AfterDawn Forums > Windows - virus and spyware problems
KotaGuy please would you help virus/trojan

ozsurfie (Suspended due to non-functional email address)
21. February 2007 @ 17:24
I have had strange things happening since I inadvertently opened an email that had a link supposedly to the Australian newspaper; it is reportedly carrying a trojan. It may be coincidence, but since then all sorts of weird and wonderful things have been happening. I am wary of checking online banking in case there is a keystroke logger, as reported in it. If anyone can check the HijackThis log and advise, I would be most grateful - cheers

Logfile of HijackThis v1.99.1
Scan saved at 1:14:21 PM, on 22/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\Personal firewall 4\kpf4ss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal firewall 4\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal firewall 4\kpf4gui.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
D:\Program Files\ca pestcontrol\PPActiveDetection.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Maximizer\MxAlarm.exe
C:\Program Files\Maximizer\MxFinder.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Stuart\Desktop\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: iiBar - {8AA99D86-978D-4963-A845-24AF39FB0CF2} - C:\Program Files\iiBar\iiBar.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "D:\Program Files\ca pestcontrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [DVD43] D:\PROGRA~1\DVDREG~1\DVDRegionFree.exe /hidden
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe
O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{508E4915-A314-4CB7-A874-7DE57659CAAE}: NameServer = 203.0.178.191
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal firewall 4\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

KotaGuy (Member)
22. February 2007 @ 03:55
Hi ozsurfie... don't see anything bad in your HijackThis log.

What kind of things are going on with your computer that make you suspect an infection?

ozsurfie (Suspended due to non-functional email address)
22. February 2007 @ 04:19
I've run everything that you suggest in various of your threads and removed anything that comes up.
The reason I think something might be there is that I opened an email that contained a story, reportedly from a national paper, that the Oz PM had had a heart attack. The link, it was reported later in the day, led to a trojan. Since then PG2, even when no download etc. is taking place, goes off with a range of IP addresses listed as IBM Corporation, which made me think that something inside was trying to "dial home".
When I checked Task Manager the only thing using any amount of CPU was Explorer.exe, which when you Google it gives you all sorts of stories,
so there you go - I could just be paranoid :) I will defer to your expertise!! Look forward to receiving your thoughts.

KotaGuy (Member)
22. February 2007 @ 05:43
Ok.... I hesitate to say you're infected... especially seeing as how you are running NOD32. Along with Kaspersky... it's one of the best AVs out there... in my opinion anyway.

But we can take a deeper look into your system just to make sure.

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

1. Close ALL OTHER PROGRAMS.
2. Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
3. Now click the Run Scan button on the toolbar.
4. The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
5. When the scan is complete, Notepad will open with the report file loaded in it.
6. Click the Format menu and make sure that Word Wrap is not checked. If it is, then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

ozsurfie (Suspended due to non-functional email address)
22. February 2007 @ 10:53
Many thanks - when you say a long time, are you talking hours??? I have to go to the airport soon for a flight, so I might pick this up when I get back.
Hope you can help me then.
Thanks again

KotaGuy (Member)
22. February 2007 @ 15:39
It shouldn't take hours to complete... but if you need to head out... just do the scan when you get back.

kateman (Senior Member)
22. February 2007 @ 21:54
@ozsurfie: I'm pretty sure you're not infected with a dialer.

as for your HijackThis log...

I'm sus as to this entry. Do you know IP address 203.0.178.191? If not, delete this:

O17 - HKLM\System\CCS\Services\Tcpip\..\{508E4915-A314-4CB7-A874-7DE57659CAAE}: NameServer = 203.0.178.191


Delete these as they'll make your internet faster:

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll

O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll



help the monkeys are attacking me! dont worry, i fed the monkeys a banana, so now their off fighting a cat. i like the snow but the rain burns my skin. i can build a fort but thefhsfhkfnkjdsfikdgkjnbgjk...

kateman (Senior Member)
22. February 2007 @ 21:55
@kotaguy: since when has Kaspersky been a good scanner?


KotaGuy (Member)
23. February 2007 @ 04:12
@Kateman - That O17 is his ISP... so he doesn't need to fix that.

The O2's and O3's... I don't think fixing them would make much of a difference to the speed of his internet connection. It may make a tiny bit of difference in how fast web pages are rendered... but his connection speed would remain the same.

And, in my opinion (and many others'), Kaspersky and NOD32 have been two of the best AVs out there for the past couple of years. Their detection rates for malware are tops and they are both super fast to add signatures/definitions for new or 0-day stuff.

Myself, along with others who are considered experts on the various malware-related forums, work very closely with them and other vendors at a private forum, ripping apart malware and getting their definition files updated as quickly as possible.

Though there are other very good AV's out there... I consider KAV and NOD32 to be the best.

kateman (Senior Member)
23. February 2007 @ 13:15
Quote:
That O17 is his ISP
No it's not. I've never seen an ISP in a HijackThis log.
People have quite safely deleted them before.


KotaGuy (Member)
23. February 2007 @ 14:51
Yes... it is his ISP. In the literally thousands of HijackThis logs I've done over about 4 years... I've seen many ISP entries (mainly DNS servers) show up as O17's.

WhoIs for 203.0.178.191...

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 203.0.178.0 - 203.0.178.255
netname: IINET-TECH-AU
descr: iiNet Limited
descr: Level 6, Durack Centre
descr: 263 Adelaide Terrace
descr: Perth WA 6000
country: AU
admin-c: NO20-AP
tech-c: NO20-AP
mnt-by: APNIC-HM
status: ALLOCATED PORTABLE
changed: ******@aunic.net 19950811
changed: **************@apnic.net 20010525

changed: **********@apnic.net 20041224
source: APNIC

person: Network Operations
nic-hdl: NO20-AP
e-mail: ***********@staff.iinet.net.au
address: iiNet Limited
address: Level 6, Durack Centre
address: 263 Adelaide Terrace
address: Perth WA 6000
phone: +61 8 9214 2222
fax-no: +61 8 9214 2211
country: AU
changed: ****@staff.iinet.net.au 20061117
mnt-by: MAINT-AU-IINET
source: APNIC

http://www.iinet.net.au/

203.0.178.191 resolves to dns.iinet.net.au

It's his ISP's DNS server.
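A check for the O17 question argued over above, added here as an example that is not part of the thread and not HijackThis's own code: it parses O17 NameServer lines from a HijackThis log and compares each address with the inetnum the whois output reports for iiNet (203.0.178.0 - 203.0.178.255), flagging private, loopback and unrecognised public addresses separately. The sample log is constructed from the one O17 line in ozsurfie's log plus two made-up lines; KNOWN_ISP_RANGES and the function names are this example's own, and 8.8.8.8/8.8.4.4 stand in for a public resolver the reviewer has not yet looked up.

```python
import ipaddress
import re

# Constructed sample: the real O17 line from ozsurfie's HijackThis log, plus two
# made-up O17 lines (a router address and a pair of public resolvers) so that
# each branch of classify() is exercised.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
O17 - HKLM\System\CCS\Services\Tcpip\..\{508E4915-A314-4CB7-A874-7DE57659CAAE}: NameServer = 203.0.178.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-1111-1111-1111-111111111111}: NameServer = 8.8.8.8,8.8.4.4
"""

# Ranges a reviewer has already confirmed belong to the user's ISP. The single
# entry here is the APNIC inetnum 203.0.178.0 - 203.0.178.255 (IINET-TECH-AU)
# quoted in the thread; the dictionary itself is an assumption of this example.
KNOWN_ISP_RANGES = {
    "iiNet Limited (IINET-TECH-AU)": [ipaddress.ip_network("203.0.178.0/24")],
}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Yield (registry key, [address, ...]) for every O17 NameServer line.

    HijackThis lists several resolvers on one line separated by commas; split on
    commas, semicolons or whitespace so each address is judged on its own.
    """
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if match:
            servers = [s for s in re.split(r"[,;\s]+", match.group("servers")) if s]
            yield match.group("key"), servers


def classify(address_text):
    """Return a short verdict for one NameServer address."""
    try:
        ip = ipaddress.ip_address(address_text)
    except ValueError:
        return "invalid address - entry is malformed, review by hand"
    if ip.is_loopback:
        return "loopback - a local DNS proxy or a redirect, investigate"
    if ip.is_multicast or ip.is_reserved:
        return "multicast/reserved - not a usable resolver, investigate"
    if ip.is_private:
        return "private range - typically the home router or a LAN DNS server"
    for owner, networks in KNOWN_ISP_RANGES.items():
        if any(ip in net for net in networks):
            return f"known ISP range: {owner}"
    return "public address outside known ISP ranges - confirm with whois before fixing"


def triage(log_text):
    """Map every NameServer address found in O17 lines to its verdict."""
    return {addr: classify(addr) for _, servers in parse_o17(log_text) for addr in servers}


if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_LOG).items():
        print(f"{addr:16} {verdict}")
```

Run as a script it prints one verdict per address. An address outside the known ranges is a reason to look it up with whois, as KotaGuy did, not by itself a reason to fix the entry; a resolver in a range the ISP does not own is the case worth worrying about.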

kateman (Senior Member)
23. February 2007 @ 18:27
:P


KotaGuy (Member)
23. February 2007 @ 19:03
;)

ozsurfie (Suspended due to non-functional email address)
28. February 2007 @ 04:33
Hi KotaGuy,
Just got back off the plane and the first thing I wanted to do was run these tasks you set - I didn't delete any of those other lines, as you suggested it wouldn't help.

When I first turned on the computer and it connected up to my ISP, PG2 started going crazy again - Firefox wasn't connected, but here are a few examples of what was reported. That's why I suspect something is going on, because as far as I understood (and please correct me if I am talking rubbish :)) PG2 stops outward connections from your computer to others, so something had to be trying to "phone home"??

IBM corp 10.255.255.255.137 or 138
Moodys 141.161.20.33.8080

and they seem to be coming from my ports 137 or 138 and 52035 or 1153 through to 1171,

if that makes sense??

Thanks for your help

KotaGuy (Member)
28. February 2007 @ 04:41
Could be something going on that HjT hasn't detected.

Post the WinPFInd3 log when you can.

Thanks.
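One way to sort the PG2 alerts ozsurfie quoted above, added here as an example that is not part of the thread and not PeerGuardian's own code: it parses PG2's "a.b.c.d.port" notation and separates packets to private or broadcast addresses (which a blocklist label such as "IBM corp" cannot actually describe, since RFC 1918 space is not assigned to any organisation on the public internet) from outbound connections to public hosts, which are the ones worth tying to a process. The alert tuples are constructed from the post; the function names and the NetBIOS port table are this example's own.

```python
import ipaddress

# Well-known NetBIOS-over-TCP/IP ports used by Windows file and printer sharing.
NETBIOS_PORTS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
}

# Constructed from ozsurfie's post: (blocklist label, destination written the way
# PG2 shows it with the port after a fifth dot, local source port).
SAMPLE_ALERTS = [
    ("IBM corp", "10.255.255.255.137", 137),
    ("IBM corp", "10.255.255.255.138", 138),
    ("Moodys", "141.161.20.33.8080", 1153),
]


def split_ip_port(text):
    """Turn PG2's 'a.b.c.d.port' notation into (IPv4Address, port)."""
    parts = text.split(".")
    if len(parts) != 5:
        raise ValueError(f"expected a.b.c.d.port, got {text!r}")
    return ipaddress.IPv4Address(".".join(parts[:4])), int(parts[4])


def classify_alert(label, dst_text, src_port):
    """Return (category, explanation) for one blocked packet."""
    dst, dst_port = split_ip_port(dst_text)
    if dst.is_private:
        # RFC 1918 space is never routed on the public internet, so a blocklist
        # label naming a company cannot describe where this packet was going.
        if dst_port in NETBIOS_PORTS and str(dst).endswith(".255"):
            # A last octet of 255 is a heuristic for a broadcast; the real
            # subnet mask is not known from the alert alone.
            return ("local-noise",
                    f"{NETBIOS_PORTS[dst_port]} broadcast to {dst}: Windows LAN chatter; "
                    f"label '{label}' does not apply to a private address")
        return ("local",
                f"packet to private address {dst}:{dst_port}; label '{label}' does not apply")
    if dst_port in NETBIOS_PORTS:
        return ("investigate",
                f"{NETBIOS_PORTS[dst_port]} to public host {dst}: NetBIOS should not leave the LAN")
    return ("attribute",
            f"outbound to {dst}:{dst_port} from local port {src_port}; identify the owning "
            f"process (netstat -ano on Windows XP) before drawing conclusions")


def triage_alerts(alerts):
    """Classify a list of alert tuples, keeping unparsable ones visible."""
    results = []
    for label, dst_text, src_port in alerts:
        try:
            results.append(classify_alert(label, dst_text, src_port))
        except ValueError as err:
            results.append(("unparsed", str(err)))
    return results


if __name__ == "__main__":
    for category, why in triage_alerts(SAMPLE_ALERTS):
        print(f"[{category}] {why}")
```

The two port 137/138 alerts come out as local broadcast noise; only the 141.161.20.33:8080 line is an outbound connection to a public host, and the useful next step for that one is finding which process owns the local socket rather than trusting the blocklist label.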

ozsurfie (Suspended due to non-functional email address)
28. February 2007 @ 15:42
Here is the log as requested - I am in admiration of your ability even to decipher all of this, so my thanks for your time. I changed to Comodo Firewall - one of your recommendations - but it keeps blocking my Outlook email. Another thing it keeps reporting is that DVD Region Free is adding dvdsys.dll to the program, and Comodo says that it could be used by hijackers - any logic in that? And any idea why it is trying to use so many programs??

thanks


WinPFind3 logfile created on: 1/03/2007 11:28:09 AM
WinPFind3U by OldTimer - Version 1.0.19 Folder = C:\Documents and Settings\Stuart\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

1047340 Kb Total Physical Memory | 595976 Kb Available Physical Memory | 56.90% Memory free
1735536 Kb Paging File | 1445600 Kb Available in Paging File | 83.29% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39070048 Kb Total Space | 8510596 Kb Free Space | 21.78% Space Free
Drive D: | 117218240 Kb Total Space | 13008296 Kb Free Space | 11.10% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded


[Processes - Non-Microsoft Only]
cmdagent.exe -> %ProgramFiles%\Comodo\Firewall\cmdagent.exe -> COMODO [Ver = 2.4.0.20 | Size = 361040 bytes | Modified Date = 22/02/2007 2:23:12 PM | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 29/09/2006 12:13:20 AM | Attr = ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.4.2 | Size = 323584 bytes | Modified Date = 23/02/2006 4:45:06 PM | Attr = ]
ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.4.2 | Size = 278528 bytes | Modified Date = 23/02/2006 4:45:20 PM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.5.0_11\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 75520 bytes | Modified Date = 15/12/2006 3:23:28 AM | Attr = ]
lexbces.exe -> %System32%\LEXBCES.EXE -> Lexmark International, Inc. [Ver = 7.4 | Size = 299008 bytes | Modified Date = 15/08/2002 8:26:26 PM | Attr = ]
lexpps.exe -> %System32%\LEXPPS.EXE -> Lexmark International, Inc. [Ver = 7.4 | Size = 174592 bytes | Modified Date = 15/08/2002 8:26:26 PM | Attr = ]
msgplus.exe -> %ProgramFiles%\Messenger Plus! 3\MsgPlus.exe -> Patchou [Ver = 3, 62, 0, 146 | Size = 190024 bytes | Modified Date = 7/02/2006 10:31:50 PM | Attr = ]
nod32krn.exe -> %ProgramFiles%\ESET\nod32krn.exe -> Eset [Ver = 2, 50, 25 | Size = 495616 bytes | Modified Date = 5/07/2005 7:27:12 AM | Attr = ]
nod32kui.exe -> %ProgramFiles%\ESET\nod32kui.exe -> Eset [Ver = 2, 50, 25 | Size = 917504 bytes | Modified Date = 5/07/2005 7:27:12 AM | Attr = ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.5216 | Size = 81920 bytes | Modified Date = 6/10/2003 2:16:00 PM | Attr = ]
ppactivedetection.exe -> D:\Program Files\ca pestcontrol\PPActiveDetection.exe -> Computer Associates [Ver = 5, 0, 0, 0 | Size = 106496 bytes | Modified Date = 27/09/2004 7:09:06 AM | Attr = ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3510 | Size = 180269 bytes | Modified Date = 18/08/2006 5:52:40 PM | Attr = ]
servicelayer.exe -> %ProgramFiles%\PC Connectivity Solution\ServiceLayer.exe -> Nokia. [Ver = 6, 82, 69, 3 | Size = 210432 bytes | Modified Date = 6/11/2006 2:21:10 PM | Attr = ]
w3dbsmgr.exe -> %SystemDrive%\PVSW\Bin\w3dbsmgr.exe -> [Ver = | Size = 106546 bytes | Modified Date = 9/06/2005 10:16:34 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.19.0 | Size = 310784 bytes | Modified Date = 25/02/2007 7:40:22 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> [Ver = 2.41.000 | Size = 68096 bytes | Modified Date = 7/12/2005 10:08:28 AM | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 29/09/2006 12:13:20 AM | Attr = ]
(CmdAgent) Comodo Application Agent [Win32_Own | Auto | Running] -> %ProgramFiles%\Comodo\Firewall\cmdagent.exe -> COMODO [Ver = 2.4.0.20 | Size = 361040 bytes | Modified Date = 22/02/2007 2:23:12 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 4/08/2004 12:56:50 AM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/04/2005 12:41:10 AM | Attr = ]
(iPodService) iPodService [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.4.2 | Size = 323584 bytes | Modified Date = 23/02/2006 4:45:06 PM | Attr = ]
(LexBceS) LexBce Server [Win32_Own | Auto | Running] -> %System32%\LEXBCES.EXE -> Lexmark International, Inc. [Ver = 7.4 | Size = 299008 bytes | Modified Date = 15/08/2002 8:26:26 PM | Attr = ]
(NOD32krn) NOD32 Kernel Service [Win32_Own | Auto | Running] -> %ProgramFiles%\ESET\nod32krn.exe -> Eset [Ver = 2, 50, 25 | Size = 495616 bytes | Modified Date = 5/07/2005 7:27:12 AM | Attr = ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.5216 | Size = 81920 bytes | Modified Date = 6/10/2003 2:16:00 PM | Attr = ]
(ServiceLayer) ServiceLayer [Win32_Own | On_Demand | Running] -> %ProgramFiles%\PC Connectivity Solution\ServiceLayer.exe -> Nokia. [Ver = 6, 82, 69, 3 | Size = 210432 bytes | Modified Date = 6/11/2006 2:21:10 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 50 | Size = 6266880 bytes | Modified Date = 7/10/2006 10:20:00 PM | Attr = ]
Adobe Photo Downloader -> %ProgramFiles%\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe -> Adobe Systems Incorporated [Ver = 3.0.0.49815 | Size = 57344 bytes | Modified Date = 6/06/2005 11:46:24 PM | Attr = ]
COMODO firewall Pro -> %ProgramFiles%\Comodo\Firewall\cpf.exe -> COMODO [Ver = 2.4.0.58 | Size = 1115728 bytes | Modified Date = 22/02/2007 2:23:12 PM | Attr = ]
DAEMON Tools-1033 -> %ProgramFiles%\D-Tools\daemon.exe -> DAEMON'S HOME [Ver = 3.44.0.0 | Size = 81920 bytes | Modified Date = 27/12/2003 8:43:26 PM | Attr = ]
DVD43 -> D:\Program Files\DVD Region+CSS Free\DVDRegionFree.exe -> Fengtao Software Inc. [Ver = 5, 9, 6, 85 | Size = 267264 bytes | Modified Date = 1/05/2006 11:54:00 AM | Attr = ]
eTrust PestPatrol Active Protection -> D:\Program Files\ca pestcontrol\PPActiveDetection.exe -> Computer Associates [Ver = 5, 0, 0, 0 | Size = 106496 bytes | Modified Date = 27/09/2004 7:09:06 AM | Attr = ]
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.4.2 | Size = 278528 bytes | Modified Date = 23/02/2006 4:45:20 PM | Attr = ]
MessengerPlus3 -> %ProgramFiles%\Messenger Plus! 3\MsgPlus.exe -> Patchou [Ver = 3, 62, 0, 146 | Size = 190024 bytes | Modified Date = 7/02/2006 10:31:50 PM | Attr = ]
NeroFilterCheck -> %System32%\NeroCheck.exe -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 9/07/2001 10:50:42 AM | Attr = ]
nod32kui -> %ProgramFiles%\ESET\nod32kui.exe -> Eset [Ver = 2, 50, 25 | Size = 917504 bytes | Modified Date = 5/07/2005 7:27:12 AM | Attr = ]
NvCplDaemon -> %System32%\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.5216 | Size = 5058560 bytes | Modified Date = 6/10/2003 2:16:00 PM | Attr = ]
nwiz -> %System32%\nwiz.exe -> NVIDIA Corporation [Ver = 6.14.10.5216 | Size = 741376 bytes | Modified Date = 6/10/2003 2:16:00 PM | Attr = ]
PCSuiteTrayApplication -> %ProgramFiles%\Nokia\Nokia PC Suite 6\LaunchApplication.exe -> Nokia [Ver = 6, 82, 70, 1 | Size = 222208 bytes | Modified Date = 8/11/2006 1:27:54 PM | Attr = ]
Ptipbmf -> %System32%\ptipbmf.dll [rundll32.exe ptipbmf.dll,SetWriteCacheMode] -> [Ver = 1, 0, 0, 2 | Size = 118784 bytes | Modified Date = 5/06/2003 4:49:36 PM | Attr = R ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1 | Size = 282624 bytes | Modified Date = 21/05/2006 12:59:50 PM | Attr = ]
SoundMan -> %SystemRoot%\SOUNDMAN.EXE -> Realtek Semiconductor Corp. [Ver = 5.1.0.27 | Size = 67072 bytes | Modified Date = 14/05/2004 3:47:18 PM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_11\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 75520 bytes | Modified Date = 15/12/2006 3:23:28 AM | Attr = ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3510 | Size = 180269 bytes | Modified Date = 18/08/2006 5:52:40 PM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C:\Program Files\NetMeter\NetMeter.exe -> %ProgramFiles%\NetMeter\NetMeter.exe -> [Ver = | Size = 266240 bytes | Modified Date = 4/03/2004 2:47:30 PM | Attr = ]
MessengerPlus3 -> %ProgramFiles%\Messenger Plus! 3\MsgPlus.exe -> Patchou [Ver = 3, 62, 0, 146 | Size = 190024 bytes | Modified Date = 7/02/2006 10:31:50 PM | Attr = ]
PeerGuardian -> %ProgramFiles%\PeerGuardian2\pg2.exe -> Methlabs [Ver = 1, 0, 6, 4 | Size = 1421824 bytes | Modified Date = 18/09/2005 6:40:42 PM | Attr = ]
Skype -> %ProgramFiles%\Skype\Phone\Skype.exe -> [Ver = | Size = 20058152 bytes | Modified Date = 13/10/2006 5:20:08 PM | Attr = ]
updateMgr -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe -> Adobe Systems Incorporated [Ver = 3.1.0.10 | Size = 313472 bytes | Modified Date = 30/03/2006 4:45:08 PM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\Adobe Gamma Loader.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 4/11/1999 3:06:48 PM | Attr = ]
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 24/09/2005 4:05:26 PM | Attr = ]
%AllUsersStartup%\MaxAlarm.lnk -> %ProgramFiles%\Maximizer\MxAlarm.exe -> Maximizer Software Inc. [Ver = 9.0.1604.620 | Size = 147456 bytes | Modified Date = 6/02/2006 4:04:00 PM | Attr = ]
%AllUsersStartup%\MaxFinder.lnk -> %ProgramFiles%\Maximizer\MxFinder.exe -> Maximizer Software Inc. [Ver = 9.0.1604.620 | Size = 274432 bytes | Modified Date = 6/02/2006 4:04:00 PM | Attr = ]
%AllUsersStartup%\Pervasive.SQL Workgroup Engine.lnk -> %SystemDrive%\PVSW\Bin\w3dbsmgr.exe -> [Ver = | Size = 106546 bytes | Modified Date = 9/06/2005 10:16:34 PM | Attr = ]
< User Startup > -> C:\Documents and Settings\Stuart\Start Menu\Programs\Startup
%UserStartup%\HotSync Manager.lnk -> %SystemDrive%\Palm\HOTSYNC.EXE -> Palm, Inc. [Ver = 4.0.4 | Size = 299008 bytes | Modified Date = 22/04/2003 3:46:44 PM | Attr = ]
< File Associations > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.hta [@ = htafile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20} ->
.html [@ = FirefoxHTML] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20} ->
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found ->
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found ->
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found ->
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found ->
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found ->
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found ->
< Registry Shell Spawning > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
batfile [open] -> "%1" %* ->
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
cmdfile [open] -> "%1" %* ->
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
comfile [open] -> "%1" %* ->
cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8453632 bytes | Modified Date = 20/12/2006 7:52:18 AM | Attr = ]
exefile [open] -> "%1" %* ->
htafile [open] -> %System32%\mshta.exe "%1" %* -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 29184 bytes | Modified Date = 4/08/2004 12:56:54 AM | Attr = ]
htmlfile [edit] -> Reg Data - Key not found ->
htmlfile [open] -> "%ProgramFiles%\Internet Explorer\iexplore.exe" -nohome -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 93184 bytes | Modified Date = 4/08/2004 12:56:52 AM | Attr = ]
htmlfile [opennew] -> "%ProgramFiles%\Internet Explorer\iexplore.exe" %1 -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 93184 bytes | Modified Date = 4/08/2004 12:56:52 AM | Attr = ]
htmlfile [print] -> rundll32.exe %SystemRoot%\System32\mshtml.dll,PrintHTML "%1" -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 3062272 bytes | Modified Date = 5/01/2007 12:05:30 AM | Attr = ]
http [open] -> %SystemDrive%\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" -requestPending -> Mozilla Corporation [Ver = 1.8.1.2: 2007021917 | Size = 7633008 bytes | Modified Date = 1/03/2007 10:14:28 AM | Attr = ]
https [open] -> %SystemDrive%\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" -requestPending -> Mozilla Corporation [Ver = 1.8.1.2: 2007021917 | Size = 7633008 bytes | Modified Date = 1/03/2007 10:14:28 AM | Attr = ]
inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 33280 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
InternetShortcut [open] -> rundll32.exe shdocvw.dll,OpenURL %l -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 1498112 bytes | Modified Date = 5/01/2007 12:05:30 AM | Attr = ]
InternetShortcut [print] -> rundll32.exe %SystemRoot%\System32\mshtml.dll,PrintHTML "%1" -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 3062272 bytes | Modified Date = 5/01/2007 12:05:30 AM | Attr = ]
jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 4/08/2004 12:56:58 AM | Attr = ]
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 4/08/2004 12:56:58 AM | Attr = ]
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
piffile [open] -> "%1" %* ->
regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
regfile [open] -> regedit.exe "%1" -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 146432 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
regfile [merge] -> Reg Data - Key not found ->
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
scrfile [config] -> "%1" ->
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 135168 bytes | Modified Date = 4/08/2004 12:56:58 AM | Attr = ]
scrfile [open] -> "%1" /S ->
txtfile [edit] -> Reg Data - Key not found ->
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 4/08/2004 12:56:58 AM | Attr = ]
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 4/08/2004 12:56:58 AM | Attr = ]
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 4/08/2004 12:56:58 AM | Attr = ]
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 4/08/2004 12:56:56 AM | Attr = ]
wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 4/08/2004 12:56:58 AM | Attr = ]
Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8453632 bytes | Modified Date = 20/12/2006 7:52:18 AM | Attr = ]
Directory [find] -> %SystemRoot%\Explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Modified Date = 4/08/2004 12:56:50 AM | Attr = ]
Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Modified Date = 4/08/2004 12:56:50 AM | Attr = ]
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Modified Date = 4/08/2004 12:56:50 AM | Attr = ]
Drive [find] -> %SystemRoot%\Explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Modified Date = 4/08/2004 12:56:50 AM | Attr = ]
Applications\iexplore.exe [open] -> "%ProgramFiles%\Internet Explorer\iexplore.exe" %1 -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 93184 bytes | Modified Date = 4/08/2004 12:56:52 AM | Attr = ]
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "%ProgramFiles%\Internet Explorer\iexplore.exe" -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 93184 bytes | Modified Date = 4/08/2004 12:56:52 AM | Attr = ]
< ActiveX StubPath [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -> ->
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> ->
{2C7339CF-2B09-4501-B3F3-F3508C9228ED} -> %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ->
{44BBA840-CC51-11CF-AAFA-00AA00B6015C} -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install ->
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT ->
{4b218e3e-bc98-4770-93d3-2731b9329278} -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf ->
{5945c046-1e7d-11d1-bc44-00c04fd912be} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser ->
{6BF52A52-394A-11d3-B153-00C04F79FAA6} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub ->
{73FA19D0-2D75-11D2-995D-00C04F98BBC9} -> ->
{7790769C-0471-11d2-AF11-00C04FA35D02} -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install ->
{89820200-ECBD-11cf-8B85-00AA005B4340} -> regsvr32.exe /s /n /i:U shell32.dll ->
{89820200-ECBD-11cf-8B85-00AA005B4383} -> %SystemRoot%\system32\ie4uinit.exe ->
{89B4C1CD-B018-4511-B0A1-5476DBF70820} -> C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install ->
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> C:\WINDOWS\inf\unregmp2.exe /ShowWMP ->
>{26923b43-4d38-484f-9b9e-de460746276c} -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE ->
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS -> RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP ->
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE ->
< WOW Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
cmdline -> %SystemRoot%\system32\ntvdm.exe ->
wowcmdline -> %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386 ->
< Session Manager Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute -> autocheck autochk *; ->
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 73728 bytes | Modified Date = 29/09/2006 12:13:28 AM | Attr = ]
{93994DE8-8239-4655-B1D1-5F4E91300429} [HKLM] -> D:\Program Files\DVD Region+CSS Free\DVDShell.dll [] -> Fengtao Software Inc. [Ver = 5, 5, 0, 8 | Size = 49152 bytes | Modified Date = 9/10/2004 2:18:02 AM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
Control_RunDLL -> -> File not found
< Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
< Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\ -> ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions\ -> ->
< Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\
0 -> [Key] ->
0 -> FriendlyName = My Current Home Page ->
0 -> Source = About:Home ->
0 -> SubscribedURL = About:Home ->
< HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll...B_PVER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Local Page -> C:\WINDOWS\System32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> http://ninemsn.com.au/ ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.7.2006011200 | Size = 63128 bytes | Modified Date = 12/01/2006 8:38:22 PM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_11\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 440056 bytes | Modified Date = 15/12/2006 3:23:24 AM | Attr = ]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{8AA99D86-978D-4963-A845-24AF39FB0CF2} [HKLM] -> %ProgramFiles%\iiBar\iiBar.dll [iiBar] -> Polymorpheus [Ver = 2.0.15.21 | Size = 240128 bytes | Modified Date = 5/09/2006 9:26:42 PM | Attr = ]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2005, 8, 4, 2 | Size = 343112 bytes | Modified Date = 4/08/2005 9:54:42 PM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{8AA99D86-978D-4963-A845-24AF39FB0CF2} [HKLM] -> %ProgramFiles%\iiBar\iiBar.dll [iiBar] -> Polymorpheus [Ver = 2.0.15.21 | Size = 240128 bytes | Modified Date = 5/09/2006 9:26:42 PM | Attr = ]
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2005, 8, 4, 2 | Size = 343112 bytes | Modified Date = 4/08/2005 9:54:42 PM | Attr = ]
< Internet Explorer CmdMapping [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -> 8197 - Sun Java Console ->
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> 8194 - Reg Data - Value does not exist ->
{A75C6120-9B36-11d4-A3F0-009027427750} -> 8195 - Reg Data - Key not found ->
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -> 8196 - Reg Data - Key not found ->
{FB5F1910-F110-11d2-BB9E-00C04F795683} -> 8193 - Windows Messenger ->
NextId -> 8198 ->
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_11\bin\npjpi150_11.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 75528 bytes | Modified Date = 15/12/2006 3:23:26 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.5.0_11\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 440056 bytes | Modified Date = 15/12/2006 3:23:24 AM | Attr = ]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
E&xport to Microsoft Excel -> -> File not found
< Approved Shell Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{0DF44EAA-FF21-4412-828E-260A8728E7F1} [HKLM] -> Reg Data - Key not found [Taskbar and Start Menu] -> File not found
{1CDB2949-8F65-4355-8456-263E7C208A5D} [HKLM] -> %System32%\nvshell.dll [Desktop Explorer] -> NVIDIA Corporation [Ver = 6.14.10.5216 | Size = 430152 bytes | Modified Date = 6/10/2003 2:16:00 PM | Attr = ]
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} [HKLM] -> %System32%\nvshell.dll [Desktop Explorer Menu] -> NVIDIA Corporation [Ver = 6.14.10.5216 | Size = 430152 bytes | Modified Date = 6/10/2003 2:16:00 PM | Attr = ]
{1E9B04FB-F9E5-4718-997B-B8DA88302A48} [HKLM] -> %System32%\nvshell.dll [nView Desktop Context Menu] -> NVIDIA Corporation [Ver = 6.14.10.5216 | Size = 430152 bytes | Modified Date = 6/10/2003 2:16:00 PM | Attr = ]
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Media Band] -> File not found
{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A} [HKLM] -> %ProgramFiles%\Nokia\Nokia PC Suite 6\PhoneBrowser.dll [PhoneBrowser] -> Nokia [Ver = 6, 82, 63, 9 | Size = 566784 bytes | Modified Date = 10/11/2006 9:29:30 AM | Attr = ]
{42071714-76d4-11d1-8b24-00a0c9068ff3} [HKLM] -> deskpan.dll [Display Panning CPL Extension] -> File not found
{4EB37360-49E8-11D3-95B5-004033382980} [HKLM] -> %ProgramFiles%\ESTsoft\ALZip\AZCTM.dll [ALZip 4.0 Context Menu Shell Extension] -> ESTsoft [Ver = 5.11.17.38 | Size = 167936 bytes | Modified Date = 18/11/2005 8:52:18 AM | Attr = ]
{764BF0E1-F219-11ce-972D-00AA00A14F56} [HKLM] -> Reg Data - Key not found [Shell extensions for file compression] -> File not found
{7A9D77BD-5403-11d2-8785-2E0420524153} [HKLM] -> Reg Data - Key not found [User Accounts] -> File not found
{7F1CF152-04F8-453A-B34C-E609530A9DC8} [HKLM] -> %CommonProgramFiles%\Ahead\Lib\NeroDigitalExt.dll [NeroDigitalPropSheetHandler] -> Nero AG [Ver = 1.1.1.1 | Size = 1515520 bytes | Modified Date = 4/04/2005 12:06:02 PM | Attr = ]
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} [HKLM] -> Reg Data - Key not found [Encryption Context Menu] -> File not found
{88895560-9AA2-1069-930E-00AA0030EBC8} [HKLM] -> %System32%\hticons.dll [HyperTerminal Icon Ext] -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Modified Date = 23/08/2001 10:00:00 PM | Attr = ]
{8AA99D86-978D-4963-A845-24AF39FB0CF2} [HKLM] -> %ProgramFiles%\iiBar\iiBar.dll [iiBar] -> Polymorpheus [Ver = 2.0.15.21 | Size = 240128 bytes | Modified Date = 5/09/2006 9:26:42 PM | Attr = ]
{B089FE88-FB52-11d3-BDF1-0050DA34150D} [HKLM] -> %ProgramFiles%\ESET\nodshex.dll [NOD32 Context Menu Shell Extension] -> Eset [Ver = 2, 50, 25 | Size = 57344 bytes | Modified Date = 5/07/2005 7:27:12 AM | Attr = ]
{B327765E-D724-4347-8B16-78AE18552FC3} [HKLM] -> %CommonProgramFiles%\Ahead\Lib\NeroDigitalExt.dll [NeroDigitalIconHandler] -> Nero AG [Ver = 1.1.1.1 | Size = 1515520 bytes | Modified Date = 4/04/2005 12:06:02 PM | Attr = ]
{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\RarExt.dll [WinRAR shell extension] -> [Ver = | Size = 125440 bytes | Modified Date = 3/08/2005 10:32:08 PM | Attr = ]
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} [HKLM] -> %ProgramFiles%\iTunes\iTunesMiniPlayer.dll [iTunes] -> Apple Computer, Inc. [Ver = 6.0.4.2 | Size = 102400 bytes | Modified Date = 23/02/2006 4:56:34 PM | Attr = ]
{E0D79304-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZIP Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Modified Date = 11/02/2004 9:00:00 AM | Attr = ]
{E0D79305-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZIP Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Modified Date = 11/02/2004 9:00:00 AM | Attr = ]
{E0D79306-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZIP Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Modified Date = 11/02/2004 9:00:00 AM | Attr = ]
{E0D79307-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZIP Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Modified Date = 11/02/2004 9:00:00 AM | Attr = ]
{ECF35B62-EF2B-484F-BDB2-0973BAF4C740} [HKLM] -> %ProgramFiles%\iiBar\iiBar.dll [iiBar] -> Polymorpheus [Ver = 2.0.15.21 | Size = 240128 bytes | Modified Date = 5/09/2006 9:26:42 PM | Attr = ]
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} [HKLM] -> %ProgramFiles%\Real\RealPlayer\rpshell.dll [Shell Extensions for RealOne Player] -> RealNetworks, Inc. [Ver = 1.0.1.2237 | Size = 49198 bytes | Modified Date = 18/08/2006 5:52:44 PM | Attr = ]
< ContextMenuHandlers - * [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\
{4EB37360-49E8-11D3-95B5-004033382980} [HKLM] -> %ProgramFiles%\ESTsoft\ALZip\AZCTM.dll [ALZip] -> ESTsoft [Ver = 5.11.17.38 | Size = 167936 bytes | Modified Date = 18/11/2005 8:52:18 AM | Attr = ]
{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\context.dll [AVG Anti-Spyware] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 49 | Size = 98304 bytes | Modified Date = 6/10/2006 9:40:48 PM | Attr = ]
{B089FE88-FB52-11d3-BDF1-0050DA34150D} [HKLM] -> %ProgramFiles%\ESET\nodshex.dll [NOD32 Context Menu Shell Extension] -> Eset [Ver = 2, 50, 25 | Size = 57344 bytes | Modified Date = 5/07/2005 7:27:12 AM | Attr = ]
{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\RarExt.dll [WinRAR] -> [Ver = | Size = 125440 bytes | Modified Date = 3/08/2005 10:32:08 PM | Attr = ]
{E0D79304-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZIP Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Modified Date = 11/02/2004 9:00:00 AM | Attr = ]
< ContextMenuHandlers - Directory [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\
{4EB37360-49E8-11D3-95B5-004033382980} [HKLM] -> %ProgramFiles%\ESTsoft\ALZip\AZCTM.dll [ALZip] -> ESTsoft [Ver = 5.11.17.38 | Size = 167936 bytes | Modified Date = 18/11/2005 8:52:18 AM | Attr = ]
{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\context.dll [AVG Anti-Spyware] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 49 | Size = 98304 bytes | Modified Date = 6/10/2006 9:40:48 PM | Attr = ]
{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\RarExt.dll [WinRAR] -> [Ver = | Size = 125440 bytes | Modified Date = 3/08/2005 10:32:08 PM | Attr = ]
{E0D79304-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZIP Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Modified Date = 11/02/2004 9:00:00 AM | Attr = ]
< ContextMenuHandlers - Directory\Background [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\
{4EB37360-49E8-11D3-95B5-004033382980} [HKLM] -> %ProgramFiles%\ESTsoft\ALZip\AZCTM.dll [ALZip] -> ESTsoft [Ver = 5.11.17.38 | Size = 167936 bytes | Modified Date = 18/11/2005 8:52:18 AM | Attr = ]
{1E9B04FB-F9E5-4718-997B-B8DA88302A48} [HKLM] -> %System32%\nvshell.dll [nView] -> NVIDIA Corporation [Ver = 6.14.10.5216 | Size = 430152 bytes | Modified Date = 6/10/2003 2:16:00 PM | Attr = ]
< ContextMenuHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\
{4EB37360-49E8-11D3-95B5-004033382980} [HKLM] -> %ProgramFiles%\ESTsoft\ALZip\AZCTM.dll [ALZip] -> ESTsoft [Ver = 5.11.17.38 | Size = 167936 bytes | Modified Date = 18/11/2005 8:52:18 AM | Attr = ]
{B089FE88-FB52-11d3-BDF1-0050DA34150D} [HKLM] -> %ProgramFiles%\ESET\nodshex.dll [NOD32 Context Menu Shell Extension] -> Eset [Ver = 2, 50, 25 | Size = 57344 bytes | Modified Date = 5/07/2005 7:27:12 AM | Attr = ]
{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\RarExt.dll [WinRAR] -> [Ver = | Size = 125440 bytes | Modified Date = 3/08/2005 10:32:08 PM | Attr = ]
{E0D79304-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZIP Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Modified Date = 11/02/2004 9:00:00 AM | Attr = ]
< ColumnHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882} [HKLM] -> %CommonProgramFiles%\Ahead\Lib\NeroDigitalExt.dll [NeroDigitalColumnHandler Class] -> Nero AG [Ver = 1.1.1.1 | Size = 1515520 bytes | Modified Date = 4/04/2005 12:06:02 PM | Attr = ]
{F9DB5320-233E-11D1-9F84-707F02C10627} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll [PDF Shell Extension] -> Adobe Systems, Inc. [Ver = 7.0.0.0 | Size = 110592 bytes | Modified Date = 14/12/2004 2:20:02 AM | Attr = ]
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{508E4915-A314-4CB7-A874-7DE57659CAAE} -> 203.0.178.191 (Realtek RTL8169/8110 Family Gigabit Ethernet NIC) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -> Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeupdate/content/opuc.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_11 - CodeBase = http://java.sun.com/update/1.5.0/jinstal...indows-i586.cab ->
{9D190AE6-C81E-4039-8061-978EBAD10073} -> F-Secure Online Scanner 3.0 - CodeBase = http://support.f-secure.com/ols/fscax.cab ->
{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_01 - CodeBase = http://java.sun.com/update/1.5.0/jinstal...indows-i586.cab ->
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstal...indows-i586.cab ->
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/update/1.5.0/jinstal...indows-i586.cab ->
{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_11 - CodeBase = http://java.sun.com/update/1.5.0/jinstal...indows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_11 - CodeBase = http://java.sun.com/update/1.5.0/jinstal...indows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macromedia.com/pub/shock...ash/swflash.cab ->


[Files - Created Within 30 days]
boot.ini.comodofirewall -> %SystemDrive%\boot.ini.comodofirewall -> [Ver = | Size = 211 bytes | Created Date = 22/02/2007 2:24:07 PM | Attr = ]
AVG Anti-Spyware.lnk -> %AllUsersDesktop%\AVG Anti-Spyware.lnk -> [Ver = | Size = 849 bytes | Created Date = 22/02/2007 5:46:58 PM | Attr = ]
COMODO firewall Pro.lnk -> %AllUsersDesktop%\COMODO firewall Pro.lnk -> [Ver = | Size = 1588 bytes | Created Date = 22/02/2007 2:24:07 PM | Attr = ]
Second Life.lnk -> %AllUsersDesktop%\Second Life.lnk -> [Ver = | Size = 710 bytes | Created Date = 31/01/2007 12:21:00 AM | Attr = ]
1F330627.gif -> %UserDesktop%\1F330627.gif -> [Ver = | Size = 46685 bytes | Created Date = 5/02/2007 9:01:00 AM | Attr = ]
avgas-setup-7.5.0.50.exe -> %UserDesktop%\avgas-setup-7.5.0.50.exe -> [Ver = | Size = 6469352 bytes | Created Date = 22/02/2007 5:40:55 PM | Attr = ]
HijackThis_v1.99.1.exe -> %UserDesktop%\HijackThis_v1.99.1.exe -> Soeperman Enterprises Ltd. [Ver = 1.99.0001 | Size = 218112 bytes | Created Date = 22/02/2007 1:13:18 PM | Attr = ]
Invite-To-Sydney-Fair.gif -> %UserDesktop%\Invite-To-Sydney-Fair.gif -> [Ver = | Size = 187880 bytes | Created Date = 19/02/2007 11:32:00 AM | Attr = ]
lps.zip -> %UserDesktop%\lps.zip -> [Ver = | Size = 575138 bytes | Created Date = 21/02/2007 2:47:19 PM | Attr = ]
Sprite_Love_cute__commercial.mpg -> %UserDesktop%\Sprite_Love_cute__commercial.mpg -> [Ver = | Size = 4040708 bytes | Created Date = 19/02/2007 9:54:00 PM | Attr = ]
spywaredetectorb.exe -> %UserDesktop%\spywaredetectorb.exe -> Max Secure Software [Ver = 19.0.0.029 | Size = 6425672 bytes | Created Date = 21/02/2007 8:37:04 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\winpfind3u.exe -> [Ver = | Size = 344820 bytes | Created Date = 1/03/2007 12:47:24 AM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Created Date = 16/02/2007 8:23:34 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Created Date = 16/02/2007 8:23:34 PM | Attr = H ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 49248 bytes | Created Date = 15/02/2007 7:01:27 PM | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 53346 bytes | Created Date = 15/02/2007 7:01:27 PM | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 127078 bytes | Created Date = 15/02/2007 7:01:27 PM | Attr = ]
SDRemoveDB.db -> %System32%\SDRemoveDB.db -> [Ver = | Size = 179 bytes | Created Date = 21/02/2007 8:42:27 PM | Attr = ]
VchReg.dll -> %System32%\VchReg.dll -> Max Secure Software [Ver = 6, 0, 2, 2 | Size = 1032192 bytes | Created Date = 21/02/2007 8:39:39 PM | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 22/02/2007 5:46:57 PM | Attr = ]
cmdmon.sys -> %System32%\drivers\cmdmon.sys -> Comodo Research Lab., Inc. [Ver = 2.3.035 built by: WinDDK | Size = 75520 bytes | Created Date = 22/02/2007 2:23:32 PM | Attr = ]
inspect.sys -> %System32%\drivers\inspect.sys -> COMODO [Ver = 2, 0, 0, 1 | Size = 51328 bytes | Created Date = 22/02/2007 2:23:32 PM | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.5.0.1052 | Size = 76560 bytes | Created Date = 22/02/2007 12:23:24 PM | Attr = ]
hosts.backup -> %System32%\drivers\etc\hosts.backup -> [Ver = | Size = 734 bytes | Created Date = 21/02/2007 8:39:38 PM | Attr = ]

[Files - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 212 bytes | Modified Date = 22/02/2007 2:24:08 PM | Attr = HS]
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %LocalAppData%\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [Ver = | Size = 165888 bytes | Modified Date = 21/02/2007 2:58:20 PM | Attr = ]
AVG Anti-Spyware.lnk -> %AllUsersDesktop%\AVG Anti-Spyware.lnk -> [Ver = | Size = 849 bytes | Modified Date = 22/02/2007 5:47:00 PM | Attr = ]
COMODO firewall Pro.lnk -> %AllUsersDesktop%\COMODO firewall Pro.lnk -> [Ver = | Size = 1588 bytes | Modified Date = 22/02/2007 2:24:08 PM | Attr = ]
Second Life.lnk -> %AllUsersDesktop%\Second Life.lnk -> [Ver = | Size = 710 bytes | Modified Date = 31/01/2007 12:21:02 AM | Attr = ]
100206.pst -> %UserDesktop%\100206.pst -> [Ver = | Size = 1479033856 bytes | Modified Date = 1/03/2007 10:50:24 AM | Attr = ]
1F330627.gif -> %UserDesktop%\1F330627.gif -> [Ver = | Size = 46685 bytes | Modified Date = 5/02/2007 9:01:00 AM | Attr = ]
avgas-setup-7.5.0.50.exe -> %UserDesktop%\avgas-setup-7.5.0.50.exe -> [Ver = | Size = 6469352 bytes | Modified Date = 22/02/2007 5:41:22 PM | Attr = ]
HijackThis_v1.99.1.exe -> %UserDesktop%\HijackThis_v1.99.1.exe -> Soeperman Enterprises Ltd. [Ver = 1.99.0001 | Size = 218112 bytes | Modified Date = 22/02/2007 1:13:14 PM | Attr = ]
Invite-To-Sydney-Fair.gif -> %UserDesktop%\Invite-To-Sydney-Fair.gif -> [Ver = | Size = 187880 bytes | Modified Date = 19/02/2007 11:32:00 AM | Attr = ]
lps.zip -> %UserDesktop%\lps.zip -> [Ver = | Size = 575138 bytes | Modified Date = 21/02/2007 2:47:14 PM | Attr = ]
Sprite_Love_cute__commercial.mpg -> %UserDesktop%\Sprite_Love_cute__commercial.mpg -> [Ver = | Size = 4040708 bytes | Modified Date = 19/02/2007 9:54:00 PM | Attr = ]
spywaredetectorb.exe -> %UserDesktop%\spywaredetectorb.exe -> Max Secure Software [Ver = 19.0.0.029 | Size = 6425672 bytes | Modified Date = 21/02/2007 8:37:38 PM | Attr = ]
Thumbs.db -> %UserDesktop%\Thumbs.db -> [Ver = | Size = 90624 bytes | Modified Date = 21/02/2007 2:58:20 PM | Attr = HS]
@Alternate Data Stream - 0 bytes -> %UserDesktop%\Thumbs.db:encryptable ->
winpfind3u.exe -> %UserDesktop%\winpfind3u.exe -> [Ver = | Size = 344820 bytes | Modified Date = 1/03/2007 12:47:20 AM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 1/03/2007 12:11:30 AM | Attr = S]
DVDRegionFree.INI -> %SystemRoot%\DVDRegionFree.INI -> [Ver = | Size = 101 bytes | Modified Date = 1/03/2007 1:50:40 AM | Attr = ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 116 bytes | Modified Date = 1/03/2007 10:37:48 AM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 16/02/2007 8:23:36 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 1/03/2007 11:23:36 AM | Attr = H ]
SDRemoveDB.db -> %System32%\SDRemoveDB.db -> [Ver = | Size = 179 bytes | Modified Date = 21/02/2007 8:42:28 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2262 bytes | Modified Date = 1/03/2007 12:11:34 AM | Attr = ]
cmdmon.sys -> %System32%\drivers\cmdmon.sys -> Comodo Research Lab., Inc. [Ver = 2.3.035 built by: WinDDK | Size = 75520 bytes | Modified Date = 22/02/2007 2:23:24 PM | Attr = ]
Dvd43.sys -> %System32%\drivers\Dvd43.sys -> Fengtao Software Inc. [Ver = 2, 6, 0, 28 | Size = 35296 bytes | Modified Date = 1/03/2007 1:50:36 AM | Attr = ]
inspect.sys -> %System32%\drivers\inspect.sys -> COMODO [Ver = 2, 0, 0, 1 | Size = 51328 bytes | Modified Date = 22/02/2007 2:23:24 PM | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.5.0.1052 | Size = 76560 bytes | Modified Date = 22/02/2007 12:18:26 PM | Attr = ]

[File String Scan - Non-Microsoft Only]
File scan skipped for file %UserDocuments%\backup.pst -> File size too big (1204765696 bytes) ->
UPX! , UPX0 , -> %UserDocuments%\daemon344.exe -> [Ver = | Size = 501248 bytes | Modified Date = 1/02/2004 6:51:40 PM | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\getmsg.htm:Zone.Identifier ->
File scan skipped for file %UserDocuments%\gmtrial2.dbf -> File size too big (155260609 bytes) ->
@Alternate Data Stream - 26 bytes -> %UserDocuments%\MsgPlus-325.exe:Zone.Identifier ->
@Alternate Data Stream - 0 bytes -> %UserDocuments%\Thumbs.db:encryptable ->
File scan skipped for file %UserDesktop%\100206.pst -> File size too big (1479033856 bytes) ->
UPX0 , -> %UserDesktop%\adsl.test -> [Ver = | Size = 13631488 bytes | Modified Date = 31/10/2006 4:14:36 PM | Attr = ]
UPX! , UPX0 , -> %UserDesktop%\HijackThis_v1.99.1.exe -> Soeperman Enterprises Ltd. [Ver = 1.99.0001 | Size = 218112 bytes | Modified Date = 22/02/2007 1:13:14 PM | Attr = ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\ndntenst.exe:Zone.Identifier ->
UPX! , PEC2 , WSUD , UPX0 , -> %UserDesktop%\ndntenst.exe -> [Ver = | Size = 8446517 bytes | Modified Date = 4/07/2005 10:03:32 PM | Attr = ]
Thawte Consulting , -> %UserDesktop%\spywaredetectorb.exe -> Max Secure Software [Ver = 19.0.0.029 | Size = 6425672 bytes | Modified Date = 21/02/2007 8:37:38 PM | Attr = ]
@Alternate Data Stream - 0 bytes -> %UserDesktop%\Thumbs.db:encryptable ->
@Alternate Data Stream - 26 bytes -> %UserDesktop%\zmatrixsetupnt_1_5_2.exe:Zone.Identifier ->
FSG! , -> %UserDesktop%\zmatrixsetupnt_1_5_2.exe -> [Ver = | Size = 2071626 bytes | Modified Date = 2/04/2005 11:57:06 PM | Attr = ]
UPX! , UPX0 , -> %SystemRoot%\daemon.dll -> [Ver = 3.44.0.0 | Size = 68608 bytes | Modified Date = 27/12/2003 8:43:24 PM | Attr = ]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable ->
WSUD , -> %System32%\ALSNDMGR.CPL -> Realtek Semiconductor Corp. [Ver = 2.2.26 | Size = 14268928 bytes | Modified Date = 14/05/2004 5:26:34 PM | Attr = ]
aspack , -> %System32%\ALZALZ.BIN -> [Ver = | Size = 62464 bytes | Modified Date = 1/08/2005 7:46:08 PM | Attr = ]
aspack , -> %System32%\ALZZip.BIN -> [Ver = | Size = 42496 bytes | Modified Date = 1/08/2005 7:46:48 PM | Attr = ]
UPX! , UPX0 , -> %System32%\avisynth.dll -> The Public [Ver = 2, 0, 7, 0 | Size = 123904 bytes | Modified Date = 23/11/2002 1:21:28 AM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 23/08/2001 10:00:00 PM | Attr = ]
Umonitor , -> %System32%\ipebase12.dll -> Hewlett-Packard Company [Ver = 1, 2, 0, 3 | Size = 331776 bytes | Modified Date = 28/04/1999 3:01:12 PM | Attr = ]
PTech , -> %System32%\LegitCheckControl.dll -> Microsoft® Corporation [Ver = 1.3.0254.0 | Size = 520456 bytes | Modified Date = 12/07/2005 6:04:22 PM | Attr = ]
@Alternate Data Stream - 0 bytes -> %System32%\Thumbs.db:encryptable ->
UPX! , UPX0 , -> %System32%\UninstXviDDec.exe -> [Ver = | Size = 22782 bytes | Modified Date = 21/11/2005 3:38:26 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 23/08/2001 10:00:00 PM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 23/08/2001 10:00:00 PM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 3/08/2004 10:41:38 PM | Attr = ]

< End of report >
KotaGuy
Member
28. February 2007 @ 17:34
Nothing bad in the WinPFind log. So that's good.

As for what PeerGuardian was detecting... I'm not sure... I don't use the program.

As for Comodo... I tested the firewall when it first came out for a bit. Seemed like a good alternative to ZoneAlarm if one didn't like ZA. So I'm not sure about that either.

May want to ask about those at the program's respective forums.
ozsurfie
Suspended due to non-functional email address
28. February 2007 @ 18:33
Ok, well I will continue using the programs you suggested to keep the nasties at bay - many thanks for your help again.
One last thing: I have AVG Anti-Spyware, Ad-Aware, Spybot, CA e pest and NOD32 running. Are any conflicting with each other??
Cheers and thanks again for your help.
KotaGuy
Member
28. February 2007 @ 18:56
Shouldn't be any conflicts between those, I don't think.
ozsurfie
Suspended due to non-functional email address
26. March 2007 @ 02:49
Hi Kotaguy

Don't seem to have had any major problems since you helped out, so again thanks. In using AVG I stumbled upon the "program" trying to dial out to IBM Corp that PG2 kept alerting me to. It was listed as SYSTEM and UDO protocol? Can anyone suggest what is going on, and if I try and delete the application is that going to cause me grief :)

thanks to all
ozsurfie
Suspended due to non-functional email address
26. March 2007 @ 02:58
Sorry, typo there: UDP protocol :) and this system application is also trying to contact sc research 203.26.51.50. Could this be some sort of tracker, and does anyone know how I get rid of it if HijackThis doesn't show it?
KotaGuy
Member
26. March 2007 @ 10:05
WhoIs for 203.26.51.50...

Quote:
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 203.26.51.0 - 203.26.51.255
netname: JOHNFAIRFAX-AU
country: AU
descr: John Fairfax Holdings
descr: 201 Sussex St.
descr: Sydney
descr: NSW 2000
admin-c: SR61-AP
tech-c: PP106-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
changed: *******@fairfax.com.au 20040219
changed: **********@apnic.net 20041214
source: APNIC

person: Stephen Rath
nic-hdl: SR61-AP
e-mail: *****@fairfax.com.au
address: John Fairfax Holdings Limited
address: PO Box 506
address: GPO
address: Sydney
address: NSW 2001
phone: +61 2 9282 2621
fax-no: +61 2 9282 2182
changed: *****@fairfax.com.au 20030204
mnt-by: MAINT-AU-SR61-AP
source: APNIC

person: Paul Prokop
nic-hdl: PP106-AP
e-mail: *******@fairfax.com.au
address: John Fairfax Holdings Ltd
address: 250 Spencer Street
address: Melbourne
address: Victoria 3000
phone: +61 3 9604 1916
fax-no: +61 3 9601 2856
country: AU
changed: *******@fairfax.com.au 20021111
mnt-by: MAINT-AU-PP106-AP
source: APNIC
Last IP to respond to a traceroute is 202.168.24.2 which resolves to johnfairfax-link.syd.static.comindico.com.au.

Seems to be related to this...

http://www.fxj.com.au/

Any of that look familiar to you?
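One way to automate the first step of the triage shown in this reply (parse the APNIC whois answer and confirm the alerted destination really falls inside the listed inetnum), as an added example that is not code from the thread. The whois text is a trimmed copy of the answer quoted above, and the function names are my own.

```python
import ipaddress

# Constructed sample input: the APNIC answer quoted in the post above, trimmed
# to the fields that matter for triage (the full answer has more objects).
WHOIS_TEXT = """\
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 203.26.51.0 - 203.26.51.255
netname: JOHNFAIRFAX-AU
descr: John Fairfax Holdings
descr: 201 Sussex St.
descr: Sydney
source: APNIC

person: Stephen Rath
nic-hdl: SR61-AP
source: APNIC
"""

def parse_whois(text):
    """One dict per blank-line separated RPSL object; repeated keys such as
    descr: collect into a list, and '%' comment lines are skipped."""
    objects, current = [], {}
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects

def inetnum_contains(inetnum, ip):
    """True if ip lies inside an 'a.b.c.d - w.x.y.z' inetnum range."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return lo <= ipaddress.ip_address(ip) <= hi

def triage_destination(ip, whois_text):
    """Return (netname, descr lines) of the inetnum object covering ip, or
    None when nothing in the answer covers it (hypothetical helper name)."""
    for obj in parse_whois(whois_text):
        if any(inetnum_contains(r, ip) for r in obj.get("inetnum", [])):
            return obj["netname"][0], obj.get("descr", [])
    return None
```

The same check works on any firewall alert's destination: paste the whois answer in, and the returned netname and descr lines are what you compare against sites you actually use, as the reply does with the Fairfax site.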
ozsurfie
Suspended due to non-functional email address
26. March 2007 @ 13:10
I look at smh.com every day and have it as an RSS feed in my Firefox.
Could they be that interested in my browsing??
KotaGuy
Member
26. March 2007 @ 14:04
No... I suspect it's the RSS function doing it.

Don't think it's anything to worry about :)
ozsurfie
Suspended due to non-functional email address
26. March 2007 @ 19:11
Ok, thanks again - it is a sad state of affairs that we are all so paranoid that people are trying to f us over by way of spyware etc etc :)
  © 1999-2025 by AfterDawn Ltd.