PDA

View Full Version : Services and Controller app, Vista


djbass
2007-10-21, 00:22
I am running Windows Vista Ultimate with all current updates.

The first sign of a problem started when I was intermittantly getting the message "Services and Controller app has encountered a problem and needs to close", followed by a forced restart.

I eventually noticed that this only happened when an internet connection was present, I put more agressive firewall settings into my router which has allowed me to operate the computer without crashing for the time being.

I then ran Adaware/Spybot as well as several virus scanners but none of them turned up anything. I have tried specific fixes for a lot of known worms/trojans (blaster, sober etc). I have tried rootkit scanners which also have turned up nothing.

I decided to run TcpView to see which process was attempting to make the connection and found that services.exe would establish a connection to smtp.bk.ru as soon as I turned my firewall off, followed shortly by services.exe crashing.

I ran Wireshark (Ethereal) to see what exactly was being sent out and sure enough it was attempting to mass email to various addresses (none of which have come from my email client Thunderbird). On a more interesting note I also captured the username & password for the spam account.

HJT & Kaspersky log are posted below.
djbass
2007-10-21, 00:23
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:44 AM, on 21/10/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTxfispi.exe
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Internode\mum.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.on.net:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {F81FB289-0FB6-4FE0-A488-101447EE1ED3} (HD View Control) - http://research.microsoft.com/ivm/HDView/HDViewVista.cab
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SATARaid5 Configuration Service (SATARaid5 Config Service) - Unknown owner - C:\Program Files\Silicon Image\3132-W-I32-R SATARAID5\SATARaid5ConfigService.exe

--
End of file - 7114 bytes
djbass
2007-10-21, 00:24
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 21, 2007 7:10:58 AM
Operating System: Microsoft Windows Vista Professional, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/10/2007
Kaspersky Anti-Virus database records: 441591
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 174732
Number of viruses found: 3
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:07:37

Infected Object Name / Virus Name / Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\dig\nc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\efce66e96e9bd035e717d8dcd0761d68_728f751e-cd70-477c-bf4f-11d1b1b26052 Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\ProgramData\Microsoft\Windows\DRM\drmstore.hds Object is locked skipped
C:\Users\Peter\AppData\Local\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Users\Peter\AppData\Local\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Users\Peter\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Peter\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Peter\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Peter\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Peter\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Peter\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Peter\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Peter\AppData\Local\Microsoft\Windows\UsrClass.dat{6b8e05b3-c1da-11db-9f77-00508d94014c}.TM.blf Object is locked skipped
C:\Users\Peter\AppData\Local\Microsoft\Windows\UsrClass.dat{6b8e05b3-c1da-11db-9f77-00508d94014c}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Peter\AppData\Local\Microsoft\Windows\UsrClass.dat{6b8e05b3-c1da-11db-9f77-00508d94014c}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Peter\AppData\Local\Temp\FXSAPIDebugLogFile.txt Object is locked skipped
C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Peter\Desktop\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Users\Peter\NTUSER.DAT Object is locked skipped
C:\Users\Peter\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Peter\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Peter\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf Object is locked skipped
C:\Users\Peter\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Peter\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Public\Recorded TV\TempRec\TempSBE\MSDVRMM_2015390875_15794176_53367 Object is locked skipped
C:\Users\Public\Recorded TV\TempRec\TempSBE\SBEDD7F.tmp Object is locked skipped
C:\Users\Public\Recorded TV\TempRec\{2B710FC3-D080-48E3-B609-8899689E158F}.TmpSBE Object is locked skipped
C:\Windows\CSC\v2.0.6\pq Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\SchedLgU.Txt Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{0f694465-6a70-11db-8eb3-985e31beb686}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{0f694465-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{0f694465-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\ehmsdri.log Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\ehRecvr.log Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{0f694461-6a70-11db-8eb3-985e31beb686}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{0f694461-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{0f694461-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
C:\Windows\System32\drivers\sptd.sys Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.002 Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped

Scan process completed.
Rorschach112
2007-10-27, 14:03
Sorry for the delay. My name is Rorschach and I'll be helping you with your problems.

Looking at your logs, this may not be a malware issue. Lets take a deeper look though to be sure.


Download WinPFind3U.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
Under Additional Scans on the bottom right, check the boxes for Reg - Disabled MS Config Items, Reg - Uninstall List.
Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and attach the information back here. I will review it when it comes in. The last line is < End of Report >
djbass
2007-10-27, 18:45
WinPFind3 logfile created on: 28/10/2007 2:01:57 AM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Users\Peter\Desktop\WinPFind3u\
Windows Vista (TM) Ultimate (Version = 6.0.6000)
Internet Explorer (Version = 7.0.6000.16546)

2.00 Gb Total Physical Memory | 1.32 Gb Available Physical Memory | 66.03% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): c:\pagefile.sys 0 0;f:\pagefile.sys 0 0;

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 80.18 Gb Free Space | 34.43% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 139.73 Gb Total Space | 107.51 Gb Free Space | 76.94% Space Free

Computer Name: DJBASS2
Current User Name: Peter
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
avgnt.exe -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgnt.exe -> Avira GmbH [Ver = 7.02.00.16 | Size = 249896 bytes | Modified Date = 16/10/2007 2:11:30 PM | Attr = ]
avguard.exe -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avguard.exe -> Avira GmbH [Ver = 7.00.00.82 | Size = 214056 bytes | Modified Date = 16/10/2007 2:11:30 PM | Attr = ]
cthelper.exe -> %System32%\CTHELPER.EXE -> Creative Technology Ltd [Ver = 6.00.01.1302-2.15.1030 | Size = 19456 bytes | Modified Date = 10/05/2007 4:51:56 PM | Attr = ]
ctxfihlp.exe -> %System32%\CTXFIHLP.EXE -> Creative Technology Ltd [Ver = 6.00.01.1302-2.15.1030 | Size = 19968 bytes | Modified Date = 10/05/2007 4:52:00 PM | Attr = ]
ctxfispi.exe -> %System32%\CTXFISPI.EXE -> Creative Technology Ltd [Ver = 6.00.01.1302-2.15.1030 | Size = 966144 bytes | Modified Date = 10/05/2007 4:48:30 PM | Attr = ]
daemon.exe -> %ProgramFiles%\DAEMON Tools\daemon.exe -> DT Soft Ltd. [Ver = 4.09.0.0 | Size = 165784 bytes | Modified Date = 4/04/2007 7:59:16 AM | Attr = ]
dllml.exe -> %ProgramFiles%\Creative\Shared Files\Module Loader\DLLML.exe -> Creative Technology Ltd. [Ver = 1.0.25.0 | Size = 49152 bytes | Modified Date = 4/11/2005 6:07:56 PM | Attr = ]
khalmnpr.exe -> %CommonProgramFiles%\Logitech\khalshared\KHALMNPR.exe -> Logitech Inc. [Ver = 3.30.152 | Size = 101136 bytes | Modified Date = 23/01/2007 3:44:00 PM | Attr = ]
lcdclock.exe -> %CommonProgramFiles%\Logitech\LCD Manager\Applets\LCDClock.exe -> Logitech Inc. [Ver = 1.04.153 | Size = 203288 bytes | Modified Date = 26/04/2007 4:53:24 PM | Attr = ]
lcdmedia.exe -> %CommonProgramFiles%\Logitech\LCD Manager\Applets\LCDMedia.exe -> Logitech Inc. [Ver = 1.04.153 | Size = 374296 bytes | Modified Date = 26/04/2007 4:54:18 PM | Attr = ]
lcdmon.exe -> %CommonProgramFiles%\Logitech\LCD Manager\LCDMon.exe -> Logitech Inc. [Ver = 1.04.153 | Size = 774168 bytes | Modified Date = 26/04/2007 4:54:30 PM | Attr = ]
mum.exe -> %ProgramFiles%\Internode\mum.exe -> Angus Johnson [Ver = 6.5.3.158 | Size = 1197568 bytes | Modified Date = 6/07/2007 3:13:30 PM | Attr = ]
pnkbstra.exe -> %System32%\PnkBstrA.exe -> [Ver = | Size = 66872 bytes | Modified Date = 1/09/2007 12:30:18 AM | Attr = ]
richvideo.exe -> %ProgramFiles%\CyberLink\Shared files\RichVideo.exe -> [Ver = 1.1.0808 | Size = 173616 bytes | Modified Date = 7/02/2007 4:29:50 PM | Attr = ]
sataraid5configservice.exe -> %ProgramFiles%\Silicon Image\3132-W-I32-R SATARAID5\SATARaid5ConfigService.exe -> [Ver = | Size = 131072 bytes | Modified Date = 5/10/2005 6:19:00 PM | Attr = ]
sched.exe -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\sched.exe -> Avira GmbH [Ver = 7.00.00.62 | Size = 63016 bytes | Modified Date = 28/08/2007 1:16:24 PM | Attr = ]
setpoint.exe -> %ProgramFiles%\Logitech\SetPoint\SetPoint.exe -> Logitech Inc. [Ver = 3.30.165 | Size = 688128 bytes | Modified Date = 30/01/2007 1:52:06 AM | Attr = ]
tsvncache.exe -> %ProgramFiles%\TortoiseSVN\bin\TSVNCache.exe -> www.tortoisesvn.org [Ver = 1, 4, 3, 8645 | Size = 397312 bytes | Modified Date = 4/02/2007 10:07:26 AM | Attr = ]
vsmon.exe -> %System32%\ZoneLabs\vsmon.exe -> Check Point Software Technologies LTD [Ver = 7.1.078.000 | Size = 79664 bytes | Modified Date = 4/06/2007 5:24:56 AM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 4/09/2007 10:47:26 AM | Attr = ]
zlclient.exe -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Check Point Software Technologies LTD [Ver = 7.1.078.000 | Size = 960240 bytes | Modified Date = 4/06/2007 5:24:58 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.67.010 | Size = 72704 bytes | Modified Date = 9/04/2007 11:01:48 PM | Attr = ]
(AntiVirScheduler) AntiVir PersonalEdition Classic Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\sched.exe -> Avira GmbH [Ver = 7.00.00.62 | Size = 63016 bytes | Modified Date = 28/08/2007 1:16:24 PM | Attr = ]
(AntiVirService) AntiVir PersonalEdition Classic Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avguard.exe -> Avira GmbH [Ver = 7.00.00.82 | Size = 214056 bytes | Modified Date = 16/10/2007 2:11:30 PM | Attr = ]
(CertPropSvc) Certificate Propagation [Win32_Shared | Unknown | Stopped] -> -> File not found
(DcomLaunch) DCOM Server Process Launcher [Win32_Shared | Unknown | Running] -> -> File not found
(DPS) Diagnostic Policy Service [Win32_Shared | Unknown | Running] -> -> File not found
(gpsvc) Group Policy Client [Win32_Shared | Unknown | Running] -> -> File not found
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/04/2005 12:41:10 AM | Attr = ]
(idsvc) Windows CardSpace [Win32_Shared | Unknown | Stopped] -> -> File not found
(iPod Service) iPod Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 492608 bytes | Modified Date = 30/10/2006 9:36:32 AM | Attr = ]
(MSDTC) Distributed Transaction Coordinator [Win32_Own | Unknown | Stopped] -> -> File not found
(MySQL) MySQL [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe -> [Ver = | Size = 6701056 bytes | Modified Date = 28/06/2007 5:37:40 PM | Attr = ]
(NBService) NBService [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe -> Nero AG [Ver = 2, 10, 3, 2 | Size = 800040 bytes | Modified Date = 29/06/2007 7:16:56 PM | Attr = ]
(NMIndexingService) NMIndexingService [Win32_Own | Disabled | Stopped] -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> Nero AG [Ver = 2,0,16,0 | Size = 279848 bytes | Modified Date = 27/06/2007 7:04:00 PM | Attr = ]
(PnkBstrA) PnkBstrA [Win32_Own | Auto | Running] -> %System32%\PnkBstrA.exe -> [Ver = | Size = 66872 bytes | Modified Date = 1/09/2007 12:30:18 AM | Attr = ]
(RichVideo) Cyberlink RichVideo Service(CRVS) [Win32_Own | Auto | Running] -> %ProgramFiles%\CyberLink\Shared files\RichVideo.exe -> [Ver = 1.1.0808 | Size = 173616 bytes | Modified Date = 7/02/2007 4:29:50 PM | Attr = ]
(rpcapd) Remote Packet Capture Protocol v.0 (experimental) [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\WinPcap\rpcapd.exe -> CACE Technologies [Ver = 4.0.0.901 | Size = 92792 bytes | Modified Date = 29/06/2007 9:31:48 AM | Attr = ]
(RpcSs) Remote Procedure Call (RPC) [Win32_Shared | Unknown | Running] -> -> File not found
(SATARaid5 Config Service) SATARaid5 Configuration Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Silicon Image\3132-W-I32-R SATARAID5\SATARaid5ConfigService.exe -> [Ver = | Size = 131072 bytes | Modified Date = 5/10/2005 6:19:00 PM | Attr = ]
(SCardSvr) Smart Card [Win32_Shared | Unknown | Stopped] -> -> File not found
(Schedule) Task Scheduler [Win32_Shared | Unknown | Running] -> -> File not found
(SCPolicySvc) Smart Card Removal Policy [Win32_Shared | Unknown | Stopped] -> -> File not found
(TrustedInstaller) Windows Modules Installer [Win32_Own | Unknown | Running] -> -> File not found
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Running] -> %System32%\ZoneLabs\vsmon.exe -> Check Point Software Technologies LTD [Ver = 7.1.078.000 | Size = 79664 bytes | Modified Date = 4/06/2007 5:24:56 AM | Attr = ]
(WdiServiceHost) Diagnostic Service Host [Win32_Shared | Unknown | Stopped] -> -> File not found
(WdiSystemHost) Diagnostic System Host [Win32_Shared | Unknown | Running] -> -> File not found
djbass
2007-10-27, 18:45
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
-> -> File not found
AudioDrvEmulator -> %ProgramFiles%\Creative\Shared Files\Module Loader\DLLML.exe -> Creative Technology Ltd. [Ver = 1.0.25.0 | Size = 49152 bytes | Modified Date = 4/11/2005 6:07:56 PM | Attr = ]
avgnt -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgnt.exe -> Avira GmbH [Ver = 7.02.00.16 | Size = 249896 bytes | Modified Date = 16/10/2007 2:11:30 PM | Attr = ]
CTHelper -> %System32%\CTHELPER.EXE -> Creative Technology Ltd [Ver = 6.00.01.1302-2.15.1030 | Size = 19456 bytes | Modified Date = 10/05/2007 4:51:56 PM | Attr = ]
CTxfiHlp -> %System32%\CTXFIHLP.EXE -> Creative Technology Ltd [Ver = 6.00.01.1302-2.15.1030 | Size = 19968 bytes | Modified Date = 10/05/2007 4:52:00 PM | Attr = ]
CTXFIREG -> %System32%\CTXFIREG.EXE -> Creative Technology Ltd [Ver = 6.00.01.1302-2.15.1030 | Size = 43520 bytes | Modified Date = 10/05/2007 4:48:34 PM | Attr = ]
Kernel and Hardware Abstraction Layer -> %SystemRoot%\KHALMNPR.Exe -> Logitech Inc. [Ver = 3.30.152 | Size = 101136 bytes | Modified Date = 23/01/2007 3:44:00 PM | Attr = ]
LanguageShortcut -> %ProgramFiles%\CyberLink\PowerDVD\Language\Language.exe -> [Ver = 1.00.2405 | Size = 54832 bytes | Modified Date = 7/02/2007 4:21:30 PM | Attr = ]
Launch LCDMon -> %CommonProgramFiles%\Logitech\LCD Manager\LCDMon.exe -> Logitech Inc. [Ver = 1.04.153 | Size = 774168 bytes | Modified Date = 26/04/2007 4:54:30 PM | Attr = ]
Launch LGDCore -> %CommonProgramFiles%\Logitech\G-series Software\LGDCore.exe -> Logitech Inc. [Ver = 1.04.153 | Size = 1132056 bytes | Modified Date = 26/04/2007 5:22:32 PM | Attr = ]
NeroFilterCheck -> %CommonProgramFiles%\Ahead\Lib\NeroCheck.exe -> Nero AG [Ver = 1, 0, 0, 6 | Size = 153136 bytes | Modified Date = 1/03/2007 3:57:24 PM | Attr = ]
NvCplDaemon -> %System32%\nvcpl.dll [RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 8429568 bytes | Modified Date = 12/04/2007 5:07:00 PM | Attr = ]
NvMediaCenter -> %System32%\nvmctray.dll [RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit] -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 81920 bytes | Modified Date = 12/04/2007 5:07:00 PM | Attr = ]
NvSvc -> %System32%\nvsvc.dll [RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart] -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 86016 bytes | Modified Date = 12/04/2007 5:07:00 PM | Attr = ]
UpdReg -> %SystemRoot%\Updreg.EXE -> Creative Technology Ltd. [Ver = 1.0.2 | Size = 90112 bytes | Modified Date = 11/05/2000 1:00:00 AM | Attr = ]
ZoneAlarm Client -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Check Point Software Technologies LTD [Ver = 7.1.078.000 | Size = 960240 bytes | Modified Date = 4/06/2007 5:24:58 AM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
DAEMON Tools -> %ProgramFiles%\DAEMON Tools\daemon.exe -> DT Soft Ltd. [Ver = 4.09.0.0 | Size = 165784 bytes | Modified Date = 4/04/2007 7:59:16 AM | Attr = ]
InternodeUsage -> %ProgramFiles%\Internode\mum.exe -> Angus Johnson [Ver = 6.5.3.158 | Size = 1197568 bytes | Modified Date = 6/07/2007 3:13:30 PM | Attr = ]
MsnMsgr -> %ProgramFiles%\MSN Messenger\MsnMsgr.Exe -> File not found
< Common Startup > -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup ->
%AllUsersAppData%\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk -> %ProgramFiles%\Logitech\SetPoint\SetPoint.exe -> Logitech Inc. [Ver = 3.30.165 | Size = 688128 bytes | Modified Date = 30/01/2007 1:52:06 AM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\\ScanWithAntiVirus -> 3 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorAdmin -> 2 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorUser -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableInstallerDetection -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableLUA -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableSecureUIAPaths -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableVirtualization -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\PromptOnSecureDesktop -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ValidateAdminCodeSignatures -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\scforceoption -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\FilterAdministratorToken -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_TEXT -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_BITMAP -> 2 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_OEMTEXT -> 7 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_DIB -> 8 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_PALETTE -> 9 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_UNICODETEXT -> 13 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_DIBV5 -> 17 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
< HOSTS File > (761 bytes) -> C:\Windows\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
::1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKCU: Local Page -> C:\Windows\system32\blank.htm ->
HKCU: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKCU: Start Page -> http://www.yahoo.com/ ->
HKCU: ProxyEnable -> 0 ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 22/10/2006 11:08:42 PM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 25/09/2007 1:11:34 AM | Attr = ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 25/09/2007 1:11:34 AM | Attr = ]
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> Reg Data - Key not found [MenuText: Spybot - Search & Destroy Configuration] -> File not found
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{39D666C2-B996-485A-B11C-50C607BD9E19} -> (Realtek RTL8168/8111 Family PCI-E Gigabit Ethernet NIC (NDIS 6.0)) ->
{DA949D9A-DEA7-43AD-8977-C00DE77ED895} -> (Realtek RTL8168/8111 Family PCI-E Gigabit Ethernet NIC (NDIS 6.0)) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
about -> Reg Data - Key not found -> File not found
dvd -> Reg Data - Key not found -> File not found
ipp -> Reg Data - Key not found -> File not found
its -> Reg Data - Key not found -> File not found
mhtml -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
ms-its -> Reg Data - Key not found -> File not found
tv -> Reg Data - Key not found -> File not found
vbscript -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -> QuickTime Object - CodeBase = http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab ->
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -> CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab ->
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab ->
{39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -> CDownloadCtrl Object - CodeBase = http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_03 - CodeBase = http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab ->
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -> - CodeBase = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab ->
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab ->
{F81FB289-0FB6-4FE0-A488-101447EE1ED3} -> HD View Control - CodeBase = http://research.microsoft.com/ivm/HDView/HDViewVista.cab ->
djbass
2007-10-27, 18:46
[Registry - Additional Scans - Non-Microsoft Only]
< Uninstall List > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ ->
@icon sushi_is1 -> @icon sushi 1.21 ->
{048298C9-A4D3-490B-9FF9-AB023A9238F3} -> Steam ->
{0CFCE56C-3B69-469A-B7B5-B60B936D0088} -> MySQL Server 5.1 ->
{0D6BC279-CAD9-4BF8-85B7-6E33157D1261} -> PHP 5.2.2 ->
{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A} -> Security Update for CAPICOM (KB931906) ->
{17B66E83-1BC9-11D5-A54A-0090278A1BB8} -> Microsoft FrontPage Client - English ->
{18D10072035C4515918F7E37EAFAACFC} -> AutoUpdate ->
{18F11181-EA1A-42AE-AF89-4867C7F7A6FA} -> Sound Blaster X-Fi ->
{1A655D51-1423-48A3-B748-8F5A0BE294C8} -> Microsoft Visual J# .NET Redistributable Package 1.1 ->
{236BB7C4-4419-42FD-0409-1E257A25E34D} -> Adobe Photoshop CS2 ->
{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3} -> Logitech SetPoint ->
{2FEB25F8-C3CB-49A2-AE79-DE17FFAFB5D9} -> MySQL Server 5.0 ->
{3248F0A8-6813-11D6-A77B-00B0D0150050} -> J2SE Runtime Environment 5.0 Update 5 ->
{3248F0A8-6813-11D6-A77B-00B0D0160030} -> Java(TM) 6 Update 3 ->
{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227} -> WebFldrs XP ->
{3A253240-FD45-4570-8D3B-A742F1502D75} -> Richard Garriott's Tabula Rasa ->
{3E354FBA-C7CE-402A-BB0D-225230BB1918} -> Logitech G15 Keyboard Software 1.04 ->
{446DBFFA-4088-48E3-8932-74316BA4CAE4} -> iTunes ->
{44D4AF75-6870-41F5-9181-662EA05507E1} -> Microsoft Document Explorer 2005 ->
{50D8FFDD-90CD-4859-841F-AA1961C7767A} -> QuickTime ->
{56C049BE-79E9-4502-BEA7-9754A3E60F9B} -> neroxml ->
{5EBE62BD-774D-40F7-B777-EA7B2EE28F80} -> DVICO FusionHDTV 3.0.04 ->
{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697} -> PlayNC Launcher ->
{625386A4-B6B6-4911-A6E8-23189C3F2D15} -> Microsoft .NET Compact Framework 2.0 ->
{6811CAA0-BF12-11D4-9EA1-0050BAE317E1} -> PowerDVD ->
{68A35043-C55A-4237-88C9-37EE1C63ED71} -> Microsoft Visual J# 2.0 Redistributable Package ->
{6C531060-84FB-4F96-8F33-29DF020632EB} -> Microsoft .NET Compact Framework 1.0 SP3 Developer ->
{786C5747-1033-0000-B58E-000000000001} -> Adobe Stock Photos 1.0 ->
{789289CA-F73A-4A16-A331-54D498CE069F} -> Ventrilo Client ->
{78B75C6D-E53C-424C-BF83-4B63BD4A6682} -> Microsoft Device Emulator version 1.0 - ENU ->
{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747} -> Ad-Aware SE Personal ->
{7B63B2922B174135AFC0E1377DD81EC2} -> DivX Codec ->
{807F01C6-6A78-401C-9508-A65568D1CCE4} -> OmniSecure 3.0a5 ->
{8CC990CD-87C8-475C-AC32-8A7984E2FCFA} -> CDDRV_Installer ->
{8EDBA74D-0686-4C99-BFDD-F894678E5B39} -> Adobe Common File Installer ->
{90840409-6000-11D3-8CFE-0150048383C9} -> Microsoft Office Excel Viewer 2003 ->
{90850409-6000-11D3-8CFE-0150048383C9} -> Microsoft Office Word Viewer 2003 ->
{96E3AED5-3D0B-4BB0-84C2-1EDADB204487} -> FlashFXP v3 ->
{AC76BA86-7AD7-1033-7B44-A81000000003} -> Adobe Reader 8.1.0 ->
{AF599832-2305-4922-9342-6FF48894E384} -> Opera 9.21 ->
{B13A7C41581B411290FBC0395694E2A9} -> DivX Converter ->
{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 -> Spybot - Search & Destroy ->
{B74D4E10-1033-0000-0000-000000000001} -> Adobe Bridge 1.0 ->
{BBF84B6A-DA3E-4302-997A-00D5490D70B0} -> Microsoft DirectX SDK (June 2007) ->
{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD} -> Creative MediaSource 5 ->
{C04E32E0-0416-434D-AFB9-6969D703A9EF} -> MSXML 4.0 SP2 (KB936181) ->
{C89C8D86-4423-4A58-AA40-DD259ACE07C1} -> KhalSetup ->
{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5} -> WinZip 11.1 ->
{CF097717-F174-4144-954A-FBC4BF301033} -> Nero 7 ->
{D407F7C0-579E-4CCB-91FD-855CE5084E86} -> Microsoft Visual Studio 2005 Standard Edition - ENU ->
{D4D24FE5-FAB3-4FE2-AFFC-623955F4DF3A} -> Visual Studio.NET Baseline - English ->
{DDEDAF6C-488E-4CDA-8276-1CCF5F3C5C32} -> Command & Conquer 3 ->
{E0B2264B-6BE4-4F8B-8300-A05BFA87AAA0} -> TortoiseSVN 1.4.3.8645 (32 bit) ->
{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E} -> Windows Media Encoder 9 Series ->
{E9787678-1033-0000-8E67-000000000001} -> Adobe Help Center 1.0 ->
{EC561602-C0B9-4FAA-A175-1B3273639AC3} -> MySQL Tools for 5.0 ->
{ED50ECE9-EC54-4C05-B5ED-EE4741A9F2EC} -> Battlefield 2142 ->
{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC} -> Realtek High Definition Audio Driver ->
{F428768A-BA63-43A5-86E9-7F0CFD174944} -> Command & Conquer 3 Tiberium Wars(TM) Worldbuilder ->
{F5577101-33CC-4711-8235-3A95BCD49DB0} -> EA Link ->
{F69FD33C-8815-46BF-9134-A643DE68F3C0} -> WinFast(R) Display Driver ->
{F843C6A3-224D-4615-94F8-3C461BD9AEA0} -> Jasc Paint Shop Pro 9 ->
{F98BF160-2B31-4613-BA35-66958F51B97C} -> 3132-W-I32-R SATARAID5 ->
{FF8500E6-EA0D-11D7-8755-0080C8F92A32} -> abti uGuru ->
AC3Filter -> AC3Filter (remove only) ->
Adobe Flash Player ActiveX -> Adobe Flash Player ActiveX ->
Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D} -> Adobe Photoshop CS2 ->
ALchemy -> ALchemy ->
AntiVir PersonalEdition Classic -> Avira AntiVir PersonalEdition Classic ->
Audacity_is1 -> Audacity 1.2.6 ->
AudioCS -> Creative Audio Console ->
clrmamepro -> clrmamepro ->
Command & Conquer 95 -> Command & Conquer Windows 95 ->
ConTEXTEditor_is1 -> ConTEXT ->
Creative Software AutoUpdate -> Creative Software AutoUpdate ->
Creative Sound Blaster Properties -> Creative Sound Blaster Properties ->
DirectVobSub -> DirectVobSub (remove only) ->
Download Manager -> Download Manager 2.3.5 ->
ffdshow_is1 -> ffdshow [rev 1324] [2007-07-01] ->
FileZilla -> FileZilla (remove only) ->
Flux Player -> Flux Player ->
Fraps -> Fraps (remove only) ->
Guild Wars -> Guild Wars ->
HijackThis -> HijackThis 2.0.2 ->
InstallShield_{6811CAA0-BF12-11D4-9EA1-0050BAE317E1} -> PowerDVD ->
InstallShield_{F5577101-33CC-4711-8235-3A95BCD49DB0} -> EA Link ->
Internode Monthly Usage Meter_is1 -> Internode Monthly Usage Meter 6.5e ->
Kaspersky Online Scanner -> Kaspersky Online Scanner ->
KB926601.T2_30ToU260_30 -> Microsoft Visual Studio 2005 Standard Edition - ENU Service Pack 1 (KB926601) ->
KB931906 -> Security Update for CAPICOM (KB931906) ->
KB932232.T369_30ToU447_30 -> Update for Microsoft Visual Studio 2005 Standard Edition - ENU (KB932232) ->
Microsoft Document Explorer 2005 -> Microsoft Document Explorer 2005 ->
Microsoft Visual J# 2.0 Redistributable Package -> Microsoft Visual J# 2.0 Redistributable Package ->
Microsoft Visual Studio 2005 Standard Edition - ENU -> Microsoft Visual Studio 2005 Academic Edition - ENU ->
Miranda IM -> Miranda IM 0.6.8 ->
mIRC -> mIRC ->
ModPlug Player v1.46_is1 -> ModPlug Player ->
Mozilla Firefox (2.0.0.5) -> Mozilla Firefox (2.0.0.5) ->
Mozilla Thunderbird (2.0.0.6) -> Mozilla Thunderbird (2.0.0.6) ->
OpenAL -> OpenAL ->
Pdf995 -> Pdf995 ->
PdfEdit995 -> PdfEdit995 ->
QuickSFV -> QuickSFV (Remove only) ->
RealAlt_is1 -> Real Alternative 1.52 ->
ReBirth RB-338 2.0 -> ReBirth RB-338 2.0 ->
RolandRDID0021 -> EDIROL UA-20 Driver ->
Signature995 -> Signature995 ->
Soulseek -> SoulSeek Client 156c ->
Spybot - Search & Destroy_is1 -> Spybot - Search & Destroy 1.4 ->
SysInfo -> Creative System Information ->
Teamspeak 2 RC2_is1 -> TeamSpeak 2 RC2 ->
TeamSpeak 2 Server_is1 -> TeamSpeak 2 Server RC2 ->
TortoiseCVS_is1 -> TortoiseCVS 1.8.31 ->
TweakVI -> TweakVI ->
uTorrent -> µTorrent ->
Winamp -> Winamp (remove only) ->
Windows Media Encoder 9 -> Windows Media Encoder 9 Series ->
WinPcapInst -> WinPcap 4.0.1 ->
WinRAR archiver -> WinRAR archiver ->
Wireshark -> Wireshark 0.99.6a ->
World of Warcraft -> World of Warcraft ->
XnView_is1 -> XnView 1.91 ->
Xvid_is1 -> Xvid 1.1.3 final uninstall ->
ZoneAlarm -> ZoneAlarm ->
djbass
2007-10-27, 18:47
[Files/Folders - Created Within 30 days]
CanoScan -> %SystemDrive%\CanoScan -> [Folder | Created Date = 22/10/2007 9:46:54 PM | Attr = H ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Created Date = 21/10/2007 5:20:18 PM | Attr = HS]
ERUNT -> %SystemRoot%\ERUNT -> [Folder | Created Date = 16/10/2007 1:19:33 PM | Attr = ]
gmer.dll -> %SystemRoot%\gmer.dll -> [Ver = 1, 0, 13, 12551 | Size = 585791 bytes | Created Date = 21/10/2007 12:45:43 PM | Attr = ]
gmer.exe -> %SystemRoot%\gmer.exe -> [Ver = 1, 0, 13, 12551 | Size = 581632 bytes | Created Date = 21/10/2007 12:45:43 PM | Attr = ]
gmer.ini -> %SystemRoot%\gmer.ini -> [Ver = | Size = 250 bytes | Created Date = 21/10/2007 12:45:43 PM | Attr = ]
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd -> [Ver = | Size = 80 bytes | Created Date = 21/10/2007 12:45:43 PM | Attr = ]
Internet Logs -> %SystemRoot%\Internet Logs -> [Folder | Created Date = 21/10/2007 9:46:25 AM | Attr = ]
pdf995.ini -> %SystemRoot%\pdf995.ini -> [Ver = | Size = 28 bytes | Created Date = 24/10/2007 2:17:27 PM | Attr = ]
wpd99.drv -> %SystemRoot%\wpd99.drv -> [Ver = | Size = 117 bytes | Created Date = 4/10/2007 11:25:43 PM | Attr = ]
CNQL1208.dll -> %System32%\CNQL1208.dll -> CANON INC. [Ver = 2.07 | Size = 217088 bytes | Created Date = 22/10/2007 9:46:54 PM | Attr = ]
CNQU71.DLL -> %System32%\CNQU71.DLL -> CANON INC. [Ver = 1, 0, 0, 6 | Size = 36864 bytes | Created Date = 22/10/2007 9:46:54 PM | Attr = ]
conf.dat -> %System32%\conf.dat -> [Ver = | Size = 94 bytes | Created Date = 6/10/2007 5:50:20 PM | Attr = ]
cookie1.dat -> %System32%\cookie1.dat -> [Ver = | Size = 1 bytes | Created Date = 6/10/2007 5:51:24 PM | Attr = ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 6/10/2007 11:13:17 PM | Attr = ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Created Date = 6/10/2007 11:13:18 PM | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 6/10/2007 11:13:17 PM | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Created Date = 6/10/2007 11:13:17 PM | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Created Date = 20/10/2007 1:24:28 PM | Attr = ]
libeay32_0.9.6l.dll -> %System32%\libeay32_0.9.6l.dll -> [Ver = | Size = 796312 bytes | Created Date = 21/10/2007 10:06:49 AM | Attr = ]
nvapps.xml -> %System32%\nvapps.xml -> [Ver = | Size = 114915 bytes | Created Date = 10/10/2007 2:38:23 AM | Attr = ]
nvcod.dll -> %System32%\nvcod.dll -> NVIDIA Corporation [Ver = 1 , 0 , 0 , 35 | Size = 37888 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvcolor.exe -> %System32%\nvcolor.exe -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 143360 bytes | Created Date = 10/10/2007 2:38:23 AM | Attr = ]
nvcpl.dll -> %System32%\nvcpl.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 8429568 bytes | Created Date = 10/10/2007 2:38:23 AM | Attr = ]
nvcpluir.dll -> %System32%\nvcpluir.dll -> NVIDIA Corporation [Ver = 1.4.7.02 | Size = 1073152 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvdisp.nvu -> %System32%\nvdisp.nvu -> [Ver = | Size = 5674 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvdisps.dll -> %System32%\nvdisps.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 6221824 bytes | Created Date = 10/10/2007 2:38:23 AM | Attr = ]
nvdispsr.dll -> %System32%\nvdispsr.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 5439488 bytes | Created Date = 10/10/2007 2:38:23 AM | Attr = ]
nvgames.dll -> %System32%\nvgames.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 3289088 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvgamesr.dll -> %System32%\nvgamesr.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 3235840 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvmccs.dll -> %System32%\nvmccs.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 229376 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvmccsrs.dll -> %System32%\nvmccsrs.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 45056 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvmccss.dll -> %System32%\nvmccss.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 188416 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvmccssr.dll -> %System32%\nvmccssr.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 458752 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvmobls.dll -> %System32%\nvmobls.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 1101824 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvmoblsr.dll -> %System32%\nvmoblsr.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 2854912 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvoglv32.dll -> %System32%\nvoglv32.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 6852608 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvudisp.exe -> %System32%\nvudisp.exe -> NVIDIA Corporation [Ver = 1 , 0 , 1 , 56 | Size = 356352 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvuninst.exe -> %System32%\nvuninst.exe -> NVIDIA Corporation [Ver = 1 , 0 , 1 , 56 | Size = 356352 bytes | Created Date = 10/10/2007 2:38:23 AM | Attr = ]
nvvitvs.dll -> %System32%\nvvitvs.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 3538944 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvvitvsr.dll -> %System32%\nvvitvsr.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 3645440 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvwgf2um.dll -> %System32%\nvwgf2um.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 1424384 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvwsapps.xml -> %System32%\nvwsapps.xml -> [Ver = | Size = 81125 bytes | Created Date = 10/10/2007 2:38:23 AM | Attr = ]
nvwss.dll -> %System32%\nvwss.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 2273280 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
nvwssr.dll -> %System32%\nvwssr.dll -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 2387968 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
pdf995mon.dll -> %System32%\pdf995mon.dll -> [Ver = | Size = 51716 bytes | Created Date = 4/10/2007 11:25:43 PM | Attr = ]
pdfmona.dll -> %System32%\pdfmona.dll -> TODO: <Company name> [Ver = 1.0.0.1 | Size = 249856 bytes | Created Date = 4/10/2007 11:25:43 PM | Attr = ]
ps1.dat -> %System32%\ps1.dat -> [Ver = | Size = 1 bytes | Created Date = 6/10/2007 5:51:24 PM | Attr = ]
rc.dat -> %System32%\rc.dat -> [Ver = | Size = 1 bytes | Created Date = 6/10/2007 5:51:24 PM | Attr = ]
UCS32P.DLL -> %System32%\UCS32P.DLL -> Canon [Ver = 2.0.0 | Size = 389180 bytes | Created Date = 22/10/2007 9:46:55 PM | Attr = ]
vsdata.dll -> %System32%\vsdata.dll -> Check Point Software Technologies LTD [Ver = 7.1.078.000 | Size = 95984 bytes | Created Date = 21/10/2007 10:06:41 AM | Attr = ]
vsinit.dll -> %System32%\vsinit.dll -> Check Point Software Technologies LTD [Ver = 7.1.078.000 | Size = 165616 bytes | Created Date = 21/10/2007 10:06:13 AM | Attr = ]
vsmonapi.dll -> %System32%\vsmonapi.dll -> Check Point Software Technologies LTD [Ver = 7.1.078.000 | Size = 104176 bytes | Created Date = 21/10/2007 10:06:42 AM | Attr = ]
vspubapi.dll -> %System32%\vspubapi.dll -> Check Point Software Technologies LTD [Ver = 7.1.078.000 | Size = 276208 bytes | Created Date = 21/10/2007 10:06:42 AM | Attr = ]
vsregexp.dll -> %System32%\vsregexp.dll -> Check Point Software Technologies LTD [Ver = 7.1.078.000 | Size = 71408 bytes | Created Date = 21/10/2007 10:06:49 AM | Attr = ]
vsutil.dll -> %System32%\vsutil.dll -> Check Point Software Technologies LTD [Ver = 7.1.078.000 | Size = 493296 bytes | Created Date = 21/10/2007 10:06:13 AM | Attr = ]
vswmi.dll -> %System32%\vswmi.dll -> Check Point Software Technologies LTD [Ver = 7.1.078.000 | Size = 46832 bytes | Created Date = 21/10/2007 10:06:43 AM | Attr = ]
vsxml.dll -> %System32%\vsxml.dll -> Check Point Software Technologies LTD [Ver = 7.1.078.000 | Size = 100080 bytes | Created Date = 21/10/2007 10:06:42 AM | Attr = ]
WinFast -> %System32%\WinFast -> [Folder | Created Date = 10/10/2007 2:38:23 AM | Attr = ]
zlcomm.dll -> %System32%\zlcomm.dll -> Check Point Software Technologies LTD [Ver = 7.1.078.000 | Size = 83696 bytes | Created Date = 21/10/2007 10:06:47 AM | Attr = ]
zlcommdb.dll -> %System32%\zlcommdb.dll -> Check Point Software Technologies LTD [Ver = 7.1.078.000 | Size = 71408 bytes | Created Date = 21/10/2007 10:06:47 AM | Attr = ]
ZoneLabs -> %System32%\ZoneLabs -> [Folder | Created Date = 21/10/2007 10:06:42 AM | Attr = ]
zpeng24.dll -> %System32%\zpeng24.dll -> Python Software Foundation [Ver = 2.4.2 | Size = 1087216 bytes | Created Date = 21/10/2007 10:06:42 AM | Attr = ]
avipbb.sys -> %System32%\drivers\avipbb.sys -> AVIRA GmbH [Ver = 1.00.02.13 | Size = 61632 bytes | Created Date = 16/10/2007 2:09:12 PM | Attr = ]
gmer.sys -> %System32%\drivers\gmer.sys -> GMER [Ver = 1, 0, 12, 3911 | Size = 70001 bytes | Created Date = 21/10/2007 12:45:43 PM | Attr = ]
nvlddmkm.sys -> %System32%\drivers\nvlddmkm.sys -> NVIDIA Corporation [Ver = 7.15.11.5818 | Size = 7476640 bytes | Created Date = 10/10/2007 2:38:24 AM | Attr = ]
ssmdrv.sys -> %System32%\drivers\ssmdrv.sys -> Avira GmbH [Ver = 7.0.1.1 | Size = 28352 bytes | Created Date = 16/10/2007 2:09:14 PM | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1059 | Size = 102664 bytes | Created Date = 20/10/2007 11:38:59 PM | Attr = ]
vsconfig.xml -> %System32%\drivers\vsconfig.xml -> [Ver = | Size = 350468 bytes | Created Date = 21/10/2007 9:47:39 AM | Attr = H ]
vsdatant.sys -> %System32%\drivers\vsdatant.sys -> Check Point Software Technologies LTD [Ver = 7.1.078.000 | Size = 270488 bytes | Created Date = 21/10/2007 10:06:30 AM | Attr = ]
djbass
2007-10-27, 18:48
[Files/Folders - Modified Within 30 days]
CanoScan -> %SystemDrive%\CanoScan -> [Folder | Modified Date = 22/10/2007 9:46:56 PM | Attr = H ]
Clips -> %SystemDrive%\Clips -> [Folder | Modified Date = 27/10/2007 7:21:40 PM | Attr = ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 21/10/2007 7:33:14 PM | Attr = HS]
Fraps -> %SystemDrive%\Fraps -> [Folder | Modified Date = 13/10/2007 9:16:38 PM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 21/10/2007 4:03:48 PM | Attr = R ]
ProgramData -> %AllUsersAppData% -> [Folder | Modified Date = 21/10/2007 4:03:50 PM | Attr = H ]
Temp -> %SystemDrive%\Temp -> [Folder | Modified Date = 25/10/2007 11:01:46 PM | Attr = ]
Windows -> %SystemRoot% -> [Folder | Modified Date = 24/10/2007 2:17:28 PM | Attr = ]
AppPatch -> %SystemRoot%\AppPatch -> [Folder | Modified Date = 16/10/2007 7:10:12 AM | Attr = ]
assembly -> %SystemRoot%\assembly -> [Folder | Modified Date = 20/10/2007 8:08:54 PM | Attr = R S]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 67584 bytes | Modified Date = 28/10/2007 1:52:42 AM | Attr = S]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 20/10/2007 11:42:00 PM | Attr = S]
ERUNT -> %SystemRoot%\ERUNT -> [Folder | Modified Date = 16/10/2007 1:19:36 PM | Attr = ]
Filzip.ini -> %SystemRoot%\Filzip.ini -> [Ver = | Size = 41 bytes | Modified Date = 7/10/2007 6:31:00 PM | Attr = ]
gmer.dll -> %SystemRoot%\gmer.dll -> [Ver = 1, 0, 13, 12551 | Size = 585791 bytes | Modified Date = 21/10/2007 12:45:44 PM | Attr = ]
gmer.ini -> %SystemRoot%\gmer.ini -> [Ver = | Size = 250 bytes | Modified Date = 21/10/2007 12:45:44 PM | Attr = ]
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd -> [Ver = | Size = 80 bytes | Modified Date = 21/10/2007 12:45:44 PM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 28/10/2007 2:00:10 AM | Attr = ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 21/10/2007 5:20:22 PM | Attr = HS]
Internet Logs -> %SystemRoot%\Internet Logs -> [Folder | Modified Date = 28/10/2007 1:58:12 AM | Attr = ]
MEMORY.DMP -> %SystemRoot%\MEMORY.DMP -> [Ver = | Size = 273322982 bytes | Modified Date = 20/10/2007 4:40:20 PM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 20/10/2007 4:40:26 PM | Attr = ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 69 bytes | Modified Date = 27/10/2007 7:34:28 PM | Attr = ]
pdf995.ini -> %SystemRoot%\pdf995.ini -> [Ver = | Size = 28 bytes | Modified Date = 24/10/2007 2:17:28 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 28/10/2007 2:01:22 AM | Attr = ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 20/10/2007 8:06:34 PM | Attr = ]
rescache -> %SystemRoot%\rescache -> [Folder | Modified Date = 16/10/2007 7:56:32 AM | Attr = ]
System32 -> %System32% -> [Folder | Modified Date = 28/10/2007 2:00:10 AM | Attr = ]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 28/10/2007 1:53:18 AM | Attr = ]
twain_32 -> %SystemRoot%\twain_32 -> [Folder | Modified Date = 22/10/2007 9:47:34 PM | Attr = ]
winsxs -> %SystemRoot%\winsxs -> [Folder | Modified Date = 21/10/2007 10:06:46 AM | Attr = ]
wpd99.drv -> %SystemRoot%\wpd99.drv -> [Ver = | Size = 117 bytes | Modified Date = 4/10/2007 11:27:18 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 28/10/2007 1:52:46 AM | Attr = H ]
7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 -> %System32%\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 -> [Ver = | Size = 2368 bytes | Modified Date = 28/10/2007 1:52:46 AM | Attr = H ]
7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 -> %System32%\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 -> [Ver = | Size = 2368 bytes | Modified Date = 28/10/2007 1:52:46 AM | Attr = H ]
BMXState-{00000007-00000000-00000006-00001102-00000005-002C1102}.rfx -> %System32%\BMXState-{00000007-00000000-00000006-00001102-00000005-002C1102}.rfx -> [Ver = | Size = 53964 bytes | Modified Date = 26/10/2007 9:04:56 PM | Attr = ]
BMXStateBkp-{00000007-00000000-00000006-00001102-00000005-002C1102}.rfx -> %System32%\BMXStateBkp-{00000007-00000000-00000006-00001102-00000005-002C1102}.rfx -> [Ver = | Size = 53964 bytes | Modified Date = 26/10/2007 9:04:56 PM | Attr = ]
catroot -> %System32%\catroot -> [Folder | Modified Date = 22/10/2007 9:47:02 PM | Attr = ]
catroot2 -> %System32%\catroot2 -> [Folder | Modified Date = 21/10/2007 9:37:22 AM | Attr = ]
conf.dat -> %System32%\conf.dat -> [Ver = | Size = 94 bytes | Modified Date = 6/10/2007 5:50:22 PM | Attr = ]
cookie1.dat -> %System32%\cookie1.dat -> [Ver = | Size = 1 bytes | Modified Date = 6/10/2007 5:51:26 PM | Attr = ]
drivers -> %System32%\drivers -> [Folder | Modified Date = 22/10/2007 9:47:36 PM | Attr = ]
DVCState-{00000007-00000000-00000006-00001102-00000005-002C1102}.rfx -> %System32%\DVCState-{00000007-00000000-00000006-00001102-00000005-002C1102}.rfx -> [Ver = | Size = 64756 bytes | Modified Date = 26/10/2007 9:04:56 PM | Attr = ]
en-US -> %System32%\en-US -> [Folder | Modified Date = 16/10/2007 7:10:12 AM | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Modified Date = 20/10/2007 1:24:30 PM | Attr = ]
Macromed -> %System32%\Macromed -> [Folder | Modified Date = 21/10/2007 9:32:24 AM | Attr = ]
migration -> %System32%\migration -> [Folder | Modified Date = 21/10/2007 10:08:52 AM | Attr = ]
pdf995mon.dll -> %System32%\pdf995mon.dll -> [Ver = | Size = 51716 bytes | Modified Date = 4/10/2007 11:25:44 PM | Attr = ]
pdfmona.dll -> %System32%\pdfmona.dll -> TODO: <Company name> [Ver = 1.0.0.1 | Size = 249856 bytes | Modified Date = 4/10/2007 11:25:44 PM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 118776 bytes | Modified Date = 28/10/2007 2:00:10 AM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 652050 bytes | Modified Date = 28/10/2007 2:00:10 AM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 767184 bytes | Modified Date = 28/10/2007 2:00:10 AM | Attr = ]
ps1.dat -> %System32%\ps1.dat -> [Ver = | Size = 1 bytes | Modified Date = 6/10/2007 5:51:26 PM | Attr = ]
rc.dat -> %System32%\rc.dat -> [Ver = | Size = 1 bytes | Modified Date = 6/10/2007 5:51:26 PM | Attr = ]
SLUI -> %System32%\SLUI -> [Folder | Modified Date = 16/10/2007 7:10:12 AM | Attr = ]
WinFast -> %System32%\WinFast -> [Folder | Modified Date = 10/10/2007 2:40:42 AM | Attr = ]
ZoneLabs -> %System32%\ZoneLabs -> [Folder | Modified Date = 21/10/2007 10:06:54 AM | Attr = ]
avipbb.sys -> %System32%\drivers\avipbb.sys -> AVIRA GmbH [Ver = 1.00.02.13 | Size = 61632 bytes | Modified Date = 16/10/2007 2:11:30 PM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 20/10/2007 11:52:00 PM | Attr = ]
gmer.sys -> %System32%\drivers\gmer.sys -> GMER [Ver = 1, 0, 12, 3911 | Size = 70001 bytes | Modified Date = 21/10/2007 12:45:44 PM | Attr = ]
sptd.sys -> %System32%\drivers\sptd.sys -> [Ver = | Size = 685816 bytes | Modified Date = 20/10/2007 4:44:26 PM | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1059 | Size = 102664 bytes | Modified Date = 20/10/2007 11:44:00 PM | Attr = ]
vsconfig.xml -> %System32%\drivers\vsconfig.xml -> [Ver = | Size = 350468 bytes | Modified Date = 28/10/2007 1:52:48 AM | Attr = H ]

[File String Scan - Non-Microsoft Only]
File scan skipped for file %SystemRoot%\MEMORY.DMP -> File size too big (273322982 bytes) ->
FSG! , -> %System32%\28MBGM.sf2 -> [Ver = | Size = 29705938 bytes | Modified Date = 4/05/2006 10:37:00 AM | Attr = ]
Thawte Consulting , -> %System32%\AddCat.exe -> Creative Technology Ltd. [Ver = 0.0.0.1 | Size = 48400 bytes | Modified Date = 10/05/2007 3:36:50 PM | Attr = ]
UPX! , UPX0 , -> %System32%\avisynth.dll -> The Public [Ver = 2, 5, 7, 0 | Size = 306688 bytes | Modified Date = 12/11/2006 1:44:10 PM | Attr = ]
UPX! , UPX0 , -> %System32%\CoreAAC.ax -> [Ver = 1, 2, 0, 575 | Size = 175104 bytes | Modified Date = 17/08/2006 12:23:32 AM | Attr = RHS]
Thawte Consulting , -> %System32%\ctpxinst.exe -> Creative Technology Ltd [Ver = 1, 1, 0, 58 | Size = 58104 bytes | Modified Date = 14/11/2006 5:01:30 PM | Attr = ]
Thawte Consulting , -> %System32%\ctpxst32.exe -> Creative Technology Ltd [Ver = 1, 1, 0, 59 | Size = 89336 bytes | Modified Date = 13/03/2007 10:32:14 AM | Attr = ]
UPX! , UPX0 , -> %System32%\DiracSplitter.ax -> Gabest [Ver = 1, 0, 0, 0 | Size = 179200 bytes | Modified Date = 18/01/2005 8:56:36 AM | Attr = RHS]
PEC2 , PECompact2 , -> %System32%\DivX.dll -> DivX, Inc. [Ver = 6.6.1.4 | Size = 740442 bytes | Modified Date = 3/07/2007 5:07:36 AM | Attr = ]
UPX! , UPX0 , -> %System32%\i420vfw.dll -> www.helixcommunity.org [Ver = R1.02 | Size = 70656 bytes | Modified Date = 3/01/2004 12:08:00 AM | Attr = ]
Thawte Consulting , -> %System32%\pxcpya64.exe -> Sonic Solutions [Ver = 1.00.35a | Size = 63144 bytes | Modified Date = 25/08/2006 1:17:00 PM | Attr = ]
Thawte Consulting , -> %System32%\pxhpinst.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 67240 bytes | Modified Date = 25/08/2006 1:17:00 PM | Attr = ]
Thawte Consulting , -> %System32%\pxinsa64.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 62632 bytes | Modified Date = 25/08/2006 1:17:00 PM | Attr = ]
Thawte Consulting , -> %System32%\pxinsi64.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 115880 bytes | Modified Date = 25/08/2006 1:17:00 PM | Attr = ]
UPX! , UPX0 , -> %System32%\RLOgg.ax -> RadLight [Ver = 1.0.0.2 | Size = 186880 bytes | Modified Date = 13/02/2005 8:30:00 AM | Attr = RHS]
UPX! , UPX0 , -> %System32%\RLSpeexDec.ax -> [Ver = 1, 0, 0, 0 | Size = 51712 bytes | Modified Date = 13/02/2005 8:30:00 AM | Attr = RHS]
UPX! , UPX0 , -> %System32%\RLTheoraDec.ax -> RadLight, LLC [Ver = 1, 0, 0, 3 | Size = 67584 bytes | Modified Date = 13/02/2005 8:30:00 AM | Attr = RHS]
UPX! , UPX0 , -> %System32%\RLVorbisDec.ax -> RadLight [Ver = 1, 0, 1, 1 | Size = 92672 bytes | Modified Date = 6/02/2005 8:30:00 AM | Attr = RHS]
Thawte Consulting , -> %System32%\rmoc3260.dll -> RealNetworks, Inc. [Ver = 6.0.9.2568 | Size = 185952 bytes | Modified Date = 7/10/2006 5:18:32 AM | Attr = ]
PECompact2 , -> %System32%\Smab.dll -> [Ver = | Size = 471552 bytes | Modified Date = 12/12/2006 2:15:08 PM | Attr = ]
UPX! , UPX0 , -> %System32%\x.264.exe -> [Ver = | Size = 240128 bytes | Modified Date = 10/11/2005 1:16:02 PM | Attr = ]
UPX! , UPX0 , -> %System32%\yv12vfw.dll -> www.helixcommunity.org [Ver = R1.02 | Size = 70656 bytes | Modified Date = 3/01/2004 12:08:00 AM | Attr = ]

< End of report >
djbass
2007-10-27, 18:54
As for whether its some form of malware that much I am clear on.

Aside from the captured packets demonstrating an attempt to email multiple recipients at random addresses, and a foreign address that was constantly polling for a response on port 443. I also hijacked the spam account and found multiple returned emails attempting to advertise a particular companys services.
Rorschach112
2007-10-28, 22:36
Well lets see if we can find it

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.



Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.




Please download F-Secure Blacklight (fsbl.exe) (ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe) and save to your C:\ drive. Open a command window by going to Start > Run and typing: cmd
Copy/paste or type the following in the command window: C:\fsbl.exe /expert
Hit "Enter" to start the program and then close the cmd box.
Accept the user agreement and click "Next".
Click "Scan".
After the scan is complete, click "Next", then "Exit".
BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
The log will have a list of all items found. Do not choose to rename any yet!
I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe.
Exit Blacklight and post the contents of the log in your next reply.
tashi
2007-11-06, 22:50
djbass, still with us?
djbass
2007-11-07, 04:51
I am indeed, and I must appologise I was unable to get back to you sooner.

Unfortunately my system eventually got to the point where it was too unstable to use and crashed randomly.

I took the plunge and did a fresh install of Windows as it was too frustrating to continue as it was.

I appologise if I have wasted anyones time, but do appreciate your attempts to assist me. You can close this thread now.