:34 AM | Attr =    ]
ifrmewrk.exe -> %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe -> Intel Corporation [Ver = 10, 1, 1, 19 | Size = 602182 bytes | Modified Date = 5/1/2006 9:28:26 AM | Attr =    ]
issch.exe -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> InstallShield Software Corporation [Ver = 4, 50, 100, 33433 | Size = 81920 bytes | Modified Date = 6/10/2005 10:44:02 AM | Attr =    ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_04\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.40.12 | Size = 144784 bytes | Modified Date = 12/14/2007 3:42:38 AM | Attr =    ]
mediadetect.exe -> %ProgramFiles%\Corel\Corel Photo Album 6\MediaDetect.exe -> Corel, Inc. [Ver = 6.0.0 (20050831.10) | Size = 106496 bytes | Modified Date = 8/31/2005 11:06:18 AM | Attr =    ]
memcard.exe -> %ProgramFiles%\Dell Photo AIO Printer 926\memcard.exe ->  [Ver = 1.0.18.1 | Size = 299008 bytes | Modified Date = 6/27/2006 5:34:50 AM | Attr =    ]
netwaiting.exe -> %ProgramFiles%\NetWaiting\netWaiting.exe ->  [Ver =  | Size = 20480 bytes | Modified Date = 9/10/2003 2:24:00 AM | Attr =    ]
pcmservice.exe -> %ProgramFiles%\Dell\MediaDirect\PCMService.exe -> CyberLink Corp. [Ver = 4, 5, 0, 0 | Size = 184320 bytes | Modified Date = 8/22/2006 3:32:18 PM | Attr =    ]
quickset.exe -> %ProgramFiles%\Dell\QuickSet\quickset.exe -> Dell Inc [Ver = 7, 1, 12, 0 | Size = 1032192 bytes | Modified Date = 8/3/2006 6:51:42 PM | Attr =    ]
regsrvc.exe -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> Intel Corporation [Ver = 10, 1, 1, 1 | Size = 217164 bytes | Modified Date = 5/1/2006 9:20:26 AM | Attr =    ]
s24evmon.exe -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> Intel Corporation  [Ver = 10, 1, 1, 34 | Size = 540745 bytes | Modified Date = 5/1/2006 9:22:42 AM | Attr =    ]
sprtcmd.exe -> %ProgramFiles%\Dell Support Center\bin\sprtcmd.exe -> SupportSoft, Inc. [Ver = 7.0.585.0 | Size = 202544 bytes | Modified Date = 11/15/2007 9:23:56 AM | Attr =    ]
sprtsvc.exe -> %ProgramFiles%\Dell Support Center\bin\sprtsvc.exe -> SupportSoft, Inc. [Ver = 7.0.585.0 | Size = 202544 bytes | Modified Date = 11/15/2007 9:23:56 AM | Attr =    ]
stsystra.exe -> %SystemRoot%\stsystra.exe -> SigmaTel, Inc. [Ver = 1.0.4995.1  nd446 cp1 | Size = 282624 bytes | Modified Date = 3/24/2006 11:30:44 PM | Attr =    ]
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.2.4.6 08Mar06 | Size = 761947 bytes | Modified Date = 3/8/2006 6:48:02 PM | Attr =    ]
tfswctrl.exe -> %System32%\dla\tfswctrl.exe -> Sonic Solutions [Ver = 1.04.08a | Size = 127035 bytes | Modified Date = 12/6/2004 1:05:00 AM | Attr =    ]
vsmon.exe -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 75304 bytes | Modified Date = 11/14/2007 4:05:06 PM | Attr =    ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.44.0 | Size = 371200 bytes | Modified Date = 11/21/2007 9:19:46 AM | Attr =    ]
wlkeeper.exe -> %ProgramFiles%\Intel\Wireless\Bin\WLKEEPER.exe -> Intel(R) Corporation [Ver = 10, 1, 1, 28 | Size = 262217 bytes | Modified Date = 5/1/2006 9:34:00 AM | Attr =    ]
zcfgsvc.exe -> %ProgramFiles%\Intel\Wireless\Bin\ZCfgSvc.exe -> Intel Corporation [Ver = 10, 1, 1, 45 | Size = 667718 bytes | Modified Date = 5/1/2006 9:28:06 AM | Attr =    ]
zlclient.exe -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 919016 bytes | Modified Date = 11/14/2007 4:05:06 PM | Attr =    ]


Grisen

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #26 on: January 27, 2008, 01:06:31 AM »
(continued)

[Win32 Services - Non-Microsoft Only]
(a2free) a-squared Free Service [Win32_Own | Auto | Running] -> %ProgramFiles%\a-squared Free\a2service.exe -> Emsi Software GmbH [Ver = 3.0.0.384 | Size = 366712 bytes | Modified Date = 1/7/2008 5:56:32 PM | Attr =    ]
(AOL ACS) AOL Connectivity Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\AOL\ACS\AOLacsd.exe -> America Online, Inc. [Ver = 2.0.20.1.US.1         | Size = 1135728 bytes | Modified Date = 4/7/2004 12:07:32 PM | Attr =    ]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 12/4/2007 8:36:34 AM | Attr =    ]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4133 | Size = 409600 bytes | Modified Date = 5/23/2006 1:59:38 PM | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 12/4/2007 7:00:16 AM | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 247160 bytes | Modified Date = 12/4/2007 6:59:54 AM | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 345464 bytes | Modified Date = 12/4/2007 6:59:02 AM | Attr =    ]
(btwdins) Bluetooth Service [Win32_Own | Auto | Running] -> %ProgramFiles%\WIDCOMM\Bluetooth Software\bin\btwdins.exe -> Broadcom Corporation. [Ver = 5.0.1.2609 | Size = 266295 bytes | Modified Date = 5/24/2006 6:21:28 PM | Attr =    ]
(dlcx_device) dlcx_device [Win32_Own | On_Demand | Running] -> %System32%\dlcxcoms.exe ->   [Ver = 6.2.28.0 | Size = 495616 bytes | Modified Date = 5/18/2006 2:36:10 PM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 5:00:00 AM | Attr =    ]
(EvtEng) Intel(R) PROSet/Wireless Event Log [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> Intel Corporation [Ver = 10, 1, 1, 1 | Size = 114753 bytes | Modified Date = 5/1/2006 9:20:52 AM | Attr =    ]
(hnmsvc) Advanced Networking Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Dell Network Assistant\hnm_svc.exe -> SingleClick Systems [Ver = 1, 0, 4, 0 | Size = 111912 bytes | Modified Date = 8/27/2007 9:36:34 AM | Attr =    ]
(RegSrvc) Intel(R) PROSet/Wireless Registry Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> Intel Corporation [Ver = 10, 1, 1, 1 | Size = 217164 bytes | Modified Date = 5/1/2006 9:20:26 AM | Attr =    ]
(S24EventMonitor) Intel(R) PROSet/Wireless Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> Intel Corporation  [Ver = 10, 1, 1, 34 | Size = 540745 bytes | Modified Date = 5/1/2006 9:22:42 AM | Attr =    ]
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Running] -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 75304 bytes | Modified Date = 11/14/2007 4:05:06 PM | Attr =    ]
(WLANKEEPER) Intel(R) PROSet/Wireless SSO Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\WLKEEPER.exe -> Intel(R) Corporation [Ver = 10, 1, 1, 28 | Size = 262217 bytes | Modified Date = 5/1/2006 9:34:00 AM | Attr =    ]
(sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter) [Win32_Own | Auto | Running] -> %ProgramFiles%\Dell Support Center\bin\sprtsvc.exe -> SupportSoft, Inc. [Ver = 7.0.585.0 | Size = 202544 bytes | Modified Date = 11/15/2007 9:23:56 AM | Attr =    ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
ATICCC -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 1/2/2006 5:41:22 PM | Attr =    ]
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 12/4/2007 7:00:24 AM | Attr =    ]
Corel Photo Downloader -> %ProgramFiles%\Corel\Corel Photo Album 6\MediaDetect.exe -> Corel, Inc. [Ver = 6.0.0 (20050831.10) | Size = 106496 bytes | Modified Date = 8/31/2005 11:06:18 AM | Attr =    ]
Dell QuickSet -> %ProgramFiles%\Dell\QuickSet\quickset.exe -> Dell Inc [Ver = 7, 1, 12, 0 | Size = 1032192 bytes | Modified Date = 8/3/2006 6:51:42 PM | Attr =    ]
dla -> %System32%\dla\tfswctrl.exe -> Sonic Solutions [Ver = 1.04.08a | Size = 127035 bytes | Modified Date = 12/6/2004 1:05:00 AM | Attr =    ]
DLCXCATS -> %System32%\spool\drivers\w32x86\3\dlcxtime.dll [rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16] ->  [Ver = 1.20.0.0 | Size = 106496 bytes | Modified Date = 6/7/2006 10:17:18 AM | Attr =    ]
dlcxmon.exe -> %ProgramFiles%\Dell Photo AIO Printer 926\dlcxmon.exe ->  [Ver = 0.1.25.0 | Size = 286720 bytes | Modified Date = 6/14/2006 6:51:38 AM | Attr =    ]
dscactivate -> %ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe ->   [Ver = 1.0.2767.18581 | Size = 16384 bytes | Modified Date = 11/15/2007 9:24:00 AM | Attr =    ]
FaxCenterServer -> %ProgramFiles%\Dell PC Fax\fm3032.exe ->  [Ver = 0.1.35.8 | Size = 307200 bytes | Modified Date = 6/15/2006 4:03:30 AM | Attr =    ]
IntelWireless -> %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe -> Intel Corporation [Ver = 10, 1, 1, 19 | Size = 602182 bytes | Modified Date = 5/1/2006 9:28:26 AM | Attr =    ]
IntelZeroConfig -> %ProgramFiles%\Intel\Wireless\Bin\ZCfgSvc.exe -> Intel Corporation [Ver = 10, 1, 1, 45 | Size = 667718 bytes | Modified Date = 5/1/2006 9:28:06 AM | Attr =    ]
ISUSPM Startup -> %CommonProgramFiles%\InstallShield\UpdateService\ISUSPM.exe -> InstallShield Software Corporation [Ver = 4, 50, 100, 33433 | Size = 249856 bytes | Modified Date = 6/10/2005 10:44:02 AM | Attr =    ]
ISUSScheduler -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> InstallShield Software Corporation [Ver = 4, 50, 100, 33433 | Size = 81920 bytes | Modified Date = 6/10/2005 10:44:02 AM | Attr =    ]
MemoryCardManager -> %ProgramFiles%\Dell Photo AIO Printer 926\memcard.exe ->  [Ver = 1.0.18.1 | Size = 299008 bytes | Modified Date = 6/27/2006 5:34:50 AM | Attr =    ]
PCMService -> %ProgramFiles%\Dell\MediaDirect\PCMService.exe -> CyberLink Corp. [Ver = 4, 5, 0, 0 | Size = 184320 bytes | Modified Date = 8/22/2006 3:32:18 PM | Attr =    ]
SigmatelSysTrayApp -> %SystemRoot%\stsystra.exe -> SigmaTel, Inc. [Ver = 1.0.4995.1  nd446 cp1 | Size = 282624 bytes | Modified Date = 3/24/2006 11:30:44 PM | Attr =    ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_04\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.40.12 | Size = 144784 bytes | Modified Date = 12/14/2007 3:42:38 AM | Attr =    ]
SynTPEnh -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.2.4.6 08Mar06 | Size = 761947 bytes | Modified Date = 3/8/2006 6:48:02 PM | Attr =    ]
ZoneAlarm Client -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 919016 bytes | Modified Date = 11/14/2007 4:05:06 PM | Attr =    ]

Grisen

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #27 on: January 27, 2008, 01:12:26 AM »
(continued)

ZoneAlarm Client -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 919016 bytes | Modified Date = 11/14/2007 4:05:06 PM | Attr =    ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
DellSupport -> %ProgramFiles%\Dell Support\DSAgnt.exe -> Gteko Ltd. [Ver = 2, 1, 3, 176 | Size = 395776 bytes | Modified Date = 8/28/2006 9:57:12 PM | Attr =    ]
DellSupportCenter -> %ProgramFiles%\Dell Support Center\bin\sprtcmd.exe -> SupportSoft, Inc. [Ver = 7.0.585.0 | Size = 202544 bytes | Modified Date = 11/15/2007 9:23:56 AM | Attr =    ]
ModemOnHold -> %ProgramFiles%\NetWaiting\netWaiting.exe ->  [Ver =  | Size = 20480 bytes | Modified Date = 9/10/2003 2:24:00 AM | Attr =    ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 9/23/2005 10:05:26 PM | Attr =    ]
%AllUsersStartup%\Bluetooth.lnk -> %ProgramFiles%\WIDCOMM\Bluetooth Software\BTTray.exe -> Broadcom Corporation. [Ver = 5.0.1.2609 | Size = 622653 bytes | Modified Date = 5/24/2006 6:28:28 PM | Attr =    ]
%AllUsersStartup%\Dell Network Assistant.lnk -> %SystemRoot%\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe ->  [Ver =  | Size = 7168 bytes | Modified Date = 10/28/2007 9:22:20 AM | Attr = R  ]
%AllUsersStartup%\Digital Line Detect.lnk -> %ProgramFiles%\Digital Line Detect\DLG.exe -> BVRP Software [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 10/29/2003 2:06:00 AM | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
AtiExtEvent -> %System32%\ati2evxx.dll -> ATI Technologies Inc. [Ver = 6.14.10.4133 | Size = 61440 bytes | Modified Date = 5/23/2006 2:00:44 PM | Attr =    ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\\ScanWithAntiVirus -> 2 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ ->  ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ ->  ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1       localhost ->  ->

Grisen

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #28 on: January 27, 2008, 01:15:49 AM »
(continued)

< Internet Explorer Settings > ->  ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.google.com ->
HKLM: Start Page -> http://www.msn.com ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar ->  ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> http://www.msn.com ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] ->  ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.7.2006011200 | Size = 63128 bytes | Modified Date = 1/12/2006 8:38:22 PM | Attr =    ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Reg Data - Value does not exist] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr =    ]
{5CA3D70E-1895-11CF-8E15-001234567890} [HKLM] -> %System32%\dla\tfswshx.dll [DriveLetterAccess] -> Sonic Solutions [Ver = 1.04.08a | Size = 118842 bytes | Modified Date = 12/6/2004 1:05:00 AM | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_04\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.40.12 | Size = 509328 bytes | Modified Date = 12/14/2007 3:42:36 AM | Attr =    ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1306, 3130 | Size = 2193280 bytes | Modified Date = 12/12/2006 5:03:14 AM | Attr = R  ]
{AE4F4014-3BF4-4CEB-B46C-3730A2340C4E} [HKLM] -> %ProgramFiles%\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll [100% Free Chess Toolbar Helper] ->  [Ver = 3,2,0,0 | Size = 798720 bytes | Modified Date = 8/7/2007 8:30:12 AM | Attr =    ]
{CA6319C0-31B7-401E-A518-A07C3DB8F777} [HKLM] -> %ProgramFiles%\BAE\BAE.dll [CBrowserHelperObject Object] -> Dell Inc. [Ver = 1.2.0.2 | Size = 98304 bytes | Modified Date = 11/17/2006 11:46:38 AM | Attr =    ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1306, 3130 | Size = 2193280 bytes | Modified Date = 12/12/2006 5:03:14 AM | Attr = R  ]
{6F4F95AF-1647-4B72-A632-055405455423} [HKLM] -> %ProgramFiles%\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll [100% Free Chess Toolbar] ->  [Ver = 3,2,0,0 | Size = 798720 bytes | Modified Date = 8/7/2007 8:30:12 AM | Attr =    ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1306, 3130 | Size = 2193280 bytes | Modified Date = 12/12/2006 5:03:14 AM | Attr = R  ]
WebBrowser\\{6F4F95AF-1647-4B72-A632-055405455423} [HKLM] -> %ProgramFiles%\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll [100% Free Chess Toolbar] ->  [Ver = 3,2,0,0 | Size = 798720 bytes | Modified Date = 8/7/2007 8:30:12 AM | Attr =    ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_04\bin\npjpi160_04.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.40.12 | Size = 132496 bytes | Modified Date = 12/14/2007 3:42:38 AM | Attr =    ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.6.0_04\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.40.12 | Size = 509328 bytes | Modified Date = 12/14/2007 3:42:36 AM | Attr =    ]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel ->  -> File not found
Send to &Bluetooth Device... -> %ProgramFiles%\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ->  [Ver =  | Size = 1320 bytes | Modified Date = 5/29/2003 1:53:12 PM | Attr =    ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{1E38284A-62D1-4BE9-B6E7-73417C66E90D} ->    (Broadcom 440x 10/100 Integrated Controller) ->
{50A86D13-7F43-445B-A4E9-656BAD816FC0} ->    (Intel(R) PRO/Wireless 3945ABG Network Connection) ->
{D0DC9AA9-F65E-4617-B8E0-21D306789479} ->    (1394 Net Adapter) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168913282796 ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_04 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab ->
{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_04 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_04 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab ->
{DE625294-70E6-45ED-B895-CFFA13AEB044} -> AxisMediaControlEmb Class - CodeBase = http://207.5.168.68/activex/AMC.cab ->
{F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} -> ActiveCGM Control - CodeBase = http://mobilecountymaps.siteonestudio.com/taxmaps/acgm/acgm.cab ->

Grisen

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #29 on: January 27, 2008, 01:16:56 AM »
(continued)

[Files/Folders - Created Within 30 days]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Created Date = 1/25/2008 10:39:57 PM | Attr =    ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 2145845248 bytes | Created Date = 1/1/1601 6:00:00 AM | Attr =  HS]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Created Date = 1/25/2008 4:16:37 AM | Attr =    ]
$NtUninstallKB941644$ -> %SystemRoot%\$NtUninstallKB941644$ ->  [Folder | Created Date = 1/10/2008 4:44:43 PM | Attr =  H ]
$NtUninstallKB943485$ -> %SystemRoot%\$NtUninstallKB943485$ ->  [Folder | Created Date = 1/10/2008 4:44:34 PM | Attr =  H ]
ctfile.rfc -> %SystemRoot%\ctfile.rfc ->  [Ver =  | Size = 424 bytes | Created Date = 1/26/2008 5:31:45 PM | Attr = RH ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 1/25/2008 4:17:39 AM | Attr =    ]
inres.dll -> %SystemRoot%\inres.dll -> Creative Technology Limited [Ver = 1, 0, 9, 0 | Size = 11776 bytes | Created Date = 1/26/2008 5:31:45 PM | Attr =    ]
Internet Logs -> %SystemRoot%\Internet Logs ->  [Folder | Created Date = 1/24/2008 7:42:49 PM | Attr =    ]
LastGood -> %SystemRoot%\LastGood ->  [Folder | Created Date = 1/26/2008 5:31:46 PM | Attr =    ]
Nircmd.exe -> %SystemRoot%\Nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 1/25/2008 4:16:22 AM | Attr =    ]
pss -> %SystemRoot%\pss ->  [Folder | Created Date = 1/24/2008 8:00:53 PM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Created Date = 1/22/2008 2:49:15 PM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Created Date = 1/22/2008 2:49:15 PM | Attr =  H ]
zllsputility.exe -> %SystemRoot%\zllsputility.exe -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 75248 bytes | Created Date = 1/26/2008 2:45:40 PM | Attr =    ]
actskin4.ocx -> %System32%\actskin4.ocx ->  [Ver = 4, 2, 7, 3 | Size = 380928 bytes | Created Date = 1/24/2008 11:32:20 AM | Attr =    ]
AppCert -> %System32%\AppCert ->  [Folder | Created Date = 1/22/2008 2:50:11 PM | Attr =    ]
appmgmt -> %System32%\appmgmt ->  [Folder | Created Date = 1/26/2008 1:07:48 AM | Attr =    ]
aswBoot.exe -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 837496 bytes | Created Date = 1/24/2008 11:32:20 AM | Attr =    ]
AvastSS.scr -> %System32%\AvastSS.scr -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 95608 bytes | Created Date = 1/24/2008 11:32:31 AM | Attr =    ]
CiEcho.dll -> %System32%\CiEcho.dll -> Creative Technology Limited [Ver = 0, 0, 0, 3 | Size = 40448 bytes | Created Date = 1/26/2008 5:31:45 PM | Attr =    ]
cifilter.dll -> %System32%\cifilter.dll -> Creative Technology Ltd [Ver = 1, 0, 0, 22 | Size = 160768 bytes | Created Date = 1/26/2008 5:31:40 PM | Attr =    ]
CiFilter.ini -> %System32%\CiFilter.ini ->  [Ver =  | Size = 22629 bytes | Created Date = 1/26/2008 5:31:45 PM | Attr =    ]
ct4mgm.sf2 -> %System32%\ct4mgm.sf2 ->  [Ver =  | Size = 4174814 bytes | Created Date = 1/26/2008 5:31:48 PM | Attr =    ]
default4.sfm -> %System32%\default4.sfm ->  [Ver =  | Size = 59 bytes | Created Date = 1/26/2008 5:31:48 PM | Attr =    ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.40.12 | Size = 135168 bytes | Created Date = 1/26/2008 1:17:03 AM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.40.12 | Size = 69632 bytes | Created Date = 1/26/2008 1:17:03 AM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.40.12 | Size = 135168 bytes | Created Date = 1/26/2008 1:17:03 AM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.40.12 | Size = 139264 bytes | Created Date = 1/26/2008 1:17:03 AM | Attr =    ]
libeay32_0.9.6l.dll -> %System32%\libeay32_0.9.6l.dll ->  [Ver =  | Size = 796048 bytes | Created Date = 1/26/2008 2:45:24 PM | Attr =    ]
sfman32.dll -> %System32%\sfman32.dll -> Creative Technology Ltd [Ver = 5.12.01.0130-1.00.0000 | Size = 20992 bytes | Created Date = 1/26/2008 5:31:48 PM | Attr =    ]
sfms32.dll -> %System32%\sfms32.dll -> Creative Technology Ltd [Ver = 5.12.01.1081-2.04.0050 | Size = 115200 bytes | Created Date = 1/26/2008 5:31:48 PM | Attr =    ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.11 | Size = 156160 bytes | Created Date = 1/25/2008 4:16:22 AM | Attr =    ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 1/25/2008 4:16:22 AM | Attr =    ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 1/25/2008 4:16:22 AM | Attr =    ]
VFind.exe -> %System32%\VFind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 1/25/2008 4:16:22 AM | Attr =    ]
vsconfig.xml -> %System32%\vsconfig.xml ->  [Ver =  | Size = 353365 bytes | Created Date = 1/26/2008 2:45:16 PM | Attr =    ]
vsdata.dll -> %System32%\vsdata.dll -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 83432 bytes | Created Date = 1/26/2008 2:44:48 PM | Attr =    ]
vsdatant.sys -> %System32%\vsdatant.sys -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 394952 bytes | Created Date = 1/26/2008 2:45:16 PM | Attr =    ]
vsinit.dll -> %System32%\vsinit.dll -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 157160 bytes | Created Date = 1/26/2008 2:44:48 PM | Attr =    ]
vsmonapi.dll -> %System32%\vsmonapi.dll -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 103912 bytes | Created Date = 1/26/2008 2:45:17 PM | Attr =    ]
vspubapi.dll -> %System32%\vspubapi.dll -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 275944 bytes | Created Date = 1/26/2008 2:45:17 PM | Attr =    ]
vsregexp.dll -> %System32%\vsregexp.dll -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 71144 bytes | Created Date = 1/26/2008 2:45:24 PM | Attr =    ]
vsutil.dll -> %System32%\vsutil.dll -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 472552 bytes | Created Date = 1/26/2008 2:44:48 PM | Attr =    ]
vswmi.dll -> %System32%\vswmi.dll -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 46568 bytes | Created Date = 1/26/2008 2:45:18 PM | Attr =    ]
vsxml.dll -> %System32%\vsxml.dll -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 99816 bytes | Created Date = 1/26/2008 2:45:17 PM | Attr =    ]
zlcomm.dll -> %System32%\zlcomm.dll -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 83432 bytes | Created Date = 1/26/2008 2:45:23 PM | Attr =    ]
zlcommdb.dll -> %System32%\zlcommdb.dll -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 71144 bytes | Created Date = 1/26/2008 2:45:23 PM | Attr =    ]
zllictbl.dat -> %System32%\zllictbl.dat ->  [Ver =  | Size = 4212 bytes | Created Date = 1/24/2008 7:43:51 PM | Attr =  H ]
ZoneLabs -> %System32%\ZoneLabs ->  [Folder | Created Date = 1/24/2008 7:43:16 PM | Attr =    ]
zpeng24.dll -> %System32%\zpeng24.dll -> Python Software Foundation [Ver = 2.4.2 | Size = 1086952 bytes | Created Date = 1/26/2008 2:45:17 PM | Attr =    ]
aavmker4.sys -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 26624 bytes | Created Date = 1/24/2008 11:32:33 AM | Attr =    ]
aswmon.sys -> %System32%\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 93264 bytes | Created Date = 1/24/2008 11:32:31 AM | Attr =    ]
aswmon2.sys -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 94544 bytes | Created Date = 1/24/2008 11:32:31 AM | Attr =    ]
aswRdr.sys -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 23152 bytes | Created Date = 1/24/2008 11:32:35 AM | Attr =    ]
aswTdi.sys -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 42912 bytes | Created Date = 1/24/2008 11:32:34 AM | Attr =    ]
ctoss2k.sys -> %System32%\drivers\ctoss2k.sys -> Creative Technology Ltd. [Ver = 5.12.01.1081-2.04.0050 | Size = 106496 bytes | Created Date = 1/26/2008 5:31:48 PM | Attr =    ]
ctsfm2k.sys -> %System32%\drivers\ctsfm2k.sys -> Creative Technology Ltd [Ver = 5.12.01.1081-2.04.0050 | Size = 138752 bytes | Created Date = 1/26/2008 5:31:48 PM | Attr =    ]
ctusfsyn.sys -> %System32%\drivers\ctusfsyn.sys -> Creative Technology Ltd. [Ver = 5.12.1.105 | Size = 158464 bytes | Created Date = 1/26/2008 5:31:48 PM | Attr =    ]
fidbox.dat -> %System32%\drivers\fidbox.dat ->  [Ver =  | Size = 497696 bytes | Created Date = 1/26/2008 2:48:44 PM | Attr =  HS]
fidbox.idx -> %System32%\drivers\fidbox.idx ->  [Ver =  | Size = 32 bytes | Created Date = 1/26/2008 2:48:44 PM | Attr =  HS]
klif.sys -> %System32%\drivers\klif.sys -> Kaspersky Lab [Ver = 7.0.0.122 | Size = 127768 bytes | Created Date = 1/26/2008 5:03:01 PM | Attr =    ]
monfilt.sys -> %System32%\drivers\monfilt.sys -> Creative Technology Ltd. [Ver = 5.10.0.4112 | Size = 1389056 bytes | Created Date = 1/26/2008 5:31:40 PM | Attr =    ]