Micro Bill Pop Up

12 replies to this topic

#1 rmonty

  • Members

Posted 08 February 2007 - 10:10 AM

Hi There ,

I have been reading your data on this problem as I have just started getting this problem. How do I rid my computer of this? Any help on this one.

thanks


#2 Papakid

    Guru at being a Newbie
  • Malware Response Team

Posted 08 February 2007 - 12:29 PM

Hi rmonty,

We'll need to see a HijackThis log in order to be able to help you. Please click on the following link and follow all the relevant instructions for precleaning and getting a log posted:

Preparation Guide For Use Before Posting A Hijackthis Log

Please confirm that you have run the required cleanup steps and if you have any problems or questions at all don't hesitate to post back in this topic (using the Add Reply button--do not start a new Topic) and I'll do my best to help you. Use Add Reply to post your log in this topic as well.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 rmonty

  • Topic Starter
  • Members

Posted 09 February 2007 - 10:46 AM

thanks mate,

Yes, I have covered the steps previously, tried all the spyware and also tried to delete in Sys32, but it still returns. Here is the log requested. I tried to delete the mbs....file but it will not delete.

Logfile of HijackThis v1.99.1
Scan saved at 15:58:02, on 08/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\windows\system32\mbsrm32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.500\HijackThis.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX08.218\HijackThis.exe
c:\windows\system32\mbssm32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\mbssm32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161346027187
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



thanks

#4 Papakid

    Guru at being a Newbie
  • Malware Response Team

Posted 09 February 2007 - 01:32 PM

Thanks for posting back rmonty. This thing is fairly new and doesn't seem to be all that hard to get rid of, but we're still looking into what else it does besides what shows up in logs so we can let the security vendors know how to fix it more easily. The following should get you fixed up and help us to help others as well.

First we need to get HijackThis set up properly as you are running it from within the zip folder. Otherwise the backups made when items are fixed won't be secure. The easiest way to accomplish this is to reinstall and delete any copies of HijackThis.zip you have saved.

Please download the self-extracting version of HijackThis from here:

HijackThis_sfx download

Save HijackThis_sfx to your desktop.

Double-click the file then click the Unzip button. Then close the Self-Extractor window.

Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it. If you would like to make a shortcut so it's more easily accessible, right click HijackThis.exe and choose Send To > Desktop (create shortcut).

Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

Now click this link to go to the BC submissions page:
http://www.bleepingcomputer.com/submit-malware.php

1. Fill in the required fields and then click the Browse button.
2. Navigate to C:\WINDOWS\system32\mbssm32.exe and click the Send File button. Then repeat the process for c:\windows\system32\mbsrm32.exe.

Now please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files I've just listed above, then click Submit. You will only be able to have one file scanned at a time. Please post back the results of the scan in your next post.

Do the same at Virustotal. You may need to go here first as jotti is often very busy.

Now please reboot your computer into Safe Mode.

Scan again with HijackThis and put a checkmark next to the following entry:

O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\mbssm32.exe

Close all other windows--you should only see HijackThis on your Desktop--and then click the "Fix checked" button.

Then using My Computer/Windows Explorer, navigate to these files and delete them:

C:\WINDOWS\system32\mbssm32.exe
c:\windows\system32\mbsrm32.exe


Reboot back into normal mode, scan again with HijackThis and post that fresh log in your next reply. Let me know if the popup goes away and if there were any problems carrying out the instructions.

Then download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Click on 30 days under the Files created and modified sections toward the bottom.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.


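As an added example (not code from this thread, from HijackThis or from BleepingComputer), the check a helper does by eye when the fresh log comes back, written as a small Python tool: it parses both HijackThis logs, confirms that the fixed O4 Run value and the deleted mbssm32.exe/mbsrm32.exe no longer appear, and lists every entry that changed between the two logs so nothing new slips by. The log excerpts are constructed from the logs posted in this thread and trimmed; the function names are my own.

```python
import re

# Constructed excerpts of the two HijackThis v1.99.1 logs posted in this
# thread, trimmed to the lines the check needs (the real logs are longer).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 15:58:02, on 08/02/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\mbsrm32.exe
c:\windows\system32\mbssm32.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\mbssm32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 17:11:14, on 12/02/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\temp\HijackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
"""

# Every HijackThis entry is "<type> - <body>"; Run-key entries add "[name] command".
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt(text):
    """Return (lower-cased running-process paths, [(type, body), ...])."""
    procs, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            procs.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("type"), m.group("body")))
    return procs, entries


def split_command(cmd):
    """Split a Run value into (image, args); quoted images may contain spaces,
    an unquoted value is cut at the first space, as Windows itself does."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    image, _, args = cmd.partition(" ")
    return image, args


def run_entries(entries):
    """Return (hive, value name, image, args) for every O4 Run-key entry;
    Global Startup shortcut lines are also O4 but do not match RUN_RE."""
    out = []
    for typ, body in entries:
        m = RUN_RE.match(body) if typ == "O4" else None
        if m:
            image, args = split_command(m.group("cmd"))
            out.append((m.group("hive"), m.group("name"), image, args))
    return out


def verify_fix(before, after, fixed_names, deleted_files):
    """Check that the fresh log shows neither the fixed Run values nor the
    deleted executables, and list what changed so the helper can review it."""
    _, ent_b = parse_hjt(before)
    procs_a, ent_a = parse_hjt(after)
    names_a = {name.lower() for _, name, _, _ in run_entries(ent_a)}
    still_run = sorted(n for n in fixed_names if n.lower() in names_a)
    still_alive = sorted(f for f in deleted_files
                         if any(p.endswith("\\" + f.lower()) for p in procs_a))
    seen_b, seen_a = set(ent_b), set(ent_a)
    return {
        "clean": not still_run and not still_alive,
        "run_values_still_present": still_run,
        "processes_still_running": still_alive,
        "entries_removed": [e for e in ent_b if e not in seen_a],
        "entries_added": [e for e in ent_a if e not in seen_b],
    }
```

Against the two excerpts, the report is clean and shows exactly one removed entry (the mbssm32 Run value) and one new one (the ewido online scanner control), which matches what the fresh log later in this thread shows.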

#5 miekiemoes

    Malware Killer Dog
  • Malware Response Team

Posted 11 February 2007 - 05:07 AM

Hi rmonty,

Do you have any idea where and how you got infected with this one?

#6 rmonty

  • Topic Starter
  • Members

Posted 12 February 2007 - 04:34 AM

Hi Miekiemoes,

I have no idea where this pop up came from. My son has been surfing regularly. I saw the desktop icon and tried to delete it; sure enough it re-appeared. Do you think it could be deleted via DOS mode?

thanks

#7 miekiemoes

    Malware Killer Dog
  • Malware Response Team

Posted 12 February 2007 - 07:41 AM

Hi rmonty,

Just perform the instructions Papakid posted and you'll be able to delete that icon afterwards. :thumbsup:

#8 rmonty

  • Topic Starter
  • Members

Posted 12 February 2007 - 12:40 PM

Hi all,

I have followed your guidance; the logs from jotti and virustotal are attached and the last hijack log is shown. I have deleted the files and used WinpFind3. I will let you know if the problem is gone. Thanks again.

Scan taken on 12 Feb 2007 10:07:39 (GMT)
AntiVir Found TR/Agent.afi.1
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.Agent.afi
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.Agent.afi
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Win32.Agent.afi


Antivirus Version Update Result
AntiVir 7.3.1.36 02.12.2007 TR/Agent.afi
Authentium 4.93.8 02.12.2007 no virus found
Avast 4.7.936.0 02.11.2007 no virus found
AVG 386 02.11.2007 no virus found
BitDefender 7.2 02.12.2007 Application.Sexxxport.A
CAT-QuickHeal 9.00 02.12.2007 no virus found
ClamAV devel-20060426 02.12.2007 no virus found
DrWeb 4.33 02.12.2007 no virus found
eSafe 7.0.14.0 02.12.2007 no virus found
eTrust-Vet 30.4.3391 02.12.2007 no virus found
Ewido 4.0 02.11.2007 no virus found
Fortinet 2.85.0.0 02.12.2007 no virus found
F-Prot 4.2.1.29 02.12.2007 no virus found
F-Secure 6.70.13030.0 02.12.2007 Trojan.Win32.Agent.afi
Ikarus T3.1.0.31 02.12.2007 no virus found
Kaspersky 4.0.2.24 02.12.2007 Trojan.Win32.Agent.afi
McAfee 4960 02.09.2007 no virus found
Microsoft 1.2204 02.12.2007 no virus found
NOD32v2 2054 02.12.2007 no virus found
Norman 5.80.02 02.09.2007 no virus found
Panda 9.0.0.4 02.12.2007 Suspicious file
Prevx1 V2 02.12.2007 Dropper.Payload
Sophos 4.13.0 02.12.2007 no virus found
Sunbelt 2.2.907.0 02.09.2007 no virus found
Symantec 10 02.12.2007 no virus found
TheHacker 6.1.6.056 02.11.2007 Trojan/Agent.afi
UNA 1.83 02.09.2007 no virus found
VBA32 3.11.2 02.11.2007 no virus found
VirusBuster 4.3.19:9 02.11.2007 no virus found


Aditional Information
File size: 91648 bytes

Logfile of HijackThis v1.99.1
Scan saved at 17:11:14, on 12/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161346027187
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



WinPFind3 logfile created on: 12/02/2007 17:15:12
WinPFind3U by OldTimer - Version 1.0.17 Folder = C:\temp\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

1048116 Kb Total Physical Memory | 662464 Kb Available Physical Memory | 63.21% Memory free
2520032 Kb Paging File | 2183660 Kb Available in Paging File | 86.65% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 244187968 Kb Total Space | 233751736 Kb Free Space | 95.73% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded


[Processes - Non-Microsoft Only]
apdproxy.exe -> %ProgramFiles%\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe -> Adobe Systems Incorporated [Ver = 3.0.0.49815 | Size = 57344 bytes | Modified Date = 06/06/2005 23:46:24 | Attr = ]
avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7,1,0,365 | Size = 336896 bytes | Modified Date = 20/10/2006 11:48:40 | Attr = ]
avgcc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7,1,0,406 | Size = 369664 bytes | Modified Date = 20/10/2006 11:48:42 | Attr = ]
avgemc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7,1,0,400 | Size = 281088 bytes | Modified Date = 20/10/2006 11:48:42 | Attr = ]
avgupsvc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7,1,0,349 | Size = 84480 bytes | Modified Date = 20/10/2006 11:48:42 | Attr = ]
ccapp.exe -> %CommonProgramFiles%\Symantec Shared\ccApp.exe -> Symantec Corporation [Ver = 103.0.3.8 | Size = 58992 bytes | Modified Date = 13/12/2004 15:30:00 | Attr = ]
ccevtmgr.exe -> %CommonProgramFiles%\Symantec Shared\ccEvtMgr.exe -> Symantec Corporation [Ver = 103.0.3.8 | Size = 198256 bytes | Modified Date = 13/12/2004 15:30:04 | Attr = ]
ccsetmgr.exe -> %CommonProgramFiles%\Symantec Shared\ccSetMgr.exe -> Symantec Corporation [Ver = 103.0.3.8 | Size = 165488 bytes | Modified Date = 13/12/2004 15:30:10 | Attr = ]
gearsec.exe -> %System32%\gearsec.exe -> GEAR Software [Ver = 1, 0, 0, 6 | Size = 53248 bytes | Modified Date = 09/09/2005 19:09:10 | Attr = ]
ghosttray.exe -> %ProgramFiles%\Norton Ghost\Agent\GhostTray.exe -> Symantec Corporation [Ver = 10.0.0.8400 | Size = 1537648 bytes | Modified Date = 09/09/2005 19:09:24 | Attr = ]
guard.exe -> %ProgramFiles%\ewido anti-spyware 4.0\guard.exe -> Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 172032 bytes | Modified Date = 16/06/2006 14:38:44 | Attr = ]
hpobnz08.exe -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe -> Hewlett-Packard Co. [Ver = 4.2.0.020 | Size = 323646 bytes | Modified Date = 06/04/2003 00:37:10 | Attr = ]
hpoevm08.exe -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe -> Hewlett-Packard Co. [Ver = 4.2.0.020 | Size = 286720 bytes | Modified Date = 06/04/2003 00:45:10 | Attr = ]
hposts08.exe -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hposts08.exe -> Hewlett-Packard Co. [Ver = 4.2.0.020 | Size = 311296 bytes | Modified Date = 06/04/2003 00:55:04 | Attr = ]
hpotdd01.exe -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe -> Hewlett-Packard [Ver = 1, 0, 0, 1 | Size = 28672 bytes | Modified Date = 06/04/2003 01:06:58 | Attr = ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 7.0.1.8 | Size = 451136 bytes | Modified Date = 25/09/2006 13:54:22 | Attr = ]
ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 7.0.1.8 | Size = 229952 bytes | Modified Date = 25/09/2006 13:54:24 | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.5.0_10\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 49263 bytes | Modified Date = 09/11/2006 15:07:30 | Attr = ]
lssrvc.exe -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.4.44.1 | Size = 53248 bytes | Modified Date = 22/09/2005 15:01:54 | Attr = ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.9131 | Size = 155715 bytes | Modified Date = 01/06/2006 09:22:00 | Attr = ]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5a38 | Size = 282624 bytes | Modified Date = 08/12/2006 15:43:06 | Attr = ]
soundman.exe -> %SystemRoot%\SOUNDMAN.EXE -> Realtek Semiconductor Corp. [Ver = 5.1.0.39 | Size = 77824 bytes | Modified Date = 17/05/2005 10:48:32 | Attr = R ]
symlcsvc.exe -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> Symantec Corporation [Ver = 1, 8, 54, 534 | Size = 822424 bytes | Modified Date = 23/11/2006 14:51:20 | Attr = ]
vprosvc.exe -> %ProgramFiles%\Norton Ghost\Agent\VProSvc.exe -> Symantec Corporation [Ver = 10.0.0.8400 | Size = 2066024 bytes | Modified Date = 23/11/2006 14:59:40 | Attr = ]
wincinemamgr.exe -> %ProgramFiles%\InterVideo\Common\Bin\WinCinemaMgr.exe -> InterVideo Inc. [Ver = 1.7.1 | Size = 114688 bytes | Modified Date = 14/04/2004 23:43:46 | Attr = ]
winpfind3u.exe -> %SystemDrive%\temp\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.17.0 | Size = 308736 bytes | Modified Date = 11/02/2007 12:42:18 | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7,1,0,365 | Size = 336896 bytes | Modified Date = 20/10/2006 11:48:40 | Attr = ]
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7,1,0,349 | Size = 84480 bytes | Modified Date = 20/10/2006 11:48:42 | Attr = ]
(AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7,1,0,400 | Size = 281088 bytes | Modified Date = 20/10/2006 11:48:42 | Attr = ]
(ccEvtMgr) Symantec Event Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccEvtMgr.exe -> Symantec Corporation [Ver = 103.0.3.8 | Size = 198256 bytes | Modified Date = 13/12/2004 15:30:04 | Attr = ]
(ccPwdSvc) Symantec Password Validation [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\ccPwdSvc.exe -> Symantec Corporation [Ver = 103.0.3.8 | Size = 79472 bytes | Modified Date = 13/12/2004 15:30:08 | Attr = ]
(ccSetMgr) Symantec Settings Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccSetMgr.exe -> Symantec Corporation [Ver = 103.0.3.8 | Size = 165488 bytes | Modified Date = 13/12/2004 15:30:10 | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 28/02/2006 12:00:00 | Attr = ]
(ewido anti-spyware 4.0 guard) ewido anti-spyware 4.0 guard [Win32_Own | Auto | Running] -> %ProgramFiles%\ewido anti-spyware 4.0\guard.exe -> Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 172032 bytes | Modified Date = 16/06/2006 14:38:44 | Attr = ]
(GEARSecurity) GEARSecurity [Win32_Own | Auto | Running] -> %System32%\gearsec.exe -> GEAR Software [Ver = 1, 0, 0, 6 | Size = 53248 bytes | Modified Date = 09/09/2005 19:09:10 | Attr = ]
(iPod Service) iPod Service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 7.0.1.8 | Size = 451136 bytes | Modified Date = 25/09/2006 13:54:22 | Attr = ]
(LightScribeService) LightScribeService Direct Disc Labeling Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.4.44.1 | Size = 53248 bytes | Modified Date = 22/09/2005 15:01:54 | Attr = ]
(Norton Ghost) Norton Ghost [Win32_Own | Auto | Running] -> %ProgramFiles%\Norton Ghost\Agent\VProSvc.exe -> Symantec Corporation [Ver = 10.0.0.8400 | Size = 2066024 bytes | Modified Date = 23/11/2006 14:59:40 | Attr = ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.9131 | Size = 155715 bytes | Modified Date = 01/06/2006 09:22:00 | Attr = ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Stopped] -> %System32%\HPZipm12.exe -> HP [Ver = 6, 0, 0, 0 | Size = 65795 bytes | Modified Date = 09/03/2003 04:31:02 | Attr = R ]
(Symantec Core LC) Symantec Core LC [Win32_Own | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> Symantec Corporation [Ver = 1, 8, 54, 534 | Size = 822424 bytes | Modified Date = 23/11/2006 14:51:20 | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Photo Downloader -> %ProgramFiles%\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe -> Adobe Systems Incorporated [Ver = 3.0.0.49815 | Size = 57344 bytes | Modified Date = 06/06/2005 23:46:24 | Attr = ]
AVG7_CC -> %ProgramFiles%\Grisoft\AVG Free\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7,1,0,406 | Size = 369664 bytes | Modified Date = 20/10/2006 11:48:42 | Attr = ]
ccApp -> %CommonProgramFiles%\Symantec Shared\ccApp.exe -> Symantec Corporation [Ver = 103.0.3.8 | Size = 58992 bytes | Modified Date = 13/12/2004 15:30:00 | Attr = ]
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 7.0.1.8 | Size = 229952 bytes | Modified Date = 25/09/2006 13:54:24 | Attr = ]
My Web Search Bar Search Scope Monitor -> %SystemDrive%\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe -> File not found
NeroFilterCheck -> %System32%\NeroCheck.exe -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 09/07/2001 10:50:42 | Attr = ]
Norton Ghost 10.0 -> %ProgramFiles%\Norton Ghost\Agent\GhostTray.exe -> Symantec Corporation [Ver = 10.0.0.8400 | Size = 1537648 bytes | Modified Date = 09/09/2005 19:09:24 | Attr = ]
NvCplDaemon -> %System32%\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.9131 | Size = 7618560 bytes | Modified Date = 01/06/2006 09:22:00 | Attr = ]
NvMediaCenter -> %System32%\nvmctray.dll [RunDLL32.exe NvMCTray.dll,NvTaskbarInit] -> NVIDIA Corporation [Ver = 6.14.10.9131 | Size = 86016 bytes | Modified Date = 01/06/2006 09:22:00 | Attr = ]
nwiz -> %System32%\nwiz.exe -> [Ver = | Size = 1519616 bytes | Modified Date = 01/06/2006 09:22:00 | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5a38 | Size = 282624 bytes | Modified Date = 08/12/2006 15:43:06 | Attr = ]
SoundMan -> %SystemRoot%\SOUNDMAN.EXE -> Realtek Semiconductor Corp. [Ver = 5.1.0.39 | Size = 77824 bytes | Modified Date = 17/05/2005 10:48:32 | Attr = R ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_10\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 49263 bytes | Modified Date = 09/11/2006 15:07:30 | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 23/09/2005 22:05:26 | Attr = ]
%AllUsersStartup%\hp psc 2000 Series.lnk -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe -> Hewlett-Packard Co. [Ver = 4.2.0.020 | Size = 323646 bytes | Modified Date = 06/04/2003 00:37:10 | Attr = ]
%AllUsersStartup%\hpoddt01.exe.lnk -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe -> Hewlett-Packard [Ver = 1, 0, 0, 1 | Size = 28672 bytes | Modified Date = 06/04/2003 01:06:58 | Attr = ]
%AllUsersStartup%\InterVideo WinCinema Manager.lnk -> %ProgramFiles%\InterVideo\Common\Bin\WinCinemaMgr.exe -> InterVideo Inc. [Ver = 1.7.1 | Size = 114688 bytes | Modified Date = 14/04/2004 23:43:46 | Attr = ]
< Registry Shell Spawning > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
regfile [merge] -> Reg Data - Key not found ->
scrfile [open] -> "%1" /S ->
scrfile [config] -> "%1" ->
*Command* -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellNew\\Command ->
NewLinkHere -> -> File not found
%1 -> -> File not found
*Command* -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfc\ShellNew\\Command ->
Briefcase_Create -> -> File not found
%2!d! -> -> File not found
%1 -> -> File not found
< ActiveX StubPath [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -> ->
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> ->
{2C7339CF-2B09-4501-B3F3-F3508C9228ED} -> %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ->
{44BBA840-CC51-11CF-AAFA-00AA00B6015C} -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install ->
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT ->
{5945c046-1e7d-11d1-bc44-00c04fd912be} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser ->
{6BF52A52-394A-11d3-B153-00C04F79FAA6} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub ->
{73FA19D0-2D75-11D2-995D-00C04F98BBC9} -> ->
{7790769C-0471-11d2-AF11-00C04FA35D02} -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install ->
{89820200-ECBD-11cf-8B85-00AA005B4340} -> regsvr32.exe /s /n /i:U shell32.dll ->
{89820200-ECBD-11cf-8B85-00AA005B4383} -> C:\WINDOWS\system32\ie4uinit.exe -BaseSettings ->
{89B4C1CD-B018-4511-B0A1-5476DBF70820} -> C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install ->
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} -> C:\WINDOWS\system32\ieudinit.exe
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> C:\WINDOWS\inf\unregmp2.exe /ShowWMP ->
>{26923b43-4d38-484f-9b9e-de460746276c} -> C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig ->
>{60B49E34-C7CC-11D0-8953-00A0C90347FF} -> RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP ->
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS -> RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP ->
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE ->
< WOW Command Line [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
*wowcmdline* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW\\wowcmdline ->
-a -> -> File not found
< Session Manager Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute -> autocheck autochk *; ->
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\ewido anti-spyware 4.0\shellexecutehook.dll [ewido anti-spyware 4.0] -> Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 73728 bytes | Modified Date = 16/06/2006 14:38:50 | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
Control_RunDLL -> -> File not found
< Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\\ScanWithAntiVirus -> 2 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
< Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
-> HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer not found. ->
< Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\
0 -> [Key] ->
0 -> FriendlyName = My Current Home Page ->
0 -> Source = About:Home ->
0 -> SubscribedURL = About:Home ->
< HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> http://www.google.co.uk/ ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 18/12/2006 04:16:42 | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 31/05/2005 00:04:00 | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_10\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 440056 bytes | Modified Date = 09/11/2006 15:21:52 | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1020, 3054 | Size = 2120768 bytes | Modified Date = 17/10/2006 15:04:08 | Attr = R ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [&Google] -> Google Inc. [Ver = 4, 0, 1020, 3054 | Size = 2120768 bytes | Modified Date = 17/10/2006 15:04:08 | Attr = R ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [&Google] -> Google Inc. [Ver = 4, 0, 1020, 3054 | Size = 2120768 bytes | Modified Date = 17/10/2006 15:04:08 | Attr = R ]
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar] -> File not found
< Internet Explorer CmdMapping [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -> 8193 - Sun Java Console ->
{FB5F1910-F110-11d2-BB9E-00C04F795683} -> 8192 - Windows Messenger ->
NextId -> 8194 ->
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_10\bin\npjpi150_10.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 75528 bytes | Modified Date = 09/11/2006 15:21:54 | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.5.0_10\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 440056 bytes | Modified Date = 09/11/2006 15:21:52 | Attr = ]
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
&Search -> http:\edits.mywebsearch.com\toolbaredits\menusearch.jht -> File not found
E&xport to Microsoft Excel -> -> File not found
< Approved Shell Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} [HKLM] -> Reg Data - Key not found [Autoplay for SlideShow] -> File not found
{0DF44EAA-FF21-4412-828E-260A8728E7F1} [HKLM] -> Reg Data - Key not found [Taskbar and Start Menu] -> File not found
{1CDB2949-8F65-4355-8456-263E7C208A5D} [HKLM] -> %System32%\nvshell.dll [Desktop Explorer] -> [Ver = | Size = 466944 bytes | Modified Date = 01/06/2006 09:22:00 | Attr = ]
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} [HKLM] -> %System32%\nvshell.dll [Desktop Explorer Menu] -> [Ver = | Size = 466944 bytes | Modified Date = 01/06/2006 09:22:00 | Attr = ]
{1E9B04FB-F9E5-4718-997B-B8DA88302A48} [HKLM] -> %System32%\nvshell.dll [nView Desktop Context Menu] -> [Ver = | Size = 466944 bytes | Modified Date = 01/06/2006 09:22:00 | Attr = ]
{42071714-76d4-11d1-8b24-00a0c9068ff3} [HKLM] -> deskpan.dll [Display Panning CPL Extension] -> File not found
{764BF0E1-F219-11ce-972D-00AA00A14F56} [HKLM] -> Reg Data - Key not found [Shell extensions for file compression] -> File not found
{7A9D77BD-5403-11d2-8785-2E0420524153} [HKLM] -> Reg Data - Key not found [User Accounts] -> File not found
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} [HKLM] -> Reg Data - Key not found [Encryption Context Menu] -> File not found
{88895560-9AA2-1069-930E-00AA0030EBC8} [HKLM] -> %System32%\hticons.dll [HyperTerminal Icon Ext] -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Modified Date = 28/02/2006 12:00:00 | Attr = ]
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Shell Extension] -> GRISOFT, s.r.o. [Ver = 7,1,0,354 | Size = 40960 bytes | Modified Date = 20/10/2006 11:48:42 | Attr = ]
{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Find Extension] -> GRISOFT, s.r.o. [Ver = 7,1,0,354 | Size = 40960 bytes | Modified Date = 20/10/2006 11:48:42 | Attr = ]
{A70C977A-BF00-412C-90B7-034C51DA2439} [HKLM] -> %System32%\nvcpl.dll [NvCpl DesktopContext Class] -> NVIDIA Corporation [Ver = 6.14.10.9131 | Size = 7618560 bytes | Modified Date = 01/06/2006 09:22:00 | Attr = ]
{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\RarExt.dll [WinRAR shell extension] -> [Ver = | Size = 124416 bytes | Modified Date = 10/05/2005 18:08:44 | Attr = ]
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} [HKLM] -> %ProgramFiles%\iTunes\iTunesMiniPlayer.dll [iTunes] -> Apple Computer, Inc. [Ver = 7.0.1.8 | Size = 132672 bytes | Modified Date = 25/09/2006 13:54:26 | Attr = ]
{E0D79300-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLEXT.DLL [WinZip] -> [Ver = | Size = 33792 bytes | Modified Date = 17/10/1998 07:00:00 | Attr = ]
{E0D79301-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLEXT.DLL [WinZip] -> [Ver = | Size = 33792 bytes | Modified Date = 17/10/1998 07:00:00 | Attr = ]
{E0D79302-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLEXT.DLL [WinZip] -> [Ver = | Size = 33792 bytes | Modified Date = 17/10/1998 07:00:00 | Attr = ]
{FFB699E0-306A-11d3-8BD1-00104B6F7516} [HKLM] -> %System32%\nvcpl.dll [Play on my TV helper] -> NVIDIA Corporation [Ver = 6.14.10.9131 | Size = 7618560 bytes | Modified Date = 01/06/2006 09:22:00 | Attr = ]
< ContextMenuHandlers - * [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Shell Extension] -> GRISOFT, s.r.o. [Ver = 7,1,0,354 | Size = 40960 bytes | Modified Date = 20/10/2006 11:48:42 | Attr = ]
{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\ewido anti-spyware 4.0\context.dll [ewido anti-spyware] -> Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 94208 bytes | Modified Date = 16/06/2006 14:38:38 | Attr = ]
{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\RarExt.dll [WinRAR] -> [Ver = | Size = 124416 bytes | Modified Date = 10/05/2005 18:08:44 | Attr = ]
{E0D79300-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLEXT.DLL [WinZip] -> [Ver = | Size = 33792 bytes | Modified Date = 17/10/1998 07:00:00 | Attr = ]
< ContextMenuHandlers - Directory [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\
{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\ewido anti-spyware 4.0\context.dll [ewido anti-spyware] -> Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 94208 bytes | Modified Date = 16/06/2006 14:38:38 | Attr = ]
{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\RarExt.dll [WinRAR] -> [Ver = | Size = 124416 bytes | Modified Date = 10/05/2005 18:08:44 | Attr = ]
{E0D79300-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLEXT.DLL [WinZip] -> [Ver = | Size = 33792 bytes | Modified Date = 17/10/1998 07:00:00 | Attr = ]
< ContextMenuHandlers - Directory\Background [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\
{1E9B04FB-F9E5-4718-997B-B8DA88302A48} [HKLM] -> %System32%\nvshell.dll [00nView] -> [Ver = | Size = 466944 bytes | Modified Date = 01/06/2006 09:22:00 | Attr = ]
{A70C977A-BF00-412C-90B7-034C51DA2439} [HKLM] -> %System32%\nvcpl.dll [NvCplDesktopContext] -> NVIDIA Corporation [Ver = 6.14.10.9131 | Size = 7618560 bytes | Modified Date = 01/06/2006 09:22:00 | Attr = ]
< ContextMenuHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Shell Extension] -> GRISOFT, s.r.o. [Ver = 7,1,0,354 | Size = 40960 bytes | Modified Date = 20/10/2006 11:48:42 | Attr = ]
{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\RarExt.dll [WinRAR] -> [Ver = | Size = 124416 bytes | Modified Date = 10/05/2005 18:08:44 | Attr = ]
{E0D79300-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLEXT.DLL [WinZip] -> [Ver = | Size = 33792 bytes | Modified Date = 17/10/1998 07:00:00 | Attr = ]
< ColumnHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll [PDF Shell Extension] -> Adobe Systems, Inc. [Ver = 7.0.0.0 | Size = 110592 bytes | Modified Date = 14/12/2004 02:20:02 | Attr = ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{84F0661D-7694-40C4-A01D-657532E6DD4E} -> () ->
{8EB6D4AB-830B-43F9-ADD9-77323685007F} -> (1394 Net Adapter) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -> QuickTime Object - CodeBase = http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab ->
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://download.microsoft.com/download/3/9...heckControl.cab ->
{193C772A-87BE-4B19-A7BB-445B226FE9A1} -> ewidoOnlineScan Control - CodeBase = http://downloads.ewido.net/ewidoOnlineScan.cab ->
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} -> MSN Photo Upload Tool - CodeBase = http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdat...b?1161346027187 ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab ->
{AB86CE53-AC9F-449F-9399-D8ABCA09EC09} -> Get_ActiveX Control - CodeBase = https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx ->
{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab ->
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab ->
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab ->


[Files - Created Within 30 days]
hpothb07.dat -> %SystemDrive%\hpothb07.dat -> [Ver = | Size = 1458 bytes | Created Date = 25/01/2007 14:43:55 | Attr = H ]
hpothb07.tif -> %SystemDrive%\hpothb07.tif -> [Ver = | Size = 2735 bytes | Created Date = 25/01/2007 14:43:54 | Attr = H ]
GDIPFONTCACHEV1.DAT -> %UserAppData%\GDIPFONTCACHEV1.DAT -> [Ver = | Size = 22992 bytes | Created Date = 04/02/2007 15:45:16 | Attr = ]
HP Director.lnk -> %AllUsersDesktop%\HP Director.lnk -> [Ver = | Size = 851 bytes | Created Date = 25/01/2007 15:04:03 | Attr = ]
HP Memories Disc.lnk -> %AllUsersDesktop%\HP Memories Disc.lnk -> [Ver = | Size = 669 bytes | Created Date = 25/01/2007 15:07:47 | Attr = ]
HP Photo & Imaging.lnk -> %AllUsersDesktop%\HP Photo & Imaging.lnk -> [Ver = | Size = 851 bytes | Created Date = 25/01/2007 15:04:03 | Attr = ]
Desktop.ini -> %AllUsersDocuments%\My Videos\Desktop.ini -> [Ver = | Size = 151 bytes | Created Date = 30/01/2007 19:37:13 | Attr = HS]
AlbumArtSmall.jpg -> %AllUsersDocuments%\My Music\Sample Music\AlbumArtSmall.jpg -> [Ver = | Size = 2041 bytes | Created Date = 05/02/2007 16:12:28 | Attr = HS]
AlbumArt_{EFFDEB51-C913-4EE1-8B2A-C80112057955}_Large.jpg -> %AllUsersDocuments%\My Music\Sample Music\AlbumArt_{EFFDEB51-C913-4EE1-8B2A-C80112057955}_Large.jpg -> [Ver = | Size = 8491 bytes | Created Date = 05/02/2007 16:12:28 | Attr = HS]
AlbumArt_{EFFDEB51-C913-4EE1-8B2A-C80112057955}_Small.jpg -> %AllUsersDocuments%\My Music\Sample Music\AlbumArt_{EFFDEB51-C913-4EE1-8B2A-C80112057955}_Small.jpg -> [Ver = | Size = 2041 bytes | Created Date = 05/02/2007 16:12:28 | Attr = HS]
Folder.jpg -> %AllUsersDocuments%\My Music\Sample Music\Folder.jpg -> [Ver = | Size = 8491 bytes | Created Date = 05/02/2007 16:12:28 | Attr = HS]
01_Music_auto_rated_at_5_stars.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\01_Music_auto_rated_at_5_stars.wpl -> [Ver = | Size = 1047 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
02_Music_added_in_the_last_month.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\02_Music_added_in_the_last_month.wpl -> [Ver = | Size = 1279 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
03_Music_rated_at_4_or_5_stars.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\03_Music_rated_at_4_or_5_stars.wpl -> [Ver = | Size = 1267 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
04_Music_played_in_the_last_month.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\04_Music_played_in_the_last_month.wpl -> [Ver = | Size = 1284 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
05_Pictures_taken_in_the_last_month.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\05_Pictures_taken_in_the_last_month.wpl -> [Ver = | Size = 797 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
06_Pictures_rated_4_or_5_stars.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\06_Pictures_rated_4_or_5_stars.wpl -> [Ver = | Size = 785 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
07_TV_recorded_in_the_last_week.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\07_TV_recorded_in_the_last_week.wpl -> [Ver = | Size = 1040 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
08_Video_rated_at_4_or_5_stars.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\08_Video_rated_at_4_or_5_stars.wpl -> [Ver = | Size = 1020 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
09_Music_played_the_most.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\09_Music_played_the_most.wpl -> [Ver = | Size = 1025 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
10_All_Music.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\10_All_Music.wpl -> [Ver = | Size = 1063 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
11_All_Pictures.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\11_All_Pictures.wpl -> [Ver = | Size = 585 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
12_All_Video.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\12_All_Video.wpl -> [Ver = | Size = 1079 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
hp psc 2000 Series.lnk -> %AllUsersStartup%\hp psc 2000 Series.lnk -> [Ver = | Size = 863 bytes | Created Date = 25/01/2007 15:08:01 | Attr = ]
hpoddt01.exe.lnk -> %AllUsersStartup%\hpoddt01.exe.lnk -> [Ver = | Size = 779 bytes | Created Date = 25/01/2007 15:04:04 | Attr = ]
winpfind3u.exe -> %UserDesktop%\winpfind3u.exe -> [Ver = | Size = 342399 bytes | Created Date = 12/02/2007 17:13:00 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\winpfind3u.exe:Zone.Identifier ->
WinPFind3U.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.17.0 | Size = 308736 bytes | Created Date = 12/02/2007 17:13:39 | Attr = ]
hpothb07.dat -> %UserDocuments%\My Pictures\hpothb07.dat -> [Ver = | Size = 2438 bytes | Created Date = 25/01/2007 14:40:04 | Attr = H ]
hpothb07.tif -> %UserDocuments%\My Pictures\hpothb07.tif -> [Ver = | Size = 406552 bytes | Created Date = 25/01/2007 14:40:04 | Attr = H ]
Thumbs.db -> %UserDocuments%\My Pictures\Thumbs.db -> [Ver = | Size = 86016 bytes | Created Date = 25/01/2007 15:22:36 | Attr = HS]
@Alternate Data Stream - 0 bytes -> %UserDocuments%\My Pictures\Thumbs.db:encryptable ->
Career Development Finance Ltd.2.doc -> %UserDocuments%\My Received Files\Career Development Finance Ltd.2.doc -> [Ver = | Size = 29696 bytes | Created Date = 23/01/2007 09:16:12 | Attr = ]
Career Development Finance Ltd.doc -> %UserDocuments%\My Received Files\Career Development Finance Ltd.doc -> [Ver = | Size = 30208 bytes | Created Date = 22/01/2007 19:29:27 | Attr = ]
HijackThis.zip -> %UserDocuments%\My Received Files\HijackThis.zip -> [Ver = | Size = 213344 bytes | Created Date = 08/02/2007 15:51:19 | Attr = ]
McafeeRootkitDetective.zip -> %UserDocuments%\My Received Files\McafeeRootkitDetective.zip -> [Ver = | Size = 1400487 bytes | Created Date = 08/02/2007 15:31:26 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Received Files\McafeeRootkitDetective.zip:Zone.Identifier ->
Questions_regarding_proposed_transfer_to_CMS.doc -> %UserDocuments%\My Received Files\Questions_regarding_proposed_transfer_to_CMS.doc -> [Ver = | Size = 31232 bytes | Created Date = 19/01/2007 18:04:41 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Received Files\Questions_regarding_proposed_transfer_to_CMS.doc:Zone.Identifier ->
RegCureSetup_46.exe -> %UserDocuments%\My Received Files\RegCureSetup_46.exe -> [Ver = | Size = 989584 bytes | Created Date = 08/02/2007 11:17:44 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Received Files\RegCureSetup_46.exe:Zone.Identifier ->
iTunes Library.itl -> %UserDocuments%\My Music\iTunes\iTunes Library.itl -> [Ver = | Size = 17546 bytes | Created Date = 06/02/2007 12:22:52 | Attr = ]
iTunes Music Library.xml -> %UserDocuments%\My Music\iTunes\iTunes Music Library.xml -> [Ver = | Size = 11333 bytes | Created Date = 04/02/2007 16:03:16 | Attr = ]
Cher - Heart Of Stone.MP3 -> %UserDocuments%\My Music\iTunes\iTunes Music\Cher\Unknown Album\Cher - Heart Of Stone.MP3 -> [Ver = | Size = 5122176 bytes | Created Date = 31/01/2007 10:06:56 | Attr = ]
02 Kingston Town.m4a -> %UserDocuments%\My Music\iTunes\iTunes Music\UB40\The Very Best Of Ub40 (1980-2000)\02 Kingston Town.m4a -> [Ver = | Size = 51359 bytes | Created Date = 21/01/2007 11:47:10 | Attr = ]
gtune553.mp3 -> %UserDocuments%\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album\gtune553.mp3 -> [Ver = | Size = 17996 bytes | Created Date = 04/02/2007 16:02:35 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album\gtune553.mp3:Zone.Identifier ->
hpoins01.dat -> %SystemRoot%\hpoins01.dat -> [Ver = | Size = 20475 bytes | Created Date = 25/01/2007 15:02:51 | Attr = ]
hpomdl01.dat -> %SystemRoot%\hpomdl01.dat -> [Ver = | Size = 16622 bytes | Created Date = 25/01/2007 15:02:51 | Attr = ]
945053D0.inf -> %System32%\945053D0.inf -> [Ver = | Size = 738 bytes | Created Date = 28/01/2007 19:27:25 | Attr = ]
HPZidr12.dll -> %System32%\HPZidr12.dll -> HP [Ver = 6, 0, 0, 0 | Size = 233528 bytes | Created Date = 25/01/2007 15:06:21 | Attr = R ]
HPZinw12.exe -> %System32%\HPZinw12.exe -> HP [Ver = 6, 0, 0, 0 | Size = 61699 bytes | Created Date = 25/01/2007 15:06:22 | Attr = R ]
HPZipm12.exe -> %System32%\HPZipm12.exe -> HP [Ver = 6, 0, 0, 0 | Size = 65795 bytes | Created Date = 25/01/2007 15:06:22 | Attr = R ]
HPZipr12.dll -> %System32%\HPZipr12.dll -> HP [Ver = 6, 0, 0, 0 | Size = 167936 bytes | Created Date = 25/01/2007 15:06:21 | Attr = R ]
HPZipt12.dll -> %System32%\HPZipt12.dll -> HP [Ver = 6, 0, 0, 0 | Size = 94208 bytes | Created Date = 25/01/2007 15:06:22 | Attr = R ]
HPZisn12.dll -> %System32%\HPZisn12.dll -> HP [Ver = 6, 0, 0, 0 | Size = 57344 bytes | Created Date = 25/01/2007 15:06:22 | Attr = R ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 49248 bytes | Created Date = 25/01/2007 11:13:50 | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 53346 bytes | Created Date = 25/01/2007 11:13:50 | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 127078 bytes | Created Date = 25/01/2007 11:13:50 | Attr = ]
nvaudio.nvu -> %System32%\nvaudio.nvu -> [Ver = | Size = 4624 bytes | Created Date = 30/01/2007 14:46:28 | Attr = ]
nvuaudio.exe -> %System32%\nvuaudio.exe -> NVIDIA Corporation [Ver = 1 , 0 , 1 , 41 | Size = 180224 bytes | Created Date = 30/01/2007 14:46:27 | Attr = ]
Sexxxpassport.ico -> %System32%\Sexxxpassport.ico -> [Ver = | Size = 2238 bytes | Created Date = 28/01/2007 19:27:22 | Attr = ]
u2g.f -> %System32%\u2g.f -> [Ver = | Size = 238 bytes | Created Date = 28/01/2007 19:28:36 | Attr = ]
UBSauthenticateAXC.ocx -> %System32%\UBSauthenticateAXC.ocx -> [Ver = 1.0.13.0 | Size = 1224512 bytes | Created Date = 28/01/2007 19:27:25 | Attr = ]
winiconmon.ico -> %System32%\winiconmon.ico -> [Ver = | Size = 22486

#9 Papakid

  • Malware Response Team

Posted 12 February 2007 - 02:59 PM

Hi rmonty,

Thanks for sending the files. We're starting to get some more info on this new variant and you've been a big help. So has the popup gone away now--it should have.

The WinPFind3U log has revealed some more files that are probably leftovers, but the log got cut off so there may be more. Could you post the rest of the log, starting at [Files - Created Within 30 days]?

I would like to get samples of these other files also. Please do the following:

Download this program:

submit files packer

Highlight the files listed below in bold and right-click and select copy.

C:\WINDOWS\system32\u2g.f
C:\WINDOWS\system32\UBSauthenticateAXC.ocx
C:\WINDOWS\system32\Sexxxpassport.ico
C:\WINDOWS\system32\winiconmon.ico


Then start the file packer program, right-click in the white box and select Paste to paste the copied file names into the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to rmonty.cab (for example grinler.cab). Please go to Folder Options in Control Panel and make sure file extensions are showing and that there is only one .cab extension.

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.

Also look in your START menu for an icon that looks like two blue boxes, one offset from the other. Tell me if it's there and what the name of the shortcut is.

There will be more instructions but I'll wait until you post back.

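The triage being done on the WinPFind3U output in this thread, as an added example that is not part of the thread and is not code from WinPFind3U or BleepingComputer: a small Python parser for the log's file records and alternate-data-stream lines that sorts the files in %System32% and %SystemRoot% by creation time, splits them into bursts, and flags any burst containing a binary (exe/dll/ocx/sys) with no vendor string. On the lines copied from the log posted in this thread, the only flagged burst is the 28/01/2007 19:27 one that the request above asks samples of. The two-minute window, the extension list and the "no vendor" heuristic are my assumptions; the output is a list of candidates for the analyst, not verdicts.

```python
import re
from datetime import datetime, timedelta

# One WinPFind3U file record, as printed in the log:
#   <name> -> <%Var%\path> -> [<vendor> ][Ver = <v> | Size = <n> bytes | Created Date = <dd/mm/yyyy hh:mm:ss> | Attr = <flags>]
FILE_RE = re.compile(
    r"^(?P<name>.+?) -> (?P<path>%\w+%\\.+?) -> (?P<vendor>[^\[]*)"
    r"\[Ver = (?P<ver>[^|]*)\| Size = (?P<size>\d+) bytes \| "
    r"(?:Created|Modified) Date = (?P<date>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) \| "
    r"Attr = (?P<attr>[^\]]*)\]$"
)
# Alternate data stream record, e.g. "...\file.exe:Zone.Identifier ->"
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<stream>.+?) ->$")

# Triage knobs: assumptions of this example, not settings of WinPFind3U.
SYSTEM_VARS = ("%System32%", "%SystemRoot%")          # where an unattributed binary matters
BINARY_EXT = (".exe", ".dll", ".ocx", ".sys", ".scr", ".cpl", ".drv")
BURST_WINDOW = timedelta(minutes=2)                     # max gap between files of one burst

# Lines copied from the log posted in this thread (raw string: the paths contain backslashes).
SAMPLE_LOG = r"""
[Files - Created Within 30 days]
winpfind3u.exe -> %UserDesktop%\winpfind3u.exe -> [Ver = | Size = 342399 bytes | Created Date = 12/02/2007 17:13:00 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\winpfind3u.exe:Zone.Identifier ->
RegCureSetup_46.exe -> %UserDocuments%\My Received Files\RegCureSetup_46.exe -> [Ver = | Size = 989584 bytes | Created Date = 08/02/2007 11:17:44 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Received Files\RegCureSetup_46.exe:Zone.Identifier ->
hpoins01.dat -> %SystemRoot%\hpoins01.dat -> [Ver = | Size = 20475 bytes | Created Date = 25/01/2007 15:02:51 | Attr = ]
945053D0.inf -> %System32%\945053D0.inf -> [Ver = | Size = 738 bytes | Created Date = 28/01/2007 19:27:25 | Attr = ]
HPZidr12.dll -> %System32%\HPZidr12.dll -> HP [Ver = 6, 0, 0, 0 | Size = 233528 bytes | Created Date = 25/01/2007 15:06:21 | Attr = R ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 49248 bytes | Created Date = 25/01/2007 11:13:50 | Attr = ]
nvaudio.nvu -> %System32%\nvaudio.nvu -> [Ver = | Size = 4624 bytes | Created Date = 30/01/2007 14:46:28 | Attr = ]
nvuaudio.exe -> %System32%\nvuaudio.exe -> NVIDIA Corporation [Ver = 1 , 0 , 1 , 41 | Size = 180224 bytes | Created Date = 30/01/2007 14:46:27 | Attr = ]
Sexxxpassport.ico -> %System32%\Sexxxpassport.ico -> [Ver = | Size = 2238 bytes | Created Date = 28/01/2007 19:27:22 | Attr = ]
u2g.f -> %System32%\u2g.f -> [Ver = | Size = 238 bytes | Created Date = 28/01/2007 19:28:36 | Attr = ]
UBSauthenticateAXC.ocx -> %System32%\UBSauthenticateAXC.ocx -> [Ver = 1.0.13.0 | Size = 1224512 bytes | Created Date = 28/01/2007 19:27:25 | Attr = ]
winiconmon.ico -> %System32%\winiconmon.ico -> [Ver = | Size = 22486 bytes | Created Date = 28/01/2007 19:27:25 | Attr = ]
winiconmon.ico.bak0 -> %System32%\winiconmon.ico.bak0 -> [Ver = | Size = 22486 bytes | Created Date = 28/01/2007 19:27:25 | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.5.0.1052 | Size = 76560 bytes | Created Date = 08/02/2007 15:15:48 | Attr = ]
"""


def parse_log(text):
    """Return (files, streams): parsed file records and the names of ADS streams."""
    files, streams = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["vendor"] = rec["vendor"].strip()
            rec["ver"] = rec["ver"].strip()
            rec["attr"] = rec["attr"].strip()
            rec["size"] = int(rec["size"])
            rec["date"] = datetime.strptime(rec["date"], "%d/%m/%Y %H:%M:%S")
            files.append(rec)
            continue
        m = ADS_RE.match(line)
        if m:
            streams.append(m.group("stream"))
    return files, streams


def unattributed_binary(rec):
    """A PE-type file with no vendor string: worth a second look in a system directory."""
    return rec["path"].lower().endswith(BINARY_EXT) and not rec["vendor"]


def suspicious_bursts(files, window=BURST_WINDOW):
    """Sort system-location files by creation time, split them into bursts of files
    no more than `window` apart (installers, legitimate or not, drop their files
    within seconds of each other), and keep bursts holding an unattributed binary."""
    sys_files = sorted((f for f in files if f["path"].startswith(SYSTEM_VARS)),
                       key=lambda f: f["date"])
    bursts, current = [], []
    for rec in sys_files:
        if current and rec["date"] - current[-1]["date"] > window:
            bursts.append(current)
            current = []
        current.append(rec)
    if current:
        bursts.append(current)
    return [b for b in bursts if any(unattributed_binary(f) for f in b)]


def downloaded_files(streams):
    """Files carrying a Zone.Identifier stream, the mark-of-the-web IE and Outlook add to downloads."""
    suffix = ":Zone.Identifier"
    return [s[:-len(suffix)] for s in streams if s.endswith(suffix)]


if __name__ == "__main__":
    files, streams = parse_log(SAMPLE_LOG)
    for burst in suspicious_bursts(files):
        print(f"{burst[0]['date']:%d/%m/%Y %H:%M} burst of {len(burst)} files in system locations:")
        for rec in burst:
            print(f"  {rec['path']:<45} {rec['size']:>8} bytes  {rec['vendor'] or '(no vendor)'}")
    print("downloaded (Zone.Identifier present):")
    for path in downloaded_files(streams):
        print("  " + path)
```

Run as a script it prints the one flagged burst and the files still carrying a Zone.Identifier stream. Note that the burst view pulls in 945053D0.inf and winiconmon.ico.bak0, created in the same second as UBSauthenticateAXC.ocx, alongside the four files the request above names; that is the point of grouping by time rather than scanning for odd names, and it is why the sample-collection request in a thread like this is usually widened once the full log arrives.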


#10 rmonty
  • Topic Starter
  • Location:united kingdom

Posted 12 February 2007 - 03:16 PM

Hi Guys,

Here is the rest of the log as requested. I have not had the popup for approx. 2 hrs since completion of the instructions, but I will carry out the other requests and keep you posted. Thanks again.


[Files - Created Within 30 days]
hpothb07.dat -> %SystemDrive%\hpothb07.dat -> [Ver = | Size = 1458 bytes | Created Date = 25/01/2007 14:43:55 | Attr = H ]
hpothb07.tif -> %SystemDrive%\hpothb07.tif -> [Ver = | Size = 2735 bytes | Created Date = 25/01/2007 14:43:54 | Attr = H ]
GDIPFONTCACHEV1.DAT -> %UserAppData%\GDIPFONTCACHEV1.DAT -> [Ver = | Size = 22992 bytes | Created Date = 04/02/2007 15:45:16 | Attr = ]
HP Director.lnk -> %AllUsersDesktop%\HP Director.lnk -> [Ver = | Size = 851 bytes | Created Date = 25/01/2007 15:04:03 | Attr = ]
HP Memories Disc.lnk -> %AllUsersDesktop%\HP Memories Disc.lnk -> [Ver = | Size = 669 bytes | Created Date = 25/01/2007 15:07:47 | Attr = ]
HP Photo & Imaging.lnk -> %AllUsersDesktop%\HP Photo & Imaging.lnk -> [Ver = | Size = 851 bytes | Created Date = 25/01/2007 15:04:03 | Attr = ]
Desktop.ini -> %AllUsersDocuments%\My Videos\Desktop.ini -> [Ver = | Size = 151 bytes | Created Date = 30/01/2007 19:37:13 | Attr = HS]
AlbumArtSmall.jpg -> %AllUsersDocuments%\My Music\Sample Music\AlbumArtSmall.jpg -> [Ver = | Size = 2041 bytes | Created Date = 05/02/2007 16:12:28 | Attr = HS]
AlbumArt_{EFFDEB51-C913-4EE1-8B2A-C80112057955}_Large.jpg -> %AllUsersDocuments%\My Music\Sample Music\AlbumArt_{EFFDEB51-C913-4EE1-8B2A-C80112057955}_Large.jpg -> [Ver = | Size = 8491 bytes | Created Date = 05/02/2007 16:12:28 | Attr = HS]
AlbumArt_{EFFDEB51-C913-4EE1-8B2A-C80112057955}_Small.jpg -> %AllUsersDocuments%\My Music\Sample Music\AlbumArt_{EFFDEB51-C913-4EE1-8B2A-C80112057955}_Small.jpg -> [Ver = | Size = 2041 bytes | Created Date = 05/02/2007 16:12:28 | Attr = HS]
Folder.jpg -> %AllUsersDocuments%\My Music\Sample Music\Folder.jpg -> [Ver = | Size = 8491 bytes | Created Date = 05/02/2007 16:12:28 | Attr = HS]
01_Music_auto_rated_at_5_stars.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\01_Music_auto_rated_at_5_stars.wpl -> [Ver = | Size = 1047 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
02_Music_added_in_the_last_month.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\02_Music_added_in_the_last_month.wpl -> [Ver = | Size = 1279 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
03_Music_rated_at_4_or_5_stars.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\03_Music_rated_at_4_or_5_stars.wpl -> [Ver = | Size = 1267 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
04_Music_played_in_the_last_month.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\04_Music_played_in_the_last_month.wpl -> [Ver = | Size = 1284 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
05_Pictures_taken_in_the_last_month.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\05_Pictures_taken_in_the_last_month.wpl -> [Ver = | Size = 797 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
06_Pictures_rated_4_or_5_stars.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\06_Pictures_rated_4_or_5_stars.wpl -> [Ver = | Size = 785 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
07_TV_recorded_in_the_last_week.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\07_TV_recorded_in_the_last_week.wpl -> [Ver = | Size = 1040 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
08_Video_rated_at_4_or_5_stars.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\08_Video_rated_at_4_or_5_stars.wpl -> [Ver = | Size = 1020 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
09_Music_played_the_most.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\09_Music_played_the_most.wpl -> [Ver = | Size = 1025 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
10_All_Music.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\10_All_Music.wpl -> [Ver = | Size = 1063 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
11_All_Pictures.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\11_All_Pictures.wpl -> [Ver = | Size = 585 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
12_All_Video.wpl -> %AllUsersDocuments%\My Music\Sync Playlists\1CBCB0\12_All_Video.wpl -> [Ver = | Size = 1079 bytes | Created Date = 30/01/2007 19:32:43 | Attr = ]
hp psc 2000 Series.lnk -> %AllUsersStartup%\hp psc 2000 Series.lnk -> [Ver = | Size = 863 bytes | Created Date = 25/01/2007 15:08:01 | Attr = ]
hpoddt01.exe.lnk -> %AllUsersStartup%\hpoddt01.exe.lnk -> [Ver = | Size = 779 bytes | Created Date = 25/01/2007 15:04:04 | Attr = ]
winpfind3u.exe -> %UserDesktop%\winpfind3u.exe -> [Ver = | Size = 342399 bytes | Created Date = 12/02/2007 17:13:00 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\winpfind3u.exe:Zone.Identifier ->
WinPFind3U.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.17.0 | Size = 308736 bytes | Created Date = 12/02/2007 17:13:39 | Attr = ]
hpothb07.dat -> %UserDocuments%\My Pictures\hpothb07.dat -> [Ver = | Size = 2438 bytes | Created Date = 25/01/2007 14:40:04 | Attr = H ]
hpothb07.tif -> %UserDocuments%\My Pictures\hpothb07.tif -> [Ver = | Size = 406552 bytes | Created Date = 25/01/2007 14:40:04 | Attr = H ]
Thumbs.db -> %UserDocuments%\My Pictures\Thumbs.db -> [Ver = | Size = 86016 bytes | Created Date = 25/01/2007 15:22:36 | Attr = HS]
@Alternate Data Stream - 0 bytes -> %UserDocuments%\My Pictures\Thumbs.db:encryptable ->
Career Development Finance Ltd.2.doc -> %UserDocuments%\My Received Files\Career Development Finance Ltd.2.doc -> [Ver = | Size = 29696 bytes | Created Date = 23/01/2007 09:16:12 | Attr = ]
Career Development Finance Ltd.doc -> %UserDocuments%\My Received Files\Career Development Finance Ltd.doc -> [Ver = | Size = 30208 bytes | Created Date = 22/01/2007 19:29:27 | Attr = ]
HijackThis.zip -> %UserDocuments%\My Received Files\HijackThis.zip -> [Ver = | Size = 213344 bytes | Created Date = 08/02/2007 15:51:19 | Attr = ]
McafeeRootkitDetective.zip -> %UserDocuments%\My Received Files\McafeeRootkitDetective.zip -> [Ver = | Size = 1400487 bytes | Created Date = 08/02/2007 15:31:26 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Received Files\McafeeRootkitDetective.zip:Zone.Identifier ->
Questions_regarding_proposed_transfer_to_CMS.doc -> %UserDocuments%\My Received Files\Questions_regarding_proposed_transfer_to_CMS.doc -> [Ver = | Size = 31232 bytes | Created Date = 19/01/2007 18:04:41 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Received Files\Questions_regarding_proposed_transfer_to_CMS.doc:Zone.Identifier ->
RegCureSetup_46.exe -> %UserDocuments%\My Received Files\RegCureSetup_46.exe -> [Ver = | Size = 989584 bytes | Created Date = 08/02/2007 11:17:44 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Received Files\RegCureSetup_46.exe:Zone.Identifier ->
iTunes Library.itl -> %UserDocuments%\My Music\iTunes\iTunes Library.itl -> [Ver = | Size = 17546 bytes | Created Date = 06/02/2007 12:22:52 | Attr = ]
iTunes Music Library.xml -> %UserDocuments%\My Music\iTunes\iTunes Music Library.xml -> [Ver = | Size = 11333 bytes | Created Date = 04/02/2007 16:03:16 | Attr = ]
Cher - Heart Of Stone.MP3 -> %UserDocuments%\My Music\iTunes\iTunes Music\Cher\Unknown Album\Cher - Heart Of Stone.MP3 -> [Ver = | Size = 5122176 bytes | Created Date = 31/01/2007 10:06:56 | Attr = ]
02 Kingston Town.m4a -> %UserDocuments%\My Music\iTunes\iTunes Music\UB40\The Very Best Of Ub40 (1980-2000)\02 Kingston Town.m4a -> [Ver = | Size = 51359 bytes | Created Date = 21/01/2007 11:47:10 | Attr = ]
gtune553.mp3 -> %UserDocuments%\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album\gtune553.mp3 -> [Ver = | Size = 17996 bytes | Created Date = 04/02/2007 16:02:35 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album\gtune553.mp3:Zone.Identifier ->
hpoins01.dat -> %SystemRoot%\hpoins01.dat -> [Ver = | Size = 20475 bytes | Created Date = 25/01/2007 15:02:51 | Attr = ]
hpomdl01.dat -> %SystemRoot%\hpomdl01.dat -> [Ver = | Size = 16622 bytes | Created Date = 25/01/2007 15:02:51 | Attr = ]
945053D0.inf -> %System32%\945053D0.inf -> [Ver = | Size = 738 bytes | Created Date = 28/01/2007 19:27:25 | Attr = ]
HPZidr12.dll -> %System32%\HPZidr12.dll -> HP [Ver = 6, 0, 0, 0 | Size = 233528 bytes | Created Date = 25/01/2007 15:06:21 | Attr = R ]
HPZinw12.exe -> %System32%\HPZinw12.exe -> HP [Ver = 6, 0, 0, 0 | Size = 61699 bytes | Created Date = 25/01/2007 15:06:22 | Attr = R ]
HPZipm12.exe -> %System32%\HPZipm12.exe -> HP [Ver = 6, 0, 0, 0 | Size = 65795 bytes | Created Date = 25/01/2007 15:06:22 | Attr = R ]
HPZipr12.dll -> %System32%\HPZipr12.dll -> HP [Ver = 6, 0, 0, 0 | Size = 167936 bytes | Created Date = 25/01/2007 15:06:21 | Attr = R ]
HPZipt12.dll -> %System32%\HPZipt12.dll -> HP [Ver = 6, 0, 0, 0 | Size = 94208 bytes | Created Date = 25/01/2007 15:06:22 | Attr = R ]
HPZisn12.dll -> %System32%\HPZisn12.dll -> HP [Ver = 6, 0, 0, 0 | Size = 57344 bytes | Created Date = 25/01/2007 15:06:22 | Attr = R ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 49248 bytes | Created Date = 25/01/2007 11:13:50 | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 53346 bytes | Created Date = 25/01/2007 11:13:50 | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 127078 bytes | Created Date = 25/01/2007 11:13:50 | Attr = ]
nvaudio.nvu -> %System32%\nvaudio.nvu -> [Ver = | Size = 4624 bytes | Created Date = 30/01/2007 14:46:28 | Attr = ]
nvuaudio.exe -> %System32%\nvuaudio.exe -> NVIDIA Corporation [Ver = 1 , 0 , 1 , 41 | Size = 180224 bytes | Created Date = 30/01/2007 14:46:27 | Attr = ]
Sexxxpassport.ico -> %System32%\Sexxxpassport.ico -> [Ver = | Size = 2238 bytes | Created Date = 28/01/2007 19:27:22 | Attr = ]
u2g.f -> %System32%\u2g.f -> [Ver = | Size = 238 bytes | Created Date = 28/01/2007 19:28:36 | Attr = ]
UBSauthenticateAXC.ocx -> %System32%\UBSauthenticateAXC.ocx -> [Ver = 1.0.13.0 | Size = 1224512 bytes | Created Date = 28/01/2007 19:27:25 | Attr = ]
winiconmon.ico -> %System32%\winiconmon.ico -> [Ver = | Size = 22486 bytes | Created Date = 28/01/2007 19:27:25 | Attr = ]
winiconmon.ico.bak0 -> %System32%\winiconmon.ico.bak0 -> [Ver = | Size = 22486 bytes | Created Date = 28/01/2007 19:27:25 | Attr = ]
AFS2K.SYS -> %System32%\drivers\AFS2K.SYS -> Oak Technology Inc. [Ver = 3.1.21.1103 | Size = 35840 bytes | Created Date = 25/01/2007 15:07:45 | Attr = ]
hpzid412.sys -> %System32%\drivers\hpzid412.sys -> HP [Ver = 6, 0, 0, 0 | Size = 51024 bytes | Created Date = 25/01/2007 15:06:17 | Attr = R ]
HPZipr12.sys -> %System32%\drivers\HPZipr12.sys -> HP [Ver = 6, 0, 0, 0 | Size = 16080 bytes | Created Date = 25/01/2007 15:06:21 | Attr = R ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.5.0.1052 | Size = 76560 bytes | Created Date = 08/02/2007 15:15:48 | Attr = ]

[Files - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 211 bytes | Modified Date = 12/02/2007 10:59:52 | Attr = HS]
hpfr5550.xml -> %SystemDrive%\hpfr5550.xml -> [Ver = | Size = 488 bytes | Modified Date = 05/02/2007 13:56:22 | Attr = ]
hpothb07.dat -> %SystemDrive%\hpothb07.dat -> [Ver = | Size = 1458 bytes | Modified Date = 25/01/2007 14:52:20 | Attr = H ]
hpothb07.tif -> %SystemDrive%\hpothb07.tif -> [Ver = | Size = 2735 bytes | Modified Date = 25/01/2007 14:43:56 | Attr = H ]
sqmdata00.sqm -> %SystemDrive%\sqmdata00.sqm -> [Ver = | Size = 268 bytes | Modified Date = 27/01/2007 20:20:04 | Attr = H ]
sqmdata01.sqm -> %SystemDrive%\sqmdata01.sqm -> [Ver = | Size = 268 bytes | Modified Date = 27/01/2007 21:51:18 | Attr = H ]
sqmdata02.sqm -> %SystemDrive%\sqmdata02.sqm -> [Ver = | Size = 268 bytes | Modified Date = 28/01/2007 15:00:16 | Attr = H ]
sqmdata03.sqm -> %SystemDrive%\sqmdata03.sqm -> [Ver = | Size = 268 bytes | Modified Date = 29/01/2007 15:32:10 | Attr = H ]
sqmdata04.sqm -> %SystemDrive%\sqmdata04.sqm -> [Ver = | Size = 268 bytes | Modified Date = 29/01/2007 16:58:44 | Attr = H ]
sqmdata05.sqm -> %SystemDrive%\sqmdata05.sqm -> [Ver = | Size = 268 bytes | Modified Date = 29/01/2007 19:09:26 | Attr = H ]
sqmdata06.sqm -> %SystemDrive%\sqmdata06.sqm -> [Ver = | Size = 268 bytes | Modified Date = 30/01/2007 12:46:46 | Attr = H ]
sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm -> [Ver = | Size = 268 bytes | Modified Date = 30/01/2007 17:29:40 | Attr = H ]
sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm -> [Ver = | Size = 268 bytes | Modified Date = 31/01/2007 16:12:44 | Attr = H ]
sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm -> [Ver = | Size = 268 bytes | Modified Date = 31/01/2007 17:20:22 | Attr = H ]
sqmdata10.sqm -> %SystemDrive%\sqmdata10.sqm -> [Ver = | Size = 268 bytes | Modified Date = 01/02/2007 13:45:50 | Attr = H ]
sqmdata11.sqm -> %SystemDrive%\sqmdata11.sqm -> [Ver = | Size = 268 bytes | Modified Date = 01/02/2007 14:25:02 | Attr = H ]
sqmdata12.sqm -> %SystemDrive%\sqmdata12.sqm -> [Ver = | Size = 268 bytes | Modified Date = 01/02/2007 17:02:36 | Attr = H ]
sqmdata13.sqm -> %SystemDrive%\sqmdata13.sqm -> [Ver = | Size = 268 bytes | Modified Date = 03/02/2007 15:08:18 | Attr = H ]
sqmdata14.sqm -> %SystemDrive%\sqmdata14.sqm -> [Ver = | Size = 268 bytes | Modified Date = 05/02/2007 17:13:08 | Attr = H ]
sqmdata15.sqm -> %SystemDrive%\sqmdata15.sqm -> [Ver = | Size = 280 bytes | Modified Date = 05/02/2007 18:22:14 | Attr = H ]
sqmdata16.sqm -> %SystemDrive%\sqmdata16.sqm -> [Ver = | Size = 268 bytes | Modified Date = 06/02/2007 17:35:30 | Attr = H ]
sqmdata17.sqm -> %SystemDrive%\sqmdata17.sqm -> [Ver = | Size = 268 bytes | Modified Date = 06/02/2007 19:10:10 | Attr = H ]
sqmdata18.sqm -> %SystemDrive%\sqmdata18.sqm -> [Ver = | Size = 268 bytes | Modified Date = 08/02/2007 10:22:38 | Attr = H ]
sqmdata19.sqm -> %SystemDrive%\sqmdata19.sqm -> [Ver = | Size = 268 bytes | Modified Date = 27/01/2007 13:13:18 | Attr = H ]
sqmnoopt00.sqm -> %SystemDrive%\sqmnoopt00.sqm -> [Ver = | Size = 244 bytes | Modified Date = 27/01/2007 20:20:04 | Attr = H ]
sqmnoopt01.sqm -> %SystemDrive%\sqmnoopt01.sqm -> [Ver = | Size = 244 bytes | Modified Date = 27/01/2007 21:51:18 | Attr = H ]
sqmnoopt02.sqm -> %SystemDrive%\sqmnoopt02.sqm -> [Ver = | Size = 244 bytes | Modified Date = 28/01/2007 15:00:14 | Attr = H ]
sqmnoopt03.sqm -> %SystemDrive%\sqmnoopt03.sqm -> [Ver = | Size = 244 bytes | Modified Date = 29/01/2007 15:32:10 | Attr = H ]
sqmnoopt04.sqm -> %SystemDrive%\sqmnoopt04.sqm -> [Ver = | Size = 244 bytes | Modified Date = 29/01/2007 16:58:44 | Attr = H ]
sqmnoopt05.sqm -> %SystemDrive%\sqmnoopt05.sqm -> [Ver = | Size = 244 bytes | Modified Date = 29/01/2007 19:09:26 | Attr = H ]
sqmnoopt06.sqm -> %SystemDrive%\sqmnoopt06.sqm -> [Ver = | Size = 244 bytes | Modified Date = 30/01/2007 12:46:46 | Attr = H ]
sqmnoopt07.sqm -> %SystemDrive%\sqmnoopt07.sqm -> [Ver = | Size = 244 bytes | Modified Date = 30/01/2007 17:29:40 | Attr = H ]
sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm -> [Ver = | Size = 244 bytes | Modified Date = 31/01/2007 16:12:44 | Attr = H ]
sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm -> [Ver = | Size = 244 bytes | Modified Date = 31/01/2007 17:20:22 | Attr = H ]
sqmnoopt10.sqm -> %SystemDrive%\sqmnoopt10.sqm -> [Ver = | Size = 244 bytes | Modified Date = 01/02/2007 13:45:50 | Attr = H ]
sqmnoopt11.sqm -> %SystemDrive%\sqmnoopt11.sqm -> [Ver = | Size = 244 bytes | Modified Date = 01/02/2007 14:25:02 | Attr = H ]
sqmnoopt12.sqm -> %SystemDrive%\sqmnoopt12.sqm -> [Ver = | Size = 244 bytes | Modified Date = 01/02/2007 17:02:36 | Attr = H ]
sqmnoopt13.sqm -> %SystemDrive%\sqmnoopt13.sqm -> [Ver = | Size = 244 bytes | Modified Date = 03/02/2007 15:08:18 | Attr = H ]
sqmnoopt14.sqm -> %SystemDrive%\sqmnoopt14.sqm -> [Ver = | Size = 244 bytes | Modified Date = 05/02/2007 17:13:08 | Attr = H ]
sqmnoopt15.sqm -> %SystemDrive%\sqmnoopt15.sqm -> [Ver = | Size = 244 bytes | Modified Date = 05/02/2007 18:22:14 | Attr = H ]
sqmnoopt16.sqm -> %SystemDrive%\sqmnoopt16.sqm -> [Ver = | Size = 244 bytes | Modified Date = 06/02/2007 17:35:30 | Attr = H ]
sqmnoopt17.sqm -> %SystemDrive%\sqmnoopt17.sqm -> [Ver = | Size = 244 bytes | Modified Date = 06/02/2007 19:10:10 | Attr = H ]
sqmnoopt18.sqm -> %SystemDrive%\sqmnoopt18.sqm -> [Ver = | Size = 244 bytes | Modified Date = 08/02/2007 10:22:38 | Attr = H ]
sqmnoopt19.sqm -> %SystemDrive%\sqmnoopt19.sqm -> [Ver = | Size = 244 bytes | Modified Date = 27/01/2007 13:13:18 | Attr = H ]
GDIPFONTCACHEV1.DAT -> %UserAppData%\GDIPFONTCACHEV1.DAT -> [Ver = | Size = 22992 bytes | Modified Date = 04/02/2007 15:45:18 | Attr = ]
GDIPFONTCACHEV1.DAT -> %LocalAppData%\GDIPFONTCACHEV1.DAT -> [Ver = | Size = 20632 bytes | Modified Date = 08/02/2007 11:34:04 | Attr = ]
IconCache.db -> %LocalAppData%\IconCache.db -> [Ver = | Size = 4311758 bytes | Modified Date = 12/02/2007 11:02:38 | Attr = H ]
HP Director.lnk -> %AllUsersDesktop%\HP Director.lnk -> [Ver = | Size = 851 bytes | Modified Date = 25/01/2007 15:04:04 | Attr = ]
HP Memories Disc.lnk -> %AllUsersDesktop%\HP Memories Disc.lnk -> [Ver = | Size = 669 bytes | Modified Date = 25/01/2007 15:07:48 | Attr = ]
HP Photo & Imaging.lnk -> %AllUsersDesktop%\HP Photo & Imaging.lnk -> [Ver = | Size = 851 bytes | Modified Date = 25/01/2007 15:04:04 | Attr = ]
iTunes.lnk -> %AllUsersDesktop%\iTunes.lnk -> [Ver = | Size = 2137 bytes | Modified Date = 17/01/2007 15:46:34 | Attr = ]
Desktop.ini -> %AllUsersDocuments%\My Videos\Desktop.ini -> [Ver = | Size = 151 bytes | Modified Date = 30/01/2007 19:37:14 | Attr = HS]
AlbumArtSmall.jpg -> %AllUsersDocuments%\My Music\Sample Music\AlbumArtSmall.jpg -> [Ver = | Size = 2041 bytes | Modified Date = 05/02/2007 16:12:24 | Attr = HS]
AlbumArt_{EFFDEB51-C913-4EE1-8B2A-C80112057955}_Large.jpg -> %AllUsersDocuments%\My Music\Sample Music\AlbumArt_{EFFDEB51-C913-4EE1-8B2A-C80112057955}_Large.jpg -> [Ver = | Size = 8491 bytes | Modified Date = 05/02/2007 16:12:28 | Attr = HS]
AlbumArt_{EFFDEB51-C913-4EE1-8B2A-C80112057955}_Small.jpg -> %AllUsersDocuments%\My Music\Sample Music\AlbumArt_{EFFDEB51-C913-4EE1-8B2A-C80112057955}_Small.jpg -> [Ver = | Size = 2041 bytes | Modified Date = 05/02/2007 16:12:24 | Attr = HS]
desktop.ini -> %AllUsersDocuments%\My Music\Sample Music\desktop.ini -> [Ver = | Size = 362 bytes | Modified Date = 05/02/2007 16:12:30 | Attr = HS]
Folder.jpg -> %AllUsersDocuments%\My Music\Sample Music\Folder.jpg -> [Ver = | Size = 8491 bytes | Modified Date = 05/02/2007 16:12:28 | Attr = HS]
New Stories (Highway Blues).wma -> %AllUsersDocuments%\My Music\Sample Music\New Stories (Highway Blues).wma -> [Ver = | Size = 765730 bytes | Modified Date = 05/02/2007 16:12:48 | Attr = ]
hp psc 2000 Series.lnk -> %AllUsersStartup%\hp psc 2000 Series.lnk -> [Ver = | Size = 863 bytes | Modified Date = 25/01/2007 15:08:02 | Attr = ]
hpoddt01.exe.lnk -> %AllUsersStartup%\hpoddt01.exe.lnk -> [Ver = | Size = 779 bytes | Modified Date = 25/01/2007 15:04:04 | Attr = ]
winpfind3u.exe -> %UserDesktop%\winpfind3u.exe -> [Ver = | Size = 342399 bytes | Modified Date = 12/02/2007 17:13:06 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\winpfind3u.exe:Zone.Identifier ->
WinPFind3U.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.17.0 | Size = 308736 bytes | Modified Date = 11/02/2007 12:42:18 | Attr = ]
My Sharing Folders.lnk -> %UserDocuments%\My Sharing Folders.lnk -> [Ver = | Size = 595 bytes | Modified Date = 06/02/2007 19:10:20 | Attr = ]
hpothb07.dat -> %UserDocuments%\My Pictures\hpothb07.dat -> [Ver = | Size = 2438 bytes | Modified Date = 25/01/2007 15:39:26 | Attr = H ]
hpothb07.tif -> %UserDocuments%\My Pictures\hpothb07.tif -> [Ver = | Size = 406552 bytes | Modified Date = 25/01/2007 15:39:26 | Attr = H ]
Thumbs.db -> %UserDocuments%\My Pictures\Thumbs.db -> [Ver = | Size = 86016 bytes | Modified Date = 25/01/2007 15:40:46 | Attr = HS]
@Alternate Data Stream - 0 bytes -> %UserDocuments%\My Pictures\Thumbs.db:encryptable ->
Career Development Finance Ltd.2.doc -> %UserDocuments%\My Received Files\Career Development Finance Ltd.2.doc -> [Ver = | Size = 29696 bytes | Modified Date = 23/01/2007 09:20:40 | Attr = ]
Career Development Finance Ltd.doc -> %UserDocuments%\My Received Files\Career Development Finance Ltd.doc -> [Ver = | Size = 30208 bytes | Modified Date = 23/01/2007 09:19:20 | Attr = ]
HijackThis.zip -> %UserDocuments%\My Received Files\HijackThis.zip -> [Ver = | Size = 213344 bytes | Modified Date = 08/02/2007 15:59:08 | Attr = ]
McafeeRootkitDetective.zip -> %UserDocuments%\My Received Files\McafeeRootkitDetective.zip -> [Ver = | Size = 1400487 bytes | Modified Date = 08/02/2007 15:31:34 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Received Files\McafeeRootkitDetective.zip:Zone.Identifier ->
Questions_regarding_proposed_transfer_to_CMS.doc -> %UserDocuments%\My Received Files\Questions_regarding_proposed_transfer_to_CMS.doc -> [Ver = | Size = 31232 bytes | Modified Date = 19/01/2007 18:04:44 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Received Files\Questions_regarding_proposed_transfer_to_CMS.doc:Zone.Identifier ->
RegCureSetup_46.exe -> %UserDocuments%\My Received Files\RegCureSetup_46.exe -> [Ver = | Size = 989584 bytes | Modified Date = 08/02/2007 11:17:58 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Received Files\RegCureSetup_46.exe:Zone.Identifier ->
iTunes Library.itl -> %UserDocuments%\My Music\iTunes\iTunes Library.itl -> [Ver = | Size = 17546 bytes | Modified Date = 06/02/2007 12:22:54 | Attr = ]
iTunes Music Library.xml -> %UserDocuments%\My Music\iTunes\iTunes Music Library.xml -> [Ver = | Size = 11333 bytes | Modified Date = 06/02/2007 12:22:54 | Attr = ]
Cher - Heart Of Stone.MP3 -> %UserDocuments%\My Music\iTunes\iTunes Music\Cher\Unknown Album\Cher - Heart Of Stone.MP3 -> [Ver = | Size = 5122176 bytes | Modified Date = 31/01/2007 10:06:24 | Attr = ]
02 Kingston Town.m4a -> %UserDocuments%\My Music\iTunes\iTunes Music\UB40\The Very Best Of Ub40 (1980-2000)\02 Kingston Town.m4a -> [Ver = | Size = 51359 bytes | Modified Date = 21/01/2007 11:47:12 | Attr = ]
gtune553.mp3 -> %UserDocuments%\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album\gtune553.mp3 -> [Ver = | Size = 17996 bytes | Modified Date = 04/02/2007 16:02:30 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album\gtune553.mp3:Zone.Identifier ->
symlcrst.dll -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcrst.dll -> [Ver = | Size = 259570 bytes | Modified Date = 12/02/2007 17:08:58 | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 12/02/2007 17:05:46 | Attr = S]
hpoins01.dat -> %SystemRoot%\hpoins01.dat -> [Ver = | Size = 20475 bytes | Modified Date = 25/01/2007 15:07:54 | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1374 bytes | Modified Date = 30/01/2007 19:33:26 | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 12/02/2007 10:59:52 | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 940 bytes | Modified Date = 12/02/2007 17:13:58 | Attr = ]
WMSysPr9.prx -> %SystemRoot%\WMSysPr9.prx -> [Ver = | Size = 316640 bytes | Modified Date = 30/01/2007 19:32:40 | Attr = ]
945053D0.inf -> %System32%\945053D0.inf -> [Ver = | Size = 738 bytes | Modified Date = 01/02/2007 10:13:54 | Attr = ]
amcompat.tlb -> %System32%\amcompat.tlb -> [Ver = | Size = 16832 bytes | Modified Date = 30/01/2007 19:33:20 | Attr = ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT -> [Ver = | Size = 118952 bytes | Modified Date = 08/02/2007 11:33:48 | Attr = ]
nscompat.tlb -> %System32%\nscompat.tlb -> [Ver = | Size = 23392 bytes | Modified Date = 30/01/2007 19:33:20 | Attr = ]
nvapps.xml -> %System32%\nvapps.xml -> [Ver = | Size = 63804 bytes | Modified Date = 12/02/2007 17:05:56 | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 52880 bytes | Modified Date = 30/01/2007 14:47:40 | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 380658 bytes | Modified Date = 30/01/2007 14:47:40 | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 439552 bytes | Modified Date = 30/01/2007 14:47:40 | Attr = ]
Sexxxpassport.ico -> %System32%\Sexxxpassport.ico -> [Ver = | Size = 2238 bytes | Modified Date = 28/01/2007 19:27:24 | Attr = ]
u2g.f -> %System32%\u2g.f -> [Ver = | Size = 238 bytes | Modified Date = 12/02/2007 10:49:06 | Attr = ]
UBSauthenticateAXC.ocx -> %System32%\UBSauthenticateAXC.ocx -> [Ver = 1.0.13.0 | Size = 1224512 bytes | Modified Date = 28/01/2007 19:27:26 | Attr = ]
winiconmon.ico -> %System32%\winiconmon.ico -> [Ver = | Size = 22486 bytes | Modified Date = 28/01/2007 19:27:26 | Attr = ]
winiconmon.ico.bak0 -> %System32%\winiconmon.ico.bak0 -> [Ver = | Size = 22486 bytes | Modified Date = 28/01/2007 19:27:26 | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 13646 bytes | Modified Date = 11/02/2007 10:35:18 | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.5.0.1052 | Size = 76560 bytes | Modified Date = 08/02/2007 15:15:22 | Attr = ]

[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 0 bytes -> %AllUsersDocuments%\My Pictures\Sample Pictures\Thumbs.db:encryptable ->
@Alternate Data Stream - 0 bytes -> %AllUsersDocuments%\My Pictures\Sample Pictures\stacey\Thumbs.db:encryptable ->
@Alternate Data Stream - 114 bytes -> %AllUsersAppData%\TEMP:4B7BEAFF ->
@Alternate Data Stream - 0 bytes -> %AllUsersAppData%\Symantec\hpc:468323563 ->
@Alternate Data Stream - 26 bytes -> %UserDesktop%\winpfind3u.exe:Zone.Identifier ->
PEC2 , PECompact2 , -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.17.0 | Size = 308736 bytes | Modified Date = 11/02/2007 12:42:18 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\downloads\ABC-win32-v3.1.exe:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %UserDocuments%\downloads\iTunesSetup.exe:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %UserDocuments%\downloads\iview398.exe:Zone.Identifier ->
aspack , -> %UserDocuments%\downloads\iview398.exe -> [Ver = | Size = 905728 bytes | Modified Date = 01/11/2006 17:10:48 | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album\gtune553.mp3:Zone.Identifier ->
@Alternate Data Stream - 0 bytes -> %UserDocuments%\My Pictures\Thumbs.db:encryptable ->
WSUD , -> %UserDocuments%\My Pictures\egypt\egypt 047.jpg -> [Ver = | Size = 1367962 bytes | Modified Date = 05/01/2007 11:59:50 | Attr = ]
@Alternate Data Stream - 0 bytes -> %UserDocuments%\My Pictures\egypt\Thumbs.db:encryptable ->
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Received Files\McafeeRootkitDetective.zip:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Received Files\Questions_regarding_proposed_transfer_to_CMS.doc:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %UserDocuments%\My Received Files\RegCureSetup_46.exe:Zone.Identifier ->
UPX0 , -> %UserAppData%\.ABC\torrent\09 - The Best Of My Love.ape -> [Ver = | Size = 28187000 bytes | Modified Date = 26/10/2006 10:36:12 | Attr = ]
qoologic , SAHAgent , -> %UserAppData%\Lavasoft\Ad-Aware\description.ini -> [Ver = | Size = 134418 bytes | Modified Date = 06/02/2007 20:02:16 | Attr = ]
Thawte Consulting , -> %UserAppData%\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1 -> [Ver = | Size = 35187 bytes | Modified Date = 28/01/2007 19:27:20 | Attr = S]
USERTRUST , -> %UserAppData%\Microsoft\CryptnetUrlCache\Content\561F989D166B9195191D8592AEB81CDD -> [Ver = | Size = 1107 bytes | Modified Date = 16/11/2006 19:44:56 | Attr = S]
Thawte Consulting , -> %UserAppData%\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019 -> [Ver = | Size = 332918 bytes | Modified Date = 28/01/2007 19:27:20 | Attr = S]
File scan skipped for file %UserAppData%\Video DVD Maker PRO\chapter2.mpg -> File size too big (100167680 bytes) ->
Thawte Consulting , -> %CommonProgramFiles%\Java\Update\Base Images\jre1.5.0.b64\core3.zip -> [Ver = | Size = 3290841 bytes | Modified Date = 26/07/2006 02:34:02 | Attr = ]
USERTRUST , -> %CommonProgramFiles%\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_08.b03\patchjre.exe -> Sun Microsystems, Inc. [Ver = 1, 0, 0, 1 | Size = 4482680 bytes | Modified Date = 26/07/2006 02:34:04 | Attr = ]
USERTRUST , -> %CommonProgramFiles%\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_09.b03\patchjre.exe -> Sun Microsystems, Inc. [Ver = 1, 0, 0, 1 | Size = 4490872 bytes | Modified Date = 12/10/2006 02:41:58 | Attr = ]
USERTRUST , -> %CommonProgramFiles%\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_10.b03\patchjre.exe -> Sun Microsystems, Inc. [Ver = 1, 0, 0, 1 | Size = 4650616 bytes | Modified Date = 09/11/2006 15:38:38 | Attr = ]
WSUD , -> %CommonProgramFiles%\SpeechEngines\Microsoft\SR\1033\L1033.DLM -> [Ver = | Size = 9680237 bytes | Modified Date = 02/02/2001 13:31:58 | Attr = ]
WSUD , -> %System32%\ALSNDMGR.CPL -> Realtek Semiconductor Corp. [Ver = 2.2.0.44 | Size = 18726912 bytes | Modified Date = 18/05/2005 07:17:54 | Attr = R ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 28/02/2006 12:00:00 | Attr = ]
PEC2 , PECompact2 , -> %System32%\DivX.dll -> DivX, Inc. [Ver = 6.4.0.51 | Size = 635486 bytes | Modified Date = 12/12/2006 16:25:20 | Attr = ]
Thawte Consulting , -> %System32%\UBSauthenticateAXC.ocx -> [Ver = 1.0.13.0 | Size = 1224512 bytes | Modified Date = 28/01/2007 19:27:26 | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 28/02/2006 12:00:00 | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 28/02/2006 12:00:00 | Attr = ]
UPX! , FSG! , PEC2 , aspack , -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7,1,0,407 | Size = 778656 bytes | Modified Date = 20/10/2006 11:48:42 | Attr = ]

< End of report >

#11 rmonty

  • Topic Starter

Posted 13 February 2007 - 12:06 PM

Hi Guys,

Looks like you solved the problem, I have had no more issues in the last day.

thanks again

#12 Papakid

    Guru at being a Newbie

  • Malware Response Team

Posted 13 February 2007 - 12:32 PM

Hey rmonty,

You're welcome and thanks for submitting those files. You can delete them from your system along with this one:

C:\WINDOWS\system32\winiconmon.ico.bak0

Sorry I haven't gotten back to you sooner--I was intending to answer you last night and got suddenly ill. There are still some other things to do so hold on for a few til I wrap up some other business or miekiemoes may want to continue your help.

Could you tell me if you found that link in your Start Menu I asked you to look for?

Also it looks as if you have two antivirus programs running at the same time, which is a bad idea. But I see you have Ghost installed so it is hard to tell. In any event I would like to see a list of installed programs so please do the following:

Open HijackThis.

If you still have the New Users Quickstart screen enabled, click Open Misc Tools Section.
If you just have the regular opening screen, click the Config... button then the Misc Tools button.

Now click the Open Uninstall Manager button, then the Save List button. Save the list somewhere convenient like My Documents and then the list will open in Notepad. Copy and Paste that list into your next reply to this post.


#13 rmonty

  • Topic Starter

Posted 15 February 2007 - 04:03 AM

Hi Papakid,

I have deleted the .bak0 file as required, and there is no icon of your description in my Start Menu or in any of the programs.
Here is the list of installed data on my PC. Yes, I do have Norton Ghost installed, will that cause a problem?

ABC (remove only)
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
Adobe® Photoshop® Album Starter Edition 3.0
Apple Software Update
AVG Free Edition
BugOff 1.10
Championship Manager 2006
Cucusoft MPEG to DVD Burner 3.11
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
ewido anti-spyware 4.0
Express Burn
GameShadow
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 2170 series
hp psc 2170 series
InterVideo WinDVD
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
K-Lite Codec Pack 2.81 Full
LimeWire 4.12.6
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Magic CD/DVD Burner (C/C++) v1.20
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
MySpaceIM
Nero Suite
Norton Ghost 10.0
NVIDIA Drivers
PCI SoftV92 Modem
QuickTime
Realtek AC'97 Audio
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Spybot - Search & Destroy 1.4
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip


cheers



