suddenly slow PC and internet speed
-
suddenly slow PC and internet speed
Hello again guys,
Two weeks ago, NOD32 detected a virus and the following information is from the threat log:
26/02/2007 11:02:26 AM IMON archive http://prevedtraf.biz/adv/068/count.jar Java/ClassLoader.AA trojan Connection terminated OPTIMA-85704E5D\Dan
However, my pc began to slow considerably. After trying a few things that did not work, I restored to a back-up and it seemed to be OK.
Earlier this week it slowed down again. Whenever I check task manager to see what is using up my pc, it seems to be one of svchost.exe programs.
Because I have had assistance from you guys before, I run daily adware and spybot checks, and also run crap cleaner at the end of each internet session.
My internet speed (at the moment) is OK but last night, for example, it took me 10mins to download a 3KB email message!! I have spoken to my ISP about this and they suspected a virus at first but, when we pinged their website we got a 25% - 50% packet loss so they suspect a line problem. However, I am suspicious that my pc and internet speed slowed at the same time.
I have followed the initial instructions completely. Adaware and Spybot found nothing. Here is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:23:27 AM, on 10/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.optima.com.au/
O1 - Hosts: 207.210.117.53 www.winmx.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.optima.com.au
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30FE9B81-D822-4C15-80F7-E7D262AC5B7C}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{30FE9B81-D822-4C15-80F7-E7D262AC5B7C}: Domain = nsw.bigpond.net.au
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Will be grateful, as always, for your assistance.
Regards, Dan
-
Sorry for the delay Dan. Not much showing in that log and it sounds like you keep pretty good care of things. Let's look a little deeper than the scans you've run so far look.
- Let's get an Uninstall List from HijackThis:
- Open HijackThis, click Config, click Misc Tools
- Click "Open Uninstall Manager"
- Click "Save List" (generates uninstall_list.txt)
- Click Save, copy and paste the results in your next post.
- Kaspersky Online Scanner
Go to http://www.kaspersky.com/virusscanner
Note: This Scan requires Internet Explorer to run.
You will be promted to install an ActiveX component from Kaspersky, Click Yes.- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Archives
Scan Mail Bases
- Click OK
- Now under select a target to scan:
- This program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post with another HJT log.
- Please re-open HiJackThis and scan and save a new log file.
- Post Logs
- Uninstall List
- Kaspersky Results
- New Hijack This Log
-
Hi Scott,
Thank you for getting back to me - if only everything in life were as reliable as you guys at D-A-L.
I did exactly what you asked and the results are below. However, I did encounter a slight problem with the Kaspersky Online Scanner which might be a problem with my computer or their website:
When I clicked the Online Scanner button, it took me to a welcome page that also asked whether I would accept or decline their conditions. Of course I accepted and the download began. As you predicted, I was asked to allow the installation of an ActiveX component and I clicked to allow this. The problem was when I did this it took me back to the welcome page but this time the "Accept" and "Decline" buttons were no longer there. Therefore I could go no further. In the end, I had to leave my computer vulnerable by lowering the security level for the whole duration of the scan. You might have some ideas why this happened.
Here are the logs you asked for, in order:
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.7
Agere Systems PCI Soft Modem
a-squared Free 2.0
BigPond Broadband ADSL FAQ
Camera Plus
CCleaner (remove only)
Express Burn Uninstall
Express Rip Uninstall
Google Earth
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB929120)
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
ImageMixer VCD/DVD2 for OLYMPUS
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Join ME
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (1.5.0.10)
Mozilla Thunderbird (1.5.0.9)
MP3 Player Utilities 3.15
MP3 Player Utilities 3.68
MSXML 4.0 SP2 (KB927978)
Nero BurnRights
Nero Media Player
Nero OEM
NeroVision Express 3 SE
NOD32 Antivirus System
OLYMPUS Master
PowerDVD
RealPlayer
RecordPad Sound Recorder Uninstall
RegSupreme 1.4
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Shockwave
Skype 2.5
Switch Uninstall
TeVeo VIDiO Suite
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
USB2.0 PC Camera (SN9C201&202)
WavePad Uninstall
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893056
Windows XP Hotfix - KB896626
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 12, 2007 1:25:13 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 12/03/2007
Kaspersky Anti-Virus database records: 280503
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
I:\
Scan Statistics:
Total number of scanned objects: 59597
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:03:54
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Skype\heather.white1\call256.dbb Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Skype\heather.white1\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Skype\heather.white1\chat512.dbb Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Skype\heather.white1\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Skype\heather.white1\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Skype\heather.white1\chatmsg8192.dbb Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Skype\heather.white1\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Skype\heather.white1\index2.dat Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Skype\heather.white1\profile256.dbb Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Skype\heather.white1\user1024.dbb Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Skype\heather.white1\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Dan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\History\History.IE5\MSHist012007031220070 313\index.dat Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\Temp\~DFA296.tmp Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\Temp\~DFA2A1.tmp Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{92E2A8DD-3C9B-4919-B18B-C7757E1A1373}\RP154\A0007479.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{92E2A8DD-3C9B-4919-B18B-C7757E1A1373}\RP215\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.lo g Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
Logfile of HijackThis v1.99.1
Scan saved at 1:29:35 PM, on 12/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.optima.com.au/
O1 - Hosts: 207.210.117.53 www.winmx.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.optima.com.au
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30FE9B81-D822-4C15-80F7-E7D262AC5B7C}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{30FE9B81-D822-4C15-80F7-E7D262AC5B7C}: Domain = nsw.bigpond.net.au
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Thanks,
Dan
-
You probably had disabled ActiveX controls. I apologize for not having you check that.
I don't see anything that's cause for concern in any of those logs. Let's get one more opinion and see if anything is hiding from us.
- Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Now click the Run Scan button on the toolbar.
- The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
-
Scott,
The scan took hardly any time at all but my internet connection was so slow that it took over an hour to download this 336KB program!!
I ran the scan twice; once with the (default?) settings the program opened with, and once with much wider settings ie 'All' instead of 'Non-Microsoft" and '90 days' instead of '30 days'. The results below are from the default scan. I have saved the other scan and will post it if you would like - but it is huge. Many thanks.
ps I noticed when I posted the scan results that there were a few smilies in it - I did not put them in there so why are they there?
WinPFind3 logfile created on: 13/03/2007 10:58:28 PM
WinPFind3U by OldTimer - Version 1.0.20 Folder = C:\Documents and Settings\Dan\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
196080 Kb Total Physical Memory | 51020 Kb Available Physical Memory | 26.02% Memory free
1000344 Kb Paging File | 766160 Kb Available in Paging File | 76.59% Paging File free
Paging file location(s): I:\pagefile.sys 512 1064;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 78148160 Kb Total Space | 60974128 Kb Free Space | 78.02% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
[Processes - Non-Microsoft Only]
agrsmmsg.exe -> %SystemRoot%\AGRSMMSG.exe -> Agere Systems [Ver = 2.1.41.10 2.1.41.10 06/29/2004 09:06:35 | Size = 88363 bytes | Modified Date = 29/06/2004 10:06:38 AM | Attr = ]
fixcamera.exe -> %SystemRoot%\FixCamera.exe -> [Ver = 1, 0, 0, 6 | Size = 20480 bytes | Modified Date = 1/06/2006 11:26:10 AM | Attr = ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\1.2.11 28.5462\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 1, 2, 1128, 5462 | Size = 171448 bytes | Modified Date = 2/03/2007 10:15:42 AM | Attr = ]
hpoevm08.exe -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe -> Hewlett-Packard Co. [Ver = 4.2.0.170 | Size = 282624 bytes | Modified Date = 2/12/2002 9:30:02 PM | Attr = ]
hpohmr08.exe -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe -> Hewlett-Packard Co. [Ver = 4.2.0.170 | Size = 147456 bytes | Modified Date = 2/12/2002 10:08:34 PM | Attr = ]
hposts08.exe -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hposts08.exe -> Hewlett-Packard Co. [Ver = 4.2.0.170 | Size = 307200 bytes | Modified Date = 2/12/2002 9:41:48 PM | Attr = ]
hpotdd01.exe -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe -> Hewlett-Packard [Ver = 1, 0, 0, 1 | Size = 40960 bytes | Modified Date = 2/12/2002 9
10 PM | Attr = ]
hpzipm12.exe -> %System32%\HPZipm12.exe -> HP [Ver = 5, 0, 5, 3 | Size = 65536 bytes | Modified Date = 27/11/2002 10:30:30 PM | Attr = R ]
jusched.exe -> %ProgramFiles%\Java\jre1.5.0_09\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 49263 bytes | Modified Date = 12/10/2006 3:10:54 AM | Attr = ]
nod32krn.exe -> %ProgramFiles%\ESET\nod32krn.exe -> Eset [Ver = 2, 70, 32 | Size = 552064 bytes | Modified Date = 2/03/2007 11:05:24 AM | Attr = ]
nod32kui.exe -> %ProgramFiles%\ESET\nod32kui.exe -> Eset [Ver = 2, 70, 32 | Size = 949376 bytes | Modified Date = 2/03/2007 11:05:24 AM | Attr = ]
pdvdserv.exe -> %ProgramFiles%\CyberLink\PowerDVD\PDVDServ.exe -> Cyberlink Corp. [Ver = 6.00.1027 | Size = 32768 bytes | Modified Date = 12/01/2005 4:01:32 AM | Attr = ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3725 | Size = 185784 bytes | Modified Date = 17/09/2006 9:24:30 PM | Attr = ]
skype.exe -> %ProgramFiles%\Skype\Phone\Skype.exe -> [Ver = | Size = 20058152 bytes | Modified Date = 13/10/2006 5:20:08 PM | Attr = ]
soundman.exe -> %SystemRoot%\SOUNDMAN.EXE -> Realtek Semiconductor Corp. [Ver = 5, 1, 0, 46 | Size = 90112 bytes | Modified Date = 24/10/2005 2:45:00 PM | Attr = ]
tsnp2std.exe -> %SystemRoot%\tsnp2std.exe -> [Ver = 1, 1, 3, 4 | Size = 262144 bytes | Modified Date = 19/06/2006 1:37:30 PM | Attr = ]
vsnp2std.exe -> %SystemRoot%\vsnp2std.exe -> Sonix [Ver = 1, 1, 2, 0 | Size = 675840 bytes | Modified Date = 15/05/2006 3:52:22 PM | Attr = ]
vttimer.exe -> %System32%\VTTimer.exe -> S3 Graphics, Inc. [Ver = 2.00.01-0307 | Size = 53248 bytes | Modified Date = 8/03/2005 3:33:28 AM | Attr = ]
vttrayp.exe -> %System32%\VTTrayp.exe -> S3 Graphics Co., Ltd. [Ver = 2.00.36-0308B | Size = 147456 bytes | Modified Date = 11/03/2005 5:33:28 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.20.0 | Size = 310784 bytes | Modified Date = 4/03/2007 1
48 PM | Attr = ]
wzqkpick.exe -> %ProgramFiles%\WinZip\WZQKPICK.EXE -> WinZip Computing, Inc. [Ver = 1.0 (32-bit) | Size = 106560 bytes | Modified Date = 11/02/2003 9:10:00 AM | Attr = ]
[Win32 Services - Non-Microsoft Only]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 2/03/2007 10:15:22 AM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/04/2005 1:41:10 AM | Attr = ]
(NOD32krn) NOD32 Kernel Service [Win32_Own | Auto | Running] -> %ProgramFiles%\ESET\nod32krn.exe -> Eset [Ver = 2, 70, 32 | Size = 552064 bytes | Modified Date = 2/03/2007 11:05:24 AM | Attr = ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Running] -> %System32%\HPZipm12.exe -> HP [Ver = 5, 0, 5, 3 | Size = 65536 bytes | Modified Date = 27/11/2002 10:30:30 PM | Attr = R ]
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
AGRSMMSG -> %SystemRoot%\AGRSMMSG.exe -> Agere Systems [Ver = 2.1.41.10 2.1.41.10 06/29/2004 09:06:35 | Size = 88363 bytes | Modified Date = 29/06/2004 10:06:38 AM | Attr = ]
FixCamera -> %SystemRoot%\FixCamera.exe -> [Ver = 1, 0, 0, 6 | Size = 20480 bytes | Modified Date = 1/06/2006 11:26:10 AM | Attr = ]
NeroFilterCheck -> %System32%\NeroCheck.exe -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 9/07/2001 12:50:42 PM | Attr = ]
nod32kui -> %ProgramFiles%\ESET\nod32kui.exe -> Eset [Ver = 2, 70, 32 | Size = 949376 bytes | Modified Date = 2/03/2007 11:05:24 AM | Attr = ]
OM_Monitor -> %ProgramFiles%\OLYMPUS\OLYMPUS Master\FirstStart.exe -> OLYMPUS IMAGING CORP. [Ver = 1, 1, 0, 2 | Size = 40960 bytes | Modified Date = 29/09/2004 4:49:18 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> File not found
RemoteControl -> %ProgramFiles%\CyberLink\PowerDVD\PDVDServ.exe -> Cyberlink Corp. [Ver = 6.00.1027 | Size = 32768 bytes | Modified Date = 12/01/2005 4:01:32 AM | Attr = ]
ScanRegistry -> -> File not found
snp2std -> %SystemRoot%\vsnp2std.exe -> Sonix [Ver = 1, 1, 2, 0 | Size = 675840 bytes | Modified Date = 15/05/2006 3:52:22 PM | Attr = ]
SoundMan -> %SystemRoot%\SOUNDMAN.EXE -> Realtek Semiconductor Corp. [Ver = 5, 1, 0, 46 | Size = 90112 bytes | Modified Date = 24/10/2005 2:45:00 PM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_09\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 49263 bytes | Modified Date = 12/10/2006 3:10:54 AM | Attr = ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3725 | Size = 185784 bytes | Modified Date = 17/09/2006 9:24:30 PM | Attr = ]
tsnp2std -> %SystemRoot%\tsnp2std.exe -> [Ver = 1, 1, 3, 4 | Size = 262144 bytes | Modified Date = 19/06/2006 1:37:30 PM | Attr = ]
VTTimer -> %System32%\VTTimer.exe -> S3 Graphics, Inc. [Ver = 2.00.01-0307 | Size = 53248 bytes | Modified Date = 8/03/2005 3:33:28 AM | Attr = ]
VTTrayp -> %System32%\VTTrayp.exe -> S3 Graphics Co., Ltd. [Ver = 2.00.36-0308B | Size = 147456 bytes | Modified Date = 11/03/2005 5:33:28 PM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run
Skype -> %ProgramFiles%\Skype\Phone\Skype.exe -> [Ver = | Size = 20058152 bytes | Modified Date = 13/10/2006 5:20:08 PM | Attr = ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\1.2.11 28.5462\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 1, 2, 1128, 5462 | Size = 171448 bytes | Modified Date = 2/03/2007 10:15:42 AM | Attr = ]
updateMgr -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe -> Adobe Systems Incorporated [Ver = 3.1.0.9 | Size = 307200 bytes | Modified Date = 24/10/2005 4:53:40 PM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 24/09/2005 5:05:26 PM | Attr = ]
%AllUsersStartup%\hp psc 1000 series.lnk -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe -> Hewlett-Packard Co. [Ver = 4.2.0.170 | Size = 147456 bytes | Modified Date = 2/12/2002 10:08:34 PM | Attr = ]
%AllUsersStartup%\hpoddt01.exe.lnk -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe -> Hewlett-Packard [Ver = 1, 0, 0, 1 | Size = 40960 bytes | Modified Date = 2/12/2002 910 PM | Attr = ]
%AllUsersStartup%\WinZip Quick Pick.lnk -> %ProgramFiles%\WinZip\WZQKPICK.EXE -> WinZip Computing, Inc. [Ver = 1.0 (32-bit) | Size = 106560 bytes | Modified Date = 11/02/2003 9:10:00 AM | Attr = ]
< File Associations > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.chm [@ = chm.file] -> PersistentHandler = Reg Data - Key not found ->
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.hlp [@ = hlpfile] -> PersistentHandler = Reg Data - Key not found ->
.hta [@ = htafile] -> PersistentHandler = Reg Data - Key not found ->
.html [@ = htmlfile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20} ->
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found ->
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found ->
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found ->
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found ->
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found ->
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found ->
< Registry Shell Spawning > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
batfile [open] -> "%1" %* ->
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
chm.file [open] -> "%SystemRoot%\hh.exe" %1 -> Microsoft Corporation [Ver = 5.2.3790.2453 (srv03_sp1_gdr.050525-1542) | Size = 10752 bytes | Modified Date = 27/05/2005 10:22:02 AM | Attr = ]
cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
cmdfile [open] -> "%1" %* ->
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
comfile [open] -> "%1" %* ->
cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8453632 bytes | Modified Date = 20/12/2006 8:52:18 AM | Attr = ]
exefile [open] -> "%1" %* ->
helpfile [open] -> winhlp32.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 283648 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
hlpfile [open] -> %SystemRoot%\System32\winhlp32.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 8192 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
htafile [open] -> %System32%\mshta.exe "%1" %* -> Microsoft Corporation [Ver = 7.00.5730.11 (winmain(wmbla).061017-1135) | Size = 45568 bytes | Modified Date = 17/10/2006 1110 AM | Attr = ]
htmlfile [edit] -> "%ProgramFiles%\Microsoft Office\OFFICE11\msohtmed.exe" %1 -> Microsoft Corporation [Ver = 11.0.5510 | Size = 55360 bytes | Modified Date = 14/07/2003 11:52:56 PM | Attr = ]
htmlfile [open] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" -nohome -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 8/01/2007 6:08:42 PM | Attr = ]
htmlfile [opennew] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" %1 -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 8/01/2007 6:08:42 PM | Attr = ]
htmlfile [print] -> "%ProgramFiles%\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 -> Microsoft Corporation [Ver = 11.0.5510 | Size = 55360 bytes | Modified Date = 14/07/2003 11:52:56 PM | Attr = ]
http [open] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" -nohome -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 8/01/2007 6:08:42 PM | Attr = ]
https [open] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" -nohome -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 8/01/2007 6:08:42 PM | Attr = ]
inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 33280 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
InternetShortcut [open] -> rundll32.exe ieframe.dll,OpenURL %l -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 6054400 bytes | Modified Date = 12/01/2007 9:27:42 AM | Attr = ]
InternetShortcut [print] -> rundll32.exe %System32%\mshtml.dll,PrintHTML "%1" -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 3580416 bytes | Modified Date = 12/01/2007 9:27:42 AM | Attr = ]
jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
piffile [open] -> "%1" %* ->
regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
regfile [open] -> regedit.exe "%1" -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 146432 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
regfile [merge] -> Reg Data - Key not found ->
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
scrfile [config] -> "%1" ->
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 135168 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
scrfile [open] -> "%1" /S ->
txtfile [edit] -> Reg Data - Key not found ->
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8453632 bytes | Modified Date = 20/12/2006 8:52:18 AM | Attr = ]
Directory [find] -> %SystemRoot%\Explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
Drive [find] -> %SystemRoot%\Explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
Applications\iexplore.exe [open] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" %1 -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 8/01/2007 6:08:42 PM | Attr = ]
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "%ProgramFiles%\Internet Explorer\iexplore.exe" -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 8/01/2007 6:08:42 PM | Attr = ]
< ActiveX StubPath [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -> ->
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> ->
{2C7339CF-2B09-4501-B3F3-F3508C9228ED} -> %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ->
{44BBA840-CC51-11CF-AAFA-00AA00B6015C} -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install ->
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser .NT ->
{5945c046-1e7d-11d1-bc44-00c04fd912be} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser ->
{6BF52A52-394A-11d3-B153-00C04F79FAA6} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub ->
{73FA19D0-2D75-11D2-995D-00C04F98BBC9} -> ->
{7790769C-0471-11d2-AF11-00C04FA35D02} -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install ->
{89820200-ECBD-11cf-8B85-00AA005B4340} -> regsvr32.exe /s /n /i:U shell32.dll ->
{89820200-ECBD-11cf-8B85-00AA005B4383} -> C:\WINDOWS\system32\ie4uinit.exe -BaseSettings ->
{89B4C1CD-B018-4511-B0A1-5476DBF70820} -> C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install ->
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} -> C:\WINDOWS\system32\ieudinit.exe
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> C:\WINDOWS\inf\unregmp2.exe /ShowWMP ->
>{26923b43-4d38-484f-9b9e-de460746276c} -> C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig ->
>{60B49E34-C7CC-11D0-8953-00A0C90347FF} -> RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP ->
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE ->
< WOW Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\WOW
cmdline -> %SystemRoot%\system32\ntvdm.exe ->
wowcmdline -> %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386 ->
< Session Manager Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Session Manager
BootExecute -> autocheck autochk *; ->
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
Control_RunDLL -> -> File not found
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
< Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\system\\dontdisplaylastusernam e -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\system\\shutdownwithoutlogon -> 1 ->
< Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Inte rnet Explorer not found. -> ->
< Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\
0 -> [Key] ->
0 -> FriendlyName = My Current Home Page ->
0 -> Source = About:Home ->
0 -> SubscribedURL = About:Home ->
< HOSTS File > (389274 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir...ie&ar=iesearch ->
HKCU: Start Page -> about:blank ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.7.2006011200 | Size = 63128 bytes | Modified Date = 12/01/2006 9:38:22 PM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_11\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 440056 bytes | Modified Date = 15/12/2006 3:23:24 AM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 19/01/2007 11:55:32 PM | Attr = R ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 19/01/2007 11:55:32 PM | Attr = R ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 19/01/2007 11:55:32 PM | Attr = R ]
< Internet Explorer CmdMapping [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -> 8194 - Sun Java Console ->
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> 8193 - Reg Data - Value does not exist ->
{FB5F1910-F110-11d2-BB9E-00C04F795683} -> 8192 - Windows Messenger ->
NextId -> 8194 ->
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_11\bin\npjpi150_11.dl l [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 75528 bytes | Modified Date = 15/12/2006 3:23:26 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.5.0_11\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 440056 bytes | Modified Date = 15/12/2006 3:23:24 AM | Attr = ]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
E&xport to Microsoft Excel -> -> File not found
< Approved Shell Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} [HKLM] -> Reg Data - Key not found [Autoplay for SlideShow] -> File not found
{0DF44EAA-FF21-4412-828E-260A8728E7F1} [HKLM] -> Reg Data - Key not found [Taskbar and Start Menu] -> File not found
{42071714-76d4-11d1-8b24-00a0c9068ff3} [HKLM] -> deskpan.dll [Display Panning CPL Extension] -> File not found
{764BF0E1-F219-11ce-972D-00AA00A14F56} [HKLM] -> Reg Data - Key not found [Shell extensions for file compression] -> File not found
{7A9D77BD-5403-11d2-8785-2E0420524153} [HKLM] -> Reg Data - Key not found [User Accounts] -> File not found
{7F1CF152-04F8-453A-B34C-E609530A9DC8} [HKLM] -> %CommonProgramFiles%\Ahead\Lib\NeroDigitalExt.dll [NeroDigitalPropSheetHandler] -> Nero AG [Ver = 1.1.1.1 | Size = 1515520 bytes | Modified Date = 4/04/2005 2:06:02 PM | Attr = ]
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} [HKLM] -> Reg Data - Key not found [Encryption Context Menu] -> File not found
{88895560-9AA2-1069-930E-00AA0030EBC8} [HKLM] -> %System32%\hticons.dll [HyperTerminal Icon Ext] -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
{A155339D-CCCD-4714-85EB-3754B804C9DF} [HKLM] -> %ProgramFiles%\a-squared Free\a2freecontmenu.dll [a-squared Free Context Menu Shell Extension] -> Emsi Software GmbH [Ver = 2.0.0.48 | Size = 508928 bytes | Modified Date = 18/07/2006 2:32:50 PM | Attr = ]
{B089FE88-FB52-11D3-BDF1-0050DA34150D} [HKLM] -> %ProgramFiles%\ESET\nodshex.dll [NOD32 Context Menu Shell Extension] -> [Ver = | Size = 60544 bytes | Modified Date = 2/03/2007 11:05:26 AM | Attr = ]
{B327765E-D724-4347-8B16-78AE18552FC3} [HKLM] -> %CommonProgramFiles%\Ahead\Lib\NeroDigitalExt.dll [NeroDigitalIconHandler] -> Nero AG [Ver = 1.1.1.1 | Size = 1515520 bytes | Modified Date = 4/04/2005 2:06:02 PM | Attr = ]
{E0D79304-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 20552 bytes | Modified Date = 11/02/2003 9:10:00 AM | Attr = ]
{E0D79305-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 20552 bytes | Modified Date = 11/02/2003 9:10:00 AM | Attr = ]
{E0D79306-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 20552 bytes | Modified Date = 11/02/2003 9:10:00 AM | Attr = ]
{E0D79307-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 20552 bytes | Modified Date = 11/02/2003 9:10:00 AM | Attr = ]
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} [HKLM] -> %ProgramFiles%\Real\RealPlayer\rpshell.dll [Shell Extensions for RealOne Player] -> RealNetworks, Inc. [Ver = 1.0.1.2453 | Size = 54736 bytes | Modified Date = 17/09/2006 9:24:52 PM | Attr = ]
< ContextMenuHandlers - * [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\Cont extMenuHandlers\
{B089FE88-FB52-11D3-BDF1-0050DA34150D} [HKLM] -> %ProgramFiles%\ESET\nodshex.dll [NOD32 Context Menu Shell Extension] -> [Ver = | Size = 60544 bytes | Modified Date = 2/03/2007 11:05:26 AM | Attr = ]
{E0D79304-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 20552 bytes | Modified Date = 11/02/2003 9:10:00 AM | Attr = ]
< ContextMenuHandlers - AllFilesystemObjects [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemO bjects\shellex\ContextMenuHandlers\
{A155339D-CCCD-4714-85EB-3754B804C9DF} [HKLM] -> %ProgramFiles%\a-squared Free\a2freecontmenu.dll [a2FreeContMenu] -> Emsi Software GmbH [Ver = 2.0.0.48 | Size = 508928 bytes | Modified Date = 18/07/2006 2:32:50 PM | Attr = ]
< ContextMenuHandlers - Directory [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shel lex\ContextMenuHandlers\
{E0D79304-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 20552 bytes | Modified Date = 11/02/2003 9:10:00 AM | Attr = ]
< ContextMenuHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex \ContextMenuHandlers\
{A155339D-CCCD-4714-85EB-3754B804C9DF} [HKLM] -> %ProgramFiles%\a-squared Free\a2freecontmenu.dll [a2FreeContMenu] -> Emsi Software GmbH [Ver = 2.0.0.48 | Size = 508928 bytes | Modified Date = 18/07/2006 2:32:50 PM | Attr = ]
{B089FE88-FB52-11D3-BDF1-0050DA34150D} [HKLM] -> %ProgramFiles%\ESET\nodshex.dll [NOD32 Context Menu Shell Extension] -> [Ver = | Size = 60544 bytes | Modified Date = 2/03/2007 11:05:26 AM | Attr = ]
{E0D79304-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 20552 bytes | Modified Date = 11/02/2003 9:10:00 AM | Attr = ]
< ColumnHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex \ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882} [HKLM] -> %CommonProgramFiles%\Ahead\Lib\NeroDigitalExt.dll [NeroDigitalColumnHandler Class] -> Nero AG [Ver = 1.1.1.1 | Size = 1515520 bytes | Modified Date = 4/04/2005 2:06:02 PM | Attr = ]
{F9DB5320-233E-11D1-9F84-707F02C10627} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll [PDF Shell Extension] -> Adobe Systems, Inc. [Ver = 7.0.0.0 | Size = 110592 bytes | Modified Date = 14/12/2004 3:20:02 AM | Attr = ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Adapters\
{30FE9B81-D822-4C15-80F7-E7D262AC5B7C} -> (Realtek RTL8139/810x Family Fast Ethernet NIC) ->
{873D9446-5388-4EBF-8B1F-03951E56B154} -> () ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Hand ler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -> CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/eng/par...an_unicode.cab ->
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204 ->
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -> Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeup...tent/opuc3.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_11 - CodeBase = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab ->
{9D190AE6-C81E-4039-8061-978EBAD10073} -> F-Secure Online Scanner 3.0 - CodeBase = http://support.f-secure.com/ols/fscax.cab ->
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab ->
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab ->
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab ->
{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_11 - CodeBase = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_11 - CodeBase = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload.macromedia.com/pub...sh/swflash.cab ->
[Files - Created Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 200855552 bytes | Created Date = 2/01/1601 2:00:00 PM | Attr = HS]
winpfind3u.exe -> %UserDesktop%\winpfind3u.exe -> [Ver = | Size = 344532 bytes | Created Date = 13/03/2007 9:53:05 PM | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\winpfind3u.exe:Zone.Identifier ->
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 49248 bytes | Created Date = 12/03/2007 11:16:36 PM | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 53346 bytes | Created Date = 12/03/2007 11:16:36 PM | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 127078 bytes | Created Date = 12/03/2007 11:16:37 PM | Attr = ]
PerfStringBackup.TMP -> %System32%\PerfStringBackup.TMP -> [Ver = | Size = 3240 bytes | Created Date = 2/03/2007 7:16:42 AM | Attr = ]
RBK5AE4.tmp -> %System32%\RBK5AE4.tmp -> [Ver = | Size = 36864 bytes | Created Date = 2/03/2007 7:13:29 AM | Attr = ]
nod32drv.sys -> %System32%\drivers\nod32drv.sys -> [Ver = | Size = 15424 bytes | Created Date = 2/03/2007 10:05:27 AM | Attr = ]
[Files - Modified Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 200855552 bytes | Modified Date = 13/03/2007 10:14:36 PM | Attr = HS]
hpfr3420.xml -> %SystemDrive%\hpfr3420.xml -> [Ver = | Size = 522 bytes | Modified Date = 13/03/2007 10:54:02 PM | Attr = ]
IconCache.db -> %LocalAppData%\IconCache.db -> [Ver = | Size = 3712656 bytes | Modified Date = 13/03/2007 10:13:24 PM | Attr = H ]
spider.sav -> %UserDocuments%\spider.sav -> [Ver = | Size = 440 bytes | Modified Date = 4/03/2007 9:22:46 AM | Attr = ]
CCleaner.lnk -> %UserDesktop%\CCleaner.lnk -> [Ver = | Size = 1548 bytes | Modified Date = 2/03/2007 4:43:36 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\winpfind3u.exe -> [Ver = | Size = 344532 bytes | Modified Date = 13/03/2007 10:53:10 PM | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\winpfind3u.exe:Zone.Identifier ->
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 13/03/2007 10:14:38 PM | Attr = S]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 1088 bytes | Modified Date = 2/03/2007 11:59:26 PM | Attr = ]
imon.dll -> %System32%\imon.dll -> Eset [Ver = 2, 70, 32 | Size = 298104 bytes | Modified Date = 2/03/2007 11:05:26 AM | Attr = ]
imon1.dat -> %System32%\imon1.dat -> [Ver = | Size = 46 bytes | Modified Date = 27/02/2007 1:57:32 AM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 63536 bytes | Modified Date = 2/03/2007 8:16:44 AM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 404892 bytes | Modified Date = 2/03/2007 8:16:44 AM | Attr = ]
PerfStringBackup.TMP -> %System32%\PerfStringBackup.TMP -> [Ver = | Size = 3240 bytes | Modified Date = 2/03/2007 8:16:44 AM | Attr = ]
RBK5AE4.tmp -> %System32%\RBK5AE4.tmp -> [Ver = | Size = 36864 bytes | Modified Date = 2/03/2007 8:13:30 AM | Attr = ]
RBK5AE7.bak -> %System32%\RBK5AE7.bak -> [Ver = | Size = 262144 bytes | Modified Date = 2/03/2007 8:14:22 AM | Attr = ]
RBK5AEC.bak -> %System32%\RBK5AEC.bak -> [Ver = | Size = 25427968 bytes | Modified Date = 2/03/2007 8:14:22 AM | Attr = ]
RBK5AEF.bak -> %System32%\RBK5AEF.bak -> [Ver = | Size = 5505024 bytes | Modified Date = 2/03/2007 8:14:22 AM | Attr = ]
RBK5AF4.bak -> %System32%\RBK5AF4.bak -> [Ver = | Size = 524288 bytes | Modified Date = 2/03/2007 8:14:22 AM | Attr = ]
RBK5AF7.bak -> %System32%\RBK5AF7.bak -> [Ver = | Size = 262144 bytes | Modified Date = 2/03/2007 8:14:22 AM | Attr = ]
RBK5AFC.bak -> %System32%\RBK5AFC.bak -> [Ver = | Size = 262144 bytes | Modified Date = 2/03/2007 8:14:22 AM | Attr = H ]
RBK5B04.bak -> %System32%\RBK5B04.bak -> [Ver = | Size = 229376 bytes | Modified Date = 2/03/2007 8:14:22 AM | Attr = H ]
RBK5B0C.bak -> %System32%\RBK5B0C.bak -> [Ver = | Size = 4980736 bytes | Modified Date = 2/03/2007 8:14:02 AM | Attr = H ]
RBK5B0F.bak -> %System32%\RBK5B0F.bak -> [Ver = | Size = 262144 bytes | Modified Date = 2/03/2007 8:14:02 AM | Attr = H ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1158 bytes | Modified Date = 13/03/2007 10:16:00 PM | Attr = ]
amon.sys -> %System32%\drivers\amon.sys -> Eset [Ver = 2, 70, 32 | Size = 512096 bytes | Modified Date = 2/03/2007 11:05:26 AM | Attr = ]
nod32drv.sys -> %System32%\drivers\nod32drv.sys -> [Ver = | Size = 15424 bytes | Modified Date = 2/03/2007 11:05:22 AM | Attr = ]
[File String Scan - Non-Microsoft Only]
File scan skipped for file %UserDocuments%\a -> File size too big (104857611 bytes) ->
@Alternate Data Stream - 0 bytes -> %UserDocuments%\Immigration letter.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} ->
@Alternate Data Stream - 26 bytes -> %UserDocuments%\selfportrait[1].jpg:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %UserDesktop%\ccsetup132.exe:Zone.Identifier ->
Thawte Consulting , -> %UserDesktop%\ccsetup132.exe -> Piriform Ltd [Ver = 1.32.0.345 | Size = 1468464 bytes | Modified Date = 12/08/2006 12:41:06 AM | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\FirefoxGoogleToolbarSetup.exe:Zone.I dentifier ->
UPX! , UPX0 , Thawte Consulting , -> %UserDesktop%\FirefoxGoogleToolbarSetup.exe -> [Ver = | Size = 5588736 bytes | Modified Date = 11/08/2006 7:04:14 PM | Attr = ]
UPX! , UPX0 , Thawte Consulting , -> %UserDesktop%\Thunderbird Setup 1.5.0.5.exe -> Mozilla [Ver = 3, 12, 0, 0 | Size = 6328128 bytes | Modified Date = 11/08/2006 7:12:58 PM | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\VundoFix.exe:Zone.Identifier ->
UPX! , UPX0 , -> %UserDesktop%\VundoFix.exe -> Atribune.org [Ver = 6.01.0001 | Size = 85504 bytes | Modified Date = 21/08/2006 9:53:00 PM | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\winpfind3u.exe:Zone.Identifier ->
WSUD , -> %System32%\ALSNDMGR.CPL -> Realtek Semiconductor Corp. [Ver = 2, 2, 0, 51 | Size = 18776064 bytes | Modified Date = 26/10/2005 2:32:00 PM | Attr = ]
UPX! , UPX0 , -> %System32%\CDSWITCH.EXE -> [Ver = 0.8.2.0 | Size = 182841 bytes | Modified Date = 12/08/2005 12:59:34 AM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
Thawte Consulting , USERTRUST , -> %System32%\RBK5AEC.bak -> [Ver = | Size = 25427968 bytes | Modified Date = 2/03/2007 8:14:22 AM | Attr = ]
Thawte Consulting , -> %System32%\rmoc3260.dll -> RealNetworks, Inc. [Ver = 6.0.9.2533 | Size = 181736 bytes | Modified Date = 17/09/2006 9:25:04 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 4/08/2004 11:00:00 PM | Attr = ]
qoologic , PTech , SAHAgent , abetterinternet.com , web-nex , ad-w-a-r-e.com , -> %System32%\drivers\etc\hosts -> [Ver = | Size = 389274 bytes | Modified Date = 5/03/2007 302 PM | Attr = ]
< End of report >
Regards, Dan
Last edited by dregsboy; 13-03-2007 at 02:52 PM.
-
I don't see anything there. Let's try one more thing.
- Click here to download FindAWF.exe and save it to your desktop.
- Double-click on the FindAWF.exe file to run it.
- It will open a command prompt and ask you to "Press any key to continue".
- Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
- It may take a few minutes to complete so be patient.
- When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
- Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply along with a new Hijack This Log please..
-
Thanks Scott,
Here are the AWF text file and the new HJT log that you asked for:
Find AWF report by noahdfear ©2006
21504 byte files found
~~~~~~~~~~~~~
21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~
25600 byte files found
~~~~~~~~~~~~~
25600 "C:\Documents and Settings\Dan\My Documents\My Documents\~WRL2730.tmp"
25600 "C:\Documents and Settings\Dan\My Documents\My Documents\~WRL3451.tmp"
25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~
26450 byte files found
~~~~~~~~~~~~~
26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~
bak folders found
~~~~~~~~~~~
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
end of report
Logfile of HijackThis v1.99.1
Scan saved at 7:46:52 PM, on 14/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.optima.com.au/
O1 - Hosts: 207.210.117.53 www.winmx.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.optima.com.au
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30FE9B81-D822-4C15-80F7-E7D262AC5B7C}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{30FE9B81-D822-4C15-80F7-E7D262AC5B7C}: Domain = nsw.bigpond.net.au
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Thanks again. Regards,
Dan
-
I'm just not seeing anything Malware related here. Are you still having the same trouble?
-
I am pleased that you cannot find any malware and, to be honest, the computer is performing better. It is just that, because I have had such devastating problems with viruses before, anytime my PC behaves strangely I am immediately suspicious and concerned.
The slowness I am still experiencing seems to be internet related so I shall contact my ISP again and see if I have any line or modem issues. A previous check with them suggested a line issue and they contacted me to say that there was a problem but that they had resolved it. Unfortunately, exactly the same slow behaviour happened within 24 hours of that so-called resolution, so I was left thinking that it must be a virus - but all your efforts have not revealed anything (and I trust you guys implicitly) so maybe my ISP is the problem.
Unless you think there is any point doing further tests, I am happy to leave it here. I am, as always, very grateful for your time and patience.
Thank you for your help, Scott.
Regards, Dan
-
You're welcome Dan. Here are some ideas that may help in the future.
Below is my standard closing speech. You may already have some of these programs and/or performed some of these steps. Use what you can and skip the rest.- Please re-hide hidden files. (If applicable)
Follow the directions you used earlier to show hidden files and undo the changes you made so that hidden files are actually hidden once again. - Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser- Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser- Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
- Create New Restore Point and Delete Old Restore Points.
Step #1 - Create a New Restore Point
Go - Start>Programmes>Accessories>System Tools>System Restore>Create a New Restore point.
Step #2 - Flush All Previous Points
Go - Start>Programmes>Accessories>System Tools>Disc Cleanup>"More Options" Tab>Remove All But Most Recent Point.
- Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
- SpywareBlaster to help prevent spyware from installing in the first place.
- SpywareGuard to catch and block spyware before it can execute.
- IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
- You should also have a good firewall. Here are 2 free ones available for personal use:
- If you already have a software firewall, you can skip this step.
- You should also have a good Anti-Virus (these are also free for personal use):It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
- To keep your operating system up to date you should do a windows update monthly. Here's the link:
- And to keep your system clean, run these free malware scanners weekly,and be aware of what emails you open and websites you visit.
- To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?
Safe Surfing!
:P
