Win32 Trojan Downloader And/or More?


18 replies to this topic

#1 DrewC

Posted 22 May 2008 - 06:56 PM

I am running Windows 2000 on a Dell PC. I definitely have a virus and the Win32 trojan downloader was detected on an Ad-Aware scan once and since then has not shown up. The main indicator that my system is infected is that I can double click to open folders but once I get down to the file itself I want to open, I need to go to File>Open as double clicking does not do anything (I can select with one click and double clicking works in Safe Mode, BTW). I can also not update my Norton Antivirus with the LiveUpdate feature. I have run Spybot Search and Destroy, AVG 8.0, Ad-Aware 2007 and SysClean. There were a few things detected in different scans, one was Attune which seems to be gone and another is WildTangent which doesn't seem to want to go away. Kansup.reg was detected as a virus and was removed. I also got a Trojan.lowzones detection on one scan but have not seen it since.

I have also created a log from HijackThis which is below. Thanks for any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:04:11, on 5/22/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myub.buffalo.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Antivirus] C:\WINNT\av.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Hosts File] WindowsHosts.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunServices: [Windows Hosts File] WindowsHosts.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1211051987260
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

--
End of file - 6345 bytes


#2 bamajim

Posted 29 May 2008 - 01:57 PM

DrewC

Sorry for the delay

The main indicator that my system is infected is that I can double click to open folders but once I get down to the file itself I want to open, I need to go to File>Open as double clicking does not do anything(I can select with one click and double clicking works in Safe Mode, BTW).

Does this happen on files with certain extensions? Such as files with .txt or .exe extensions? If so, which one or ones?

1. We need to temporarily disable Spybot-S&D TeaTimer so it doesn't interfere with our fix:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

2. Rerun HijackThis (scan only) and place checks beside the following entries:
O4 - HKLM\..\Run: [Antivirus] C:\WINNT\av.exe
O4 - HKLM\..\Run: [Windows Hosts File] WindowsHosts.exe
O4 - HKLM\..\RunServices: [Windows Hosts File] WindowsHosts.exe

Close all other open windows except Hijackthis and Select "Fix checked"

Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log
Microsoft MVP - Windows Security
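A way to do the triage bamajim did by hand on the O4 lines, as an added example that is not part of the original thread and not HijackThis's own code. It parses the O4 entries of the first log posted above (copied in as sample input) and scores each one against a few assumed heuristics: a bare file name under a registry Run key (the loader resolves it through the search path, so the log alone does not say which file runs), a RunServices entry on an NT-based system (that key is a Windows 9x mechanism that Windows 2000 does not process), the same target registered in more than one autostart location, and an executable sitting directly in the Windows directory. The heuristics, the scoring and the list of Windows directory names are my assumptions, not rules HijackThis applies.

```python
"""Triage the O4 (autostart) entries of a HijackThis log.

Added example for this thread: it is neither HijackThis code nor anything
bamajim posted. The scoring rules are assumptions about which autostart
shapes deserve a second look; a hit still needs a human to check the file.
"""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass, field

# Sample input (constructed): the platform line and the O4 lines copied from
# the first HijackThis log posted in this thread.
SAMPLE_LOG = [
    r"Platform: Windows 2000 SP4 (WinNT 5.00.2195)",
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r"O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE",
    r"O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe",
    r"O4 - HKLM\..\Run: [Antivirus] C:\WINNT\av.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [Windows Hosts File] WindowsHosts.exe",
    r"O4 - HKLM\..\RunServices: [Windows Hosts File] WindowsHosts.exe",
    r"O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe",
    r"O4 - Startup: PowerReg Scheduler.exe",
    r"O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe",
]

# "O4 - <location>: [<value name>] <command>"; startup-folder items carry no [name].
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# First executable-looking path in the command, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|scr|pif|bat|cmd|dll))\b', re.IGNORECASE)
WINDOWS_DIRS = {r"c:\winnt", r"c:\windows"}  # assumption: default install roots


@dataclass
class Entry:
    where: str               # e.g. HKLM\..\Run, HKLM\..\RunServices, Global Startup
    name: str                # registry value name ("" for startup-folder items)
    exe: str                 # executable exactly as the log shows it
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_o4(lines):
    """Return (is_nt, entries) for the Platform and O4 lines of a HijackThis log."""
    is_nt = any(line.startswith("Platform:") and "WinNT" in line for line in lines)
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        if m.group("where").endswith("Startup") and " = " in cmd:
            cmd = cmd.split(" = ", 1)[1]        # "foo.lnk = <target>" -> target
        e = EXE_RE.match(cmd)
        entries.append(Entry(m.group("where"), m.group("name") or "", e.group("exe") if e else cmd))
    return is_nt, entries


def triage(lines):
    """Score every O4 entry and return them most suspicious first."""
    is_nt, entries = parse_o4(lines)
    seen = Counter(e.exe.lower() for e in entries)
    for e in entries:
        if "\\" in e.where and "\\" not in e.exe:
            e.reasons.append("bare file name under a registry Run key: resolved via the "
                             "search path, so the log does not say which file runs")
        if is_nt and "RunServices" in e.where:
            e.reasons.append("RunServices key: a Windows 9x mechanism that NT-based "
                             "Windows does not process")
        if seen[e.exe.lower()] > 1:
            e.reasons.append("same target registered in more than one autostart location")
        if ntpath.dirname(e.exe).lower() in WINDOWS_DIRS:
            e.reasons.append("executable sits directly in the Windows directory, "
                             "not in a program folder")
    return sorted(entries, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.score}] {e.where}: [{e.name}] {e.exe}")
        for r in e.reasons:
            print(f"      - {r}")
```

Run it with `python hjt_o4.py`. The two WindowsHosts.exe entries come out on top and C:\WINNT\av.exe scores alongside the bare-named mobsync.exe (a Windows 2000 component) and Creative's Updreg.exe, which is the point: the score orders what to look at first, it does not decide what to fix, and each hit still needs the file on disk checked before anything is removed.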

#3 DrewC

Posted 01 June 2008 - 09:49 AM

First of all, thanks for your help bamajim. To answer your first question, that issue is for any and all file extensions with the exception of items on the desktop. Which, by the way, is still occurring after following your instructions to delete those 3 items in HijackThis. The new log after following your steps:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:13, on 6/1/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myub.buffalo.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1211051987260
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

--
End of file - 5891 bytes

#4 bamajim

Posted 02 June 2008 - 01:56 PM

DrewC

You are most welcome.

To answer your first question, that issue is for any and all file extensions with the exception of items on the desktop.

I noticed that you were able to run HijackThis.exe, and it is located in its own folder; only the shortcut resides on the desktop. So, in trying to understand, are files with .exe extensions (the executables for programs) excluded?

I didn't think the items I had you fix in Hijackthis would resolve the file association problem, but they were part of the infection that caused the problem.

Go HERE and download System Repair Engineer by smallfrogs.
Select local download 1 or 2 and save it to your Desktop.
Right-click sreng2.zip ->> Extract all ->> Extract it to your desktop.
Open the sreng folder.
Double click SREngPS.exe ->> Click Run.
At the main window, in the left pane, select Smart Scan.
At the next window make sure all of the boxes are checked and select Scan.
When the scan is complete, select Save reports.
Save it to your desktop and close the tool.
Double click SREngLog.txt, then copy and paste that log as a reply to this thread.
Do not run any other options with this tool unless instructed to do so.
Microsoft MVP - Windows Security

#5 DrewC

Posted 02 June 2008 - 03:50 PM

BamaJim

I noticed that you were able to run HijackThis.exe, and it is located in its own folder; only the shortcut resides on the desktop. So, in trying to understand, are files with .exe extensions (the executables for programs) excluded?


So to clarify, if I were to double click on the shortcut icon on the desktop, I can open the program as normal. However, if I were to go to the HijackThis.exe in the folder it resides in, I am able to click on the .exe to highlight it. I can then click on it till the cows come home and nothing will happen until I go to File-->Open before it will actually run. This occurs for any file type in its home directory. (Right-clicking on the icons in their home directory also does not produce a menu.)

The log resulting from running SREngPS:

2008-06-02,16:41:57

System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Professional Service Pack 4 (Build 2195) - Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
	All Boot Items (Including Registry, Startup Folders, Services and so on)
	Browser Add-ons
	Runing Processes (Including process model information)
	File Associations
	Winsock Provider
	Autorun.Inf
	HOSTS File
	Process Privileges Scan


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
	<swg><C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe>  [(Verified)Google Inc]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
	<Synchronization Manager><mobsync.exe /logon>  [(Verified)Microsoft Windows 2000 Publisher]
	<Speed racer><C:\Program Files\Creative\PlayCenter\CTSRReg.exe>  [Creative Technology Ltd.]
	<AudioHQ><C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE>  [Creative Technology Ltd.]
	<UpdReg><C:\WINNT\Updreg.exe>  [Creative Technology Ltd.]
	<QuickTime Task><"C:\Program Files\QuickTime\qttask.exe" -atboottime>  [Apple Computer, Inc.]
	<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [RealNetworks, Inc.]
	<AVG8_TRAY><C:\PROGRA~1\AVG\AVG8\avgtray.exe>  [(Verified)AVG Technologies]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
	<shell><Explorer.exe>  [(Verified)Microsoft Windows 2000 Publisher]
	<Userinit><C:\WINNT\system32\Userinit.exe>  [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
	<AppInit_DLLs><avgrsstx.dll>  [(Verified)"GRISOFT, s.r.o."]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
	<Internet Explorer Access><"C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigIE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
	<Outlook Express Access><"C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
	<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
	<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows 2000 Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
	<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
	<Address Book 5><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
	<CRLUpdate><%SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl>  [N/A]

==================================
Startup Folders
[Adobe Gamma Loader]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk --> C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [Adobe Systems, Inc.]><N>
[Adobe Reader Speed Launch]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk --> C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [Adobe Systems Incorporated]><N>
[hp psc 1000 series]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk --> C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpohmr08.exe [Hewlett-Packard Co.]><N>
[hpoddt01.exe]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk --> C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe [Hewlett-Packard]><N>
[Microsoft Office]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk --> C:\PROGRA~1\MICROS~3\Office10\OSA.EXE [Microsoft Corporation]><N>
[PowerReg Scheduler]
  <C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\PowerReg Scheduler.exe -->  [N/A]><N>

==================================
Services
[Ad-Aware 2007 Service / aawservice][Running/Auto Start]
  <"C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"><Lavasoft>
[AVG8 E-mail Scanner / avg8emc][Running/Auto Start]
  <C:\PROGRA~1\AVG\AVG8\avgemc.exe><AVG Technologies CZ, s.r.o.>
[AVG8 WatchDog / avg8wd][Running/Auto Start]
  <C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe><AVG Technologies CZ, s.r.o.>
[AVG8 Firewall / avgfws8][Running/Auto Start]
  <C:\PROGRA~1\AVG\AVG8\avgfws8.exe><AVG Technologies CZ, s.r.o.>
[Creative Service for CDROM Access / Creative Service for CDROM Access][Running/Auto Start]
  <C:\WINNT\System32\CTSvcCDA.exe><Creative Technology Ltd>
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Google Updater Service / gusvc][Stopped/Manual Start]
  <"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"><Google>
[Pml Driver HPZ12 / Pml Driver HPZ12][Stopped/Manual Start]
  <C:\WINNT\system32\HPZipm12.exe><HP>
[Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
  <C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\system32\mspmsnsv.dll><Microsoft Corporation>

==================================
Drivers
[Avgfwdx / Avgfwdx][Running/Manual Start]
  <system32\DRIVERS\avgfwdx.sys><GRISOFT, s.r.o.>
[AVG network filter service / Avgfwfd][Stopped/Manual Start]
  <system32\DRIVERS\avgfwdx.sys><GRISOFT, s.r.o.>
[AVG AVI Loader Driver x86 / AvgLdx86][Running/System Start]
  <\SystemRoot\System32\Drivers\avgldx86.sys><AVG Technologies CZ, s.r.o.>
[AVG On-access Scanner Minifilter Driver x86 / AvgMfx86][Running/System Start]
  <\SystemRoot\System32\Drivers\avgmfx86.sys><GRISOFT, s.r.o.>
[avgrkx86.sys / AvgRkx86][Running/Boot Start]
  <\SystemRoot\System32\Drivers\avgrkx86.sys><GRISOFT, s.r.o.>
[AVG8 Network Redirector / AvgTdiX][Running/Auto Start]
  <\SystemRoot\System32\Drivers\avgtdix.sys><AVG Technologies CZ, s.r.o.>
[Game Port for Creative SB Live! / ctljystk][Running/Manual Start]
  <System32\DRIVERS\ctljystk.sys><Microsoft Corporation>
[dmboot / dmboot][Stopped/Disabled]
  <System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
  <\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[3Com EtherLink XL B/C Adapter Driver / EL90BC][Running/Manual Start]
  <System32\DRIVERS\el90xbc5.sys><3Com Corporation>
[Creative SB Live! Value (WDM) / emu10k][Running/Manual Start]
  <system32\drivers\emu10k1f.sys><Creative Technology Ltd.>
[Creative Interface Manager Driver (WDM) / emu10k1][Running/Manual Start]
  <System32\drivers\ctlface.sys><Creative Technology Ltd.>
[IEEE-1284.4 Driver HPZid412 / HPZid412][Stopped/Manual Start]
  <system32\DRIVERS\HPZid412.sys><HP>
[Print Class Driver for IEEE-1284.4 HPZipr12 / HPZipr12][Stopped/Manual Start]
  <system32\DRIVERS\HPZipr12.sys><HP>
[USB to IEEE-1284.4 Translation Driver HPZius12 / HPZius12][Stopped/Manual Start]
  <system32\DRIVERS\HPZius12.sys><HP>
[i81x / i81x][Running/Manual Start]
  <System32\DRIVERS\i81xnt5.sys><Intel Corporation>
[PfModNT / PfModNT][Stopped/Manual Start]
  <\??\C:\WINNT\System32\PfModNT.sys><Creative Technology Ltd.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[SaiNtHid / SaiNtHid][Stopped/Manual Start]
  <system32\DRIVERS\SaiNtHid.sys><Saitek>
[SaiNtSub / SaiNtSub][Stopped/Manual Start]
  <system32\DRIVERS\SaiNtSub.sys><Saitek>
[SecDrv / SecDrv][Running/Auto Start]
  <\??\C:\WINNT\system32\drivers\SECDRV.SYS><Macrovision Europe Ltd>
[Creative SoundFont Manager Driver (WDM) / sfman][Running/Manual Start]
  <System32\drivers\sfman.sys><Creative Technology Ltd.>
[tmcomm / tmcomm][Stopped/Auto Start]
  <\??\C:\WINNT\system32\drivers\tmcomm.sys><N/A>
[Winacpci / Winacpci][Running/Manual Start]
  <System32\DRIVERS\winacpci.sys><Conexant>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
  <system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>

==================================
Browser Add-ons
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[AVG Safe Search]
  {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} <C:\Program Files\AVG\AVG8\avgssie.dll, AVG Technologies CZ, s.r.o.>
[Spybot-S&D IE Protection]
  {53707962-6F74-2D53-2644-206D7942484F} <C:\PROGRA~1\SPYBOT~1\SDHelper.dll, Safer Networking Limited>
[Google Toolbar Helper]
  {AA58ED58-01DD-4d91-8333-CF10577473F7} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[AIM]
  {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} <C:\Program Files\AIM95\aim.exe, America Online, Inc.>
[IECmdExecute Class]
  {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} <C:\Program Files\PartyPoker\IEExtension.dll, N/A>
[Spybot-S&D IE Protection]
  {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} <C:\PROGRA~1\SPYBOT~1\SDHelper.dll, Safer Networking Limited>
[@msdxmLC.dll,-1@1033,&Radio]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\System32\msdxm.ocx, >
[&Google]
  {2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[Shockwave ActiveX Control]
  {166B1BCA-3F9C-11CF-8075-444553540000} <C:\WINNT\system32\Macromed\Director\SwDir.dll, Macromedia, Inc.>
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINNT\system32\wuweb.dll, Microsoft Corporation>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash9c.ocx, Adobe Systems, Inc.>
[E&xport to Microsoft Excel]
  <res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000, N/A>

==================================
Running Processes
[PID: 144][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.00.2195.6601]
[PID: 172][\??\C:\WINNT\system32\csrss.exe]  [Microsoft Corporation, 5.00.2195.6601]
[PID: 192][\??\C:\WINNT\system32\winlogon.exe]  [Microsoft Corporation, 5.00.2195.6997]
	[C:\WINNT\system32\avgrsstx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\WINNT\system32\wdmaud.drv]  [Microsoft Corporation, 5.00.2195.6673]
	[C:\WINNT\system32\msacm32.drv]  [Microsoft Corporation, 5.00.2134.1]
[PID: 228][C:\WINNT\system32\services.exe]  [Microsoft Corporation, 5.00.2195.7035]
	[C:\WINNT\system32\dmserver.dll]  [VERITAS Software Corp., 2195.6605.297.3]
[PID: 240][C:\WINNT\system32\lsass.exe]  [Microsoft Corporation, 5.00.2195.7011]
[PID: 436][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
[PID: 464][C:\WINNT\system32\spoolsv.exe]  [Microsoft Corporation, 5.00.2195.7059]
	[C:\WINNT\system32\hpzsnt07.dll]  [HP, 2,140,0,0]
[PID: 504][C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe]  [Lavasoft, 7,0,2,7]
	[C:\Program Files\Lavasoft\Ad-Aware 2007\CEAPI.dll]  [Lavasoft, 7,0,2,6]
	[C:\Program Files\Lavasoft\Ad-Aware 2007\PKArchive85u.dll]  [PKWARE, Inc., 8.4.1045.0]
	[C:\Program Files\Lavasoft\Ad-Aware 2007\lavalicense.dll]  [Lavasoft AB, 7, 0, 2, 6]
[PID: 528][C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\WINNT\system32\MSVCR80.dll]  [Microsoft Corporation, 8.00.50727.762]
	[C:\Program Files\AVG\AVG8\avglogx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\PROGRA~1\AVG\AVG8\avgwd.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.81]
	[C:\PROGRA~1\AVG\AVG8\avgcfgx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.86]
	[C:\PROGRA~1\AVG\AVG8\avgwdwsc.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\PROGRA~1\AVG\AVG8\avglngx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.93]
	[C:\PROGRA~1\AVG\AVG8\avgsched.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
[PID: 540][C:\PROGRA~1\AVG\AVG8\avgfws8.exe]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\WINNT\system32\MSVCR80.dll]  [Microsoft Corporation, 8.00.50727.762]
	[C:\Program Files\AVG\AVG8\avglogx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\PROGRA~1\AVG\AVG8\avgcfgx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.86]
[PID: 572][C:\WINNT\System32\CTSvcCDA.exe]  [Creative Technology Ltd, 1.0.1.0]
[PID: 588][C:\WINNT\System32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
	[C:\WINNT\System32\unimdm.tsp]  [Microsoft Corporation, 5.00.2195.6601]
	[C:\WINNT\System32\kmddsp.tsp]  [Microsoft Corporation, 5.00.2150.1]
	[C:\WINNT\System32\ndptsp.tsp]  [Microsoft Corporation, 5.00.2143.1]
	[C:\WINNT\System32\ipconf.tsp]  [Microsoft Corporation, 5.00.2143.1]
	[C:\WINNT\System32\h323.tsp]  [Microsoft Corporation, 5.00.2195.6901]
[PID: 676][C:\WINNT\system32\regsvc.exe]  [Microsoft Corporation, 5.00.2195.6701]
[PID: 704][C:\WINNT\system32\MSTask.exe]  [Microsoft Corporation, 4.71.2195.6972]
[PID: 804][C:\WINNT\system32\stisvc.exe]  [Microsoft Corporation, 5.00.2195.6656]
[PID: 364][C:\WINNT\System32\WBEM\WinMgmt.exe]  [Microsoft Corporation, 1.50.1085.0100]
[PID: 884][C:\WINNT\system32\svchost.exe]  [Microsoft Corporation, 5.00.2134.1]
[PID: 1032][C:\PROGRA~1\AVG\AVG8\avgam.exe]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\WINNT\system32\MSVCR80.dll]  [Microsoft Corporation, 8.00.50727.762]
	[C:\Program Files\AVG\AVG8\avglogx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\PROGRA~1\AVG\AVG8\avgcfgx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.86]
	[C:\PROGRA~1\AVG\AVG8\avgameh.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\WINNT\system32\MFC80U.DLL]  [Microsoft Corporation, 8.00.50727.762]
	[C:\WINNT\system32\MFC80ENU.DLL]  [Microsoft Corporation, 8.00.50727.762]
[PID: 1064][C:\WINNT\Explorer.EXE]  [Microsoft Corporation, 5.00.3700.6690]
	[C:\WINNT\AppPatch\AcLayers.DLL]  [Microsoft Corporation, 5.00.2195.6717]
	[C:\WINNT\system32\wdmaud.drv]  [Microsoft Corporation, 5.00.2195.6673]
	[C:\WINNT\system32\msacm32.drv]  [Microsoft Corporation, 5.00.2134.1]
	[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll]  [Adobe Systems Incorporated, 7.0.0.2004121400]
	[C:\WINNT\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
	[C:\PROGRA~1\SPYBOT~1\SDHelper.dll]  [Safer Networking Limited, 1, 5, 0, 11]
	[C:\Program Files\Microsoft Office\Office10\msohev.dll]  [Microsoft Corporation, 10.0.2609]
	[C:\WINNT\system32\msadp32.acm]  [Microsoft Corporation, 5.00.2134.1]
	[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
	[C:\PROGRA~1\WINZIP\WZSHLSTB.DLL]  [WinZip Computing, Inc., 4.1 (32-bit)]
	[C:\PROGRA~1\WINZIP\wzshlex1.dll]  [WinZip Computing, Inc., 4.1 (32-bit)]
	[C:\PROGRA~1\WINZIP\WZCAB3.DLL]  [WinZip Computing, Inc., 3.1 (32-bit)]
	[C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL]  [Microsoft Corporation, 10.145.3810.0]
	[C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\pkmws.dll]  [Microsoft Corporation, 10.145.3722.0]
	[C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\nsextint.dll]  [Microsoft Corporation, 10.145.3722.0]
	[C:\Program Files\AVG\AVG8\avgse.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\WINNT\system32\MSVCP80.dll]  [Microsoft Corporation, 8.00.50727.762]
	[C:\WINNT\system32\MSVCR80.dll]  [Microsoft Corporation, 8.00.50727.762]
	[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CMDLIN~1.DLL]  [N/A, ]
[PID: 1160][C:\PROGRA~1\AVG\AVG8\avgrsx.exe]  [AVG Technologies CZ, s.r.o., 8.0.0.84]
	[C:\WINNT\system32\MSVCR80.dll]  [Microsoft Corporation, 8.00.50727.762]
	[C:\Program Files\AVG\AVG8\avglogx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\PROGRA~1\AVG\AVG8\avgcorex.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.88]
	[C:\PROGRA~1\AVG\AVG8\avgcrlpx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
[PID: 284][C:\PROGRA~1\AVG\AVG8\avgnsx.exe]  [AVG Technologies CZ, s.r.o., 8.0.0.93]
	[C:\PROGRA~1\AVG\AVG8\avgxpl.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.88]
	[C:\WINNT\system32\MSVCR80.dll]  [Microsoft Corporation, 8.00.50727.762]
	[C:\WINNT\system32\MSVCP80.dll]  [Microsoft Corporation, 8.00.50727.762]
	[C:\PROGRA~1\AVG\AVG8\imsdk32.dll]  [Winco Sistemas, 1.1g]
	[C:\Program Files\AVG\AVG8\avglogx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\Program Files\AVG\AVG8\avgcorex.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.88]
	[C:\PROGRA~1\AVG\AVG8\avgcrlpx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\PROGRA~1\AVG\AVG8\avgcfgx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.86]
[PID: 1220][C:\WINNT\system32\devldr32.exe]  [Creative Technology Ltd., 1, 0, 0, 13]
	[C:\WINNT\system32\DEVCON32.DLL]  [Creative Technology Ltd., 4.06.635]
	[C:\WINNT\system32\SFMAN32.DLL]  [Creative Technology Ltd., 4.06.501]
	[C:\WINNT\system32\wdmaud.drv]  [Microsoft Corporation, 5.00.2195.6673]
[PID: 724][C:\PROGRA~1\AVG\AVG8\avgemc.exe]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\WINNT\system32\MSVCP80.dll]  [Microsoft Corporation, 8.00.50727.762]
	[C:\WINNT\system32\MSVCR80.dll]  [Microsoft Corporation, 8.00.50727.762]
	[C:\PROGRA~1\AVG\AVG8\libsasl.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\Program Files\AVG\AVG8\avglogx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\Program Files\AVG\AVG8\avgcfgx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.86]
	[C:\Program Files\AVG\AVG8\avglngx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.93]
	[C:\PROGRA~1\AVG\AVG8\saslcrammd5.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\PROGRA~1\AVG\AVG8\sasldigestmd5.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\PROGRA~1\AVG\AVG8\sasllogin.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\PROGRA~1\AVG\AVG8\saslplain.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\Program Files\AVG\AVG8\winspamcatcher.dll]  [Mailshell.com, 5, 0, 12, 0]
[PID: 1480][C:\Program Files\Common Files\Real\Update_OB\realsched.exe]  [RealNetworks, Inc., 0.1.0.3275]
[PID: 1648][C:\PROGRA~1\AVG\AVG8\avgtray.exe]  [AVG Technologies CZ, s.r.o., 8.0.0.88]
	[C:\WINNT\system32\MFC80U.DLL]  [Microsoft Corporation, 8.00.50727.762]
	[C:\WINNT\system32\MSVCR80.dll]  [Microsoft Corporation, 8.00.50727.762]
	[C:\WINNT\system32\MSVCP80.dll]  [Microsoft Corporation, 8.00.50727.762]
	[C:\WINNT\system32\MFC80ENU.DLL]  [Microsoft Corporation, 8.00.50727.762]
	[C:\Program Files\AVG\AVG8\avglogx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\Program Files\AVG\AVG8\avgcfgx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.86]
	[C:\Program Files\AVG\AVG8\avglngx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.93]
	[C:\Program Files\AVG\AVG8\avgabout.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.86]
	[C:\Program Files\AVG\AVG8\AVGUIRES.DLL]  [AVG Technologies CZ, s.r.o., 8.0.0.81]
	[C:\Program Files\AVG\AVG8\avgsrmx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\Program Files\AVG\AVG8\avgvvx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
[PID: 1668][C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe]  [Google Inc., 1, 2, 1128, 5462]
	[C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\res_en.dll]  [Google Inc., 1, 2, 1128, 5462]
	[C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\swg.dll]  [Google Inc., 1, 2, 1128, 5462]
[PID: 1780][C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe]  [Hewlett-Packard Co., 4.2.0.038]
	[C:\WINNT\system32\MSVCP60.dll]  [Microsoft Corporation, 6.00.8168.0]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcxm08.dll]  [Hewlett-Packard Co., 4.2.0.127]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpodvb08.dll]  [Hewlett-Packard Co., 4.2.0.038]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpocxi08.dll]  [Hewlett-Packard Co., 4.2.0.038]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcob08.dll]  [Hewlett-Packard Co., 4.2.0.038]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpodio08.dll]  [Hewlett-Packard Co., 4.2.0.038]
	[C:\WINNT\system32\hpzidr12.dll]  [HP, 6, 0, 0, 0]
	[C:\WINNT\system32\hpzipr12.dll]  [HP, 6, 0, 0, 0]
[PID: 1796][C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe]  [Hewlett-Packard, 1, 0, 0, 1]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpodvd08.dll]  [Hewlett-Packard, 2, 0, 2, 2]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcxm08.dll]  [Hewlett-Packard Co., 4.2.0.127]
	[C:\WINNT\system32\MSVCP60.dll]  [Microsoft Corporation, 6.00.8168.0]
[PID: 1816][C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe]  [Hewlett-Packard Co., 4.2.0.038]
	[C:\WINNT\system32\MSVCP60.dll]  [Microsoft Corporation, 6.00.8168.0]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcxm08.dll]  [Hewlett-Packard Co., 4.2.0.127]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpocxi08.dll]  [Hewlett-Packard Co., 4.2.0.038]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcob08.dll]  [Hewlett-Packard Co., 4.2.0.038]
[PID: 1908][C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe]  [Hewlett-Packard Co., 4.2.0.038]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqtap08.dll]  [Hewlett-Packard Co., 4.2.0.129]
	[C:\WINNT\system32\MSVCP60.dll]  [Microsoft Corporation, 6.00.8168.0]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.rsc]  [Hewlett-Packard Co., 4.2.0.038]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcxm08.dll]  [Hewlett-Packard Co., 4.2.0.127]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpocxi08.dll]  [Hewlett-Packard Co., 4.2.0.038]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcob08.dll]  [Hewlett-Packard Co., 4.2.0.038]
	[C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpodio08.dll]  [Hewlett-Packard Co., 4.2.0.038]
	[C:\WINNT\system32\hpzipr12.dll]  [HP, 6, 0, 0, 0]
	[C:\WINNT\system32\hpzidr12.dll]  [HP, 6, 0, 0, 0]
[PID: 1944][C:\Program Files\Mozilla Firefox\firefox.exe]  [Mozilla Corporation, 1.8.1.14: 2008040413]
	[C:\Program Files\Mozilla Firefox\js3250.dll]  [Netscape Communications Corporation, 4.0]
	[C:\Program Files\Mozilla Firefox\nspr4.dll]  [Netscape Communications Corporation, 4.6.8]
	[C:\Program Files\Mozilla Firefox\xpcom_core.dll]  [Mozilla Foundation, 1.8.1.14: 2008040413]
	[C:\Program Files\Mozilla Firefox\plc4.dll]  [Netscape Communications Corporation, 4.6.8]
	[C:\Program Files\Mozilla Firefox\plds4.dll]  [Netscape Communications Corporation, 4.6.8]
	[C:\Program Files\Mozilla Firefox\smime3.dll]  [Mozilla Foundation, 3.11.5 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nss3.dll]  [Mozilla Foundation, 3.11.5 Basic ECC]
	[C:\Program Files\Mozilla Firefox\softokn3.dll]  [Mozilla Foundation, 3.11.4 Basic ECC]
	[C:\Program Files\Mozilla Firefox\ssl3.dll]  [Mozilla Foundation, 3.11.5 Basic ECC]
	[C:\Program Files\Mozilla Firefox\xpcom_compat.dll]  [Mozilla Foundation, 1.8.1.14: 2008040413]
	[C:\Program Files\Mozilla Firefox\components\myspell.dll]  [Mozilla Foundation, 1.8.1.14: 2008040413]
	[C:\Program Files\Mozilla Firefox\components\jar50.dll]  [Mozilla Foundation, 1.8.1.14: 2008040413]
	[C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll]  [Mozilla Foundation, 1.8.1.11: 2007112718]
	[C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL]  [Full Circle Software, Inc., 2.2.unofficial]
	[C:\Program Files\Mozilla Firefox\freebl3.dll]  [Mozilla Foundation, 3.11.4 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nssckbi.dll]  [Mozilla Foundation, 1.65]
	[C:\Program Files\Mozilla Firefox\components\spellchk.dll]  [Mozilla Foundation, 1.8.1.14: 2008040413]
	[C:\Program Files\AVG\AVG8\Firefox\components\avgssff.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.88]
	[C:\WINNT\system32\MSVCP80.dll]  [Microsoft Corporation, 8.00.50727.762]
	[C:\WINNT\system32\MSVCR80.dll]  [Microsoft Corporation, 8.00.50727.762]
	[C:\Program Files\Mozilla Firefox\xpcom.dll]  [Mozilla Foundation, 1.8.1.14: 2008040413]
	[C:\Program Files\AVG\AVG8\avgxpl.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.88]
	[C:\Program Files\AVG\AVG8\avgcfgx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.86]
	[C:\Program Files\AVG\AVG8\avglogx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.80]
	[C:\Program Files\AVG\AVG8\avglngx.dll]  [AVG Technologies CZ, s.r.o., 8.0.0.93]
[PID: 1712][C:\unzipped\kztechssuite\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]
	[C:\unzipped\kztechssuite\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]
	[C:\WINNT\system32\MSISIP.DLL]  [Microsoft Corporation, 3.1.4000.1823]

==================================
File Associations
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINNT\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
N/A

==================================
HOSTS File
127.0.0.1	   localhost

==================================
Process Privileges Scan
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1480, C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1780, C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1796, C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1816, C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1908, C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE]

==================================
API HOOK
N/A

==================================
Hidden Process
N/A

==================================


#6 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 02 June 2008 - 08:13 PM

DrewC

We need to check some file associations.

Click Start ->> Run ->> type in cmd.exe ->> Then O.K.

At the command prompt, copy and paste

regedit /e c:\EXPORT.TXT HKEY_CLASSES_ROOT\exefile\shell

Then enter.

Close the Cmd window, then locate the C:\export.txt file. Copy and paste the results of that log in your reply.
Microsoft MVP - Windows Security

#7 DrewC

DrewC
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 03 June 2008 - 03:10 PM

BamaJim

Here are the results of the export file created:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]
"Extended"=""

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

#8 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 03 June 2008 - 03:33 PM

DrewC

O.k. Got one more I need to see.

Click Start ->> Run ->> type in cmd.exe ->> Then O.K.

At the command prompt, copy and paste

regedit /e c:\EXPORT2.TXT HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe

Then enter.

Close the Cmd window, then locate the C:\EXPORT2.txt file. Copy and paste the results of that log in your reply.

#9 DrewC

DrewC
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 04 June 2008 - 01:54 PM

bamaJim

the log you requested:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]
"a"="iexplore.exe"
"MRUList"="cab"
"b"="aim.exe"
"c"="firefox.exe"
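
The two exports bamajim asked for (HKEY_CLASSES_ROOT\exefile\shell in post #6 and the per-user FileExts\.exe key in post #8) are the standard places to look when double-clicking an .exe stops working: a hijacked machine-wide open command routes every launched program through something else, and per-user values under FileExts can change behaviour for one account only. As an added example, not code from the thread or from any of the tools mentioned in it, the Python below parses a regedit /e export, reports whether the exefile open command is still the Windows default `"%1" %*`, and lists everything found under the current user's FileExts\.exe key. The sample exports embedded in it are constructed for the example (the clean one mirrors the values posted above); the hijacked variant and the path hypothetical.exe are invented to show what a tampered command looks like. Real files written by regedit /e on Windows 2000 are normally UTF-16LE with a byte-order mark, which the parser accepts alongside plain 8-bit text.

```python
# Added example (not from the thread): parse `regedit /e` exports and check
# the .exe association chain. Sample exports are constructed; hypothetical.exe
# is an invented path showing what a hijacked open command looks like.
import re

# Windows default (Default) value of HKCR\exefile\shell\open\command.
# A hijack usually wraps it: "C:\path\other.exe" "%1" %*
EXPECTED_EXE_OPEN = '"%1" %*'
FILEEXTS_EXE = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe'

CLEAN_EXEFILE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
HIJACKED_EXEFILE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINNT\\system32\\hypothetical.exe\" \"%1\" %*"
'''
USER_FILEEXTS = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]
"a"="iexplore.exe"
"MRUList"="cab"
"b"="aim.exe"
"c"="firefox.exe"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def decode_export(data):
    """Version 5.00 exports are normally UTF-16LE with a BOM; 8-bit text
    and already-decoded strings are accepted too."""
    if isinstance(data, bytes):
        return data.decode('utf-16' if data.startswith(b'\xff\xfe') else 'latin-1')
    return data

def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_export(data):
    """Return {key_path: {value_name: value}}; '' names the (Default) value.
    Quoted strings are unescaped, hex:/dword: data is kept as written
    (continuation lines of long hex values are not joined)."""
    keys, current = {}, None
    for raw in decode_export(data).splitlines():
        line = raw.strip()
        if not line or line[0] == ';' or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            value = m.group(2)
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = _unescape(value[1:-1])
            keys[current][name] = value
    return keys

def check_exefile(keys):
    """(ok, message) for the machine-wide exefile open command."""
    cmd = keys.get(r'HKEY_CLASSES_ROOT\exefile\shell\open\command', {}).get('')
    if cmd is None:
        return False, 'exefile open command not present in export'
    if cmd == EXPECTED_EXE_OPEN:
        return True, 'exefile open command is the Windows default'
    return False, 'exefile open command is NOT the default: ' + cmd

def user_exe_overrides(keys):
    """(subkey, name, value) for everything under the per-user FileExts .exe
    key. Explorer applies these for that user only, which is why a freshly
    created account can behave differently from the original one."""
    found = []
    for key, values in keys.items():
        if key == FILEEXTS_EXE or key.startswith(FILEEXTS_EXE + '\\'):
            sub = key[len(FILEEXTS_EXE):].lstrip('\\') or '.'
            found.extend((sub, n, v) for n, v in values.items())
    return found

if __name__ == '__main__':
    for label, text in (('clean', CLEAN_EXEFILE), ('hijacked', HIJACKED_EXEFILE)):
        print(label, check_exefile(parse_reg_export(text)))
    print(user_exe_overrides(parse_reg_export(USER_FILEEXTS)))
```

To run it against a real export, read C:\EXPORT.TXT in binary mode and pass the bytes to parse_reg_export; a result other than the default from check_exefile means the program named in the command is launched ahead of every .exe the user opens, and it is the first thing to inspect. Entries returned by user_exe_overrides are not malicious by themselves (OpenWithList is just the "Open With" history), but they are the per-account state that a new profile does not inherit.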

#10 DrewC

DrewC
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 05 June 2008 - 04:02 PM

BamaJim

Again, I really appreciate your support and help. Just to let you know, I am going on a road trip tomorrow morning and won't be back till the end of next week. We can pick up where we left off when I get back.

#11 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 05 June 2008 - 04:26 PM

DrewC

O.k. That will give me some time to research this as well.

#12 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 10 June 2008 - 09:30 AM

DrewC

Are you using the same login in Safe Mode that you are in normal windows mode?

If you log in under another account in Normal windows mode, do you get the same results?

#13 DrewC

DrewC
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 15 June 2008 - 10:35 AM

BamaJim

I never set up another user for myself to log into, I have always just used the Administrator login.

#14 bamajim

bamajim

  • Members
  • 894 posts
  •  
  • Local time:07:15 PM

Posted 16 June 2008 - 07:53 AM

DrewC


Let's do this. Go to Control Panel ->> User Accounts and set up a new user (with admin privileges). Reboot. Sign in under the user you just created and see if the condition is the same or different.

Reply with the results

#15 DrewC

DrewC
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 16 June 2008 - 04:37 PM

BamaJim

This looks good. I created a new account and am able to navigate through the C: drive and double click to open things in any folder. The only thing that concerns me now is that I am unable to update my Norton AntiVirus Corporate Edition software. The LiveUpdate feature that gets the new virus definitions goes through the process of connecting but then hangs on the downloading data part. It may be that the software is just not maintained anymore by Norton, but on my other computer (running Windows XP) I can download definitions, there is just no longer a date for the definition. Any thoughts on this?

And beyond that, in your opinion is the computer in the clear now?

Thanks for all your help!



