Infected With Netbot?


  • This topic is locked
18 replies to this topic

#1 Nacire

  • Members
  • 22 posts
  • Location: Louisville, Ky

Posted 24 June 2008 - 12:49 PM

Hello everyone, today my internet was suspended by my provider, who claims over 5000 emails were sent out from my IP address yesterday. I'm on a secure wireless network with a desktop and a laptop. The laptop was powered down, which makes me believe it was my desktop. Therefore I've provided these logs from my desktop PC. I do run regular manual scans via AVG and a-squared, as well as keep up an active firewall on my router. I greatly appreciate the ability to come here out of the blue and receive help with this problem, so thanks to everyone here.

Deckard's System Scanner v20071014.68
Run by Forrest on 2008-06-24 13:36:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
94: 2008-06-24 17:36:50 UTC - RP325 - Deckard's System Scanner Restore Point
93: 2008-06-24 17:14:30 UTC - RP324 - Installed AVG Free 8.0
92: 2008-06-24 17:05:13 UTC - RP323 - Installed AVG Free 8.0
91: 2008-06-24 17:03:55 UTC - RP322 - Removed AVG Free 8.0
90: 2008-06-23 17:35:28 UTC - RP321 - System Checkpoint


-- First Restore Point --
1: 2008-03-27 12:08:57 UTC - RP232 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 14.84 GiB (less than 15%) free.


-- HijackThis (run as Forrest.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:22 PM, on 6/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\ZyXEL G-202\ZyXEL G-202.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Documents and Settings\Forrest\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Forrest.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: ZyXEL G-202 Wireless Adapter Utility.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1196066384171
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp..._downloader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: rwia3 - C:\WINDOWS\SYSTEM32\rwia3.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 8440 bytes

-- File Associations -----------------------------------------------------------

.scr - DWGTrueViewScriptFile - shell\open\command - "" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 DS1410D - c:\windows\system32\drivers\ds1410d.sys
R2 hardlock - c:\windows\system32\drivers\hardlock.sys <Not Verified; Aladdin Knowledge Systems; Hardlock Device Driver for Windows NT>
R2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
R2 ZDCNDIS5 (ZDCNDIS5 NDIS5.1 Protocol Driver) - c:\windows\system32\zdcndis5.sys <Not Verified; ZDC., Inc. (ZDC); ZDC Rawether for Windows>

S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 Sntnlusb (Rainbow USB SuperPro) - c:\windows\system32\drivers\sntnlusb.sys <Not Verified; Rainbow Technologies Inc.; Rainbow Technologies USB Security Device Driver>
S3 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Autodesk Licensing Service - "c:\program files\common files\autodesk shared\service\adskscsrv.exe" <Not Verified; Autodesk; Autodesk Licensing Service>
R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
R2 maya70docserver (Maya 7.0 Documentation Server) - "c:\program files\alias\maya7.0\docs\wrapper.exe" -s "c:\program files\alias\maya7.0\docs\wrapper.conf"
R2 mi-raysat_3dsMax2008_32 (mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit) - "c:\program files\autodesk\3ds max 2008\mentalray\satellite\raysat_3dsmax2008_32server.exe"
R2 mi-raysat_3dsmax9_32 (mental ray 3.5 Satellite (32-bit)) - "c:\program files\autodesk\3ds max 9\mentalray\satellite\raysat_3dsmax9_32server.exe"
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>

S3 CachemanXPService (CachemanXP) - c:\progra~1\cachem~1\cachemanxp.exe <Not Verified; Outertech; >
S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
S4 mi-raysat_3dsmax8 (RaySat_3dsmax8 Server) - "c:\program files\autodesk\3dsmax8\mentalray\satellite\raysat_3dsmax8server.exe"


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: ATI Function Driver for High Definition Audio - ATI AA01
Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1000\5&CBA22F0&0&0001
Manufacturer: ATI
Name: ATI Function Driver for High Definition Audio - ATI AA01
PNP Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1000\5&CBA22F0&0&0001
Service: HdAudAddService

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_1016147B&REV_10\4&1F7DBC9F&0&10F0
Manufacturer: Realtek
Name: Realtek RTL8139 Family PCI Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_1016147B&REV_10\4&1F7DBC9F&0&10F0
Service: rtl8139


-- Files created between 2008-05-24 and 2008-06-24 -----------------------------

2008-06-24 13:14:37 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-24 13:14:37 0 d-------- C:\Documents and Settings\Forrest\Application Data\AVGTOOLBAR
2008-06-24 13:05:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-24 13:00:13 0 d-------- C:\Program Files\Trend Micro
2008-06-23 23:11:35 23 --a------ C:\WINDOWS\popcinfot.dat
2008-06-19 14:18:12 139264 --a------ C:\WINDOWS\system32\EBAPI2.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
2008-06-19 14:18:12 0 d-------- C:\Program Files\Common Files\EPSON
2008-06-19 13:24:48 0 d-------- C:\Program Files\dRaster
2008-06-18 18:03:19 0 d-------- C:\Documents and Settings\Forrest\Application Data\InstallShield Installation Information
2008-06-18 17:46:44 0 d-------- C:\Program Files\Unreal Tournament 3
2008-06-18 10:10:27 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-06-18 04:14:14 0 dr-h----- C:\Documents and Settings\Forrest\Recent
2008-06-17 14:30:07 0 d-------- C:\Documents and Settings\Forrest\Application Data\ATI
2008-06-17 14:22:48 0 d-------- C:\Program Files\Common Files\ATI Technologies
2008-06-17 14:20:43 0 d-------- C:\Program Files\ATI Technologies
2008-06-17 12:46:17 84992 --a------ C:\WINDOWS\system32\drivers\AtiHdAud.sys <Not Verified; ATI Research Inc.; Windows ® Server 2003 DDK driver>
2008-06-11 13:40:05 0 d-------- C:\Program Files\Xvid
2008-06-11 13:38:09 0 d-------- C:\Program Files\Santiago Orgaz
2008-06-10 17:44:28 0 d-------- C:\Program Files\AVG
2008-06-09 23:40:14 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-09 22:20:41 0 d-------- C:\Documents and Settings\Forrest\Pavark
2008-06-04 21:03:25 0 d-------- C:\WINDOWS\Logs
2008-06-04 01:37:12 0 d-------- C:\Program Files\ZyXEL G-202
2008-05-30 19:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 19:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-25 20:32:02 0 d-------- C:\Program Files\Silo 2.0.5
2008-05-24 12:07:13 0 d-------- C:\Program Files\eMule


-- Find3M Report ---------------------------------------------------------------

2008-06-24 13:30:50 0 d-------- C:\Documents and Settings\Forrest\Application Data\DNA
2008-06-24 13:10:45 0 d-------- C:\Documents and Settings\Forrest\Application Data\WTablet
2008-06-24 13:05:28 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000004-00001102-00000004-20021102}.dat
2008-06-24 13:05:28 384 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000004-00001102-00000004-20021102}.dat
2008-06-24 00:37:35 0 d-------- C:\Program Files\Steam
2008-06-23 17:57:15 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-06-19 14:18:12 0 d-------- C:\Program Files\Common Files
2008-06-19 13:41:27 0 d-------- C:\Program Files\a-squared Free
2008-06-19 12:57:48 0 d-------- C:\Documents and Settings\Forrest\Application Data\LimeWire
2008-06-18 04:03:30 0 d-------- C:\Program Files\World of Warcraft
2008-06-18 00:49:54 0 d-------- C:\Program Files\Zune
2008-06-17 14:24:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-16 23:07:45 0 d-------- C:\Program Files\LimeWire
2008-06-13 22:27:12 0 d-------- C:\Documents and Settings\Forrest\Application Data\BitTorrent
2008-06-10 16:45:41 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-10 14:51:48 0 d-------- C:\Program Files\DivX
2008-05-22 18:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 18:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 18:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 18:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-12 11:56:04 397312 --a------ C:\WINDOWS\system32\ATIDEMGX.dll <Not Verified; Advanced Micro Devices, Inc.; Catalyst® Control Centre>
2008-05-12 11:54:44 305152 --a------ C:\WINDOWS\system32\ati2dvag.dll <Not Verified; ATI Technologies Inc.; ATI Radeon WindowsNT Display Driver>
2008-05-12 11:53:34 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll <Not Verified; ATI Technologies Inc.; ATI Display Driver Utilities>
2008-05-12 11:45:37 180224 --a------ C:\WINDOWS\system32\atipdlxx.dll <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-05-12 11:45:23 139264 --a------ C:\WINDOWS\system32\Oemdspif.dll <Not Verified; ATI Technologies, Inc.; ATI Driver Interface Component>
2008-05-12 11:45:14 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe <Not Verified; ATI Technologies, Inc.; ATI Default Resolution Update>
2008-05-12 11:45:05 43520 --a------ C:\WINDOWS\system32\ati2edxx.dll <Not Verified; ATI Technologies, Inc.; ATI External Device Utility>
2008-05-12 11:44:50 139264 --a------ C:\WINDOWS\system32\ati2evxx.dll <Not Verified; ATI Technologies Inc.; ATI External Event Utility for Windows>
2008-05-12 11:43:18 540672 --a------ C:\WINDOWS\system32\ati2evxx.exe <Not Verified; ATI Technologies Inc.; ATI External Event Utility for Windows>
2008-05-12 11:43:14 10153984 --a------ C:\WINDOWS\system32\atioglx2.dll <Not Verified; ATI Technologies Inc.; ATI OpenGL driver>
2008-05-12 11:41:56 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL <Not Verified; ATI Technologies Inc.; ATI Radeon Family>
2008-05-12 11:32:50 3203168 --a------ C:\WINDOWS\system32\ati3duag.dll <Not Verified; ATI Technologies Inc.; ATI Technologies Inc. Radeon DirectX Universal Driver>
2008-05-12 11:22:55 1999616 --a------ C:\WINDOWS\system32\ativvaxx.dll <Not Verified; ATI Technologies Inc.; ATI Technologies Inc. Radeon Video Acceleration Universal Driver>
2008-05-12 11:22:31 887724 --a------ C:\WINDOWS\system32\ativva6x.dat
2008-05-12 11:09:20 47104 --a------ C:\WINDOWS\system32\amdpcom32.dll <Not Verified; Advanced Micro Devices, Inc.; Advanced Micro Devices, Inc. Radeon PCOM Universal Driver>
2008-05-12 11:05:19 327680 --a------ C:\WINDOWS\system32\atikvmag.dll <Not Verified; ATI Technologies Inc.; Virtual Command And Memory Manager>
2008-05-12 11:03:56 19968 --a------ C:\WINDOWS\system32\atiadlxx.dll <Not Verified; Advanced Micro Devices, Inc.; ADL Component>
2008-05-12 11:03:46 17408 --a------ C:\WINDOWS\system32\atitvo32.dll <Not Verified; ATI Technologies Inc.; ATI RageTheater/ImpacTV COM interface>
2008-05-12 11:02:31 241664 --a------ C:\WINDOWS\system32\atiok3x2.dll <Not Verified; ATI Technologies Inc.; Ring 0 x2 Component>
2008-05-12 10:57:08 548864 --a------ C:\WINDOWS\system32\ati2cqag.dll <Not Verified; ATI Technologies Inc.; ATI Radeon Family>
2008-04-26 23:12:08 0 d-------- C:\Program Files\BitTorrent
2008-04-26 22:45:55 0 d-------- C:\Program Files\DNA
2008-04-15 12:45:46 20736 --a------ C:\WINDOWS\system32\ZDCndis5.sys <Not Verified; ZDC., Inc. (ZDC); ZDC Rawether for Windows>
2008-04-15 12:45:46 94208 --a------ C:\WINDOWS\system32\ZDCN50.dll <Not Verified; ZDC., Inc. (ZDC); PCAUSA Rawether for Windows>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/24/2008 01:14 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"SoundMan"="SOUNDMAN.EXE" [04/16/2007 05:28 PM C:\WINDOWS\soundman.exe]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [03/20/2007 06:40 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [10/23/2006 01:24 AM]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [04/29/2008 07:56 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/24/2008 01:14 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [05/08/2008 02:08 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [6/19/2008 2:18:11 PM]
ZyXEL G-202 Wireless Adapter Utility.lnk - C:\Program Files\ZyXEL G-202\ZyXEL G-202.exe [6/4/2008 1:37:13 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rwia3]
rwia3.dll 06/19/2004 09:38 AM 10752 C:\WINDOWS\system32\rwia3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Forrest^Start Menu^Programs^Startup^Trillian.lnk]
path=C:\Documents and Settings\Forrest\Start Menu\Programs\Startup\Trillian.lnk
backup=C:\WINDOWS\pss\Trillian.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"a2free"=2 (0x2)
"mi-raysat_3dsmax8"=2 (0x2)
"avg8wd"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\LaunchCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60768192-ef98-11dc-bfad-00508df734c3}]
AutoRun\command- F:\setupSNK.exe

*Newly Created Service* - AVG8EMC
*Newly Created Service* - AVG8WD
*Newly Created Service* - AVGLDX86
*Newly Created Service* - AVGMFX86



-- End of Deckard's System Scanner: finished at 2008-06-24 13:39:12 ------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.60GHz
CPU 1: Intel® Pentium® 4 CPU 2.60GHz
Percentage of Memory in Use: 17%
Physical Memory (total/avail): 3071.48 MiB / 2547.35 MiB
Pagefile Memory (total/avail): 4451.35 MiB / 4113.16 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.58 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 115.03 GiB total, 14.84 GiB free.
D: is CDROM (CDFS)
E: is Fixed (NTFS) - 115.04 GiB total, 19.18 GiB free.
F: is Removable (No Media)

\\.\PHYSICALDRIVE2 - EPSON SP 785EPX Storage

\\.\PHYSICALDRIVE0 - HDS722512VLSA80 - 115.04 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 115.03 GiB - C:

\\.\PHYSICALDRIVE1 - HDS722512VLSA80 - 115.04 GiB - 1 partition
\PARTITION0 - Installable File System - 115.04 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"="C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"C:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 8"
"C:\\Program Files\\Autodesk\\backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Program Files\\Autodesk\\backburner\\manager.exe"="C:\\Program Files\\Autodesk\\backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Program Files\\Autodesk\\backburner\\server.exe"="C:\\Program Files\\Autodesk\\backburner\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 2008 32-bit"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe"="C:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe:*:Enabled:Maya"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 9 32-bit"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Crazybump Beta Test\\CrazyBump.exe"="C:\\Program Files\\Crazybump Beta Test\\CrazyBump.exe:*:Enabled:CrazyBump"
"C:\\Program Files\\Crazybump\\CrazyBump.exe"="C:\\Program Files\\Crazybump\\CrazyBump.exe:*:Enabled:CrazyBump"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Crazybump\\cb.exe"="C:\\Program Files\\Crazybump\\cb.exe:*:Enabled:crazybump"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"="C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe:*:Enabled:Unreal Tournament 3"
"C:\\Program Files\\ZyXEL G-202\\ZyXEL G-202.exe"="C:\\Program Files\\ZyXEL G-202\\ZyXEL G-202.exe:*:Enabled:ZyXEL G-202 Wireless Adapter Utility"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Forrest\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FORRESTPC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Forrest
LOGONSERVER=\\FORRESTPC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\PROGRA~1\MOZILL~1;C:\PROGRA~1\Mozilla Firefox;C:\Program Files\Trend Micro\HijackThis;C:\Program Files\Autodesk\Maya2008\bin;C:\Program Files\Alias\Maya7.0\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\Autodesk\backburner\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Autodesk\DWG TrueView\;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Forrest\LOCALS~1\Temp
TMP=C:\DOCUME~1\Forrest\LOCALS~1\Temp
USERDOMAIN=FORRESTPC
USERNAME=Forrest
USERPROFILE=C:\Documents and Settings\Forrest
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Forrest (admin)
Kelly (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> MsiExec /X{45235788-142C-44BE-8A4D-DDE9A84492E5}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.56 beta --> "C:\Program Files\7-Zip\Uninstall.exe"
a-squared Free 3.1 --> "C:\Program Files\a-squared Free\unins000.exe"
Add or Remove Adobe Creative Suite 3 Design Premium --> C:\Program Files\Common Files\Adobe\Installers\c14ac4070fd9614ffe63f4bb533db2c\Setup.exe
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe BridgeTalk Plugin CS3 --> MsiExec.exe /I{B7F560B3-6EFF-4026-A982-843895A41149}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings --> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Creative Suite 3 Design Premium --> MsiExec.exe /I{D1C18EDD-571A-4BDD-BE7B-1DD86027D7FF}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Dreamweaver CS3 --> MsiExec.exe /I{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{77D2A9D3-5800-43E3-B274-87841BC87DB2}
Adobe Extension Manager CS3 --> MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Flash CS3 --> MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Video Encoder --> MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS3 --> MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe InDesign CS3 --> MsiExec.exe /I{CB3F8375-B600-4B9F-83C9-238ED1E583FD}
Adobe InDesign CS3 Icon Handler --> MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe MotionPicture Color Files --> MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Setup --> MsiExec.exe /I{09E2111C-16B1-4DDF-BF0D-F994C9A12350}
Adobe Setup --> MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup --> MsiExec.exe /I{8AE03988-8C8C-40EE-BDC7-76781BEF1B1D}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe SING CS3 --> MsiExec.exe /I{B671CBFD-4109-4D35-9252-3062D3CCB7B2}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe Version Cue CS3 Server {ko_KR} --> MsiExec.exe /I{1D58229F-C505-45CA-8223-F35F3A34B963}
Adobe WAS CS3 --> MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AGEIA PhysX v7.09.13 --> MsiExec.exe /X{45235788-142C-44BE-8A4D-DDE9A84492E5}
AHV content for Acrobat and Flash --> MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Autodesk 3ds Max 2008 32-bit --> MsiExec.exe /I{BF658A51-6D4F-4CB0-8D40-D183692B995D}
Autodesk 3ds Max 2008 32-bit Additional Maps and Material Libraries --> MsiExec.exe /I{EDC8D89C-DC3D-4a3d-ABE7-97D281C0A13A}
Autodesk 3ds Max 2008 32-bit Architectural Materials Library --> MsiExec.exe /I{3C106CBD-3E5A-4275-94F9-23FFE687D090}
Autodesk 3ds Max 2008 32-bit Help --> MsiExec.exe /I{38EC4486-44FF-49da-8FFF-87DA9DCBC06B}
Autodesk 3ds Max 2008 32-bit Vault 2008 Plug-In --> MsiExec.exe /I{679035C8-CEB8-4a5c-847A-5FB3FFADC0EB}
Autodesk 3ds Max 2008 32-bit Vault 5 Plug-In --> MsiExec.exe /I{D1B7094B-8CAC-492a-9EE6-D1576ED35208}
Autodesk 3ds Max 2008 32-bit Videos --> MsiExec.exe /I{AB2037C6-FE46-41fd-B1B2-4D62FBB1E57A}
Autodesk 3ds Max 8 --> MsiExec.exe /I{DBB313D6-4B13-4961-BD5F-673CDA1793CC}
Autodesk 3ds Max 9 32-bit --> MsiExec.exe /I{E96D4088-AAC5-437F-9E39-EC0E387897B4}
Autodesk Design Review 2008 --> MsiExec.exe /I{FCF3DFF4-CB33-4343-9878-DEEC6D131DF8}
Autodesk DirectConnect 2.0 --> MsiExec.exe /I{C033BF6E-9D82-4E0B-A46E-ABC746D6F431}
Autodesk DWF Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
Autodesk Vault 2008 --> C:\Program Files\Autodesk\Vault 2008\Setup\setup.exe /p {E55B00B0-9DBF-4EE1-AC1D-5DEBE12BD097} /M VAULT
Autodesk Vault 2008 --> MsiExec.exe /X{E55B00B0-9DBF-4EE1-AC1D-5DEBE12BD097}
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Backburner --> MsiExec.exe /I{3D347E6D-5A03-4342-B5BA-6A771885F379}
BitTorrent --> C:\Program Files\BitTorrent\uninst.exe
Cacheman 5.50 --> C:\PROGRA~1\Cacheman\UNWISE.EXE C:\PROGRA~1\Cacheman\install.dat
Canon Digital Camera USB WIA Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\DC USB WIA\Uninst.isu" -c"C:\Program Files\Canon\DC USB WIA\SetupWia.dll"
Canon Utilities RemoteCapture 2.7 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{14220DB1-DD96-4BCD-B3D5-03A4EA6631C4}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CDBurnerXP --> "C:\Program Files\CDBurnerXP\unins000.exe"
CgFXSL for Maya7.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2B02574-FA1A-4689-809A-2C680E5F440A}\Setup.exe" -l0x9
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL
dog2 Screen Saver --> C:\WINDOWS\dog2.scr /u
dRaster Tools --> "C:\Program Files\dRaster\unins000.exe"
DWG TrueView 2007 --> MsiExec.exe /I{2CD6BBA0-17C8-4789-9B9B-B36F7E815F6A}
eMule --> "C:\Program Files\eMule\Uninstall.exe"
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EVEREST Home Edition v1.51 --> "C:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"
FBX Plugin 2006.11.1 for Max 2008 --> C:\Program Files\Autodesk\FBX\FbxPlugins\2006.11.1\Max2008\Uninstall.exe
ffdshow [rev 1324] [2007-07-01] --> "C:\Program Files\K-Lite Codec Pack\ffdshow\unins000.exe"
FixTunes (remove only) --> "C:\Program Files\Cloudbrain\FixTunes\uninstall.exe"
GLOBEtrotter FLEXid Drivers --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\GLOBEtrotter Software Inc.\GLOBEtrotter FLEXid Drivers\Uninst.isu"
Half-Life 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/220
Half-Life 2: Episode One --> "C:\Program Files\Steam\steam.exe" steam://uninstall/380
Half-Life 2: Episode Two --> "C:\Program Files\Steam\steam.exe" steam://uninstall/420
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
K-Lite Codec Pack 3.5.7 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
LimeWire 4.18.2 --> "C:\Program Files\LimeWire\uninstall.exe"
Logitech Harmony Remote Software 7 --> C:\Program Files\InstallShield Installation Information\{5C6F884D-680C-448B-B4C9-22296EE1B206}\setup.exe -runfromtemp -l0x0009 -removeonly
Maya 2008 --> MsiExec.exe /I{DA864DC0-0BF2-454B-A6A9-08A45EB97D3B}
Maya 2008 Documentation (en_US) --> MsiExec.exe /I{6C70ACE2-6EF2-4F8D-8C4A-78198AA979DD}
Maya 7.0 --> MsiExec.exe /I{99B41A19-7FD5-4B0C-A2AB-1A065669F8A3}
Maya 7.0 Bonus Tools --> MsiExec.exe /X{366D8827-238B-419F-B1CB-9E2783EC71B3}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7 --> "C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft Money 2005 --> C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
Microsoft Office Access 2007 --> MsiExec.exe /X{90120000-0015-0000-0000-0000000FF1CE}
Microsoft Office Access 2007 Trial --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ACCESS /dll OSETUP.DLL
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Standard 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall STANDARD /dll OSETUP.DLL
Microsoft Office Standard 2007 --> MsiExec.exe /X{90120000-0012-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft WSE 3.0 Runtime --> MsiExec.exe /X{E3E71D07-CD27-46CB-8448-16D4FB29AA13}
Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.12) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Mudbox 1.0 --> MsiExec.exe /I{F2DC9BD1-8DB8-461C-80B2-7264AFA54EE2}
MultiRes (remove only) --> C:\Program Files\MultiRes\uninstal.exe
NVIDIA Photoshop Plug-ins --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23F79416-CAD1-41BF-99A3-040F6C814AAA}\setup.exe" -l0x9
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Peggle Extreme --> "C:\Program Files\Steam\steam.exe" steam://uninstall/3483
PlayNC Launcher --> C:\Program Files\InstallShield Installation Information\{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}\setup.exe -runfromtemp -l0x0009 -removeonly
Portal --> "C:\Program Files\Steam\steam.exe" steam://uninstall/400
Prime95 --> "C:\Program Files\Prime95\Uninstall.exe" "C:\Program Files\Prime95\install.log"
Quake III Arena Point Release 1.32 --> C:\WINDOWS\unvise32.exe C:\Program Files\Quake III Arena\uninstal5.log
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Remote Control USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8471021C-F529-43DE-84DF-3612E10F58C4}\setup.exe" -l0x9 -removeonly
Sentinel System Driver --> C:\WINDOWS\SYSTEM32\RNBOSENT\SETUPX86.EXE /U /q
Silo 2.0.5 --> MsiExec.exe /I{53ADD828-62F6-4A3C-A31C-127363293653}
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
SteelSeries Ikari Laser --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A64ECAEE-51FE-4AC7-ABE8-EBBCDA7E3EDC}\Setup.exe"
TBS WMP Plug-in --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{DB5F474C-B584-417F-810B-DEBBC1893C2A}
Team Fortress 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/440
Tomb Raider: Anniversary 1.0 --> C:\Program Files\Tomb Raider - Anniversary\uninsttra.exe
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Turbo Squid Tentacles 3ds Max 2008 --> MsiExec.exe /X{72019134-3A61-4C39-A540-245600C4CDFA}
TVersity Codec Pack 1.1 --> C:\Program Files\TVersity Codec Pack\uninst.exe
Unity Web Player --> C:\Program Files\Unity\WebPlayer\Uninstall.exe
Unreal Tournament 3 --> "C:\Documents and Settings\Forrest\Application Data\InstallShield Installation Information\{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}\SetupUT3.exe" -runfromtemp -l0x0409 -removeonly
Unreal Tournament 3 --> MsiExec.exe /X{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}
Wacom Tablet --> C:\Program Files\Tablet\Wacom\Remove.exe /u
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->
xNormal 3.15.2 --> C:\Program Files\Santiago Orgaz\xNormal\3.15.2\uninstaller.exe
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
ZBrush3 --> MsiExec.exe /I{6084D038-3401-4C9D-A216-86E6EEA25AFB}
Zune --> c:\Program Files\Zune\ZuneSetup.exe /x
Zune --> MsiExec.exe /X{FF70513F-E3A7-402F-84FB-B7810A064BE2}
Zune Desktop Theme --> MsiExec.exe /X{7E20EFE6-E604-48C6-8B39-BA4742F2CDB4}
Zune Language Pack (ES) --> MsiExec.exe /X{EE4ACABF-531E-419A-9225-B8E0FA4955AF}
Zune Language Pack (FR) --> MsiExec.exe /X{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}
ZyXEL G-202 Wireless Adapter Utility --> C:\Program Files\InstallShield Installation Information\{C5D78EFC-A9C1-44F3-81CB-D42C5DF8EA09}\setup.exe -runfromtemp -l0x0009 -removeonly


-- Application Event Log -------------------------------------------------------

Event Record #/Type4431 / Error
Event Submitted/Written: 06/23/2008 11:50:52 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application hl2.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type4191 / Error
Event Submitted/Written: 06/12/2008 05:34:30 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module piclens18.dll, version 1.6.4.3332, fault address 0x0010b502.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type4190 / Error
Event Submitted/Written: 06/11/2008 10:25:13 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module piclens18.dll, version 1.6.4.3332, fault address 0x0010b502.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type4189 / Error
Event Submitted/Written: 06/11/2008 05:24:10 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application xNormal.exe, version 3.15.2.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type4188 / Error
Event Submitted/Written: 06/11/2008 04:00:28 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application maya.exe, version 2005.7.19.2211, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9560 / Error
Event Submitted/Written: 06/24/2008 01:06:26 PM / 06/24/2008 01:06:56 PM
Event ID/Source: 4 / sptd
Event Description:
Driver detected an internal error in its data structures for .

Event Record #/Type9550 / Error
Event Submitted/Written: 06/24/2008 00:55:06 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.102 for the Network Card with network address 001349904DF4 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type9544 / Error
Event Submitted/Written: 06/24/2008 00:39:52 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.102 for the Network Card with network address 001349904DF4 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type9526 / Error
Event Submitted/Written: 06/24/2008 00:36:22 PM / 06/24/2008 00:36:52 PM
Event ID/Source: 4 / sptd
Event Description:
Driver detected an internal error in its data structures for .

Event Record #/Type9514 / Warning
Event Submitted/Written: 06/24/2008 03:15:52 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-06-24 13:39:12 ------------


#2 Nacire

Nacire
  • Topic Starter

  • Members
  • 22 posts
  • Location:Louisville, Ky
  • Local time:08:47 AM

Posted 27 June 2008 - 12:33 PM

Okay, I understand that I'm not supposed to bump my own thread; however, I'm a freelancer from home, it appears my laptop is infected as well, and nothing I've tried has curbed the botnet. I got ZoneAlarm, which blocked it yesterday while I used the net, but today I can't block the botnet without blocking my own connection. I see tons of info on viruses, etc., but not a lot of info on how to beat or remove botnets. All I can conclude at this point is this must be a really good one, and I think it is disguised in Generic Host Process for Win32.

I'm on the verge of reinstalling both PCs, but I'm hesitant. I keep my work on a separate internal hard drive, but I don't know how to keep it from infecting my new install should it be compromised as well.

Any help? I'm here until my ISP shuts me down again.

#3 Nacire

Nacire
  • Topic Starter

  • Members
  • 22 posts
  • Location:Louisville, Ky
  • Local time:08:47 AM

Posted 27 June 2008 - 02:45 PM

Should I just zap this installation? Is it going to be a lot of trouble to cleanse out the botnet? Is anyone out there?

#4 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • Local time:07:47 AM

Posted 28 June 2008 - 01:12 PM

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please reply to this thread, do not start another.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

As I am still in training, everything that I post to you must be checked by one of the teachers. Thus, there may be a bit of a delay between posts, but it shouldn't be too long.

If you follow these instructions, everything should go smoothly.

We are currently looking at your log now and will be back as soon as possible with your instructions.
Member of ASAP (Alliance of Security Analysis Professionals)

#5 Nacire

Nacire
  • Topic Starter

  • Members
  • 22 posts
  • Location:Louisville, Ky
  • Local time:08:47 AM

Posted 28 June 2008 - 09:27 PM

Thank you so much, I was beginning to lose hope. Anyhow, the way I've been checking to see if my PC is sending stuff out is via the outgoing log in my Linksys wireless router. It seems to be sending something to various IPs over port www. When I tried the reinstall, everything seemed to go fine until I set up Mozilla Thunderbird to pull my email from Gmail. I can't tell you if that's what did it exactly, but that is around the time I noticed the log showing outgoing data again. When I did the install I completely wiped everything but an additional internal drive. It houses all of my work, so I just couldn't part with it. It didn't seem to affect the install, but I definitely feel in over my head on this one.

One thing I've noticed for some time, way before the cable company cut my service off, is that the modem lights for pclink and cable, as well as the internet light on my router, have been flashing non-stop, even when all of my equipment is shut down. I'm not sure if that is what is supposed to be going on or not, just an observation. With ZoneAlarm on I keep getting "Generic Host for Win32" is requesting access to the net. No scanner has detected anything either. I've tried MSRT, AVG, a-squared, Spybot, all in normal and safe mode. I also have ZoneAlarm and my router firewall enabled.

Again, thanks, Carolyn, and sorry for the post in the other thread and my bumping, but this is going on 5 days or so of trying to best this issue. This situation just makes me realize how little I know about networks and PCs.

-ps- that log was taken before my reinstall, so let me know if you would like a new one.

Edited by Nacire, 28 June 2008 - 09:29 PM.


#6 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • Local time:07:47 AM

Posted 29 June 2008 - 06:37 AM

-ps- that log was taken before my reinstall, so let me know if you would like a new one.


Yes, please scan again with Deckard's System Scanner and post the resulting log(s).

Don't worry if the scan does not produce the extra.txt. Main.txt should be sufficient at this time.

:thumbsup:
Member of ASAP (Alliance of Security Analysis Professionals)

#7 Nacire

Nacire
  • Topic Starter

  • Members
  • 22 posts
  • Location:Louisville, Ky
  • Local time:08:47 AM

Posted 29 June 2008 - 11:41 AM

Deckard's System Scanner v20071014.68
Run by Forrest on 2008-06-29 12:29:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
27: 2008-06-29 16:29:59 UTC - RP27 - Deckard's System Scanner Restore Point
26: 2008-06-29 05:15:29 UTC - RP26 - Installed QuickTime
25: 2008-06-29 04:42:13 UTC - RP25 - Software Distribution Service 3.0
24: 2008-06-29 04:14:38 UTC - RP24 - Installed Creative Audio Console
23: 2008-06-29 02:47:38 UTC - RP23 - Installed Realtek AC'97 Audio


-- First Restore Point --
1: 2008-06-28 01:07:11 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Forrest.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:03 PM, on 6/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Forrest\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Forrest.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ZyXEL G-202 Wireless Adapter Utility.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1214619984091
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1214619968168
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5003 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R4 ZDCNDIS5 (ZDCNDIS5 NDIS Protocol Driver) - c:\windows\zdcndis5.sys <Not Verified; ZDC., Inc. (ZDC); ZDC Rawether for Windows>

S3 COMMONFX - c:\windows\system32\drivers\commonfx.sys (file missing)
S3 COMMONFX.SYS - c:\windows\system32\drivers\commonfx.sys (file missing)
S3 CTAUDFX - c:\windows\system32\drivers\ctaudfx.sys (file missing)
S3 CTAUDFX.SYS - c:\windows\system32\drivers\ctaudfx.sys (file missing)
S3 CTEDSPFX.DLL - c:\windows\system32\ctedspfx.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
S3 CTEDSPIO.DLL - c:\windows\system32\ctedspio.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
S3 CTEDSPSY.DLL - c:\windows\system32\ctedspsy.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
S3 CTERFXFX - c:\windows\system32\drivers\cterfxfx.sys (file missing)
S3 CTERFXFX.DLL - c:\windows\system32\cterfxfx.dll (file missing)
S3 CTERFXFX.SYS - c:\windows\system32\drivers\cterfxfx.sys (file missing)
S3 CTSBLFX - c:\windows\system32\drivers\ctsblfx.sys (file missing)
S3 CTSBLFX.SYS - c:\windows\system32\drivers\ctsblfx.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: ATI Function Driver for High Definition Audio - ATI AA01
Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1000\5&CBA22F0&0&0001
Manufacturer: ATI
Name: ATI Function Driver for High Definition Audio - ATI AA01
PNP Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1000\5&CBA22F0&0&0001
Service: AtiHdmiService

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_1016147B&REV_10\4&1F7DBC9F&0&10F0
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_1016147B&REV_10\4&1F7DBC9F&0&10F0
Service: RTL8023xp


-- Scheduled Tasks -------------------------------------------------------------

2008-06-29 10:09:47 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-05-29 and 2008-06-29 -----------------------------

2008-06-29 12:28:42 0 d-------- C:\Program Files\Trend Micro
2008-06-29 11:22:37 0 d-------- C:\Documents and Settings\Kelly\Application Data\Identities
2008-06-29 11:22:17 0 d--h----- C:\Documents and Settings\Kelly\Templates
2008-06-29 11:22:17 0 dr------- C:\Documents and Settings\Kelly\Start Menu
2008-06-29 11:22:17 0 dr-h----- C:\Documents and Settings\Kelly\SendTo
2008-06-29 11:22:17 0 dr-h----- C:\Documents and Settings\Kelly\Recent
2008-06-29 11:22:17 0 d--h----- C:\Documents and Settings\Kelly\PrintHood
2008-06-29 11:22:17 0 d--h----- C:\Documents and Settings\Kelly\NetHood
2008-06-29 11:22:17 0 dr------- C:\Documents and Settings\Kelly\My Documents
2008-06-29 11:22:17 0 d--h----- C:\Documents and Settings\Kelly\Local Settings
2008-06-29 11:22:17 0 dr------- C:\Documents and Settings\Kelly\Favorites
2008-06-29 11:22:17 0 d-------- C:\Documents and Settings\Kelly\Desktop
2008-06-29 11:22:17 0 d--hs---- C:\Documents and Settings\Kelly\Cookies
2008-06-29 11:22:17 0 dr-h----- C:\Documents and Settings\Kelly\Application Data
2008-06-29 11:22:17 0 d---s---- C:\Documents and Settings\Kelly\Application Data\Microsoft
2008-06-29 11:22:16 786432 --ah----- C:\Documents and Settings\Kelly\NTUSER.DAT
2008-06-29 01:24:08 0 d-------- C:\Documents and Settings\Forrest\Application Data\Apple Computer
2008-06-29 01:15:33 0 d-------- C:\Program Files\QuickTime
2008-06-29 01:15:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-29 01:15:16 0 d-------- C:\Program Files\Apple Software Update
2008-06-29 01:15:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-29 01:03:10 0 d-------- C:\WINDOWS\system32\Defaults
2008-06-29 01:01:52 3072 --a------ C:\WINDOWS\CTXFIRES.DLL <Not Verified; ; CTxfiRes Dynamic Link Library>
2008-06-29 00:43:14 0 d-------- C:\WINDOWS\system32\URTTEMP
2008-06-29 00:14:38 0 d-------- C:\Program Files\Creative
2008-06-28 23:02:19 0 dr-h----- C:\Documents and Settings\Forrest\Recent
2008-06-28 22:55:18 0 d-------- C:\Program Files\Common Files\Logitech
2008-06-28 22:55:17 0 d-------- C:\Program Files\Logitech
2008-06-28 22:48:20 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-06-28 22:47:41 0 d-------- C:\Program Files\Realtek AC97
2008-06-28 22:47:38 315392 --a------ C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Update driver Tool>
2008-06-28 14:51:08 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-28 14:51:08 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-28 14:51:08 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-28 14:51:08 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-28 14:51:08 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-28 14:51:08 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-28 14:51:08 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-28 14:51:08 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-28 14:51:08 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-28 14:51:08 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-28 14:51:08 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-28 14:51:08 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-28 14:51:08 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-28 14:51:08 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-28 14:48:03 0 d-------- C:\WINDOWS\pss
2008-06-28 04:15:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-28 04:14:36 888864 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-28 04:10:48 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-28 04:10:36 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-28 04:10:15 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-06-28 04:09:31 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-06-28 04:08:40 0 d-------- C:\WINDOWS\Internet Logs
2008-06-28 02:56:25 0 d-------- C:\Documents and Settings\Forrest\Application Data\Talkback
2008-06-28 02:56:15 0 d-------- C:\Documents and Settings\Forrest\Application Data\Thunderbird
2008-06-28 02:56:04 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-06-28 02:54:56 0 d-------- C:\Program Files\CCleaner
2008-06-28 02:04:59 0 d-------- C:\Program Files\Steam
2008-06-28 01:56:47 0 d-------- C:\Program Files\Windows Defender
2008-06-28 01:51:39 0 d-------- C:\WINDOWS\Logs
2008-06-28 01:35:34 0 d-------- C:\Documents and Settings\Forrest\Application Data\Macromedia
2008-06-28 01:34:21 0 d-------- C:\Documents and Settings\Forrest\Application Data\Adobe
2008-06-28 01:29:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-28 01:23:16 139264 --a------ C:\WINDOWS\system32\EBAPI2.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
2008-06-28 01:23:15 0 d-------- C:\Program Files\Common Files\EPSON
2008-06-28 01:22:36 0 d-------- C:\Program Files\EPSON
2008-06-28 01:22:21 0 d-------- C:\epson
2008-06-28 01:14:52 0 d-------- C:\Program Files\Yahoo!
2008-06-28 01:10:58 0 d-------- C:\Program Files\a-squared Free
2008-06-28 00:58:02 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-28 00:57:15 0 d-------- C:\Documents and Settings\Forrest\Application Data\Creative
2008-06-28 00:56:54 0 d-------- C:\WINDOWS\system32\data
2008-06-28 00:44:41 0 d-------- C:\WINDOWS\Prefetch
2008-06-28 00:39:29 0 d-------- C:\WINDOWS\system32\scripting
2008-06-28 00:39:29 0 d-------- C:\WINDOWS\system32\en
2008-06-28 00:39:29 0 d-------- C:\WINDOWS\system32\bits
2008-06-28 00:39:29 0 d-------- C:\WINDOWS\l2schemas
2008-06-28 00:37:15 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-28 00:34:26 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-06-28 00:00:14 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-27 23:59:19 0 d-------- C:\7eeac72bb975fa29b35853c5a4a713
2008-06-27 23:59:15 0 d-------- C:\WINDOWS\system32\LogFiles
2008-06-27 23:59:15 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-27 23:59:00 0 d-------- C:\a26b9b103d3afeccde4918
2008-06-27 23:37:50 0 d-------- C:\WINDOWS\network diagnostic
2008-06-27 23:07:14 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-27 22:30:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-06-27 22:29:48 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-27 22:29:46 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-27 22:27:11 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-06-27 22:18:09 0 d--hs---- C:\Documents and Settings\Forrest\UserData
2008-06-27 22:10:21 0 d-------- C:\Program Files\AVG
2008-06-27 22:10:21 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-27 22:00:28 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-27 22:00:26 0 d-------- C:\Documents and Settings\Forrest\Application Data\Mozilla
2008-06-27 21:57:29 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-06-27 21:57:26 307200 -ra------ C:\WINDOWS\system32\atiiiexx.dll <Not Verified; ATI Technologies Inc.; ATI Display Driver Utilities>
2008-06-27 21:57:25 364544 -ra------ C:\WINDOWS\system32\ATIDEMGX.dll <Not Verified; Advanced Micro Devices, Inc.; Catalyst® Control Centre>
2008-06-27 21:57:23 887724 -ra------ C:\WINDOWS\system32\ativva6x.dat
2008-06-27 21:57:22 3107788 -ra------ C:\WINDOWS\system32\ativva5x.dat
2008-06-27 21:57:21 3107788 -ra------ C:\WINDOWS\system32\ativvaxx.dat
2008-06-27 21:57:21 157034 -ra------ C:\WINDOWS\system32\atiicdxx.dat
2008-06-27 21:56:56 0 d-------- C:\Program Files\ATI Technologies
2008-06-27 21:08:33 24576 --a------ C:\WINDOWS\system32\ZyDelReg.exe <Not Verified; ; ZyDelReg Application>
2008-06-27 21:08:33 81920 --a------ C:\WINDOWS\system32\ZDPN50.dll <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-06-27 21:08:33 15872 --a------ C:\WINDOWS\system32\InsDrvZD64.DLL <Not Verified; ; InsDrvZD Dynamic Link Library>
2008-06-27 21:08:33 28672 --a------ C:\WINDOWS\system32\InsDrvZD.dll <Not Verified; ; InsDrvZD Dynamic Link Library>
2008-06-27 21:08:29 102400 --a------ C:\WINDOWS\system32\W32N55.DLL <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-06-27 21:08:26 32768 --a------ C:\WINDOWS\Zdcndis5a64.sys <Not Verified; ZDC., Inc. (ZDC); ZDC Rawether for Windows>
2008-06-27 21:08:26 18944 --a------ C:\WINDOWS\ZDCndis5.sys <Not Verified; ZDC., Inc. (ZDC); ZDC Rawether for Windows>
2008-06-27 21:08:26 102400 --a------ C:\WINDOWS\ZDCN50.dll <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-06-27 21:08:26 31744 --a------ C:\WINDOWS\system32\drivers\ZDPSp50a64.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-06-27 21:08:26 17664 --a------ C:\WINDOWS\system32\drivers\ZDPSp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-06-27 21:08:26 17151 --a------ C:\WINDOWS\system32\drivers\ZDPNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-06-27 21:08:26 20608 --a------ C:\WINDOWS\system32\drivers\BRGSp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-06-27 21:08:26 0 d-------- C:\Program Files\ZyXEL
2008-06-27 21:08:26 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-27 21:08:12 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-27 21:07:00 0 d-------- C:\Documents and Settings\Forrest\Application Data\Identities
2008-06-27 21:06:43 0 d--h----- C:\Documents and Settings\Forrest\Templates
2008-06-27 21:06:43 0 dr------- C:\Documents and Settings\Forrest\Start Menu
2008-06-27 21:06:43 0 dr-h----- C:\Documents and Settings\Forrest\SendTo
2008-06-27 21:06:43 0 d--h----- C:\Documents and Settings\Forrest\PrintHood
2008-06-27 21:06:43 2883584 --ah----- C:\Documents and Settings\Forrest\NTUSER.DAT
2008-06-27 21:06:43 0 d--h----- C:\Documents and Settings\Forrest\NetHood
2008-06-27 21:06:43 0 dr------- C:\Documents and Settings\Forrest\My Documents
2008-06-27 21:06:43 0 d--h----- C:\Documents and Settings\Forrest\Local Settings
2008-06-27 21:06:43 0 dr------- C:\Documents and Settings\Forrest\Favorites
2008-06-27 21:06:43 0 d-------- C:\Documents and Settings\Forrest\Desktop
2008-06-27 21:06:43 0 d--hs---- C:\Documents and Settings\Forrest\Cookies
2008-06-27 21:06:43 0 dr-h----- C:\Documents and Settings\Forrest\Application Data
2008-06-27 21:03:19 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-06-27 21:03:17 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-06-27 21:03:16 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-06-27 21:03:16 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-06-27 21:03:16 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-06-27 21:03:16 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-06-27 21:03:16 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-06-27 20:59:32 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-06-27 20:59:32 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-06-27 20:59:32 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-06-27 20:59:32 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-06-27 20:59:32 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-06-27 20:56:39 0 d-------- C:\WINDOWS\system32\xircom
2008-06-27 20:56:39 0 d-------- C:\Program Files\microsoft frontpage
2008-06-27 20:56:27 262144 --ah----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-06-27 20:56:15 0 -rahs---- C:\MSDOS.SYS
2008-06-27 20:56:15 0 -rahs---- C:\IO.SYS
2008-06-27 20:56:15 0 --a------ C:\CONFIG.SYS
2008-06-27 20:56:15 0 --a------ C:\AUTOEXEC.BAT
2008-06-27 20:55:25 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-06-27 20:55:16 0 dr------- C:\WINDOWS\Offline Web Pages
2008-06-27 20:55:16 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-06-27 20:54:45 0 d-------- C:\WINDOWS\system32\DirectX
2008-06-27 20:54:07 0 d---s---- C:\WINDOWS\Tasks
2008-06-27 20:54:06 0 d-------- C:\Program Files\Common Files\MSSoap
2008-06-27 20:54:02 0 d-------- C:\WINDOWS\system32\Macromed
2008-06-27 20:54:02 0 d-------- C:\WINDOWS\srchasst
2008-06-27 20:53:54 0 d-------- C:\Program Files\Movie Maker
2008-06-27 20:53:46 0 d-------- C:\WINDOWS\system32\Restore
2008-06-27 20:53:07 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-27 20:52:53 0 d-------- C:\WINDOWS\Registration
2008-06-27 20:52:47 0 d-------- C:\Program Files\Online Services
2008-06-27 20:52:42 0 d-------- C:\Program Files\Messenger
2008-06-27 20:52:38 0 d-------- C:\Program Files\MSN Gaming Zone
2008-06-27 20:51:57 0 d-------- C:\Program Files\Windows NT
2008-06-27 20:51:54 0 d-------- C:\WINDOWS\system32\MsDtc
2008-06-27 20:51:52 0 d-------- C:\WINDOWS\system32\Com
2008-06-27 15:24:38 0 d--hs---- C:\WINDOWS\Installer
2008-06-27 15:24:34 0 dr------- C:\Program Files
2008-06-27 15:24:34 0 d-------- C:\Program Files\Common Files
2008-06-27 15:24:34 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-06-27 15:24:03 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-06-27 15:24:03 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-06-27 15:24:03 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-06-27 15:24:03 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-06-27 15:24:03 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-06-27 15:24:03 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-06-27 15:24:03 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-06-27 15:24:03 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-06-27 15:24:03 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-06-27 15:24:03 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-06-27 15:24:03 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-06-27 15:24:03 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-06-27 15:24:03 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-06-27 15:24:03 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-06-27 15:24:03 0 dr------- C:\Documents and Settings\All Users\Documents
2008-06-27 15:24:03 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-06-27 15:22:22 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-06-27 15:22:22 0 d-------- C:\WINDOWS\system32\CatRoot
2008-06-27 15:22:16 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-06-27 15:22:16 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-06-27 15:22:16 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-06-27 15:22:16 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-06-27 15:21:57 0 d--hs---- C:\System Volume Information
2008-06-27 15:21:57 0 d-------- C:\Documents and Settings
2008-06-27 15:17:12 0 d-------- C:\WINDOWS
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\WinSxS
2008-06-27 15:17:12 0 dr------- C:\WINDOWS\Web
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\twain_32
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\wins
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\wbem
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\usmt
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\spool
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\ShellExt
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\Setup
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\ras
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\oobe
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\npp
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\mui
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\inetsrv
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\IME
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\icsxml
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\ias
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\export
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\drivers
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-06-27 15:17:12 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\dhcp
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\config
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\3076
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\2052
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\1054
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\1042
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\1041
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\1037
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\1033
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\1031
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\1028
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system32\1025
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\system
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\security
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\Resources
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\repair
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\Provisioning
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\PeerNet
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\pchealth
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\mui
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\msapps
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\msagent
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\Media
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\java
2008-06-27 15:17:12 0 d--h----- C:\WINDOWS\inf
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\ime
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\Help
2008-06-27 15:17:12 0 dr--s---- C:\WINDOWS\Fonts
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\ehome
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\Driver Cache
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\Debug
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\Cursors
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\Connection Wizard
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\Config
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\AppPatch
2008-06-27 15:17:12 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-06-27 15:24:03 62 --ahs---- C:\Documents and Settings\Forrest\Application Data\desktop.ini
2008-05-07 01:07:00 7481359 --a------ C:\WINDOWS\system32\AppSetup.exe <Not Verified; Creative Technology Ltd; Creative Self-Extracting>
2008-05-05 13:33:22 11776 --a------ C:\WINDOWS\system32\ac3api.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-05 13:32:54 9216 --a------ C:\WINDOWS\CTPRES.DLL <Not Verified; Creative Technology Ltd; CtPanel Resource>
2008-04-30 16:55:10 585326 --a------ C:\WINDOWS\system32\APOIM32.exe <Not Verified; Creative Technology Ltd; Creative Audio Processing Object Interface Module>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/27/2008 11:07 PM]
"CTxfiHlp"="CTXFIHLP.EXE" [04/09/2007 12:32 PM C:\WINDOWS\system32\Ctxfihlp.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [04/02/2008 09:07 PM]
"SoundMan"="SOUNDMAN.EXE" [04/16/2007 03:28 PM C:\WINDOWS\soundman.exe]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [03/18/2004 09:33 AM]
"CTHelper"="CTHELPER.EXE" [08/11/2006 02:56 PM C:\WINDOWS\CTHELPER.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZyXEL G-202 Wireless Adapter Utility.lnk - C:\Program Files\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe [6/27/2008 9:08:29 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8756 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-29 12:36:19 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.60GHz
Percentage of Memory in Use: 22%
Physical Memory (total/avail): 3071.48 MiB / 2380.44 MiB
Pagefile Memory (total/avail): 4961.88 MiB / 4426.47 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.36 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 115.03 GiB total, 91.68 GiB free.
D: is Fixed (NTFS) - 115.04 GiB total, 20.86 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)

\\.\PHYSICALDRIVE2 - EPSON SP 785EPX Storage

\\.\PHYSICALDRIVE0 - HDS722512VLSA80 - 115.04 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 115.03 GiB - C:

\\.\PHYSICALDRIVE1 - HDS722512VLSA80 - 115.04 GiB - 1 partition
\PARTITION0 - Installable File System - 115.04 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Forrest\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PUTERPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Forrest
LOGONSERVER=\\PUTERPUTER
MOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Documents and Settings\Forrest\Application Data\Mozilla\Firefox\Crash Reports
MOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exe
MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\crashreporter-override.ini
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\AVG\AVG8;C:\Program Files\AVG\AVG8
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Forrest\LOCALS~1\Temp
TMP=C:\DOCUME~1\Forrest\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=PUTERPUTER
USERNAME=Forrest
USERPROFILE=C:\Documents and Settings\Forrest
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Forrest (admin)
Kelly (new local, admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared Free 3.5 --> "C:\Program Files\a-squared Free\unins000.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Creative Audio Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 /remove
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
Half-Life 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/220
Half-Life 2: Episode One --> "C:\Program Files\Steam\steam.exe" steam://uninstall/380
Half-Life 2: Episode Two --> "C:\Program Files\Steam\steam.exe" steam://uninstall/420
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Logitech iTouch Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{036AA4D4-6D32-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 UNINSTALL
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.14) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
Portal --> "C:\Program Files\Steam\steam.exe" steam://uninstall/400
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Team Fortress 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/440
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
Zune Desktop Theme --> MsiExec.exe /X{7E20EFE6-E604-48C6-8B39-BA4742F2CDB4}
ZyXEL G-202 Wireless Adapter Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5D78EFC-A9C1-44F3-81CB-D42C5DF8EA09}\Setup.exe" -l0x9


-- Application Event Log -------------------------------------------------------

Event Record #/Type277 / Warning
Event Submitted/Written: 06/29/2008 00:04:13 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type275 / Warning
Event Submitted/Written: 06/29/2008 11:23:46 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type267 / Warning
Event Submitted/Written: 06/29/2008 01:25:39 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type258 / Warning
Event Submitted/Written: 06/29/2008 01:03:32 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type255 / Error
Event Submitted/Written: 06/29/2008 00:59:19 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application YahooMessenger.exe, version 8.1.0.421, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1439 / Warning
Event Submitted/Written: 06/29/2008 00:32:20 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%PUTERPUTER27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %PUTERPUTER27 can't undo changes that you allow.

For more information please see the following:
%PUTERPUTER275

Scan ID: {18939D5A-8B4A-47EA-AF8B-6AEBC135C418}

User: PUTERPUTER\Forrest

Name: %PUTERPUTER271

ID: %PUTERPUTER272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %PUTERPUTER276

Alert Type: %PUTERPUTER278

Detection Type: 1.1.1593.02

Event Record #/Type1438 / Warning
Event Submitted/Written: 06/29/2008 00:32:20 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%PUTERPUTER27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %PUTERPUTER27 can't undo changes that you allow.

For more information please see the following:
%PUTERPUTER275

Scan ID: {62CD06C3-71D6-4FA2-A038-941F4248C1E5}

User: PUTERPUTER\Forrest

Name: %PUTERPUTER271

ID: %PUTERPUTER272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %PUTERPUTER276

Alert Type: %PUTERPUTER278

Detection Type: 1.1.1593.02

Event Record #/Type1437 / Warning
Event Submitted/Written: 06/29/2008 00:32:20 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%PUTERPUTER27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %PUTERPUTER27 can't undo changes that you allow.

For more information please see the following:
%PUTERPUTER275

Scan ID: {09CADB0A-0DB4-45DE-A40B-1F4059BD8D10}

User: PUTERPUTER\Forrest

Name: %PUTERPUTER271

ID: %PUTERPUTER272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %PUTERPUTER276

Alert Type: %PUTERPUTER278

Detection Type: 1.1.1593.02

Event Record #/Type1436 / Warning
Event Submitted/Written: 06/29/2008 00:32:18 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%PUTERPUTER27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %PUTERPUTER27 can't undo changes that you allow.

For more information please see the following:
%PUTERPUTER275

Scan ID: {0020872D-F568-45AE-9C0D-7E83A5552E75}

User: PUTERPUTER\Forrest

Name: %PUTERPUTER271

ID: %PUTERPUTER272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %PUTERPUTER276

Alert Type: %PUTERPUTER278

Detection Type: 1.1.1593.02

Event Record #/Type1435 / Warning
Event Submitted/Written: 06/29/2008 00:32:18 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%PUTERPUTER27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %PUTERPUTER27 can't undo changes that you allow.

For more information please see the following:
%PUTERPUTER275

Scan ID: {DA111332-48C8-44B9-A413-01B7BB141A6E}

User: PUTERPUTER\Forrest

Name: %PUTERPUTER271

ID: %PUTERPUTER272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %PUTERPUTER276

Alert Type: %PUTERPUTER278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-06-29 12:36:19 ------------

#8 Nacire

Nacire
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Location:Louisville, Ky
  • Local time:08:47 AM

Posted 01 July 2008 - 04:31 PM

Hey Carolyn, I was wondering if you have any updates or more news for me at this time?

#9 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  • Local time:07:47 AM

Posted 01 July 2008 - 06:38 PM

I apologize for the delay. The forums are very busy and I am waiting for the "go ahead" to post my next set of instructions to you. It should not be too much longer.
Member of ASAP (Alliance of Security Analysis Professionals)

#10 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  • Local time:07:47 AM

Posted 02 July 2008 - 06:16 AM

Hello,

P2P Warning!

IMPORTANT I notice there were signs of one or more P2P (Person to Person) File Sharing Programs on your computer in the first logs you posted.

BitTorrent, DNA, eMule, LimeWire

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/commun...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

I would recommend that you avoid P2P programs in the future.

Please do not use P2P programs until your computer is cleaned.



Scan with F-Secure Blacklight
  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save into C:\ with a name of fsbl.exe
  • Go to Start > Run
  • Copy and paste the contents of the below codebox into the run box
    C:\fsbl.exe /expert
  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log
  • Post the contents of that log as a reply to this topic.
Install Java and scan with Kaspersky Online Scanner

Please make sure that all programs are closed when installing Java.

  • Click here to visit Java's website.
  • Scroll down to Java Runtime Environment (JRE) 6 Update 6. Click on Download.
  • Select Windows from the drop-down list for Platform.
  • Select Multi-language from the drop-down list for Language.
  • Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  • Click on jre-6u6-windows-i586-p.exe link to download it and save this to a convenient location.
  • Double click on jre-6u6-windows-i586-p.exe to install Java.
  • After the Java installation has finished, please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Scan with HijackThis
  • Double-click on Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


Please post the following:
  • The Blacklight log
  • The Kaspersky log
  • The HijackThis log
  • A description of how your computer is behaving.

Member of ASAP (Alliance of Security Analysis Professionals)

#11 Nacire

Nacire
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Location:Louisville, Ky
  • Local time:08:47 AM

Posted 02 July 2008 - 12:25 PM

07/02/08 11:22:24 [Info]: BlackLight Engine 1.0.70 initialized
07/02/08 11:22:24 [Info]: OS: 5.1 build 2600 (Service Pack 3)
07/02/08 11:22:24 [Note]: 7019 4
07/02/08 11:22:24 [Note]: 7005 0
07/02/08 11:22:27 [Note]: 7006 0
07/02/08 11:22:27 [Note]: 7022 0
07/02/08 11:22:27 [Note]: 7011 192
07/02/08 11:22:27 [Note]: 7035 0
07/02/08 11:22:28 [Note]: 7026 0
07/02/08 11:22:28 [Note]: 7026 0
07/02/08 11:22:30 [Note]: FSRAW library version 1.7.1024
07/02/08 11:31:51 [Note]: 7007 0



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, July 2, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 02, 2008 14:55:06
Records in database: 906431
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 83943
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:27:12

No malware has been detected. The scan area is clean.

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:46 PM, on 7/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ZyXEL G-202 Wireless Adapter Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1214619984091
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1214619968168
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5774 bytes

As for how my computer is behaving? Fine, I guess. The ISP hasn't disconnected me for any issues since I reinstalled the OS, but like I said I still felt like stuff was going out via the outgoing log for my router. I don't know if things should be going out or really what to look for either way. Should my router have outgoing data over the port labeled "www"? Or is that just a byproduct of surfing the web? Also Carolyn, I'd like to follow up with my laptop after this debacle with the desktop is solved; should that be another thread or a continuation in this thread, as it's based around the same issue?

#12 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  • Local time:07:47 AM

Posted 02 July 2008 - 12:42 PM

As for how my computer is behaving? Fine, I guess. The ISP hasn't disconnected me for any issues since I reinstalled the OS, but like I said I still felt like stuff was going out via the outgoing log for my router. I don't know if things should be going out or really what to look for either way. Should my router have outgoing data over the port labeled "www"? Or is that just a byproduct of surfing the web? Also Carolyn, I'd like to follow up with my laptop after this debacle with the desktop is solved; should that be another thread or a continuation in this thread, as it's based around the same issue?



We will definitely want to check out your laptop. That will need to be a different thread. Let's finish working on the desktop first.

Since you re-installed the OS on your desktop, have you used the laptop at all?

What is the make and model of your router? I'll see what I can find out about port "www".

Can you look at the router logs to see what internal IP is generating all of the traffic? Is it your desktop's IP or your laptop's IP, or another IP altogether? Perhaps it would be possible for you to export the log to a text file, or copy the contents, then post it here for our review.

Edited by Carolyn, 02 July 2008 - 12:44 PM.

Member of ASAP (Alliance of Security Analysis Professionals)

#13 Nacire

Nacire
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Location:Louisville, Ky
  • Local time:08:47 AM

Posted 02 July 2008 - 01:18 PM

Well when using the desktop 192.168.1.100 was generating the traffic I saw and when the laptop was on it was 192.168.1.400 We have used the laptop since I reinstalled the OS, but only for a limited time and only while the desktop was completely powered down. I've tried to make sure neither had a network connection at the same exact time. Also the desktop was still having this router activity before we even used the laptop after the desktop OS reinstall.

The Router is a Linksys Wireless WRT54GL and here is the copied log currently refreshed to show most recent activity.



Outgoing Log Table
LAN IP Destination URL/IP Service/Port Number
192.168.1.100 63.144.121.149 www
192.168.1.100 74.125.47.103 www
192.168.1.100 209.17.65.20 www
192.168.1.100 207.123.37.124 www
192.168.1.100 38.99.77.43 www
192.168.1.100 208.75.185.198 www
192.168.1.100 209.17.65.28 www
192.168.1.100 66.11.49.136 www
192.168.1.100 209.17.69.10 www
192.168.1.100 209.17.69.12 www
192.168.1.100 209.17.73.6 www
192.168.1.100 205.128.84.125 www
192.168.1.100 209.17.65.22 www
192.168.1.100 67.19.173.52 www
192.168.1.100 208.109.190.220 www
192.168.1.100 81.169.145.72 www
192.168.1.100 208.109.181.24 www
192.168.1.100 195.222.29.136 www
192.168.1.100 208.78.169.230 www
192.168.1.100 207.211.21.16 www
192.168.1.100 4.71.209.3 www
192.168.1.100 208.78.169.230 www
192.168.1.100 207.211.21.16 www
192.168.1.100 74.53.127.242 www
192.168.1.100 209.85.66.220 www
192.168.1.100 74.125.65.165 www
192.168.1.100 4.71.209.3 www
192.168.1.100 69.147.76.178 www
192.168.1.100 74.125.47.127 www
192.168.1.100 69.147.76.178 www
192.168.1.100 206.190.50.59 www
192.168.1.100 4.71.209.3 www
192.168.1.100 69.147.76.178 www
192.168.1.100 206.190.50.59 www
192.168.1.100 207.211.21.16 www
192.168.1.100 69.147.76.178 www
192.168.1.100 206.190.50.59 www
192.168.1.100 4.71.209.3 www
192.168.1.100 74.53.127.242 www
192.168.1.100 209.85.66.220 www
192.168.1.100 74.125.47.101 www
192.168.1.100 209.85.239.83 www
192.168.1.100 74.125.47.113 www
192.168.1.100 209.85.239.90 www
192.168.1.100 216.213.19.27 www
192.168.1.100 74.125.47.147 www
192.168.1.100 216.213.19.27 www
192.168.1.100 74.125.47.113 www
192.168.1.100 209.85.239.91 www
192.168.1.100 74.125.47.113 www
192.168.1.100 209.85.239.90 www
192.168.1.100 216.213.19.27 www
192.168.1.100 216.213.19.28 www
192.168.1.100 216.213.19.27 www
192.168.1.101 65.59.234.163 kerberos
192.168.1.100 216.213.19.27 www

Edited by Nacire, 02 July 2008 - 01:19 PM.


#14 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  • Local time:07:47 AM

Posted 02 July 2008 - 01:37 PM

I don't think the "www" is anything to be concerned about. It probably refers to the default port for your setup. I'll check on it though.

I haven't checked every IP on that list, but they include Yahoo, Google, Qwest Communications, and the sort. Probably not atypical. What the log does not tell us is what the volume of information being sent is. I'll look up the other IPs later, to be sure there is nothing funky there. As for always seeing some traffic to and from your computer, that too is probably normal.

Let me look over your logs and consult with some folks who know more about networks than I do.

I'm at work right now, so I may not be able to post back before tomorrow morning.
Member of ASAP (Alliance of Security Analysis Professionals)
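The Outgoing Log Table posted in #13 gives a LAN source, a destination and a service name, but (as noted in #14) no byte counts, so the useful question to ask of it is which hosts are talking to which ports and how widely. The following is an added example, not code from this thread, from BleepingComputer or from Linksys: it parses a table in that layout, summarises it per LAN host and port, and flags the pattern a mass-mailing bot would leave behind, namely outbound SMTP (port 25) to many distinct hosts. The service-name-to-port mapping, the threshold, the LAN host 192.168.1.250 and the 203.0.113.x destinations are constructed assumptions; the remaining sample rows are copied from the log above.

```python
"""Summarise a router 'Outgoing Log Table' and flag mass-mailing patterns.

Added example, not from the thread or from Linksys. Assumes the log is the
plain text pasted in the thread: one 'LAN IP  Destination  Service/Port' row
per line, where the router prints either a service name (www, kerberos, ...)
or a bare port number in the last column.
"""
import re
from collections import defaultdict

# Assumed mapping of the names the router prints to port numbers; names not
# listed here are kept verbatim so that nothing is silently dropped.
SERVICE_PORTS = {"www": 80, "https": 443, "smtp": 25, "kerberos": 88, "dns": 53}

# One data row: dotted-quad LAN IP, destination (IP or URL), service or port.
ROW_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s*$")


def parse_outgoing_log(text):
    """Return [(lan_ip, destination, port), ...]; title, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # 'Outgoing Log Table', the column header, blank lines
        lan_ip, dest, svc = m.groups()
        port = SERVICE_PORTS.get(svc.lower())
        if port is None:
            port = int(svc) if svc.isdigit() else svc
        rows.append((lan_ip, dest, port))
    return rows


def summarise(rows):
    """Per LAN IP and port: number of log rows and the set of distinct destinations."""
    summary = defaultdict(dict)
    for lan_ip, dest, port in rows:
        entry = summary[lan_ip].setdefault(port, {"connections": 0, "destinations": set()})
        entry["connections"] += 1
        entry["destinations"].add(dest)
    return summary


def spam_suspects(rows, min_smtp_destinations=3):
    """LAN IPs that opened outbound SMTP (port 25) to several distinct hosts.

    A workstation normally talks SMTP only to its own provider's mail server;
    fan-out to many unrelated mail hosts is what a spam-sending bot leaves in
    a router log. The threshold is a constructed tuning knob, not a rule from
    the thread.
    """
    suspects = {}
    for lan_ip, ports in summarise(rows).items():
        smtp = ports.get(25)
        if smtp is not None and len(smtp["destinations"]) >= min_smtp_destinations:
            suspects[lan_ip] = sorted(smtp["destinations"])
    return suspects


def report(rows):
    """Human-readable summary, one line per (LAN IP, port) pair."""
    summary = summarise(rows)
    lines = []
    for lan_ip in sorted(summary):
        for port, entry in sorted(summary[lan_ip].items(), key=lambda kv: str(kv[0])):
            lines.append("%s port %s: %d rows, %d distinct destinations"
                         % (lan_ip, port, entry["connections"], len(entry["destinations"])))
    return lines


# Constructed sample: the first four rows are copied from the thread's log,
# the 192.168.1.250 / 203.0.113.x rows are invented to show the SMTP pattern.
SAMPLE_LOG = """Outgoing Log Table
LAN IP Destination URL/IP Service/Port Number
192.168.1.100 74.125.47.103 www
192.168.1.100 209.17.65.20 www
192.168.1.100 74.125.47.103 www
192.168.1.101 65.59.234.163 kerberos
192.168.1.250 203.0.113.10 smtp
192.168.1.250 203.0.113.11 smtp
192.168.1.250 203.0.113.12 smtp
192.168.1.250 203.0.113.13 25
"""

if __name__ == "__main__":
    parsed = parse_outgoing_log(SAMPLE_LOG)
    for line in report(parsed):
        print(line)
    for host, targets in spam_suspects(parsed).items():
        print("suspect mass-mailer %s -> %s" % (host, ", ".join(targets)))
```

Run against the real table, the summary shows only port 80 (www) rows for 192.168.1.100 and a single kerberos row for 192.168.1.101, so no host is flagged; an infected host that really sent thousands of messages would show up as SMTP rows to many different destinations, which is the one thing worth looking for in a log that carries no volume information. The router's own log buffer is short, so the table has to be captured while the traffic is occurring.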

#15 Nacire

Nacire
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Location:Louisville, Ky
  • Local time:08:47 AM

Posted 02 July 2008 - 01:45 PM

Okay Carolyn, thanks for all of your help! :thumbsup:



