Gooooogle Redirect Problem



Aussie1
2007-10-18, 06:20
Hi,

Following a Google search, when I click on the results my browser (IE) is redirected to shopping sites. It seems a bit random in its application - that is, some results are redirected, others are not.

I've followed the sticky instructions - I've run Kaspersky, booted in Safe and run Spybot, rebooted and run HJT.

I regularly (weekly or so) update and run Ad-Aware, Spybot, and Symantec AntiVirus, though Kaspersky said it found two viruses.

Logs follow - any suggestions???

Cheers.

Aussie1
2007-10-18, 06:21
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:40 PM, on 18/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/news
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DBD9A01-488D-4179-BFCD-CDB9FB6B067B} - C:\WINDOWS\system32\atmf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://sideprojectregister.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186656681671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186656661265
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/93ea68328519c4/player.virtools.com/downloads/player/Install3.5/Installer.exe
O16 - DPF: {F1D54B0B-B6EA-43B5-BD26-A79D3DBF47E3} (Multidownx Control) - http://bigpondmusic.com/activex/multidownx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D3500BC-C51A-45A3-AB66-63385A06350F}: Domain = nsw.bigpond.net.au
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 1: (no name) - http://www.abc.net.au/sydney/702stream.asx

--
End of file - 7008 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, October 18, 2007 12:32:28 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/10/2007
Kaspersky Anti-Virus database records: 437505
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 65906
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 01:41:13

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007101820071019\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\sch16.dll Infected: Trojan.Win32.Delf.aht skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\div.dll Infected: Trojan.Win32.Delf.aif skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Shaba
2007-10-21, 12:22
Hi Aussie

Download win32delfkil.exe (http://users.telenet.be/marcvn/tools/win32delfkil.exe).
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.
Post the contents of the logfile c:\windelf.txt, along with a new HijackThis log.

Aussie1
2007-10-22, 13:24
Hi Shaba,

Thanks so much for replying. That's awesome. win32delfkil.exe behaved a bit strangely when I double clicked - a red DOS window opened, it prompted me to hit any key to continue, then said "file not found" five times, then automatically rebooted the computer, then automatically prompted me to run the .exe file again. Anyway, it has produced a log in c: :alien:

win32delfkil and HJT logs follow...

WIN32DELFKIL LOGFILE - by Marckie


version 3.131
Mon 22/10/2007 20:08:50.14
running from: "C:\Documents and Settings\Owner\Desktop"


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskScheduler key ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"


--- Notify key ---


--- rebooting the computer ---


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskSchedulerkey ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



--- Notify key ---

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:21 PM, on 22/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/news
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DBD9A01-488D-4179-BFCD-CDB9FB6B067B} - C:\WINDOWS\system32\atmf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://sideprojectregister.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186656681671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186656661265
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/93ea68328519c4/player.virtools.com/downloads/player/Install3.5/Installer.exe
O16 - DPF: {F1D54B0B-B6EA-43B5-BD26-A79D3DBF47E3} (Multidownx Control) - http://bigpondmusic.com/activex/multidownx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D3500BC-C51A-45A3-AB66-63385A06350F}: Domain = nsw.bigpond.net.au
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 1: (no name) - http://www.abc.net.au/sydney/702stream.asx

--
End of file - 7008 bytes

Shaba
2007-10-22, 18:07
Hi

Let's check this next; AWF might or might not be present, too:


Please download FindAWF (http://noahdfear.geekstogo.com/FindAWF.exe) and save it to your desktop

* Double-click FindAWF.exe to start the tool.
* Select option #1 - Scan for bak folders by typing 1 and pressing 'Enter'
* When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

**Do not run any other option unless directed to do so.**

Aussie1
2007-10-23, 12:57
Hi Shaba,

I've run the programme (log follows). I'm not redirected to shopping sites anymore :D:, but I'm still redirected, though the pages don't seem to load (they remain blank) :scratch:

I noticed that the IP was the same, though the address following it changes with different IE sessions. Here's a sample in case it is useful...

http://201.218.196.152/click.php?c=c2203bfd0e55c8b2c66f4002&r=1
http://201.218.196.152/click.php?c=c2203bfd0e55c8b2c66f4002&r=4

http://201.218.196.152/click.php?c=c2ffd7940126b9b2c66f4002&r=1
http://201.218.196.152/click.php?c=c38a19060e356fb2c66f4002&r=1


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Tue 23/10/2007
The current time is: 19:37:25.45


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

18/10/2005 11:58 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

26/10/2005 08:25 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

17/07/2003 06:26 AM 13,312 ctfmon.exe
02/10/2003 01:19 PM 118,784 hkcmd.exe
02/10/2003 01:37 PM 155,648 igfxtray.exe
09/07/2001 10:50 AM 155,648 NeroCheck.exe
4 File(s) 443,392 bytes

Directory of C:\PROGRA~1\AHEAD\NEROBA~1\BAK

14/04/2005 03:56 PM 1,957,888 NBJ.exe
1 File(s) 1,957,888 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

22/12/2003 08:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\SYMANT~1\SYMANT~1\BAK

21/05/2003 02:21 AM 90,112 vptray.exe
1 File(s) 90,112 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

270648 10 Jul 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 18 Oct 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 16 Jul 2007 "C:\WINDOWS\Installer\{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}\iTunesIco.exe"
116024 10 Jul 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.1.3\iTunesSetupAdmin.exe"
286720 29 Jun 2007 "C:\Program Files\QuickTime\QTTask.exe"
155648 26 Oct 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 4 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
13312 17 Jul 2003 "C:\WINDOWS\system32\bak\ctfmon.exe"
118784 2 Oct 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 2 Oct 2003 "C:\DELL\drivers\R70267\Graphics\Win2000\hkcmd.exe"
155648 2 Oct 2003 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 2 Oct 2003 "C:\DELL\drivers\R70267\Graphics\Win2000\igfxtray.exe"
155648 9 Jul 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
1957888 14 Apr 2005 "C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe"
241664 22 Dec 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
90112 21 May 2003 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe"
90112 21 May 2003 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe"


end of report

Shaba
2007-10-23, 17:32
Hi

Double-click FindAWF.exe to start the tool.

Select option #2 - Restore files from bak folders by typing 2 and pressing 'Enter'
A text file will open up. Please copy/paste the following bolded text into the text file:

"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"

Close the .txt file and click 'Yes' to save the changes.
When the tool has completed, a report will open up in notepad.
Please post the results of the awf.txt here.

Aussie1
2007-10-24, 13:22
Hi, done. Log follows...


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Wed 24/10/2007
The current time is: 20:14:14.04


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

18/10/2005 11:58 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

26/10/2005 08:25 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

17/07/2003 06:26 AM 13,312 ctfmon.exe
02/10/2003 01:19 PM 118,784 hkcmd.exe
02/10/2003 01:37 PM 155,648 igfxtray.exe
09/07/2001 10:50 AM 155,648 NeroCheck.exe
4 File(s) 443,392 bytes

Directory of C:\PROGRA~1\AHEAD\NEROBA~1\BAK

14/04/2005 03:56 PM 1,957,888 NBJ.exe
1 File(s) 1,957,888 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

22/12/2003 08:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\SYMANT~1\SYMANT~1\BAK

21/05/2003 02:21 AM 90,112 vptray.exe
1 File(s) 90,112 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

278528 18 Oct 2005 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 18 Oct 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 16 Jul 2007 "C:\WINDOWS\Installer\{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}\iTunesIco.exe"
116024 10 Jul 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.1.3\iTunesSetupAdmin.exe"
155648 26 Oct 2005 "C:\Program Files\QuickTime\qttask.exe"
155648 26 Oct 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 4 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
13312 17 Jul 2003 "C:\WINDOWS\system32\bak\ctfmon.exe"
118784 2 Oct 2003 "C:\WINDOWS\system32\hkcmd.exe"
118784 2 Oct 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 2 Oct 2003 "C:\DELL\drivers\R70267\Graphics\Win2000\hkcmd.exe"
155648 2 Oct 2003 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 2 Oct 2003 "C:\DELL\drivers\R70267\Graphics\Win2000\igfxtray.exe"
155648 9 Jul 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
1957888 14 Apr 2005 "C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe"
241664 22 Dec 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
90112 21 May 2003 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe"
90112 21 May 2003 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe"


end of report

Shaba
2007-10-24, 18:01
Hi

Double-click FindAWF.exe to start the tool.

Select option #3 - Remove bak folders by typing 3 and pressing 'Enter'
A text file will open up. Please copy/paste the following bolded text into the text file:

C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak

Close the .txt file and click 'Yes' to save the changes.
When the tool has completed, a report will open up in notepad.
Please post the results of the awf.txt here.

Aussie1
2007-10-24, 18:18
Hi Shaba,

Done......


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Thu 25/10/2007
The current time is: 1:12:56.21


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

17/07/2003 06:26 AM 13,312 ctfmon.exe
02/10/2003 01:19 PM 118,784 hkcmd.exe
02/10/2003 01:37 PM 155,648 igfxtray.exe
09/07/2001 10:50 AM 155,648 NeroCheck.exe
4 File(s) 443,392 bytes

Directory of C:\PROGRA~1\AHEAD\NEROBA~1\BAK

14/04/2005 03:56 PM 1,957,888 NBJ.exe
1 File(s) 1,957,888 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

22/12/2003 08:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\SYMANT~1\SYMANT~1\BAK

21/05/2003 02:21 AM 90,112 vptray.exe
1 File(s) 90,112 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

15360 4 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
13312 17 Jul 2003 "C:\WINDOWS\system32\bak\ctfmon.exe"
118784 2 Oct 2003 "C:\WINDOWS\system32\hkcmd.exe"
118784 2 Oct 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 2 Oct 2003 "C:\DELL\drivers\R70267\Graphics\Win2000\hkcmd.exe"
155648 2 Oct 2003 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 2 Oct 2003 "C:\DELL\drivers\R70267\Graphics\Win2000\igfxtray.exe"
155648 9 Jul 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
1957888 14 Apr 2005 "C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe"
241664 22 Dec 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
90112 21 May 2003 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe"
90112 21 May 2003 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe"


end of report

Shaba
2007-10-24, 18:21
Hi

Please download ATF Cleaner by Atribune (http://www.atribune.org/ccount/click.php?id=1) and save it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Open HijackThis, click "Do a system scan only" and checkmark this:

O2 - BHO: (no name) - {5DBD9A01-488D-4179-BFCD-CDB9FB6B067B} - C:\WINDOWS\system32\atmf.dll

Close all windows including browser and press "Fix checked".

Reboot

Delete if present:

C:\WINDOWS\system32\atmf.dll

Empty Recycle Bin

Re-scan with Kaspersky

Post:

- a fresh HijackThis log
- Kaspersky report

Aussie1
2007-10-25, 14:55
Hi Shaba,

Ran ATF Cleaner. Couldn't delete atmf.dll as "access denied". There were also some similar files in system32 - atmf.1, atmfd.dll, atmlib.dll, atmpvcno.dll.

Checked and clicked 'fix selected' as instructed.

Kaspersky still found 2 viruses :(

No change in Google - though I've noticed if I click the link, then click back, then click link etc, three times then IE hyperlinks to the correct page.

Kaspersky & HJT logs follow...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, October 25, 2007 9:45:58 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/10/2007
Kaspersky Anti-Virus database records: 444439
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 54129
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 01:26:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\atmf.1 Infected: Trojan-Spy.Win32.BZub.btd skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\div.dll Infected: Trojan.Win32.Delf.aif skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:48 PM, on 25/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/news
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DBD9A01-488D-4179-BFCD-CDB9FB6B067B} - C:\WINDOWS\system32\atmf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://sideprojectregister.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186656681671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186656661265
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/93ea68328519c4/player.virtools.com/downloads/player/Install3.5/Installer.exe
O16 - DPF: {F1D54B0B-B6EA-43B5-BD26-A79D3DBF47E3} (Multidownx Control) - http://bigpondmusic.com/activex/multidownx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D3500BC-C51A-45A3-AB66-63385A06350F}: Domain = nsw.bigpond.net.au
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 1: (no name) - http://www.abc.net.au/sydney/702stream.asx

--
End of file - 6880 bytes

Shaba
2007-10-25, 17:42
Hi

Next step is this:

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.exe).
Save it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\atmf.1
C:\WINDOWS\system32\atmf.dll
C:\WINDOWS\system32\div.dll

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Post back a fresh HijackThis log.

Aussie1
2007-10-26, 15:11
Hi Shaba,

I've run KillBox as per instructions. I didn't get a 'pending operation' prompt though, but the machine rebooted automatically.

I've checked c:\windows\system32 and atmf.1 is gone, but atmf.dll is still there. Persistent little creature!

Thanks very much for your continuing attention.

Cheers.

HJT log follows...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:33 PM, on 26/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/news
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DBD9A01-488D-4179-BFCD-CDB9FB6B067B} - C:\WINDOWS\system32\atmf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://sideprojectregister.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186656681671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186656661265
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/93ea68328519c4/player.virtools.com/downloads/player/Install3.5/Installer.exe
O16 - DPF: {F1D54B0B-B6EA-43B5-BD26-A79D3DBF47E3} (Multidownx Control) - http://bigpondmusic.com/activex/multidownx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D3500BC-C51A-45A3-AB66-63385A06350F}: Domain = nsw.bigpond.net.au
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 1: (no name) - http://www.abc.net.au/sydney/702stream.asx

--
End of file - 6971 bytes

Aussie1
2007-10-26, 15:17
PS. It also looks like div.dll is also gone from the sys32 folder...

Shaba
2007-10-27, 12:07
Hi

Ok, more brute force:

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file. Extract avenger.exe to your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS\system32\atmf.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Aussie1
2007-10-27, 14:56
Hey Shaba,

They should build aeroplanes out of that atmf.dll file!

Avenger & HJT logs follow...

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\^cooimmm

*******************

Script file located at: \??\C:\WINDOWS\system32\genpr^vl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\system32\atmf.dll for deletion
Deletion of file C:\WINDOWS\system32\atmf.dll failed!

Could not process line:
C:\WINDOWS\system32\atmf.dll
Status: 0xc0000022


Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:05 PM, on 27/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/news
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DBD9A01-488D-4179-BFCD-CDB9FB6B067B} - C:\WINDOWS\system32\atmf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://sideprojectregister.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186656681671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186656661265
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/93ea68328519c4/player.virtools.com/downloads/player/Install3.5/Installer.exe
O16 - DPF: {F1D54B0B-B6EA-43B5-BD26-A79D3DBF47E3} (Multidownx Control) - http://bigpondmusic.com/activex/multidownx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D3500BC-C51A-45A3-AB66-63385A06350F}: Domain = nsw.bigpond.net.au
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 1: (no name) - http://www.abc.net.au/sydney/702stream.asx

--
End of file - 7003 bytes
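
The comparison made by eye across the three HijackThis logs and the Kaspersky report above can be scripted. This is an added example, not part of any post and not code from HijackThis or Kaspersky; the function names and the rule that pairs a BHO with a detection in the same directory with the same file stem are assumptions of the example, and the log lines are copied from the posts above.

```python
import ntpath
import re

# "O2 - BHO: <name> - {CLSID} - <path>" as printed by HijackThis
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
SAVED_RE = re.compile(r"^Scan saved at (?P<when>.+)$")
# "<path> Infected: <verdict> <action>" as printed by the Kaspersky online scanner
KAV_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")

# O2 section exactly as it appears in the logs of 25, 26 and 27 Oct in this thread.
O2_SECTION = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DBD9A01-488D-4179-BFCD-CDB9FB6B067B} - C:\WINDOWS\system32\atmf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
"""
LOGS = [
    "Scan saved at 9:46:48 PM, on 25/10/2007\n" + O2_SECTION,
    "Scan saved at 10:03:33 PM, on 26/10/2007\n" + O2_SECTION,
    "Scan saved at 9:53:05 PM, on 27/10/2007\n" + O2_SECTION,
]
# Three lines from the Kaspersky report of 25 Oct (two detections, one locked file).
KAV_REPORT = r"""C:\WINDOWS\system32\atmf.1 Infected: Trojan-Spy.Win32.BZub.btd skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\div.dll Infected: Trojan.Win32.Delf.aif skipped
"""


def parse_hjt(log_text):
    """Return (scan time, {CLSID: (name, path)}) for one HijackThis log."""
    when, bhos = None, {}
    for line in log_text.splitlines():
        line = line.strip()
        saved = SAVED_RE.match(line)
        if saved:
            when = saved["when"]
            continue
        bho = O2_RE.match(line)
        if bho:
            bhos[bho["clsid"].upper()] = (bho["name"], bho["path"])
    return when, bhos


def parse_detections(report_text):
    """Return {path: verdict} for report lines marked Infected; locked files are ignored."""
    found = {}
    for line in report_text.splitlines():
        hit = KAV_RE.match(line.strip())
        if hit:
            found[hit["path"]] = hit["verdict"]
    return found


def stem_key(path):
    """(directory, file name without extension), case-folded the way Windows compares paths."""
    directory, filename = ntpath.split(ntpath.normcase(path))
    return directory, ntpath.splitext(filename)[0]


def related_detections(path, detections):
    """Detections on the file itself or on a same-directory file with the same stem.

    Exact stem, not prefix: atmf.1 pairs with atmf.dll, while atmfd.dll and
    atmlib.dll (named in the user's post) have different stems and do not.
    """
    key = stem_key(path)
    return {p: v for p, v in detections.items() if stem_key(p) == key}


def track(clsid, logs):
    """Per log: (scan time, path the CLSID points at, or None once the entry is gone)."""
    history = []
    for text in logs:
        when, bhos = parse_hjt(text)
        entry = bhos.get(clsid.upper())
        history.append((when, entry[1] if entry else None))
    return history


def triage(logs, report_text):
    """BHOs in the latest log that the scanner implicates, with their history."""
    detections = parse_detections(report_text)
    _, latest = parse_hjt(logs[-1])
    findings = []
    for clsid, (name, path) in latest.items():
        related = related_detections(path, detections)
        if not related:
            continue
        history = track(clsid, logs)
        findings.append({
            "clsid": clsid,
            "path": path,
            "unnamed": name == "(no name)",
            "detections": related,
            "history": history,
            # True when the entry is present in every log, i.e. no fix has stuck.
            "persisted": all(p is not None for _, p in history),
        })
    return findings


if __name__ == "__main__":
    for f in triage(LOGS, KAV_REPORT):
        print(f["clsid"], f["path"], "persisted:", f["persisted"])
        for p, verdict in f["detections"].items():
            print("  related detection:", p, verdict)
        for when, p in f["history"]:
            print("  ", when, "->", p or "absent")
```
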

Shaba
2007-10-27, 15:10
Hi

Yes, it seems super-resistant.

Let's research more:

Create a Startup List
Open HiJackThis
Click Open the Misc tools section
Check off the 2 boxes next to the Box that says "Generate StartupList log"
Copy and paste the StartupList from the notepad into your next post

Aussie1
2007-10-27, 15:15
Hi

Startup list follows...

StartupList report, 27/10/2007, 10:12:52 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
palmOne Registration.lnk = C:\Program Files\palmOne\register.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Free WebSite Tools.lnk = ?
HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
HP Component Manager = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
MSPY2002 = C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
NBJ = "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\atmf.dll - {5DBD9A01-488D-4179-BFCD-CDB9FB6B067B}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Aussie1
2007-10-27, 15:18
Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://sideprojectregister.spaces.live.com//PhotoUpload/MsnPUpld.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186656681671

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186656661265

[{76A2A0AB-38B7-46DB-8E47-F10CDE4D7920}]
CODEBASE = http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

[Virtools WebPlayer Class]
InProcServer32 = C:\Program Files\Virtools Web Player 3.5\WebPlayer.ocx
CODEBASE = http://a532.g.akamai.net/7/532/6712/93ea68328519c4/player.virtools.com/downloads/player/Install3.5/Installer.exe

[Java Plug-in 1.5.0_09]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9c.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Multidownx Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MULTID~1.OCX
CODEBASE = http://bigpondmusic.com/activex/multidownx.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Ad-Aware 2007 Service: "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe" (autostart)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Advanced SCSI Programming Interface Driver: \??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys (manual start)
ASPI32: System32\drivers\aspi32.sys (system)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Broadcom 440x 10/100 Integrated Controller XP Driver: System32\DRIVERS\bcm4sbxp.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DefWatch: C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Speedstream Ethernet USB Adapter: System32\DRIVERS\enethusb.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: System32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: System32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: System32\DRIVERS\HPZius12.sys (manual start)
HSFHWBS2: System32\DRIVERS\HSFHWBS2.sys (manual start)
HSF_DP: System32\DRIVERS\HSF_DP.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
NAVAP: \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys (manual start)
NAVAPEL: \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20071025.021\NAVENG.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20071025.021\NAVEX15.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Symantec AntiVirus Client: C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI: \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS (system)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
PalmUSBD: system32\drivers\PalmUSBD.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\System32\HPZipm12.exe (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
ProtexisLicensing: C:\WINDOWS\system32\PSIService.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Digital Camera Driver: System32\DRIVERS\smalusb.sys (manual start)
smwdm: system32\drivers\smwdm.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SAMSUNG USB Composite Device driver (WDM): System32\DRIVERS\sscdbus.sys (manual start)
SAMSUNG CDMA Modem Filter: System32\DRIVERS\sscdmdfl.sys (manual start)
SAMSUNG CDMA Modem Drivers: System32\DRIVERS\sscdmdm.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{D66FBF4B-16A4-467E-AE01-2A6C1367C278} (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)

Aussie1
2007-10-27, 15:19
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
WpdUsb: System32\Drivers\wpdusb.sys (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
yzphlims: system32\drivers\ioeqfxec.dat (system)
Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 36,081 bytes
Report generated in 0.422 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Shaba
2007-10-27, 15:32
Hi

I think the Windows Recovery Console is then the best way to delete that file.

Do you have a Windows CD?

Aussie1
2007-10-27, 15:36
Hi,

I've got XP SP1a CD...

Shaba
2007-10-27, 15:41
Hi

Just found a bad driver from startuplist, let's try this first:

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to unload:
yzphlims

Files to delete:
C:\Windows\system32\drivers\ioeqfxec.dat
C:\WINDOWS\system32\atmf.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
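The kind of check behind the "bad driver" call in the post above, as an added example (not part of the original thread and not code from HijackThis or The Avenger): it parses StartupList service lines copied from the report in this thread and flags driver entries whose image is not a .sys file. The function names and the three heuristics are assumptions made for illustration.

```python
import ntpath
import re

# Service lines copied from the StartupList report posted earlier in this thread.
SAMPLE = r"""
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
yzphlims: system32\drivers\ioeqfxec.dat (system)
Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)
"""

# Line shape: "<display name>: <image path [args]> (<start type>)"
LINE_RE = re.compile(r"^(?P<name>.+?): (?P<image>.+) \((?P<start>[^()]+)\)$")


def parse_services(report):
    """Yield (name, image, start) for every line that has the service shape."""
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("name"), m.group("image"), m.group("start")


def triage_drivers(report):
    """Return findings for entries loaded from a drivers directory
    whose image file does not have a .sys extension."""
    findings = []
    for name, image, start in parse_services(report):
        parts = [p.lower() for p in image.split("\\")]
        if "drivers" not in parts[:-1]:
            continue  # image is not under a drivers directory
        ext = ntpath.splitext(parts[-1])[1]
        if ext == ".sys":
            continue  # normal driver image name
        reasons = [f"driver image has extension {ext or '(none)'} instead of .sys"]
        if start == "system":
            # Supporting signal only: legitimate drivers such as vga.sys use it too.
            reasons.append("loaded at system start")
        if " " not in name:
            # Supporting signal only: winachsf above is a one-word name as well.
            reasons.append("no descriptive display name")
        findings.append({"name": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_drivers(SAMPLE):
        print(f["name"], "->", f["image"])
        for reason in f["reasons"]:
            print("   ", reason)
```

Only the extension test decides whether an entry is reported; the other two reasons are attached as context, because on their own they also match legitimate entries in the same report.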

Aussie1
2007-10-27, 15:49
Hi,

I checked the properties on that atmf file, and it was created on 13/10/07, fyi.

Avenger and HJT logs follow...

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mowynktq

*******************

Script file located at: \??\C:\oaldsnyg.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open registry key \Registry\Machine\System\CurrentControlSet\Services\yzphlims for deletion
Unload of driver yzphlims failed!

Could not process line:
yzphlims
Status: 0xc0000022



Could not open file C:\Windows\system32\drivers\ioeqfxec.dat for deletion
Deletion of file C:\Windows\system32\drivers\ioeqfxec.dat failed!

Could not process line:
C:\Windows\system32\drivers\ioeqfxec.dat
Status: 0xc0000022



Could not open file C:\WINDOWS\system32\atmf.dll for deletion
Deletion of file C:\WINDOWS\system32\atmf.dll failed!

Could not process line:
C:\WINDOWS\system32\atmf.dll
Status: 0xc0000022


Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:47 PM, on 27/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/news
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DBD9A01-488D-4179-BFCD-CDB9FB6B067B} - C:\WINDOWS\system32\atmf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://sideprojectregister.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186656681671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186656661265
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/93ea68328519c4/player.virtools.com/downloads/player/Install3.5/Installer.exe
O16 - DPF: {F1D54B0B-B6EA-43B5-BD26-A79D3DBF47E3} (Multidownx Control) - http://bigpondmusic.com/activex/multidownx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D3500BC-C51A-45A3-AB66-63385A06350F}: Domain = nsw.bigpond.net.au
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 1: (no name) - http://www.abc.net.au/sydney/702stream.asx

--
End of file - 7004 bytes
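Reading the Avenger log in the post above, as an added example (not part of the original thread and not The Avenger's own code): it extracts each failed script line and decodes the NTSTATUS value. The function names and the triage labels are assumptions; the status names are the standard Windows NTSTATUS constants.

```python
import re

# Excerpt copied from the Avenger log in the post above.
AVENGER_LOG = r"""
Could not open registry key \Registry\Machine\System\CurrentControlSet\Services\yzphlims for deletion
Unload of driver yzphlims failed!

Could not process line:
yzphlims
Status: 0xc0000022

Could not open file C:\Windows\system32\drivers\ioeqfxec.dat for deletion
Deletion of file C:\Windows\system32\drivers\ioeqfxec.dat failed!

Could not process line:
C:\Windows\system32\drivers\ioeqfxec.dat
Status: 0xc0000022

Could not open file C:\WINDOWS\system32\atmf.dll for deletion
Deletion of file C:\WINDOWS\system32\atmf.dll failed!

Could not process line:
C:\WINDOWS\system32\atmf.dll
Status: 0xc0000022
"""

# A few NTSTATUS codes that matter when a delete or unload fails.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}
# The top two bits of an NTSTATUS value encode its severity.
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}
NOT_FOUND = {"STATUS_OBJECT_NAME_NOT_FOUND", "STATUS_OBJECT_PATH_NOT_FOUND"}


def parse_failures(log):
    """Return one record per 'Could not process line:' block in the log."""
    failures = []
    lines = iter(line.strip() for line in log.splitlines())
    for line in lines:
        if line != "Could not process line:":
            continue
        # The next two non-empty lines are the script item and its status.
        item = next((l for l in lines if l), None)
        status = next((l for l in lines if l), "")
        m = re.fullmatch(r"Status: (0x[0-9a-fA-F]{8})", status)
        if item is None or m is None:
            continue  # truncated or malformed block
        code = int(m.group(1), 16)
        failures.append({
            "item": item,
            "code": code,
            "status": NTSTATUS.get(code, "unknown"),
            "severity": SEVERITY[code >> 30],
        })
    return failures


def triage(failures):
    """Summarise why the script failed (labels are this example's own)."""
    if not failures:
        return "clean"
    names = {f["status"] for f in failures}
    if names == {"STATUS_ACCESS_DENIED"}:
        return "protected"  # objects were found, but every open was refused
    if names <= NOT_FOUND:
        return "missing"    # wrong path, or the objects are already gone
    return "mixed"


if __name__ == "__main__":
    results = parse_failures(AVENGER_LOG)
    for f in results:
        print(f"{f['item']}: {f['status']} ({f['severity']})")
    print("triage:", triage(results))
```

All three items fail with access denied rather than not found, which fits the move in the following posts to deleting the files from outside the running system.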

Shaba
2007-10-27, 16:04
Hi

Ok, no go.

Let's hope that SP1a CD is no problem.

Here (http://support.microsoft.com/kb/307654) are instructions for the recovery console; you should print them out, and also this post.

You should run these commands in recovery console (press enter after each line):

cd\
cd C:\Windows\system32\drivers
attrib -h -r -s ioeqfxec.dat
del /a /f /q ioeqfxec.dat
cd..
attrib -h -r -s atmf.dll
del /a /f /q atmf.dll
exit

Computer will reboot.

Post a fresh HijackThis log.

If any questions, please ask them before proceeding :)

Aussie1
2007-10-28, 06:35
Hi Shaba,

I've hit a wall. Because my cd is sp1 and the pc is sp2 the recovery console can't be installed from the cd.

So, I've had to copy the cd files to c:xpcd, download sp2 to c:xpsp2 and then try to integrate the sp2 files into the xpcd directory...so that I can install the Recovery Console.

I hit a wall. I've tried both of these...
1. WindowsXP-KB835935-SP2-ENU.exe /integrate:C:\XPCD
2. WindowsXP-KB835935-SP2-ENU.exe -x [enter] [ok] C:XPSP2\i386\update\update /s:C:\XPCD.

I get the following error message with both methods...
"This Service Pack cannot be integrated into a destination that also has integrated Software Updates. Consult the Service Pack documentation for more details about supported integration scenarios."

Shaba, I'm a bit out of my depth here...

Is there anything left to try??

Shaba
2007-10-28, 11:48
Hi

Well, do some of your friends have an SP2 CD?

Aussie1
2007-10-28, 12:30
I'll find one. It might take a day or two, so please leave the thread open, I'll be back as soon as poss.

Is the malware malicious?

Cheers.

Shaba
2007-10-28, 12:31
Hi

Sure I will keep this open :)

Not very malicious but seems to be super-resistant to removal attempts.

Aussie1
2007-10-31, 15:15
Hi Shaba,

Okay, back on track...:)

I did some research :cool: and managed to create an xpsp2 cd (in a folder) - there was a work around.

I've installed recovery console and booted using it. When I typed "cd\" it wasn't very happy, but I then changed the directory to ...system32\drivers anyway.

From that prompt I typed the third line "attrib -h -r -s ioeqfxec.dat" and it returned the following error..."the parameter is not valid. Try \? for Help". I checked my typing and re-tried it, though with the same result...

Cheers.

Shaba
2007-10-31, 16:05
Hi

Ok, then perform just these:

cd C:\Windows\system32\drivers
del /a /f /q ioeqfxec.dat
cd..
del /a /f /q atmf.dll
exit

And tell me if that worked :)

Aussie1
2007-11-05, 14:32
Hi

(have been away with work - back now)

it still doesn't like the command "del /a /f /q ioeqfxec.dat"

it returns "The parameter is not valid. Try /? for help".

I tried the /a/f/q without spaces, but got the same result...

cheers.

Shaba
2007-11-05, 14:52
Hi

Try then without /a /f /q.

I really hope that this -> ioeqfxec.dat doesn't mutate on reboot.

Aussie1
2007-11-05, 15:26
Hi :)

Okay, "...system32\drivers>del ioeqfxec.dat" seemed to be accepted!

But it didn't like "cd.." it said "The command is not recognised. Type HELP for a list of supported commands".

I'm fairly certain that cd.. tells it to go up one directory level (eg. windows\system32>), but thought I'd better check before typing
"cd c:\windows\system32
del atmf.dll"

cheers.

Shaba
2007-11-05, 15:30
Hi

That's great :)

This should be fine:

"cd c:\windows\system32
del atmf.dll"

After performing that please post a fresh HijackThis log and a fresh startuplist, please :)

Aussie1
2007-11-06, 11:08
Hi Shaba,

Google's working!! woo hoo.

I ran ...system32\del atmf.dll

HJT log follows...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:04 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/news
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DBD9A01-488D-4179-BFCD-CDB9FB6B067B} - C:\WINDOWS\system32\atmf.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://sideprojectregister.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186656681671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186656661265
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/93ea68328519c4/player.virtools.com/downloads/player/Install3.5/Installer.exe
O16 - DPF: {F1D54B0B-B6EA-43B5-BD26-A79D3DBF47E3} (Multidownx Control) - http://bigpondmusic.com/activex/multidownx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D3500BC-C51A-45A3-AB66-63385A06350F}: Domain = nsw.bigpond.net.au
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 1: (no name) - http://www.abc.net.au/sydney/702stream.asx

--
End of file - 6935 bytes

Shaba
2007-11-06, 11:11
Hi

Yes it looks good :bigthumb:

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {5DBD9A01-488D-4179-BFCD-CDB9FB6B067B} - C:\WINDOWS\system32\atmf.dll (file missing)
O20 - AppInit_DLLs:

Close all windows including browser and press fix checked.

Reboot.

Post:

- a fresh HijackThis log
- a fresh startuplist

Aussie1
2007-11-06, 11:12
StartupList report, 6/11/2007, 8:10:44 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
palmOne Registration.lnk = C:\Program Files\palmOne\register.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Free WebSite Tools.lnk = ?
HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
HP Component Manager = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
MSPY2002 = C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
NBJ = "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Aussie1
2007-11-06, 11:12
Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\atmf.dll (file missing) - {5DBD9A01-488D-4179-BFCD-CDB9FB6B067B}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://sideprojectregister.spaces.live.com//PhotoUpload/MsnPUpld.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186656681671

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186656661265

[{76A2A0AB-38B7-46DB-8E47-F10CDE4D7920}]
CODEBASE = http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

[Virtools WebPlayer Class]
InProcServer32 = C:\Program Files\Virtools Web Player 3.5\WebPlayer.ocx
CODEBASE = http://a532.g.akamai.net/7/532/6712/93ea68328519c4/player.virtools.com/downloads/player/Install3.5/Installer.exe

[Java Plug-in 1.5.0_09]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9c.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Multidownx Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MULTID~1.OCX
CODEBASE = http://bigpondmusic.com/activex/multidownx.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Aussie1
2007-11-06, 11:13
Enumerating Windows NT/2000/XP services

Ad-Aware 2007 Service: "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe" (autostart)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Advanced SCSI Programming Interface Driver: \??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys (manual start)
ASPI32: System32\drivers\aspi32.sys (system)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Broadcom 440x 10/100 Integrated Controller XP Driver: System32\DRIVERS\bcm4sbxp.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DefWatch: C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Speedstream Ethernet USB Adapter: System32\DRIVERS\enethusb.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: System32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: System32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: System32\DRIVERS\HPZius12.sys (manual start)
HSFHWBS2: System32\DRIVERS\HSFHWBS2.sys (manual start)
HSF_DP: System32\DRIVERS\HSF_DP.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
NAVAP: \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys (manual start)
NAVAPEL: \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20071102.016\NAVENG.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20071102.016\NAVEX15.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Symantec AntiVirus Client: C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI: \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS (system)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
PalmUSBD: system32\drivers\PalmUSBD.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\System32\HPZipm12.exe (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
ProtexisLicensing: C:\WINDOWS\system32\PSIService.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Digital Camera Driver: System32\DRIVERS\smalusb.sys (manual start)
smwdm: system32\drivers\smwdm.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SAMSUNG USB Composite Device driver (WDM): System32\DRIVERS\sscdbus.sys (manual start)
SAMSUNG CDMA Modem Filter: System32\DRIVERS\sscdmdfl.sys (manual start)
SAMSUNG CDMA Modem Drivers: System32\DRIVERS\sscdmdm.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{D66FBF4B-16A4-467E-AE01-2A6C1367C278} (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
WpdUsb: System32\Drivers\wpdusb.sys (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
yzphlims: system32\drivers\ioeqfxec.dat (system)
Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 36,127 bytes
Report generated in 0.313 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Aussie1
2007-11-06, 11:19
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:06 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/news
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://sideprojectregister.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186656681671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186656661265
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/93ea68328519c4/player.virtools.com/downloads/player/Install3.5/Installer.exe
O16 - DPF: {F1D54B0B-B6EA-43B5-BD26-A79D3DBF47E3} (Multidownx Control) - http://bigpondmusic.com/activex/multidownx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D3500BC-C51A-45A3-AB66-63385A06350F}: Domain = nsw.bigpond.net.au
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 1: (no name) - http://www.abc.net.au/sydney/702stream.asx

--
End of file - 6747 bytes

Aussie1
2007-11-06, 11:22
StartupList report, 6/11/2007, 8:17:31 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
palmOne Registration.lnk = C:\Program Files\palmOne\register.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Free WebSite Tools.lnk = ?
HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
HP Component Manager = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
MSPY2002 = C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
NBJ = "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Aussie1
2007-11-06, 11:22
Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://sideprojectregister.spaces.live.com//PhotoUpload/MsnPUpld.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186656681671

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186656661265

[{76A2A0AB-38B7-46DB-8E47-F10CDE4D7920}]
CODEBASE = http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

[Virtools WebPlayer Class]
InProcServer32 = C:\Program Files\Virtools Web Player 3.5\WebPlayer.ocx
CODEBASE = http://a532.g.akamai.net/7/532/6712/93ea68328519c4/player.virtools.com/downloads/player/Install3.5/Installer.exe

[Java Plug-in 1.5.0_09]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9c.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Multidownx Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MULTID~1.OCX
CODEBASE = http://bigpondmusic.com/activex/multidownx.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Aussie1
2007-11-06, 11:23
Enumerating Windows NT/2000/XP services

Ad-Aware 2007 Service: "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe" (autostart)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Advanced SCSI Programming Interface Driver: \??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys (manual start)
ASPI32: System32\drivers\aspi32.sys (system)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Broadcom 440x 10/100 Integrated Controller XP Driver: System32\DRIVERS\bcm4sbxp.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DefWatch: C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Speedstream Ethernet USB Adapter: System32\DRIVERS\enethusb.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: System32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: System32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: System32\DRIVERS\HPZius12.sys (manual start)
HSFHWBS2: System32\DRIVERS\HSFHWBS2.sys (manual start)
HSF_DP: System32\DRIVERS\HSF_DP.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
NAVAP: \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys (manual start)
NAVAPEL: \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20071102.016\NAVENG.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20071102.016\NAVEX15.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Symantec AntiVirus Client: C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI: \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS (system)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
PalmUSBD: system32\drivers\PalmUSBD.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\System32\HPZipm12.exe (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
ProtexisLicensing: C:\WINDOWS\system32\PSIService.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Digital Camera Driver: System32\DRIVERS\smalusb.sys (manual start)
smwdm: system32\drivers\smwdm.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SAMSUNG USB Composite Device driver (WDM): System32\DRIVERS\sscdbus.sys (manual start)
SAMSUNG CDMA Modem Filter: System32\DRIVERS\sscdmdfl.sys (manual start)
SAMSUNG CDMA Modem Drivers: System32\DRIVERS\sscdmdm.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{D66FBF4B-16A4-467E-AE01-2A6C1367C278} (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
WpdUsb: System32\Drivers\wpdusb.sys (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
yzphlims: system32\drivers\ioeqfxec.dat (system)
Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 35,979 bytes
Report generated in 0.218 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Shaba
2007-11-06, 12:10
Hi

Driver is still there so that's the next step:


1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to unload:
yzphlims


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.
- Under "Script file to execute" choose "Input Script Manually".
- Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
- Paste the text copied to clipboard into this window by pressing (Ctrl+V).
- Click Done
- Now click on the Green Light to begin execution of the script
- Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
- It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
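
An added example, not part of the original thread and not a tool either poster used: a small Python triage of the "Name: image path (start type)" lines in the listing above. It flags entries whose image sits in the drivers directory but is not a .sys file, which singles out the yzphlims entry, and re-checks a later listing for the same name. The extension rule is an assumed heuristic for illustration; the BEFORE lines are copied from the log above and the AFTER listing is constructed.

```python
import ntpath
import re
from typing import List, NamedTuple

# Lines copied from the service/driver listing in the log above.
BEFORE = r"""
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
yzphlims: system32\drivers\ioeqfxec.dat (system)
Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)
"""

# Constructed "later" listing: the same lines with the flagged entry gone.
AFTER = "\n".join(
    line for line in BEFORE.splitlines() if not line.startswith("yzphlims")
)

# "Display name: image path [args] (start type)"; the name ends at the first ": ".
LINE_RE = re.compile(r"^(?P<name>.+?): (?P<image>.+) \((?P<start>[^()]+)\)$")
# Executable part of the image string: optional quote, then up to the first
# ".ext" that is followed by a quote, whitespace or end of string.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.[A-Za-z0-9]{2,4})(?="|\s|$)')


class Entry(NamedTuple):
    name: str
    image: str
    start: str


def parse_listing(text: str) -> List[Entry]:
    """Parse every line that matches the listing layout; skip the rest."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["name"], m["image"], m["start"]))
    return entries


def image_path(entry: Entry) -> str:
    """Return the image path without trailing arguments such as '-k netsvcs'."""
    m = EXE_RE.match(entry.image)
    return m["path"] if m else entry.image


def is_odd_driver(entry: Entry) -> bool:
    """Assumed heuristic: image lives under \\drivers\\ but is not a .sys file."""
    path = image_path(entry).lower().replace("/", "\\")
    return "\\drivers\\" in path and ntpath.splitext(path)[1] != ".sys"


def flag_odd_drivers(text: str) -> List[Entry]:
    return [e for e in parse_listing(text) if is_odd_driver(e)]


def still_present(flagged: List[Entry], later_text: str) -> List[str]:
    """Names of previously flagged entries that a later listing still shows."""
    later = {e.name.lower() for e in parse_listing(later_text)}
    return [e.name for e in flagged if e.name.lower() in later]


if __name__ == "__main__":
    hits = flag_odd_drivers(BEFORE)
    for e in hits:
        print(f"flagged: {e.name} -> {image_path(e)} ({e.start})")
    print("still present later:", still_present(hits, AFTER))
```

winachsf is kept in the sample on purpose: a short, opaque display name is not a reliable signal by itself, since legitimate drivers have such names too, so the check keys on the image path instead.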

Aussie1
2007-11-07, 11:53
Hi,

Seemed to work??

Cheers.

Avenger and HJT logs follow...

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xafqvffg

*******************

Script file located at: \??\C:\Program Files\kaykbduk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver yzphlims unloaded successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:19 PM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/news
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://sideprojectregister.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186656681671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186656661265
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/93ea68328519c4/player.virtools.com/downloads/player/Install3.5/Installer.exe
O16 - DPF: {F1D54B0B-B6EA-43B5-BD26-A79D3DBF47E3} (Multidownx Control) - http://bigpondmusic.com/activex/multidownx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D3500BC-C51A-45A3-AB66-63385A06350F}: Domain = nsw.bigpond.net.au
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 1: (no name) - http://www.abc.net.au/sydney/702stream.asx

--
End of file - 6837 bytes

Shaba
2007-11-07, 11:55
Hi

Yes it did :)

Re-scan with Kaspersky.

Post:

- a fresh HijackThis log
- Kaspersky report

Aussie1
2007-11-07, 13:56
Hi

Kaspersky found 2 viruses - virtually as soon as I started the scan.

And Symantec popped up a warning during the Kaspersky scan (I'm not sure how to insert the pic). But it was blank??

Cheers.

HJT & Kaspersky logs follow...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:20 PM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/news
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://sideprojectregister.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186656681671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186656661265
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/93ea68328519c4/player.virtools.com/downloads/player/Install3.5/Installer.exe
O16 - DPF: {F1D54B0B-B6EA-43B5-BD26-A79D3DBF47E3} (Multidownx Control) - http://bigpondmusic.com/activex/multidownx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D3500BC-C51A-45A3-AB66-63385A06350F}: Domain = nsw.bigpond.net.au
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 1: (no name) - http://www.abc.net.au/sydney/702stream.asx

--
End of file - 6764 bytes

Aussie1
2007-11-07, 13:57
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 07, 2007 10:43:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/11/2007
Kaspersky Anti-Virus database records: 452722
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 62335
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 01:38:58

Infected Object Name / Virus Name / Last Action
C:\!KillBox\atmf.1 Infected: Trojan-Spy.Win32.BZub.btd skipped
C:\!KillBox\div.dll Infected: Trojan.Win32.Delf.aif skipped

Aussie1
2007-11-07, 13:58

Aussie1
2007-11-07, 13:59

Aussie1
2007-11-07, 14:00
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\ic_feed_16x[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\ie[1].htm Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\java-se[1].htm Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\java-tutorial-free-intro[1].htm Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\java-tutorials-index[1].htm Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\java_bar[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\java_bar_tr[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\jl[1].jpg Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\kb-on[1].png Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\ko[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\l2_SXDE_bball[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\learn-java[1].htm Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\lesson-viewer[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\lessonview[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\lnk[1] Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\lnk[1].htm Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\lnk[2] Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\logo[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\logo_footer[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\logo_footer[2].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\logo_scurvejava[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\logo_sun_small_sdn[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\lowdetail[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\lw-search-button[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\main-tabs[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\MB-EN-sm[1].swf Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\membership_benefits[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\menucontent[1].js Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\mobilegmaps[1].jpg Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\navbar_members[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\navbar_worldmap[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\nb-logo2[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\no2[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\onlineTraining[1].htm Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\open_projectglassfish_rtnav[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\othero[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\pc4_haaseort[1].jpg Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\pg_bananas[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\pixel[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\popUp[1].js Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\po[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\products-off[1].png Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\quant[1].js Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\r[1].js Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\r[2].js Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\search[1].htm Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\search[2].htm Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\sepbar-1[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\show_ads[1].js Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\so[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\tab_green_lft[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\te2[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\tigris[1].js Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\TL_aab6c6_5482a3[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\TL_fff[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\topbg[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\tp2[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\trythis[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\tvguide[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\ukflag[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\up.about[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\verify_install_button[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\vlag[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\wo[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0DYBKPMV\y1[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\47SRS7QH\160x600_mobilegamesonpc[1].jpg Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\47SRS7QH\210x179_maya[1].jpg Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\47SRS7QH\210x179_openofficeorg[1].jpg Object is locked skipped

Aussie1
2007-11-07, 14:01

Aussie1
2007-11-07, 14:02
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\harrow_down[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\head-scripts[1].js Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\hm-but-bot[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\hm-but-tp[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\ho[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\icon_mini_desktop[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\icon_mini_phone[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\ic_feed_16x[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\ic_open_win[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\ic_open_win[2].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\ii[1].htm Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\ii[2].htm Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\image[1].png Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\imgad[1].jpg Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\javaIcon[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\javase-intro[1].htm Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\java_bar_tl[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\jw-logo-tagline[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\l2_askxprt[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\l2_duke_javase6uN[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\leftarrow[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\lmc_728x90[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\lnk[1] Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\loginbox[1].js Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\Logo_50wht[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\logo_openoffice[1].jpg Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\logo_scurvejava[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\lo[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\lvl_ep117[1].xml Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\MenuBar[1].js Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\menucode[1].js Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\mo[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\navbar_manual[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\navS6[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\netbeans[1].css Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\newsletter_signup[1].jpg Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\nextlink[1].js Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\nlflag[1].gif Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\override[1].css Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\FRLRU6FZ\parenting[1].gif Object is locked skipped

Aussie1
2007-11-07, 14:02

Scan process completed.

Shaba
2007-11-07, 14:49
Hi

Empty this folder:

C:\!KillBox

Empty Recycle Bin

Still problems?

Aussie1
2007-11-08, 10:09
You're a legend, that's fantastic.
and thank you!! :bigthumb::bigthumb::bigthumb:

I run and keep updated Symantec antivirus, Spybot and Adaware, I don't surf suspect sites - I'm not sure how I got this malware in the first place?

Cheers.

Shaba
2007-11-08, 11:22
Hi

"I run and keep updated Symantec antivirus, Spybot and Adaware, I don't surf suspect sites - I'm not sure how I got this malware in the first place?"

Not sure but check my instructions below in order to avoid malware in the future.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/)
2) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
3) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
4) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

You can remove all tools we used.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)


Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!
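
An added example (not part of the original post): the six Internet-zone changes listed in the post above, checked against a text export of the zone's registry key. The registry path, the value names (1001, 1004, 1201, 1607, 1800, 1804), the 0/1/3 encoding and the sample export are not from the thread; the sample export is constructed.

```python
import re

# Assumption (not in the thread): per-user Internet zone settings live under
# this key, exported to text with:  reg export "<this key>" zone3.reg
INTERNET_ZONE_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
    r"\CurrentVersion\Internet Settings\Zones\3"
)

# URL action encoding used by the zone values: 0 Enable, 1 Prompt, 3 Disable.
ACTION_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Registry value name -> (label as written in the post, setting the post asks for).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')

# Constructed sample export: two settings left on Enable, one value missing,
# plus a Zones\2 section that must not be confused with the Internet zone.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000000
'''


def decode_reg_bytes(data):
    """Version 5.00 exports are UTF-16 with a BOM; REGEDIT4 files are ANSI."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("latin-1")


def parse_zone_dwords(reg_text, key=INTERNET_ZONE_KEY):
    """Return {value_name: int} for the DWORD values stored under `key`."""
    values = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            # Registry key names are case-insensitive.
            in_key = section.group("key").lower() == key.lower()
            continue
        if not in_key:
            continue
        match = DWORD_RE.match(line)
        if match:
            values[match.group("name")] = int(match.group("hex"), 16)
    return values


def audit_internet_zone(reg_text):
    """List (value_name, label, wanted, found) for every setting that differs
    from the post; found is None when the export does not carry the value."""
    found = parse_zone_dwords(reg_text)
    findings = []
    for name, (label, wanted) in RECOMMENDED.items():
        actual = found.get(name)
        if actual != wanted:
            findings.append((name, label, wanted, actual))
    return findings


def describe(finding):
    """Render one finding as a line of text for a report."""
    name, label, wanted, actual = finding
    if actual is None:
        state = "not present in export"
    else:
        state = ACTION_NAMES.get(actual, "unknown value %d" % actual)
    return "%s (%s): is %s, post asks for %s" % (
        label, name, state, ACTION_NAMES[wanted])


if __name__ == "__main__":
    for item in audit_internet_zone(SAMPLE_EXPORT):
        print(describe(item))
```

To check a real machine, read the exported file in binary mode and pass `decode_reg_bytes(data)` to `audit_internet_zone`.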

Aussie1
2007-11-08, 13:58
Done. Thanks for your help, it's just a fantastic service.
:)

THANK YOU!!!!!!!!

Shaba
2007-11-10, 11:59
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.