Hijack This Log: Please Help


This topic is locked
22 replies to this topic

#1 thebigh87


Posted 23 November 2006 - 12:22 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:16:35 PM, on 11/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\AOL\1125036968\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1125036968\ee\AOLServiceHost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1125036968\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aryeh\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.com/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125036968\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard....rueSwitchEC.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B268B5F9-A7A5-4D5A-A049-1E99BB39DE9E}: NameServer = 69.50.188.180,195.225.176.31
O20 - AppInit_DLLs: C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



#2 waterfalls

Malware Exorcist
  • Staff Emeritus

Posted 23 November 2006 - 10:07 PM

Hi,

There are two domains showing in your log. One is Intercage, Inc. in CA; the other is NetcatHosting in the Ukraine. If you do not recognize one or both, let me know in your next reply.

Next, please do the following.
  • Please click Start > Run > and type Regedit
  • Click OK and wait for the Registry Editor to open
  • Now, click on File and then Export
  • This will bring up the Export Registry File window
  • At the bottom of which you will see an option for Export range
  • Click the option for Selected branch and in the field underneath that, copy and paste:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
  • Enter a file name of DLLnames, and save the file to your Desktop
  • Now go to your Desktop, right-click on the file you have created, select "Open With" and choose "Notepad"
Copy the contents of that file into this thread.
Take only memories, leave nothing but footprints.


#3 thebigh87

  • Topic Starter

Posted 23 November 2006 - 10:26 PM

Thanks for the help... I do not know either of those 2 you mentioned. Here is the info you wanted.



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"="C:\\WINDOWS\\"
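
The export above is the plain-text .reg format (REGEDIT4 or "Windows Registry Editor Version 5.00"), and the same format is what the look.bat later in this thread has regedit /e write out for the MSConfig startupreg key. The parser below is an added example written for this page; it is not part of the thread and not HijackThis, ComboFix or regedit code. It reads that format into a dictionary and pulls out the two things the helper is after: the AppInit_DLLs string and the Run entries MSConfig has parked. SAMPLE_REG is constructed from the exports posted in this thread; load_reg assumes regedit's 5.00 exports are UTF-16LE with a BOM and REGEDIT4 exports are ANSI.

```python
"""Parse a .reg export (REGEDIT4 or "Windows Registry Editor Version 5.00") into
{key: {value_name: value}} and pull out what this thread asks for: the
AppInit_DLLs string and the startup items MSConfig has parked.

Added example written for this page; not HijackThis, ComboFix or regedit code.
SAMPLE_REG is constructed from the exports posted in the thread.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# value name is a quoted string (backslash escapes for quote and backslash) or @
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<raw>.*)$')

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"AppInit_DLLs"="C:\\WINDOWS\\"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysUpd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sysupd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sysupd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"
"""


def _unquote(s):
    """Strip the surrounding quotes and undo .reg escaping of quotes and backslashes."""
    return re.sub(r'\\(["\\])', r"\1", s[1:-1])


def _decode(raw):
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unquote(raw)
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw == "-":
        return None            # deletion marker, as in the fix.reg in this thread
    return raw                 # hex:, hex(2): etc. left as written


def parse_reg(text):
    keys, current = {}, None
    # long hex values continue on the next line after a trailing backslash
    text = re.sub(r",\\\r?\n\s*", ",", text)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # header line, blank or comment
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key"), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            current["@" if name == "@" else _unquote(name)] = _decode(m.group("raw"))
    return keys


def load_reg(path):
    """regedit writes 5.00 exports as UTF-16LE with a BOM; REGEDIT4 exports are ANSI."""
    data = open(path, "rb").read()
    return parse_reg(data.decode("utf-16" if data.startswith(b"\xff\xfe") else "cp1252"))


APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
STARTUPREG = "hkey_local_machine\\software\\microsoft\\shared tools\\msconfig\\startupreg\\"


def appinit_dlls(keys):
    """The AppInit_DLLs string, or None when the value is absent or empty."""
    for key, values in keys.items():
        if key.lower() == APPINIT_KEY.lower():
            return values.get("AppInit_DLLs") or None
    return None


def disabled_startup(keys):
    """(hive, item, command) for each Run entry MSConfig has disabled; these no
    longer show as O4 lines in HijackThis but the files are still on disk."""
    return [(v.get("hkey"), v.get("item"), v["command"])
            for k, v in keys.items()
            if k.lower().startswith(STARTUPREG) and "command" in v]


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("AppInit_DLLs:", appinit_dlls(parsed))
    for hive, item, cmd in disabled_startup(parsed):
        print(f"disabled {hive} Run\\{item}: {cmd}")
```

Run it against the startup.txt that look.bat produces (load_reg("startup.txt")) and you get the same list ComboFix prints under "shared tools\msconfig\startupreg", without reading the escaped paths by eye.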

#4 waterfalls


Posted 23 November 2006 - 11:28 PM

Hi,

Open Notepad and copy and paste the text inside the codebox into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

- Save this as fix.reg -> choose to save as *all files -> and place it on your desktop.
- It should look like this: [image not preserved]
- Double-click on it and, when you are asked if you want to merge the contents to the registry, click YES/OK.

Reboot your computer.

Start HijackThis, click System Scan Only and place a checkmark next to the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard....rueSwitchEC.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B268B5F9-A7A5-4D5A-A049-1E99BB39DE9E}: NameServer = 69.50.188.180,195.225.176.31
O20 - AppInit_DLLs: C:\WINDOWS\


Close ALL browsers and open windows/programs except HijackThis and click 'Fix Checked'.

Reboot your computer.

I see you used msconfig so, in case you disabled some entries, I want to know what they are because they don't show in HijackThis now. So perform this next:

Open Notepad and copy and paste the text inside the codebox into Notepad:

regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
type peek1.txt >> startup.txt
type peek2.txt >> startup.txt
del peek*.txt
start notepad startup.txt

- Save this as look.bat, choose to save as *all files and place it on your Desktop.
- Double-click on look.bat and post back with the contents in your reply.

Post back with the contents of look.bat and a new HijackThis log.
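The checks waterfalls makes by eye in the two replies above (the O17 DNS servers in post #2; the AppInit_DLLs, O16 DPF and rundll32 startup entries picked for removal in post #4) can be scripted. What follows is an added example written for this page, not HijackThis code and not part of the thread: it parses lines in the HijackThis 1.99 format and flags those entry classes. The trusted_dns allowlist is an assumption of the example (the analyst fills in resolvers already known to be the ISP's); SAMPLE_LOG is constructed from the log posted in this thread, with the O16 URL left truncated as it was posted.

```python
"""Triage a HijackThis 1.99 log: flag the entry classes a responder checks first.

Added example written for this page; it is not HijackThis code and not part of
the thread. SAMPLE_LOG is constructed from the log posted in this thread.
"""
import ipaddress
import re

# R/F/N/O sections all share the shape "<type> - <body>"
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d+) - (?P<body>.*)$")

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard....rueSwitchEC.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B268B5F9-A7A5-4D5A-A049-1E99BB39DE9E}: NameServer = 69.50.188.180,195.225.176.31
O20 - AppInit_DLLs: C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def parse_entries(log_text):
    """[(type, body)] for every HijackThis entry line; the process list is skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def triage(log_text, trusted_dns=frozenset()):
    """Return [(severity, type, reason, body)] for entries worth a closer look.

    trusted_dns: resolver addresses the analyst already knows (the ISP's, say).
    It is an assumption of this example; HijackThis keeps no such list.
    """
    findings = []
    for etype, body in parse_entries(log_text):
        if etype == "O17" and "NameServer" in body:
            # statically configured resolvers for one interface; DNS changers land here
            servers = []
            for tok in body.partition("=")[2].replace(" ", "").split(","):
                try:
                    servers.append(ipaddress.ip_address(tok))
                except ValueError:
                    pass
            unknown = [str(ip) for ip in servers
                       if not ip.is_private and str(ip) not in trusted_dns]
            if unknown:
                findings.append(("high", etype, "static DNS resolvers not on the trusted "
                                 "list; check who owns them: " + ", ".join(unknown), body))
        elif etype == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.partition(":")[2].strip()
            if value:
                # every process that loads user32.dll loads whatever is named here
                reason = "AppInit_DLLs is set; every user32-linked process loads it"
                if not value.lower().endswith(".dll"):
                    reason += " (value is not a DLL path)"
                findings.append(("high", etype, reason, body))
        elif etype == "O16" and re.search(r"https?://", body, re.I):
            findings.append(("medium", etype,
                             "ActiveX control fetched from a remote URL; review the domain", body))
        elif etype == "O4" and re.search(r"\brundll32(\.exe)?\b", body, re.I):
            findings.append(("medium", etype,
                             "startup entry loads a DLL through rundll32; confirm the DLL", body))
        elif "(file missing)" in body:
            findings.append(("low", etype, "orphaned entry, its target file is gone", body))
    return findings


if __name__ == "__main__":
    for severity, etype, reason, body in triage(SAMPLE_LOG):
        print(f"[{severity}] {etype}: {reason}\n    {body}")
```

The rules are deliberately narrow: vptray and the Winlogon Notify entries pass untouched, while the O17 line is reported with both resolver addresses so the analyst can look up who owns them, which is exactly the question post #2 put to the user.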

#5 thebigh87


Posted 24 November 2006 - 08:13 AM

Below is the new HijackThis log. When I tried opening the look.bat, it only opened for a second and then went straight to startup.txt, not leaving enough time to copy the content.




Logfile of HijackThis v1.99.1
Scan saved at 8:08:47 AM, on 11/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\AOL\1125036968\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1125036968\ee\AOLServiceHost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Aryeh\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125036968\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#6 waterfalls


Posted 24 November 2006 - 01:22 PM

Hi,

Sorry if my instructions were not clear. Startup.txt is what I want you to post.

#7 thebigh87


Posted 24 November 2006 - 01:29 PM

The startup.txt is empty, nothing written in it.

#8 waterfalls


Posted 24 November 2006 - 02:58 PM

Hi,

Okay. You have an outdated version of Java which, for security reasons, needs to be updated. To update Java:
- Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9 and save it to your Desktop.
- Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement".
- The page will refresh.
- Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel > Add/Remove Programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the coffee cup icon next to it.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your Desktop, double-click on the downloaded Java file to install the newest version.

After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked

Downloaded Applets
Downloaded Applications
Other Files

Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

Post back with a new HijackThis log. Also, let me know how your computer is running now.

#9 thebigh87


Posted 24 November 2006 - 04:28 PM

I downloaded it from the desktop... I went back to Control Panel and I was unable to double-click it. My computer is still the same as before.

#10 waterfalls


Posted 24 November 2006 - 05:43 PM

Please download Combofix: http://download.bleepingcomputer.com/sUBs/combofix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Do not proceed with the rest of the fix if you fail to run combofix
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100

Post back with the combofix.txt log and a new HijackThis log.

#11 thebigh87


Posted 25 November 2006 - 05:52 PM

Here is the ComboFix log:

Aryeh - 06-11-25 17:42:17.54 Service Pack 2
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Aryeh\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-25 to 2006-11-25 ))))))))))))))))))))))))))))))))))


2006-11-24 16:08 <DIR> d-------- C:\Sun
2006-11-23 10:32 <DIR> d-------- C:\Program Files\a-squared Free
2006-11-23 10:17 <DIR> d-------- C:\Program Files\MySpyProtector
2006-11-23 10:00 <DIR> d-------- C:\Program Files\NoAdware4
2006-11-17 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-17 03:02 <DIR> d-------- C:\4a87c0b89fc51f5745dd96
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\SYSTEM32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-24 15:39 -------- d-a------ C:\Program Files\Common Files
2006-11-23 10:58 -------- d-------- C:\Program Files\AWS
2006-11-18 17:47 -------- d-------- C:\Program Files\Norton Utilities
2006-11-17 03:01 -------- d-------- C:\Program Files\Internet Explorer
2006-10-20 15:56 -------- d-------- C:\Program Files\TrueSwitch
2006-10-13 07:35 142336 --a------ C:\WINDOWS\SYSTEM32\nwprovau.dll
2006-10-11 13:53 55272 --a------ C:\Documents and Settings\Aryeh\Application Data\GDIPFONTCACHEV1.DAT
2006-10-03 15:15 -------- d-------- C:\Program Files\Common Files\AOL
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-08-25 10:45 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SpySweeper"="C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe /0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1125036968\\ee\\AOLHostManager.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk"
"backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item"="Digital Line Detect"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Exif Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Exif Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\FINEPI~1\\QuickDCF.exe "
"item"="Exif Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton System Doctor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Norton System Doctor.lnk"
"backup"="C:\\WINDOWS\\pss\\Norton System Doctor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\NORTON~1\\SYSDOC32.EXE /STARTUP"
"item"="Norton System Doctor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSentry"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\DSentry.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcregwiz"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcregwiz.exe /autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCMService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeper"
"hkey"="HKCU"
"command"="C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe /0"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysUpd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sysupd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sysupd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcmdmgrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-25 17:45:26.62
C:\ComboFix.txt ... 06-11-25 17:45

Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:47:50 PM, on 11/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\AOL\1125036968\ee\AOLHostManager.exe
C:\Sun\SDK\jdk\bin\javaw.exe
C:\Program Files\Common Files\AOL\1125036968\ee\AOLServiceHost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1125036968\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\I386\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Aryeh\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125036968\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: SDK Tray Menu.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#12 waterfalls

    Malware Exorcist

  • Staff Emeritus
  • 621 posts

Posted 26 November 2006 - 10:17 PM

Hi,

Please post the contents of:
C:\4a87c0b89fc51f5745dd96
Take only memories, leave nothing but footprints.

#13 thebigh87

  • Topic Starter
  • Members
  • 13 posts

Posted 26 November 2006 - 10:31 PM

Here is what you asked for, Part 1, because it was too big for a single post:

=== Verbose logging started: 11/17/2006 3:02:22 Build type: SHIP UNICODE 3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (80:B0) [03:02:22:590]: Resetting cached policy values
MSI (c) (80:B0) [03:02:22:590]: Machine policy value 'Debug' is 0
MSI (c) (80:B0) [03:02:22:590]: ******* RunEngine:
******* Product: c:\4a87c0b89fc51f5745dd96\msxml.msi
******* Action:
******* CommandLine: **********
MSI (c) (80:B0) [03:02:22:605]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (80:B0) [03:02:22:605]: Grabbed execution mutex.
MSI (c) (80:B0) [03:02:23:746]: Cloaking enabled.
MSI (c) (80:B0) [03:02:23:746]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (80:B0) [03:02:23:746]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (40:4C) [03:02:24:027]: Grabbed execution mutex.
MSI (s) (40:D0) [03:02:24:027]: Resetting cached policy values
MSI (s) (40:D0) [03:02:24:027]: Machine policy value 'Debug' is 0
MSI (s) (40:D0) [03:02:24:027]: ******* RunEngine:
******* Product: c:\4a87c0b89fc51f5745dd96\msxml.msi
******* Action:
******* CommandLine: **********
MSI (s) (40:D0) [03:02:24:355]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (40:D0) [03:02:24:871]: File will have security applied from OpCode.
MSI (s) (40:D0) [03:02:25:199]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'c:\4a87c0b89fc51f5745dd96\msxml.msi' against software restriction policy
MSI (s) (40:D0) [03:02:25:199]: SOFTWARE RESTRICTION POLICY: c:\4a87c0b89fc51f5745dd96\msxml.msi has a digital signature
MSI (s) (40:D0) [03:02:27:652]: SOFTWARE RESTRICTION POLICY: c:\4a87c0b89fc51f5745dd96\msxml.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (40:D0) [03:02:27:699]: End dialog not enabled
MSI (s) (40:D0) [03:02:27:699]: Original package ==> c:\4a87c0b89fc51f5745dd96\msxml.msi
MSI (s) (40:D0) [03:02:27:699]: Package we're running from ==> c:\WINDOWS\Installer\8d6ae9fb.msi
MSI (s) (40:D0) [03:02:27:808]: APPCOMPAT: looking for appcompat database entry with ProductCode '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'.
MSI (s) (40:D0) [03:02:27:808]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (40:D0) [03:02:27:824]: MSCOREE not loaded loading copy from system32
MSI (s) (40:D0) [03:02:28:136]: Machine policy value 'TransformsSecure' is 0
MSI (s) (40:D0) [03:02:28:136]: User policy value 'TransformsAtSource' is 0
MSI (s) (40:D0) [03:02:28:152]: Machine policy value 'DisablePatch' is 0
MSI (s) (40:D0) [03:02:28:152]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (40:D0) [03:02:28:152]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (40:D0) [03:02:28:152]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (40:D0) [03:02:28:152]: APPCOMPAT: looking for appcompat database entry with ProductCode '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'.
MSI (s) (40:D0) [03:02:28:152]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (40:D0) [03:02:28:152]: Transforms are not secure.
MSI (s) (40:D0) [03:02:28:152]: Command Line: REBOOT=ReallySuppress CURRENTDIRECTORY=c:\4a87c0b89fc51f5745dd96 CLIENTUILEVEL=3 CLIENTPROCESSID=2944
MSI (s) (40:D0) [03:02:28:152]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{2B27DCD9-53FA-4885-B6CD-698623819F4C}'.
MSI (s) (40:D0) [03:02:28:152]: Product Code passed to Engine.Initialize: ''
MSI (s) (40:D0) [03:02:28:152]: Product Code from property table before transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (40:D0) [03:02:28:152]: Product Code from property table after transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (40:D0) [03:02:28:152]: Product not registered: beginning first-time install
MSI (s) (40:D0) [03:02:28:152]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (s) (40:D0) [03:02:28:152]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (40:D0) [03:02:28:152]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (40:D0) [03:02:28:152]: Adding new sources is allowed.
MSI (s) (40:D0) [03:02:28:152]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (s) (40:D0) [03:02:28:152]: Package name extracted from package path: 'msxml.msi'
MSI (s) (40:D0) [03:02:28:152]: Package to be registered: 'msxml.msi'
MSI (s) (40:D0) [03:02:28:152]: Note: 1: 2729
MSI (s) (40:D0) [03:02:28:168]: Note: 1: 2729
MSI (s) (40:D0) [03:02:28:168]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (40:D0) [03:02:28:168]: Machine policy value 'DisableMsi' is 0
MSI (s) (40:D0) [03:02:28:168]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (40:D0) [03:02:28:168]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (40:D0) [03:02:28:168]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (40:D0) [03:02:28:168]: Running product '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}' with elevated privileges: Product is assigned.
MSI (s) (40:D0) [03:02:28:168]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'.
MSI (s) (40:D0) [03:02:28:168]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'c:\4a87c0b89fc51f5745dd96'.
MSI (s) (40:D0) [03:02:28:168]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
MSI (s) (40:D0) [03:02:28:168]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '2944'.
MSI (s) (40:D0) [03:02:28:168]: TRANSFORMS property is now:
MSI (s) (40:D0) [03:02:28:168]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
MSI (s) (40:D0) [03:02:28:183]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Application Data
MSI (s) (40:D0) [03:02:28:183]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Favorites
MSI (s) (40:D0) [03:02:28:183]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\NetHood
MSI (s) (40:D0) [03:02:28:183]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\My Documents
MSI (s) (40:D0) [03:02:28:199]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\PrintHood
MSI (s) (40:D0) [03:02:28:199]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Recent
MSI (s) (40:D0) [03:02:28:199]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\SendTo
MSI (s) (40:D0) [03:02:28:199]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Templates
MSI (s) (40:D0) [03:02:28:215]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Application Data
MSI (s) (40:D0) [03:02:28:215]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data
MSI (s) (40:D0) [03:02:28:215]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures
MSI (s) (40:D0) [03:02:28:308]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
MSI (s) (40:D0) [03:02:28:355]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
MSI (s) (40:D0) [03:02:28:355]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs
MSI (s) (40:D0) [03:02:28:371]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu
MSI (s) (40:D0) [03:02:28:371]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Desktop
MSI (s) (40:D0) [03:02:28:371]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Administrative Tools
MSI (s) (40:D0) [03:02:28:371]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup
MSI (s) (40:D0) [03:02:28:371]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs
MSI (s) (40:D0) [03:02:28:386]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu
MSI (s) (40:D0) [03:02:28:386]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Desktop
MSI (s) (40:D0) [03:02:28:386]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Templates
MSI (s) (40:D0) [03:02:28:386]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\Fonts
MSI (s) (40:D0) [03:02:28:386]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
MSI (s) (40:D0) [03:02:28:386]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (s) (40:D0) [03:02:28:386]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (40:D0) [03:02:28:386]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Aryeh '.
MSI (s) (40:D0) [03:02:28:386]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (40:D0) [03:02:28:386]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'c:\WINDOWS\Installer\8d6ae9fb.msi'.
MSI (s) (40:D0) [03:02:28:386]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'c:\4a87c0b89fc51f5745dd96\msxml.msi'.
MSI (s) (40:D0) [03:02:28:386]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (40:D0) [03:02:28:386]: Machine policy value 'DisableRollback' is 0
MSI (s) (40:D0) [03:02:28:386]: User policy value 'DisableRollback' is 0
MSI (s) (40:D0) [03:02:28:402]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
=== Logging started: 11/17/2006 3:02:28 ===
MSI (s) (40:D0) [03:02:28:402]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (s) (40:D0) [03:02:28:402]: Doing action: INSTALL
MSI (s) (40:D0) [03:02:28:433]: Running ExecuteSequence
MSI (s) (40:D0) [03:02:28:433]: Doing action: DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901
Action start 3:02:28: INSTALL.
MSI (s) (40:D0) [03:02:28:433]: PROPERTY CHANGE: Adding DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'C:\Documents and Settings\All Users\Desktop\'.
Action start 3:02:28: DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901.
MSI (s) (40:D0) [03:02:28:433]: Doing action: ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901
Action ended 3:02:28: DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901. Return value 1.
MSI (s) (40:D0) [03:02:28:433]: PROPERTY CHANGE: Adding ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'C:\Documents and Settings\All Users\Start Menu\Programs\'.
Action start 3:02:28: ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901.
MSI (s) (40:D0) [03:02:28:433]: Doing action: WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537
Action ended 3:02:28: ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901. Return value 1.
MSI (s) (40:D0) [03:02:28:433]: PROPERTY CHANGE: Adding WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'C:\WINDOWS\'.
Action start 3:02:28: WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537.
MSI (s) (40:D0) [03:02:28:433]: Doing action: SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537
Action ended 3:02:28: WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537. Return value 1.
MSI (s) (40:D0) [03:02:28:433]: PROPERTY CHANGE: Adding SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'C:\WINDOWS\system32\'.
Action start 3:02:28: SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537.
MSI (s) (40:D0) [03:02:28:433]: Doing action: WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537
Action ended 3:02:28: SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537. Return value 1.
MSI (s) (40:D0) [03:02:28:433]: PROPERTY CHANGE: Adding WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'C:\WINDOWS\'.
Action start 3:02:28: WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537.
MSI (s) (40:D0) [03:02:28:433]: Doing action: SystemFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537
Action ended 3:02:28: WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537. Return value 1.
MSI (s) (40:D0) [03:02:28:433]: PROPERTY CHANGE: Adding SystemFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'C:\WINDOWS\system32\'.
Action start 3:02:28: SystemFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537.
MSI (s) (40:D0) [03:02:28:433]: Doing action: WindowsFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537
Action ended 3:02:28: SystemFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537. Return value 1.
MSI (s) (40:D0) [03:02:28:433]: PROPERTY CHANGE: Adding WindowsFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'C:\WINDOWS\'.
Action start 3:02:28: WindowsFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537.
MSI (s) (40:D0) [03:02:28:449]: Doing action: SystemFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537
Action ended 3:02:28: WindowsFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537. Return value 1.
MSI (s) (40:D0) [03:02:28:449]: PROPERTY CHANGE: Adding SystemFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'C:\WINDOWS\system32\'.
Action start 3:02:28: SystemFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537.
MSI (s) (40:D0) [03:02:28:449]: Doing action: SystemFolder.FA0F135B_0C6B_485B_9A27_5A4A5044D5AB
Action ended 3:02:28: SystemFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537. Return value 1.
MSI (s) (40:D0) [03:02:28:449]: PROPERTY CHANGE: Adding SystemFolder.FA0F135B_0C6B_485B_9A27_5A4A5044D5AB property. Its value is 'C:\WINDOWS\system32\'.
Action start 3:02:28: SystemFolder.FA0F135B_0C6B_485B_9A27_5A4A5044D5AB.
MSI (s) (40:D0) [03:02:28:449]: Doing action: SystemFolder.781A0624_31FF_4712_BFFD_31C829FFDBF1
Action ended 3:02:28: SystemFolder.FA0F135B_0C6B_485B_9A27_5A4A5044D5AB. Return value 1.
MSI (s) (40:D0) [03:02:28:449]: PROPERTY CHANGE: Adding SystemFolder.781A0624_31FF_4712_BFFD_31C829FFDBF1 property. Its value is 'C:\WINDOWS\system32\'.
Action start 3:02:28: SystemFolder.781A0624_31FF_4712_BFFD_31C829FFDBF1.
MSI (s) (40:D0) [03:02:28:449]: Doing action: SystemFolder.246EB7AD_459A_4FA8_83D1_41A46D7634B7
Action ended 3:02:28: SystemFolder.781A0624_31FF_4712_BFFD_31C829FFDBF1. Return value 1.
MSI (s) (40:D0) [03:02:28:449]: PROPERTY CHANGE: Adding SystemFolder.246EB7AD_459A_4FA8_83D1_41A46D7634B7 property. Its value is 'C:\WINDOWS\system32\'.
Action start 3:02:28: SystemFolder.246EB7AD_459A_4FA8_83D1_41A46D7634B7.
MSI (s) (40:D0) [03:02:28:449]: Doing action: LaunchConditions
Action ended 3:02:28: SystemFolder.246EB7AD_459A_4FA8_83D1_41A46D7634B7. Return value 1.
Action start 3:02:28: LaunchConditions.
MSI (s) (40:D0) [03:02:28:449]: Doing action: FindRelatedProducts
Action ended 3:02:28: LaunchConditions. Return value 1.
Action start 3:02:28: FindRelatedProducts.
MSI (s) (40:D0) [03:02:28:496]: Doing action: AppSearch
Action ended 3:02:28: FindRelatedProducts. Return value 1.
Action start 3:02:28: AppSearch.
MSI (s) (40:D0) [03:02:28:496]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (s) (40:D0) [03:02:28:511]: PROPERTY CHANGE: Adding WINHTTP_51 property. Its value is 'WinHttpRequest Component version 5.1'.
MSI (s) (40:D0) [03:02:28:511]: Skipping action: CCPSearch (condition is false)
MSI (s) (40:D0) [03:02:28:511]: Skipping action: RMCCPSearch (condition is false)
MSI (s) (40:D0) [03:02:28:511]: Doing action: ValidateProductID
Action ended 3:02:28: AppSearch. Return value 1.
Action start 3:02:28: ValidateProductID.
MSI (s) (40:D0) [03:02:28:511]: Doing action: CostInitialize
Action ended 3:02:28: ValidateProductID. Return value 1.
MSI (s) (40:D0) [03:02:28:511]: Machine policy value 'MaxPatchCacheSize' is 10
Action start 3:02:28: CostInitialize.
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'c:\'.
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Adding CostingComplete property. Its value is '0'.
MSI (s) (40:D0) [03:02:28:590]: Note: 1: 2205 2: 3: Patch
MSI (s) (40:D0) [03:02:28:590]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (40:D0) [03:02:28:590]: Note: 1: 2205 2: 3: MsiPatchHeaders
MSI (s) (40:D0) [03:02:28:590]: Note: 1: 2205 2: 3: __MsiPatchFileList
MSI (s) (40:D0) [03:02:28:590]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (40:D0) [03:02:28:590]: Note: 1: 2228 2: 3: PatchPackage 4: SELECT `DiskId`, `PatchId`, `LastSequence` FROM `Media`, `PatchPackage` WHERE `Media`.`DiskId`=`PatchPackage`.`Media_` ORDER BY `DiskId`
MSI (s) (40:D0) [03:02:28:590]: Doing action: FileCost
Action ended 3:02:28: CostInitialize. Return value 1.
MSI (s) (40:D0) [03:02:28:590]: Note: 1: 2262 2: Extension 3: -2147287038
Action start 3:02:28: FileCost.
MSI (s) (40:D0) [03:02:28:590]: Doing action: CostFinalize
Action ended 3:02:28: FileCost. Return value 1.
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Adding OutOfDiskSpace property. Its value is '0'.
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Adding OutOfNoRbDiskSpace property. Its value is '0'.
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceAvailable property. Its value is '0'.
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRequired property. Its value is '0'.
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRemaining property. Its value is '0'.
MSI (s) (40:D0) [03:02:28:590]: Note: 1: 2205 2: 3: Patch
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'c:\'.
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Modifying WindowsFolder property. Its current value is 'C:\WINDOWS\'. Its new value: 'c:\WINDOWS\'.
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Modifying CommonFilesFolder property. Its current value is 'C:\Program Files\Common Files\'. Its new value: 'c:\Program Files\Common Files\'.
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Adding MicrosoftShared.3FB7DAB3_19E7_40A0_8730_4482CE77AC59 property. Its value is 'c:\Program Files\Common Files\Microsoft Shared\'.
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Adding MSDN.3FB7DAB3_19E7_40A0_8730_4482CE77AC59 property. Its value is 'c:\Program Files\Common Files\Microsoft Shared\MSDN\'.
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Modifying WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its current value is 'C:\WINDOWS\'. Its new value: 'c:\WINDOWS\'.
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Modifying SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its current value is 'C:\WINDOWS\system32\'. Its new value: 'c:\WINDOWS\system32\'.
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Adding WinSxsDirectory.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\'.
MSI (s) (40:D0) [03:02:28:590]: PROPERTY CHANGE: Adding policydir_ul.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_ff05e224\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding payload.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_ff05e224\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding WinSxsManifests.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\Manifests\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding WinSxsPolicies.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\Policies\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding policydir.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding payload_ul.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_a6dfa6920e9f98fc\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Modifying WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its current value is 'C:\WINDOWS\'. Its new value: 'c:\WINDOWS\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Modifying SystemFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its current value is 'C:\WINDOWS\system32\'. Its new value: 'c:\WINDOWS\system32\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding WinSxsDirectory.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding policydir_ul.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding WinSxsPolicies.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\Policies\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding policydir.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\Policies\x86_Microsoft.MSXML2R_6bd6b9abf345378f_x-ww_f529d679\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding WinSxsManifests.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\Manifests\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding payload.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding payload_ul.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Modifying WindowsFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its current value is 'C:\WINDOWS\'. Its new value: 'c:\WINDOWS\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Modifying SystemFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its current value is 'C:\WINDOWS\system32\'. Its new value: 'c:\WINDOWS\system32\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding WinSxsDirectory.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding policydir_ul.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding WinSxsPolicies.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\Policies\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding policydir.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\Policies\x86_Microsoft.MSXML2_6bd6b9abf345378f_x-ww_b261cf09\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding WinSxsManifests.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\Manifests\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding payload.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding payload_ul.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_b7e10f227b2fceff\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Modifying SystemFolder.FA0F135B_0C6B_485B_9A27_5A4A5044D5AB property. Its current value is 'C:\WINDOWS\system32\'. Its new value: 'c:\WINDOWS\system32\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Modifying SystemFolder.781A0624_31FF_4712_BFFD_31C829FFDBF1 property. Its current value is 'C:\WINDOWS\system32\'. Its new value: 'c:\WINDOWS\system32\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Modifying SystemFolder.246EB7AD_459A_4FA8_83D1_41A46D7634B7 property. Its current value is 'C:\WINDOWS\system32\'. Its new value: 'c:\WINDOWS\system32\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Modifying DesktopFolder property. Its current value is 'C:\Documents and Settings\All Users\Desktop\'. Its new value: 'c:\Documents and Settings\All Users\Desktop\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Modifying ProgramFilesFolder property. Its current value is 'C:\Program Files\'. Its new value: 'c:\Program Files\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding MSXML property. Its value is 'c:\Program Files\MSXML 4.0\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding INC.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'c:\Program Files\MSXML 4.0\inc\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding LIB.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'c:\Program Files\MSXML 4.0\lib\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding DOC.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'c:\Program Files\MSXML 4.0\doc\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Modifying ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901 property. Its current value is 'C:\Documents and Settings\All Users\Start Menu\Programs\'. Its new value: 'c:\Documents and Settings\All Users\Start Menu\Programs\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Adding MenuMSXML.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'c:\Documents and Settings\All Users\Start Menu\Programs\MSXML 4.0\'.
MSI (s) (40:D0) [03:02:28:605]: PROPERTY CHANGE: Modifying DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901 property. Its current value is 'C:\Documents and Settings\All Users\Desktop\'. Its new value: 'c:\Documents and Settings\All Users\Desktop\'.
MSI (s) (40:D0) [03:02:28:605]: Target path resolution complete. Dumping Directory table...
MSI (s) (40:D0) [03:02:28:605]: Note: target paths subject to change (via custom actions or browsing)
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: TARGETDIR , Object: c:\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: WindowsFolder , Object: c:\WINDOWS\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: CommonFilesFolder , Object: c:\Program Files\Common Files\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: MicrosoftShared.3FB7DAB3_19E7_40A0_8730_4482CE77AC59 , Object: c:\Program Files\Common Files\Microsoft Shared\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: MSDN.3FB7DAB3_19E7_40A0_8730_4482CE77AC59 , Object: c:\Program Files\Common Files\Microsoft Shared\MSDN\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\system32\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: WinSxsDirectory.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: policydir_ul.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_ff05e224\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: payload.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_ff05e224\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: WinSxsManifests.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\Manifests\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: WinSxsPolicies.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\Policies\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: policydir.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: payload_ul.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_a6dfa6920e9f98fc\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: SystemFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\system32\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: WinSxsDirectory.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: policydir_ul.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: WinSxsPolicies.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\Policies\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: policydir.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\Policies\x86_Microsoft.MSXML2R_6bd6b9abf345378f_x-ww_f529d679\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: WinSxsManifests.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\Manifests\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: payload.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: payload_ul.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: WindowsFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: SystemFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\system32\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: WinSxsDirectory.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: policydir_ul.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: WinSxsPolicies.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\Policies\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: policydir.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\Policies\x86_Microsoft.MSXML2_6bd6b9abf345378f_x-ww_b261cf09\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: WinSxsManifests.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\Manifests\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: payload.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: payload_ul.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINDOWS\winsxs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_b7e10f227b2fceff\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: SystemFolder.FA0F135B_0C6B_485B_9A27_5A4A5044D5AB , Object: c:\WINDOWS\system32\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: SystemFolder.781A0624_31FF_4712_BFFD_31C829FFDBF1 , Object: c:\WINDOWS\system32\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: SystemFolder.246EB7AD_459A_4FA8_83D1_41A46D7634B7 , Object: c:\WINDOWS\system32\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: DesktopFolder , Object: c:\Documents and Settings\All Users\Desktop\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: ProgramFilesFolder , Object: c:\Program Files\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: MSXML , Object: c:\Program Files\MSXML 4.0\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: INC.4576A2F1_959E_4BCA_94A9_596523761901 , Object: c:\Program Files\MSXML 4.0\inc\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: LIB.4576A2F1_959E_4BCA_94A9_596523761901 , Object: c:\Program Files\MSXML 4.0\lib\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: DOC.4576A2F1_959E_4BCA_94A9_596523761901 , Object: c:\Program Files\MSXML 4.0\doc\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901 , Object: c:\Documents and Settings\All Users\Start Menu\Programs\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: MenuMSXML.4576A2F1_959E_4BCA_94A9_596523761901 , Object: c:\Documents and Settings\All Users\Start Menu\Programs\MSXML 4.0\
MSI (s) (40:D0) [03:02:28:605]: Dir (target): Key: DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901 , Object: c:\Documents and Settings\All Users\Desktop\
Action start 3:02:28: CostFinalize.
MSI (s) (40:D0) [03:02:28:746]: Doing action: SetODBCFolders
Action ended 3:02:28: CostFinalize. Return value 1.
MSI (s) (40:D0) [03:02:28:746]: Note: 1: 2205 2: 3: ODBCDriver
MSI (s) (40:D0) [03:02:28:746]: Note: 1: 2228 2: 3: ODBCDriver 4: SELECT `ComponentId`,`Description`,`Directory_`, `ActionRequest`, `Installed`, `Attributes` FROM `ODBCDriver`, `Component` WHERE `ODBCDriver`.`Component_` = `Component` AND (`ActionRequest` = 1 OR `ActionRequest` = 2)
MSI (s) (40:D0) [03:02:28:746]: Note: 1: 2205 2: 3: ODBCTranslator
MSI (s) (40:D0) [03:02:28:746]: Note: 1: 2228 2: 3: ODBCTranslator 4: SELECT `ComponentId`,`Description`,`Directory_`, `ActionRequest`, `Installed`, `Attributes` FROM `ODBCTranslator`, `Component` WHERE `ODBCTranslator`.`Component_` = `Component` AND (`ActionRequest` = 1 OR `ActionRequest` = 2)
Action start 3:02:28: SetODBCFolders.
MSI (s) (40:D0) [03:02:28:746]: Doing action: MigrateFeatureStates
Action ended 3:02:28: SetODBCFolders. Return value 0.
Action start 3:02:28: MigrateFeatureStates.
MSI (s) (40:D0) [03:02:28:746]: Doing action: InstallValidate
Action ended 3:02:28: MigrateFeatureStates. Return value 0.
MSI (s) (40:D0) [03:02:28:746]: Feature: MSXML; Installed: Absent; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Feature: MSXMLSYS; Installed: Absent; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Feature: MSXMLSUPP; Installed: Absent; Request: Null; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Feature: MSXMLSUPP2; Installed: Absent; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Feature: MSXMLSXS; Installed: Absent; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Feature: XMLSDK; Installed: Absent; Request: Null; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Component: RememberInstallFolder; Installed: Absent; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: QKBKEY; Installed: Absent; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: MSXML4_System.246EB7AD_459A_4FA8_83D1_41A46D7634B7; Installed: Absent; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: MSXML4_SystemRes.246EB7AD_459A_4FA8_83D1_41A46D7634B7; Installed: Absent; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: MSXML4_ANSI.246EB7AD_459A_4FA8_83D1_41A46D7634B7; Installed: Absent; Request: Local; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Component: WINHTTP50_COMPONENT.781A0624_31FF_4712_BFFD_31C829FFDBF1; Installed: Absent; Request: Null; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Component: PROXYCFG_COMPONENT.FA0F135B_0C6B_485B_9A27_5A4A5044D5AB; Installed: Absent; Request: Local; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Component: uplevel.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537; Installed: Absent; Request: Local; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Component: downlevel_manifest.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537; Installed: Absent; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: downlevel_payload.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537; Installed: Absent; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: uplevel.DA6654F6_456F_3658_FF6B_D6B9ABF34537; Installed: Absent; Request: Local; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Component: downlevel_manifest.DA6654F6_456F_3658_FF6B_D6B9ABF34537; Installed: Absent; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: downlevel_payload.DA6654F6_456F_3658_FF6B_D6B9ABF34537; Installed: Absent; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: uplevel.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537; Installed: Absent; Request: Local; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Component: downlevel_manifest.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537; Installed: Absent; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: XMLSDK_Docs.4576A2F1_959E_4BCA_94A9_596523761901; Installed: Absent; Request: Null; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Component: XMLSDK_LIB.4576A2F1_959E_4BCA_94A9_596523761901; Installed: Absent; Request: Null; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Component: XMLSDK_INC.4576A2F1_959E_4BCA_94A9_596523761901; Installed: Absent; Request: Null; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Component: CookDoc_dll.3FB7DAB3_19E7_40A0_8730_4482CE77AC59; Installed: Absent; Request: Null; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Component: __uplevel.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF365; Installed: Null; Request: Local; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Component: __uplevel.DA6654F6_456F_3658_FF6B_D6B9ABF365; Installed: Null; Request: Local; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Component: __uplevel.0E9F98FC_A692_A6DF_FF6B_D6B9ABF365; Installed: Null; Request: Local; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Component: __QKBKEY65; Installed: Null; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: __MSXML4_System.246EB7AD_459A_4FA8_83D1_4165; Installed: Null; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: __downlevel_payload.7B2FCEFF_0F22_B7E1_FF665; Installed: Null; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: __downlevel_manifest.7B2FCEFF_0F22_B7E1_FF65; Installed: Null; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: __downlevel_payload.DA6654F6_456F_3658_FF665; Installed: Null; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: __downlevel_manifest.DA6654F6_456F_3658_FF65; Installed: Null; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: __downlevel_manifest.0E9F98FC_A692_A6DF_FF65; Installed: Null; Request: Local; Action: Local
MSI (s) (40:D0) [03:02:28:746]: Component: __CookDoc_dll.3FB7DAB3_19E7_40A0_8730_448265; Installed: Null; Request: Null; Action: Null
MSI (s) (40:D0) [03:02:28:746]: Component: __XMLSDK_Docs.4576A2F1_959E_4BCA_94A9_596565; Installed: Null; Request: Null; Action: Null
MSI (s) (40:D0) [03:02:28:777]: Note: 1: 2205 2: 3: BindImage
MSI (s) (40:D0) [03:02:28:777]: Note: 1: 2262 2: PublishComponent 3: -2147287038
MSI (s) (40:D0) [03:02:28:777]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (s) (40:D0) [03:02:28:777]: Note: 1: 2205 2: 3: Font
Action start 3:02:28: InstallValidate.
MSI (s) (40:D0) [03:02:28:777]: Note: 1: 2205 2: 3: _RemoveFilePath
MSI (s) (40:D0) [03:02:28:902]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (s) (40:D0) [03:02:28:902]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (s) (40:D0) [03:02:28:902]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (s) (40:D0) [03:02:28:902]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (s) (40:D0) [03:02:28:902]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (s) (40:D0) [03:02:28:902]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (s) (40:D0) [03:02:28:902]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (s) (40:D0) [03:02:28:902]: PROPERTY CHANGE: Modifying CostingComplete property. Its current value is '0'. Its new value: '1'.
MSI (s) (40:D0) [03:02:28:902]: Note: 1: 2205 2: 3: BindImage
MSI (s) (40:D0) [03:02:28:902]: Note: 1: 2262 2: PublishComponent 3: -2147287038
MSI (s) (40:D0) [03:02:28:902]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (s) (40:D0) [03:02:28:902]: Note: 1: 2205 2: 3: Font
MSI (s) (40:D0) [03:02:28:902]: Note: 1: 2727 2:
MSI (s) (40:D0) [03:02:28:902]: Note: 1: 2727 2:
MSI (s) (40:D0) [03:02:28:902]: Doing action: InstallInitialize
Action ended 3:02:28: InstallValidate. Return value 1.
MSI (s) (40:D0) [03:02:28:902]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (40:D0) [03:02:28:902]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (40:D0) [03:02:28:902]: BeginTransaction: Locking Server
MSI (s) (40:D0) [03:02:28:918]: SRSetRestorePoint skipped for this transaction.
MSI (s) (40:D0) [03:02:28:918]: Server not locked: locking for product {37477865-A3F1-4772-AD43-AAFC6BCFF99F}
Action start 3:02:28: InstallInitialize.
MSI (s) (40:D0) [03:02:30:246]: Doing action: SxsInstallCA
Action ended 3:02:30: InstallInitialize. Return value 1.
MSI (s) (40:E4) [03:02:30:293]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSIEDB.tmp, Entrypoint: CustomAction_SxsMsmInstall
MSI (s) (40:A0) [03:02:30:293]: Generating random cookie.
MSI (s) (40:A0) [03:02:30:308]: Created Custom Action Server with PID 1696 (0x6A0).
MSI (s) (40:34) [03:02:30:511]: Running as a service.
MSI (s) (40:34) [03:02:30:527]: Hello, I'm your 32bit Elevated custom action server.
Action start 3:02:30: SxsInstallCA.
1: sxsdelca 2: SxsMsmInstall completed 3: 0 4: 0
MSI (s) (40:D0) [03:02:30:683]: Doing action: AllocateRegistrySpace
Action ended 3:02:30: SxsInstallCA. Return value 1.
Action start 3:02:30: AllocateRegistrySpace.
MSI (s) (40:D0) [03:02:30:699]: Doing action: ProcessComponents
Action ended 3:02:30: AllocateRegistrySpace. Return value 1.
MSI (s) (40:D0) [03:02:30:699]: Note: 1: 2205 2: 3: MsiPatchCertificate
MSI (s) (40:D0) [03:02:30:699]: LUA patching is disabled: missing MsiPatchCertificate table
MSI (s) (40:D0) [03:02:30:699]: Resolving source.
MSI (s) (40:D0) [03:02:30:699]: Resolving source to launched-from source.
MSI (s) (40:D0) [03:02:30:699]: Setting launched-from source as last-used.
MSI (s) (40:D0) [03:02:30:699]: PROPERTY CHANGE: Adding SourceDir property. Its value is 'c:\4a87c0b89fc51f5745dd96\'.
MSI (s) (40:D0) [03:02:30:699]: PROPERTY CHANGE: Adding SOURCEDIR property. Its value is 'c:\4a87c0b89fc51f5745dd96\'.
MSI (s) (40:D0) [03:02:30:699]: PROPERTY CHANGE: Adding SourcedirProduct property. Its value is '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'.
MSI (s) (40:D0) [03:02:30:699]: SOURCEDIR ==> c:\4a87c0b89fc51f5745dd96\
MSI (s) (40:D0) [03:02:30:699]: SOURCEDIR product ==> {37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSI (s) (40:D0) [03:02:30:699]: Determining source type
MSI (s) (40:D0) [03:02:30:699]: Source type from package 'msxml.msi': 2
Action start 3:02:30: ProcessComponents.
MSI (s) (40:D0) [03:02:30:699]: Source path resolution complete. Dumping Directory table...
MSI (s) (40:D0) [03:02:30:699]: Dir (source): Key: TARGETDIR , Object: c:\4a87c0b89fc51f5745dd96\ , LongSubPath: , ShortSubPath:
MSI (s) (40:D0) [03:02:30:699]: Dir (source): Key: WindowsFolder , Object: c:\4a87c0b89fc51f5745dd96\ , LongSubPath: , ShortSubPath:
MSI (s) (40:D0) [03:02:30:699]: Dir (source): Key: CommonFilesFolder , Object: c:\4a87c0b89fc51f5745dd96\ , LongSubPath: , ShortSubPath:
MSI (s) (40:D0) [03:02:30:699]: Dir (source): Key: MicrosoftShared.3FB7DAB3_19E7_40A0_8730_4482CE77AC59 , Object: c:\4a87c0b89fc51f5745dd96\ , LongSubPath: Microsoft Shared\ , ShortSubPath: MICROS~1\
MSI (s) (40:D0) [03:02:30:699]: Dir (source): Key: MSDN.3FB7DAB3_19E7_40A0_8730_4482CE77AC59 , Object: c:\4a87c0b89fc51f5745dd96\ , LongSubPath: Microsoft Shared\MSDN\ , ShortSubPath: MICROS~1\MSDN\
MSI (s) (40:D0) [03:02:30:699]: Dir (source): Key: WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\4a87c0b89fc51f5745dd96\ , LongSubPath: Windows\ , ShortSubPath:
MSI (s) (40:D0) [03:02:30:699]: Dir (source): Key: SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\4a87c0b89fc51f5745dd96\ , LongSubPath: Windows\system32\ , ShortSubPath:
MSI (s) (40:D0) [03:02:30:699]: Dir (source): Key: WinSxsDirectory.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\4a87c0b89fc51f5745dd96\ , LongSubPath: Windows\winsxs\ , ShortSubPath:
MSI (s) (40:D0) [03:02:30:699]: Dir (source): Key: policydir_ul.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\4a87c0b89fc51f5745dd96\ , LongSubPath: Windows\winsxs\k0r1wg7y.dqe\ , ShortSubPath:
MSI (s) (40:D0) [03:02:30:699]: Dir (source): Key: payload.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\4a87c0b89fc51f5745dd96\ , LongSubPath: Windows\winsxs\h0r1wg7y.dqe\ , ShortSubPath:
MSI (s) (40:D0) [03:02:30:699]: Dir (source): Key: WinSxsManifests.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\4a87c0b89fc51f5745dd96\ , LongSubPath: Windows\winsxs\Manifests\ , ShortSubPath: Windows\winsxs\manifest\
MSI (s) (40:D0) [03:02:30:699]: Dir (source): Key: WinSxsPolicies.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\4a87c0b89fc51f5745dd96\ , LongSubPath: Windows\winsxs\Policies\ , ShortSubPath:
MSI (s) (40:D0) [03:02:30:699]: Dir (source): Key: policydir.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\4a87c0b89fc51f5745dd96\ , LongSubPath: Windows\winsxs\Policies\i0r1wg7y.dqe\ , ShortSubPath:
MSI (s) (40:D0) [03:02:30:699]: Dir (source): Key: payload_ul.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\4a87c0b89fc51f5745dd96\ , LongSubPath: Windows\winsxs\j0r1wg7y.dqe\ , ShortSubPath:

#14 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts

Posted 26 November 2006 - 11:18 PM

Okay. That's just the install log for MSXML 4.0.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look to see if you can click the next icon next to the files found: Posted Image
    If so, click it, then click the next icon right below and select Move incurable as you'll see in the next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.

Take only memories, leave nothing but footprints.


#15 thebigh87

thebigh87
  • Topic Starter

  • Members
  • 13 posts

Posted 27 November 2006 - 12:19 PM

Here is the report:

spysweeper.exe;c:\program files\webroot\spy sweeper;Probably DLOADER.Trojan;Incurable.Will be moved after reboot.;
AboutBuster.exe;C:\Documents and Settings\Aryeh\Desktop\AboutBuster;Probably BACKDOOR.Trojan;Incurable.Moved.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
SpySweeper.exe;C:\Program Files\Webroot\Spy Sweeper;Probably DLOADER.Trojan;Incurable.Moved.;
wmplayer.exe.tmp;C:\Program Files\Windows Media Player;Trojan.StartPage.68;Deleted.;
tmp.hta;C:\WINDOWS;Trojan.DownLoader.588;Deleted.;
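The DrWeb.csv report above is one semicolon-separated record per hit, so it can be checked mechanically before anyone decides the machine is clean: which files were actually deleted, which are still waiting for the reboot the helper asked for, and which hits are heuristic guesses (here, two of them name a Spy Sweeper binary and a cleanup tool) that deserve a second look. The following is an added example, not code from this thread or from Dr.Web; it assumes the name;directory;detection;action; layout seen in the paste and treats a "Probably" prefix as a heuristic detection.

```python
import csv
from dataclasses import dataclass

# Constructed sample, modelled on the DrWeb.csv pasted in post #15.
# Assumed layout: name;directory;detection;action; (trailing empty field).
SAMPLE_REPORT = "\n".join([
    r"spysweeper.exe;c:\program files\webroot\spy sweeper;Probably DLOADER.Trojan;Incurable.Will be moved after reboot.;",
    r"AboutBuster.exe;C:\Documents and Settings\Aryeh\Desktop\AboutBuster;Probably BACKDOOR.Trojan;Incurable.Moved.;",
    r"wmplayer.exe.tmp;C:\Program Files\Windows Media Player;Trojan.StartPage.68;Deleted.;",
    r"tmp.hta;C:\WINDOWS;Trojan.DownLoader.588;Deleted.;",
])

@dataclass
class Detection:
    name: str
    directory: str
    threat: str
    action: str

    @property
    def heuristic(self) -> bool:
        # Assumption: "Probably ..." is a heuristic hit, not a signature match; verify it by hand.
        return self.threat.startswith("Probably ")

    @property
    def pending_reboot(self) -> bool:
        # A file in use cannot be moved live, which is why the helper insists on a reboot first.
        return "after reboot" in self.action.lower()

def parse_report(text: str) -> list[Detection]:
    """Parse semicolon-delimited DrWeb.csv records, skipping blank or short rows."""
    records = []
    for row in csv.reader(text.splitlines(), delimiter=";"):
        if len(row) < 4 or not row[0].strip():
            continue
        records.append(Detection(*(field.strip() for field in row[:4])))
    return records

def summarize(detections: list[Detection]) -> dict[str, int]:
    """Outcome counts an analyst checks before declaring the machine clean."""
    return {
        "deleted": sum(d.action.startswith("Deleted") for d in detections),
        "moved": sum(d.action.startswith("Incurable.Moved") for d in detections),
        "pending_reboot": sum(d.pending_reboot for d in detections),
        "heuristic": sum(d.heuristic for d in detections),
    }

def needs_review(detections: list[Detection]) -> list[str]:
    """Names of heuristic-only hits to verify before trusting the quarantine."""
    return [d.name for d in detections if d.heuristic]
```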
