Please help with ads popping up
Hi, I would really appreciate some help. I had Win32.Agent.fz showing up as being in use, although it didn't show up this morning, as well as a few more which were removed during AVG and Spybot scans. Now there is a change in Windows/system32/drivers/etc/hosts which may be the problem?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:09:52, on 27/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [302bf601] rundll32.exe "C:\WINDOWS\system32\hpdgbiyl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-GB\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O15 - Trusted Zone: www.hmv.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129896854671
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - https://www.tescophoto.com/wpp/tesco/app/opcuploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O21 - SSODL: KernelPrx - {f537fc47-a4ea-42c9-a5bf-8f1c37a4189f} - C:\WINDOWS\Resources\KernelPrx.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 9726 bytes
Hi
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh HJT log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Thanks for your help! Here is the Combofix report
ComboFix 08-04-27.3 - SARAH 2008-04-28 20:47:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.198 [GMT 1:00]
Running from: C:\Documents and Settings\SARAH\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\AHMAD\Application Data\macromedia\Flash Player\#SharedObjects\JK3RCKDZ\iforex.com
C:\Documents and Settings\AHMAD\Application Data\macromedia\Flash Player\#SharedObjects\JK3RCKDZ\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\AHMAD\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\AHMAD\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\AHMAD\Application Data\WeatherDPA
C:\Documents and Settings\AHMAD\Application Data\WeatherDPA\Weather\WeatherStartup.xml
C:\Documents and Settings\LAILA\Application Data\ShoppingReport
C:\Documents and Settings\LAILA\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\LAILA\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\LAILA\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\LAILA\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\LAILA\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\LAILA\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\LAILA\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\LocalService\Application Data\wsnpoem
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\NetworkService\Application Data\wsnpoem
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll
C:\Program Files\License_Manager
C:\Program Files\License_Manager\license_manager.exe
C:\Program Files\popcorn Terms.html
C:\smp.bat
C:\WINDOWS\cookies.ini
C:\WINDOWS\SYSTEM32\bdMSBcdd.ini
C:\WINDOWS\SYSTEM32\bdMSBcdd.ini2
C:\WINDOWS\system32\bnijbtee.ini
C:\WINDOWS\system32\ddcBSMdb.dll
C:\WINDOWS\system32\ddcBUnlJ.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\eetbjinb.dll
C:\WINDOWS\system32\hpdgbiyl.dll
C:\WINDOWS\SYSTEM32\lyibgdph.ini
C:\WINDOWS\system32\mcrh.tmp
.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.
2008-04-26 23:52 . 2008-04-26 23:52 <DIR> d-------- C:\Program Files\Channel4
2008-04-25 06:36 . 2008-04-25 06:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-25 01:53 . 2008-04-25 01:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-25 01:53 . 2008-04-25 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-23 16:58 . 2008-04-24 23:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\382077
2008-04-21 09:15 . 2008-04-21 09:16 <DIR> d-------- C:\Documents and Settings\AHMAD\Application Data\Zango
2008-04-20 16:59 . 2008-04-23 22:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-20 16:59 . 2008-04-20 16:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-11 20:42 . 2008-04-11 20:42 <DIR> d-------- C:\Documents and Settings\AHMAD\Application Data\Viewpoint
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 14:06 16,384 ----a-w C:\WINDOWS\Internet Logs\xDB171.tmp
2008-04-28 14:01 4,665,856 ----a-w C:\WINDOWS\Internet Logs\xDB170.tmp
2008-04-28 06:42 4,665,344 ----a-w C:\WINDOWS\Internet Logs\xDB16E.tmp
2008-04-28 06:42 13,824 ----a-w C:\WINDOWS\Internet Logs\xDB16F.tmp
2008-04-28 06:35 4,665,344 ----a-w C:\WINDOWS\Internet Logs\xDB16C.tmp
2008-04-28 06:35 26,112 ----a-w C:\WINDOWS\Internet Logs\xDB16D.tmp
2008-04-27 18:54 40,448 ----a-w C:\WINDOWS\Internet Logs\xDB16B.tmp
2008-04-27 18:54 4,663,808 ----a-w C:\WINDOWS\Internet Logs\xDB16A.tmp
2008-04-27 14:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-04-27 08:42 --------- d-----w C:\Documents and Settings\YASMIN\Application Data\MSN6
2008-04-27 08:05 4,661,760 ----a-w C:\WINDOWS\Internet Logs\xDB168.tmp
2008-04-27 07:58 37,888 ----a-w C:\WINDOWS\Internet Logs\xDB169.tmp
2008-04-26 23:05 73,728 ----a-w C:\WINDOWS\Internet Logs\xDB167.tmp
2008-04-26 22:52 --------- d-----w C:\Program Files\Kontiki
2008-04-26 22:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-04-26 22:32 4,660,736 ----a-w C:\WINDOWS\Internet Logs\xDB166.tmp
2008-04-24 16:51 46,592 ----a-w C:\WINDOWS\Internet Logs\xDB165.tmp
2008-04-24 16:51 4,651,520 ----a-w C:\WINDOWS\Internet Logs\xDB164.tmp
2008-04-24 10:30 68,608 ----a-w C:\WINDOWS\Internet Logs\xDB163.tmp
2008-04-24 10:30 4,651,008 ----a-w C:\WINDOWS\Internet Logs\xDB162.tmp
2008-04-23 20:25 24,064 ----a-w C:\WINDOWS\Internet Logs\xDB161.tmp
2008-04-23 20:05 4,649,472 ----a-w C:\WINDOWS\Internet Logs\xDB160.tmp
2008-04-23 11:52 4,639,232 ----a-w C:\WINDOWS\Internet Logs\xDB15E.tmp
2008-04-23 11:52 14,848 ----a-w C:\WINDOWS\Internet Logs\xDB15F.tmp
2008-04-23 10:05 25,600 ----a-w C:\WINDOWS\Internet Logs\xDB15D.tmp
2008-04-23 10:04 4,643,328 ----a-w C:\WINDOWS\Internet Logs\xDB15C.tmp
2008-04-23 08:53 43,008 ----a-w C:\WINDOWS\Internet Logs\xDB15B.tmp
2008-04-23 08:18 4,640,256 ----a-w C:\WINDOWS\Internet Logs\xDB15A.tmp
2008-04-21 16:50 4,629,504 ----a-w C:\WINDOWS\Internet Logs\xDB158.tmp
2008-04-21 16:50 25,088 ----a-w C:\WINDOWS\Internet Logs\xDB159.tmp
2008-04-21 13:56 87,040 ----a-w C:\WINDOWS\Internet Logs\xDB157.tmp
2008-04-21 13:44 4,629,504 ----a-w C:\WINDOWS\Internet Logs\xDB156.tmp
2008-04-21 08:15 --------- d-----w C:\Program Files\Zango Programs
2008-04-19 16:21 77,312 ----a-w C:\WINDOWS\Internet Logs\xDB155.tmp
2008-04-19 15:46 4,601,344 ----a-w C:\WINDOWS\Internet Logs\xDB154.tmp
2008-04-17 14:06 17,408 ----a-w C:\WINDOWS\Internet Logs\xDB153.tmp
2008-04-17 13:06 4,598,272 ----a-w C:\WINDOWS\Internet Logs\xDB152.tmp
2008-04-17 08:04 4,596,736 ----a-w C:\WINDOWS\Internet Logs\xDB150.tmp
2008-04-17 07:55 51,712 ----a-w C:\WINDOWS\Internet Logs\xDB151.tmp
2008-04-15 15:55 122,368 ----a-w C:\WINDOWS\Internet Logs\xDB14F.tmp
2008-04-15 15:20 4,595,712 ----a-w C:\WINDOWS\Internet Logs\xDB14E.tmp
2008-04-11 05:47 94,720 ----a-w C:\WINDOWS\Internet Logs\xDB14D.tmp
2008-04-11 05:47 4,579,328 ----a-w C:\WINDOWS\Internet Logs\xDB14C.tmp
2008-04-08 11:15 73,728 ----a-w C:\WINDOWS\Internet Logs\xDB14B.tmp
2008-04-07 18:20 --------- d-----w C:\Documents and Settings\LAILA\Application Data\LimeWire
2008-04-05 08:40 95,232 ----a-w C:\WINDOWS\Internet Logs\xDB14A.tmp
2008-04-05 08:40 4,569,600 ----a-w C:\WINDOWS\Internet Logs\xDB149.tmp
2008-04-02 19:13 4,569,600 ----a-w C:\WINDOWS\Internet Logs\xDB147.tmp
2008-04-02 19:07 27,136 ----a-w C:\WINDOWS\Internet Logs\xDB148.tmp
2008-04-02 13:43 20,480 ----a-w C:\WINDOWS\Internet Logs\xDB146.tmp
2008-04-02 13:35 4,569,600 ----a-w C:\WINDOWS\Internet Logs\xDB145.tmp
2008-04-01 13:29 16,384 ----a-w C:\WINDOWS\Internet Logs\xDB144.tmp
2008-04-01 12:59 4,569,600 ----a-w C:\WINDOWS\Internet Logs\xDB143.tmp
2008-03-31 18:16 230,400 ----a-w C:\WINDOWS\Internet Logs\xDB142.tmp
2008-03-31 18:15 4,569,600 ----a-w C:\WINDOWS\Internet Logs\xDB141.tmp
2008-03-22 14:36 4,557,824 ----a-w C:\WINDOWS\Internet Logs\xDB13F.tmp
2008-03-22 14:36 328,192 ----a-w C:\WINDOWS\Internet Logs\xDB140.tmp
2008-03-19 17:03 --------- d-----w C:\Documents and Settings\ADAM\Application Data\Aim
2008-03-11 20:07 56,320 ----a-w C:\WINDOWS\Internet Logs\xDB13E.tmp
2008-03-11 20:07 4,553,728 ----a-w C:\WINDOWS\Internet Logs\xDB13D.tmp
2008-03-09 16:37 97,280 ----a-w C:\WINDOWS\Internet Logs\xDB13C.tmp
2008-03-09 16:37 4,553,216 ----a-w C:\WINDOWS\Internet Logs\xDB13B.tmp
2008-03-06 20:06 4,550,144 ----a-w C:\WINDOWS\Internet Logs\xDB139.tmp
2008-03-06 20:06 17,920 ----a-w C:\WINDOWS\Internet Logs\xDB13A.tmp
2008-03-06 15:51 4,549,120 ----a-w C:\WINDOWS\Internet Logs\xDB137.tmp
2008-03-06 14:32 38,400 ----a-w C:\WINDOWS\Internet Logs\xDB138.tmp
2008-03-05 06:42 4,549,120 ----a-w C:\WINDOWS\Internet Logs\xDB135.tmp
2008-03-05 06:37 70,144 ----a-w C:\WINDOWS\Internet Logs\xDB136.tmp
2008-03-02 19:16 138,752 ----a-w C:\WINDOWS\Internet Logs\xDB134.tmp
2008-03-02 19:10 4,546,560 ----a-w C:\WINDOWS\Internet Logs\xDB133.tmp
2008-02-28 14:17 981,504 ----a-w C:\WINDOWS\Internet Logs\xDB132.tmp
2008-02-28 14:17 4,546,048 ----a-w C:\WINDOWS\Internet Logs\xDB131.tmp
2008-02-19 23:56 32,256 ----a-w C:\WINDOWS\Internet Logs\xDB130.tmp
2008-02-19 23:54 4,530,688 ----a-w C:\WINDOWS\Internet Logs\xDB12F.tmp
2008-02-19 17:37 4,528,640 ----a-w C:\WINDOWS\Internet Logs\xDB12D.tmp
2008-02-19 17:37 33,280 ----a-w C:\WINDOWS\Internet Logs\xDB12E.tmp
2008-02-18 19:40 4,528,640 ----a-w C:\WINDOWS\Internet Logs\xDB12B.tmp
2008-02-18 19:40 2,821,120 ----a-w C:\WINDOWS\Internet Logs\xDB12C.tmp
2008-02-06 15:52 4,519,936 ----a-w C:\WINDOWS\Internet Logs\xDB129.tmp
2008-02-06 15:52 13,824 ----a-w C:\WINDOWS\Internet Logs\xDB12A.tmp
2008-02-06 15:47 4,519,936 ----a-w C:\WINDOWS\Internet Logs\xDB127.tmp
2008-02-06 15:47 118,784 ----a-w C:\WINDOWS\Internet Logs\xDB128.tmp
2008-01-31 16:41 790,528 ----a-w C:\WINDOWS\Internet Logs\xDB126.tmp
2008-01-31 16:41 4,515,840 ----a-w C:\WINDOWS\Internet Logs\xDB125.tmp
2007-09-06 18:32 61,296 ----a-w C:\Documents and Settings\SARAH\Application Data\GDIPFONTCACHEV1.DAT
2007-07-08 11:12 61,296 ----a-w C:\Documents and Settings\LAILA\Application Data\GDIPFONTCACHEV1.DAT
2006-12-18 20:02 284 ----a-w C:\Documents and Settings\SARAH\Application Data\ViewerApp.dat
2006-06-04 13:19 56,592 ----a-w C:\Documents and Settings\YASMIN\Application Data\GDIPFONTCACHEV1.DAT
2006-03-26 16:43 56,592 ----a-w C:\Documents and Settings\ADAM\Application Data\GDIPFONTCACHEV1.DAT
2004-04-20 18:23 48,848 ----a-w C:\Documents and Settings\AHMAD\Application Data\GDIPFONTCACHEV1.DAT
2004-02-18 02:41 32 --sha-w C:\WINDOWS\{8A5B4560-803A-4975-81C4-D78A555500F6}.dat
2004-02-18 02:41 32 --sha-w C:\WINDOWS\SYSTEM32\{F1868A96-4A39-49CB-8B2C-A67D0280A8AF}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe" [2004-04-01 09:30 693520]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-28 17:13 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-23 17:45 219136]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 10:04 54936]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 08:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KernelPrx"= {f537fc47-a4ea-42c9-a5bf-8f1c37a4189f} - C:\WINDOWS\Resources\KernelPrx.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcBUnlJ]
ddcBUnlJ.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm
[HKLM\~\startupfolder\C:^Documents and Settings^AHMAD^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\AHMAD\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Broadband Check-Up.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Broadband Check-Up.lnk
backup=C:\WINDOWS\pss\AOL Broadband Check-Up.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 Detect.lnk
backup=C:\WINDOWS\pss\PCSuiteForNokia6600 Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 TS.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 TS.lnk
backup=C:\WINDOWS\pss\PCSuiteForNokia6600 TS.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk
backup=C:\WINDOWS\pss\Status Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^LAILA^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\LAILA\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^SAM^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\SAM\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^SAM^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\SAM\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^SARAH^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\SARAH\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^SARAH^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\SARAH\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\302bf601]
C:\WINDOWS\system32\hpdgbiyl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
C:\Program Files\Kontiki\KHost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-08-10 16:37 61440 C:\Program Files\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-11-10 00:22 497240 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
--a------ 2008-01-28 17:13 406528 C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bacstray]
--a------ 2003-05-08 20:15 98304 C:\WINDOWS\SYSTEM32\BacsTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2003-12-02 17:11 54296 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2003-12-02 17:11 58392 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--------- 2005-05-17 17:42 933888 C:\Program Files\Brother\ControlCenter2\brctrcen.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeMouse ]
--a------ 2004-06-27 15:38 503808 C:\Program Files\Mouse Driver\MouseDrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2005-11-11 11:15 851456 C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2003-08-06 02:04 114741 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
--a------ 2003-04-25 11:22 16384 C:\WINDOWS\SYSTEM32\dslagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2003-08-13 11:27 28672 C:\WINDOWS\System32\DSentry.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2007-03-13 15:38 39264 C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C64 Series]
--a------ 2003-05-27 04:08 99840 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GSICONEXE]
--a------ 2003-05-14 21:25 90112 C:\WINDOWS\SYSTEM32\gsicon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2005-07-29 17:53 159832 C:\Program Files\Common Files\AOL\1150496578\ee\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 08:59 126976 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-10-19 08:59 155648 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2005-03-17 14:45 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\Program Files\Kontiki\KHost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2003-12-16 22:37 188416 C:\Program Files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2003-12-16 22:39 77824 C:\Program Files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
--a------ 2004-08-13 17:41 86016 C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2005-03-17 14:25 57393 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 20:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-12-13 08:49 217088 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2005-11-30 16:56 1306624 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-03-31 09:24 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-08-13 23:52 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2005-01-26 18:02 49152 C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\Program Files\Spyware Doctor\swdoctor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-10-14 10:22 155648 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-01-27 20:03 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\The Nose]
C:\Program Files\The Nose\TheNose.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherDPA]
C:\Program Files\Zango\bin\10.3.37.0\Weather.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates]
javaw -cp C:\Program Files\WebRebates\System\Code Main lp: C:\Program Files\WebRebates
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\You've Got Pictures screensaver]
--a------ 2004-06-22 12:13 99456 C:\Program Files\Common Files\AOL\Screensaver\ygpsstra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
c:\program files\zango\zango.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoOE]
C:\Program Files\Zango\bin\10.3.37.0\OEAddOn.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoSA]
C:\Program Files\Zango\bin\10.3.37.0\ZangoSA.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"You've Got Pictures screensaver"=C:\Program Files\Common Files\AOL\Screensaver\ygpsstra.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\SYSTEM32\\rtcshare.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\AOL 8.0a\\waol.exe"=
"C:\\Program Files\\AOL 9.0a\\waol.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"C:\\WINDOWS\\SYSTEM32\\rundll32.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a32d504c-cab5-11d9-a539-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 16:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
"2008-04-28 20:19:26 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 21:19:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 67
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\brsvc01a.exe
C:\WINDOWS\SYSTEM32\brss01a.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\WINDOWS\SYSTEM32\UAService7.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\WINDOWS\SYSTEM32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-28 21:50:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-28 20:50:44
Pre-Run: 25,413,685,248 bytes free
Post-Run: 29,586,456,576 bytes free
433 --- E O F --- 2008-04-27 11:50:18
and the latest HijackThis report
ComboFix 08-04-27.3 - SARAH 2008-04-28 20:47:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.198 [GMT 1:00]
Running from: C:\Documents and Settings\SARAH\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\AHMAD\Application Data\macromedia\Flash Player\#SharedObjects\JK3RCKDZ\iforex.com
C:\Documents and Settings\AHMAD\Application Data\macromedia\Flash Player\#SharedObjects\JK3RCKDZ\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\AHMAD\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\AHMAD\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\AHMAD\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\AHMAD\Application Data\WeatherDPA
C:\Documents and Settings\AHMAD\Application Data\WeatherDPA\Weather\WeatherStartup.xml
C:\Documents and Settings\LAILA\Application Data\ShoppingReport
C:\Documents and Settings\LAILA\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\LAILA\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\LAILA\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\LAILA\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\LAILA\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\LAILA\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\LAILA\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\LocalService\Application Data\wsnpoem
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\NetworkService\Application Data\wsnpoem
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll
C:\Program Files\License_Manager
C:\Program Files\License_Manager\license_manager.exe
C:\Program Files\popcorn Terms.html
C:\smp.bat
C:\WINDOWS\cookies.ini
C:\WINDOWS\SYSTEM32\bdMSBcdd.ini
C:\WINDOWS\SYSTEM32\bdMSBcdd.ini2
C:\WINDOWS\system32\bnijbtee.ini
C:\WINDOWS\system32\ddcBSMdb.dll
C:\WINDOWS\system32\ddcBUnlJ.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\eetbjinb.dll
C:\WINDOWS\system32\hpdgbiyl.dll
C:\WINDOWS\SYSTEM32\lyibgdph.ini
C:\WINDOWS\system32\mcrh.tmp
.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.
2008-04-26 23:52 . 2008-04-26 23:52 <DIR> d-------- C:\Program Files\Channel4
2008-04-25 06:36 . 2008-04-25 06:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-25 01:53 . 2008-04-25 01:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-25 01:53 . 2008-04-25 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-23 16:58 . 2008-04-24 23:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\382077
2008-04-21 09:15 . 2008-04-21 09:16 <DIR> d-------- C:\Documents and Settings\AHMAD\Application Data\Zango
2008-04-20 16:59 . 2008-04-23 22:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-20 16:59 . 2008-04-20 16:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-11 20:42 . 2008-04-11 20:42 <DIR> d-------- C:\Documents and Settings\AHMAD\Application Data\Viewpoint
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 14:06 16,384 ----a-w C:\WINDOWS\Internet Logs\xDB171.tmp
2008-04-28 14:01 4,665,856 ----a-w C:\WINDOWS\Internet Logs\xDB170.tmp
2008-04-28 06:42 4,665,344 ----a-w C:\WINDOWS\Internet Logs\xDB16E.tmp
2008-04-28 06:42 13,824 ----a-w C:\WINDOWS\Internet Logs\xDB16F.tmp
2008-04-28 06:35 4,665,344 ----a-w C:\WINDOWS\Internet Logs\xDB16C.tmp
2008-04-28 06:35 26,112 ----a-w C:\WINDOWS\Internet Logs\xDB16D.tmp
2008-04-27 18:54 40,448 ----a-w C:\WINDOWS\Internet Logs\xDB16B.tmp
2008-04-27 18:54 4,663,808 ----a-w C:\WINDOWS\Internet Logs\xDB16A.tmp
2008-04-27 14:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-04-27 08:42 --------- d-----w C:\Documents and Settings\YASMIN\Application Data\MSN6
2008-04-27 08:05 4,661,760 ----a-w C:\WINDOWS\Internet Logs\xDB168.tmp
2008-04-27 07:58 37,888 ----a-w C:\WINDOWS\Internet Logs\xDB169.tmp
2008-04-26 23:05 73,728 ----a-w C:\WINDOWS\Internet Logs\xDB167.tmp
2008-04-26 22:52 --------- d-----w C:\Program Files\Kontiki
2008-04-26 22:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-04-26 22:32 4,660,736 ----a-w C:\WINDOWS\Internet Logs\xDB166.tmp
2008-04-24 16:51 46,592 ----a-w C:\WINDOWS\Internet Logs\xDB165.tmp
2008-04-24 16:51 4,651,520 ----a-w C:\WINDOWS\Internet Logs\xDB164.tmp
2008-04-24 10:30 68,608 ----a-w C:\WINDOWS\Internet Logs\xDB163.tmp
2008-04-24 10:30 4,651,008 ----a-w C:\WINDOWS\Internet Logs\xDB162.tmp
2008-04-23 20:25 24,064 ----a-w C:\WINDOWS\Internet Logs\xDB161.tmp
2008-04-23 20:05 4,649,472 ----a-w C:\WINDOWS\Internet Logs\xDB160.tmp
2008-04-23 11:52 4,639,232 ----a-w C:\WINDOWS\Internet Logs\xDB15E.tmp
2008-04-23 11:52 14,848 ----a-w C:\WINDOWS\Internet Logs\xDB15F.tmp
2008-04-23 10:05 25,600 ----a-w C:\WINDOWS\Internet Logs\xDB15D.tmp
2008-04-23 10:04 4,643,328 ----a-w C:\WINDOWS\Internet Logs\xDB15C.tmp
2008-04-23 08:53 43,008 ----a-w C:\WINDOWS\Internet Logs\xDB15B.tmp
2008-04-23 08:18 4,640,256 ----a-w C:\WINDOWS\Internet Logs\xDB15A.tmp
2008-04-21 16:50 4,629,504 ----a-w C:\WINDOWS\Internet Logs\xDB158.tmp
2008-04-21 16:50 25,088 ----a-w C:\WINDOWS\Internet Logs\xDB159.tmp
2008-04-21 13:56 87,040 ----a-w C:\WINDOWS\Internet Logs\xDB157.tmp
2008-04-21 13:44 4,629,504 ----a-w C:\WINDOWS\Internet Logs\xDB156.tmp
2008-04-21 08:15 --------- d-----w C:\Program Files\Zango Programs
2008-04-19 16:21 77,312 ----a-w C:\WINDOWS\Internet Logs\xDB155.tmp
2008-04-19 15:46 4,601,344 ----a-w C:\WINDOWS\Internet Logs\xDB154.tmp
2008-04-17 14:06 17,408 ----a-w C:\WINDOWS\Internet Logs\xDB153.tmp
2008-04-17 13:06 4,598,272 ----a-w C:\WINDOWS\Internet Logs\xDB152.tmp
2008-04-17 08:04 4,596,736 ----a-w C:\WINDOWS\Internet Logs\xDB150.tmp
2008-04-17 07:55 51,712 ----a-w C:\WINDOWS\Internet Logs\xDB151.tmp
2008-04-15 15:55 122,368 ----a-w C:\WINDOWS\Internet Logs\xDB14F.tmp
2008-04-15 15:20 4,595,712 ----a-w C:\WINDOWS\Internet Logs\xDB14E.tmp
2008-04-11 05:47 94,720 ----a-w C:\WINDOWS\Internet Logs\xDB14D.tmp
2008-04-11 05:47 4,579,328 ----a-w C:\WINDOWS\Internet Logs\xDB14C.tmp
2008-04-08 11:15 73,728 ----a-w C:\WINDOWS\Internet Logs\xDB14B.tmp
2008-04-07 18:20 --------- d-----w C:\Documents and Settings\LAILA\Application Data\LimeWire
2008-04-05 08:40 95,232 ----a-w C:\WINDOWS\Internet Logs\xDB14A.tmp
2008-04-05 08:40 4,569,600 ----a-w C:\WINDOWS\Internet Logs\xDB149.tmp
2008-04-02 19:13 4,569,600 ----a-w C:\WINDOWS\Internet Logs\xDB147.tmp
2008-04-02 19:07 27,136 ----a-w C:\WINDOWS\Internet Logs\xDB148.tmp
2008-04-02 13:43 20,480 ----a-w C:\WINDOWS\Internet Logs\xDB146.tmp
2008-04-02 13:35 4,569,600 ----a-w C:\WINDOWS\Internet Logs\xDB145.tmp
2008-04-01 13:29 16,384 ----a-w C:\WINDOWS\Internet Logs\xDB144.tmp
2008-04-01 12:59 4,569,600 ----a-w C:\WINDOWS\Internet Logs\xDB143.tmp
2008-03-31 18:16 230,400 ----a-w C:\WINDOWS\Internet Logs\xDB142.tmp
2008-03-31 18:15 4,569,600 ----a-w C:\WINDOWS\Internet Logs\xDB141.tmp
2008-03-22 14:36 4,557,824 ----a-w C:\WINDOWS\Internet Logs\xDB13F.tmp
2008-03-22 14:36 328,192 ----a-w C:\WINDOWS\Internet Logs\xDB140.tmp
2008-03-19 17:03 --------- d-----w C:\Documents and Settings\ADAM\Application Data\Aim
2008-03-11 20:07 56,320 ----a-w C:\WINDOWS\Internet Logs\xDB13E.tmp
2008-03-11 20:07 4,553,728 ----a-w C:\WINDOWS\Internet Logs\xDB13D.tmp
2008-03-09 16:37 97,280 ----a-w C:\WINDOWS\Internet Logs\xDB13C.tmp
2008-03-09 16:37 4,553,216 ----a-w C:\WINDOWS\Internet Logs\xDB13B.tmp
2008-03-06 20:06 4,550,144 ----a-w C:\WINDOWS\Internet Logs\xDB139.tmp
2008-03-06 20:06 17,920 ----a-w C:\WINDOWS\Internet Logs\xDB13A.tmp
2008-03-06 15:51 4,549,120 ----a-w C:\WINDOWS\Internet Logs\xDB137.tmp
2008-03-06 14:32 38,400 ----a-w C:\WINDOWS\Internet Logs\xDB138.tmp
2008-03-05 06:42 4,549,120 ----a-w C:\WINDOWS\Internet Logs\xDB135.tmp
2008-03-05 06:37 70,144 ----a-w C:\WINDOWS\Internet Logs\xDB136.tmp
2008-03-02 19:16 138,752 ----a-w C:\WINDOWS\Internet Logs\xDB134.tmp
2008-03-02 19:10 4,546,560 ----a-w C:\WINDOWS\Internet Logs\xDB133.tmp
2008-02-28 14:17 981,504 ----a-w C:\WINDOWS\Internet Logs\xDB132.tmp
2008-02-28 14:17 4,546,048 ----a-w C:\WINDOWS\Internet Logs\xDB131.tmp
2008-02-19 23:56 32,256 ----a-w C:\WINDOWS\Internet Logs\xDB130.tmp
2008-02-19 23:54 4,530,688 ----a-w C:\WINDOWS\Internet Logs\xDB12F.tmp
2008-02-19 17:37 4,528,640 ----a-w C:\WINDOWS\Internet Logs\xDB12D.tmp
2008-02-19 17:37 33,280 ----a-w C:\WINDOWS\Internet Logs\xDB12E.tmp
2008-02-18 19:40 4,528,640 ----a-w C:\WINDOWS\Internet Logs\xDB12B.tmp
2008-02-18 19:40 2,821,120 ----a-w C:\WINDOWS\Internet Logs\xDB12C.tmp
2008-02-06 15:52 4,519,936 ----a-w C:\WINDOWS\Internet Logs\xDB129.tmp
2008-02-06 15:52 13,824 ----a-w C:\WINDOWS\Internet Logs\xDB12A.tmp
2008-02-06 15:47 4,519,936 ----a-w C:\WINDOWS\Internet Logs\xDB127.tmp
2008-02-06 15:47 118,784 ----a-w C:\WINDOWS\Internet Logs\xDB128.tmp
2008-01-31 16:41 790,528 ----a-w C:\WINDOWS\Internet Logs\xDB126.tmp
2008-01-31 16:41 4,515,840 ----a-w C:\WINDOWS\Internet Logs\xDB125.tmp
2007-09-06 18:32 61,296 ----a-w C:\Documents and Settings\SARAH\Application Data\GDIPFONTCACHEV1.DAT
2007-07-08 11:12 61,296 ----a-w C:\Documents and Settings\LAILA\Application Data\GDIPFONTCACHEV1.DAT
2006-12-18 20:02 284 ----a-w C:\Documents and Settings\SARAH\Application Data\ViewerApp.dat
2006-06-04 13:19 56,592 ----a-w C:\Documents and Settings\YASMIN\Application Data\GDIPFONTCACHEV1.DAT
2006-03-26 16:43 56,592 ----a-w C:\Documents and Settings\ADAM\Application Data\GDIPFONTCACHEV1.DAT
2004-04-20 18:23 48,848 ----a-w C:\Documents and Settings\AHMAD\Application Data\GDIPFONTCACHEV1.DAT
2004-02-18 02:41 32 --sha-w C:\WINDOWS\{8A5B4560-803A-4975-81C4-D78A555500F6}.dat
2004-02-18 02:41 32 --sha-w C:\WINDOWS\SYSTEM32\{F1868A96-4A39-49CB-8B2C-A67D0280A8AF}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe" [2004-04-01 09:30 693520]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-28 17:13 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-23 17:45 219136]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 10:04 54936]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 08:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KernelPrx"= {f537fc47-a4ea-42c9-a5bf-8f1c37a4189f} - C:\WINDOWS\Resources\KernelPrx.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcBUnlJ]
ddcBUnlJ.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm
[HKLM\~\startupfolder\C:^Documents and Settings^AHMAD^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\AHMAD\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Broadband Check-Up.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Broadband Check-Up.lnk
backup=C:\WINDOWS\pss\AOL Broadband Check-Up.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 Detect.lnk
backup=C:\WINDOWS\pss\PCSuiteForNokia6600 Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 TS.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 TS.lnk
backup=C:\WINDOWS\pss\PCSuiteForNokia6600 TS.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk
backup=C:\WINDOWS\pss\Status Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^LAILA^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\LAILA\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^SAM^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\SAM\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^SAM^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\SAM\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^SARAH^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\SARAH\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^SARAH^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\SARAH\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\302bf601]
C:\WINDOWS\system32\hpdgbiyl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
C:\Program Files\Kontiki\KHost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-08-10 16:37 61440 C:\Program Files\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-11-10 00:22 497240 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
--a------ 2008-01-28 17:13 406528 C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bacstray]
--a------ 2003-05-08 20:15 98304 C:\WINDOWS\SYSTEM32\BacsTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2003-12-02 17:11 54296 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2003-12-02 17:11 58392 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--------- 2005-05-17 17:42 933888 C:\Program Files\Brother\ControlCenter2\brctrcen.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeMouse ]
--a------ 2004-06-27 15:38 503808 C:\Program Files\Mouse Driver\MouseDrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2005-11-11 11:15 851456 C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2003-08-06 02:04 114741 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
--a------ 2003-04-25 11:22 16384 C:\WINDOWS\SYSTEM32\dslagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2003-08-13 11:27 28672 C:\WINDOWS\System32\DSentry.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2007-03-13 15:38 39264 C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C64 Series]
--a------ 2003-05-27 04:08 99840 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GSICONEXE]
--a------ 2003-05-14 21:25 90112 C:\WINDOWS\SYSTEM32\gsicon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2005-07-29 17:53 159832 C:\Program Files\Common Files\AOL\1150496578\ee\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 08:59 126976 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-10-19 08:59 155648 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2005-03-17 14:45 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\Program Files\Kontiki\KHost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2003-12-16 22:37 188416 C:\Program Files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2003-12-16 22:39 77824 C:\Program Files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
--a------ 2004-08-13 17:41 86016 C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2005-03-17 14:25 57393 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 20:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-12-13 08:49 217088 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2005-11-30 16:56 1306624 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-03-31 09:24 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-08-13 23:52 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2005-01-26 18:02 49152 C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\Program Files\Spyware Doctor\swdoctor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-10-14 10:22 155648 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-01-27 20:03 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\The Nose]
C:\Program Files\The Nose\TheNose.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherDPA]
C:\Program Files\Zango\bin\10.3.37.0\Weather.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates]
javaw -cp C:\Program Files\WebRebates\System\Code Main lp: C:\Program Files\WebRebates
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\You've Got Pictures screensaver]
--a------ 2004-06-22 12:13 99456 C:\Program Files\Common Files\AOL\Screensaver\ygpsstra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
c:\program files\zango\zango.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoOE]
C:\Program Files\Zango\bin\10.3.37.0\OEAddOn.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoSA]
C:\Program Files\Zango\bin\10.3.37.0\ZangoSA.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"You've Got Pictures screensaver"=C:\Program Files\Common Files\AOL\Screensaver\ygpsstra.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\SYSTEM32\\rtcshare.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\AOL 8.0a\\waol.exe"=
"C:\\Program Files\\AOL 9.0a\\waol.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"C:\\WINDOWS\\SYSTEM32\\rundll32.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a32d504c-cab5-11d9-a539-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 16:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
"2008-04-28 20:19:26 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 21:19:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 67
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\brsvc01a.exe
C:\WINDOWS\SYSTEM32\brss01a.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\WINDOWS\SYSTEM32\UAService7.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\WINDOWS\SYSTEM32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-28 21:50:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-28 20:50:44
Pre-Run: 25,413,685,248 bytes free
Post-Run: 29,586,456,576 bytes free
433 --- E O F --- 2008-04-27 11:50:18
Hi
Looks like you posted ComboFix twice and no hjt log. Let's do the following before getting the hjt log.
Open notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\Documents and Settings\AHMAD\Application Data\Zango
C:\PROGRA~1\MYWEBS~1
C:\Program Files\WebRebates
c:\program files\zango
C:\Program Files\Hotbar
DirLook::
C:\WINDOWS\SYSTEM32\382077
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KernelPrx"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcBUnlJ]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\302bf601]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherDPA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoOE]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoSA]
Save this as CFScript
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Run Kaspersky online scanner and post back its report & a fresh hjt log (without forgetting the above-mentioned ComboFix resultant log).
Hi, thanks for all your help.
ComboFix 08-04-27.3 - SARAH 2008-04-29 16:20:50.2 - NTFSx86
Running from: C:\Documents and Settings\SARAH\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\SARAH\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\AHMAD\Application Data\Zango
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\1.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\1066683.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\1067059.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\1368932.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\1383661.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\1383918.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\1400347.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\141857.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\2214869.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\245753.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\3251993.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\3340762.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\3404705.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\3852296.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\3893245.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\3893642.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\476032.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\489906.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\600583.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\718175.sdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\domains.txt
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1000030338
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\100846
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\100848
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\10110
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\116250
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\117759
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\117970
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\118375
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\11891
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\130787
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\13608
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\13617
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\14271
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\14633
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\148188
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1491
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\153363
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\15622
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\15628
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\15643
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\15831
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1590
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\16173
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\168167
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\17025
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\17040
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\184591
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\188810
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\18906
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\19052
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\190717
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1927
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\2021
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\20478
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\204988
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\205324
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\211386
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\21889
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\22383
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\227417
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\237488
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\23923
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\243256
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\251440
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\258958
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\25933
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\261481
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\26656
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\26664
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\270571
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\270795
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\27414
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\27503
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\27505
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\279517
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\28532
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\290893
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\29115
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\297534
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\30823
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\309974
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\31262
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\31537
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\32137
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\32171
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\32242
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\32290
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\33168
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\3405
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\34107
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\34123
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\34381
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\344900
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\3450
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\34952
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\35000
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\35006
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\35020
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\35047
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\35737
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\372500
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\39850
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\401332
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\40256
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\40267
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\41421
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\41507
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\41952
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\42034
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\427075
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\43803
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\44293
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\44789
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\455563
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\459052
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\459956
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\471072
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\47370
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\477253
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\4967
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\51194
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\51495
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\52253
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\52335
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\530292
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\53312
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\54469
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\54473
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\5508
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\579123
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\579718
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\58804
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\59221
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\59231
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\59234
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\59905
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\61642
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\61837
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\6292
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64404
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64414
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64415
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64429
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64484
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64502
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64517
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\65770
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\66274
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\66852
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\67220
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\67469
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\67491
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68870
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\69201
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\69235
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\69325
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\70518
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\71340
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\72123
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\73290
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\733622
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\737827
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\738022
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\738232
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\744260
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\744451
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\744614
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\744884
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745037
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745201
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745438
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745759
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745865
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\747687
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\748176
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\748292
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\748499
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\748893
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\749354
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\749559
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\749786
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\7521
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753300
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753309
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753310
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753335
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753340
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753346
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753348
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753350
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753356
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753360
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753366
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79246
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\80193
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\80663
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\80670
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\82646
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\8438
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\84449
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\85268
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\86090
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\8843
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\896
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\913
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\91840
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\93958
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\93997
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\95825
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\97082
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\97964
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\dynamic\ustat\36a6.dat
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\avatar.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\btntrans.idx
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\btntrans1.dat
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\buttondir.txt
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\components.cdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\cursors.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_1000.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_2000.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_3000.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_bar.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_bbar1.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_logos.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_other.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\d_icons_weather.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\default.cdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_511745-514279.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-ca.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-us.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_categorize.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_comparison.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-Mails.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-people.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_favorites.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_Games.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_Hide.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_hotbarcom.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_Hotmail.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_hsskin.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_jemster.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_jemsterie.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_jemsteruk.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_jobsearch.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_Mails.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_MobileSidewalk.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_new.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_premium.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_reun.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_ringtones.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_SearchBoxTrapper.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_searchfor.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_searchgo.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_weather.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Default_yellowpages.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\editblbuttons.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-548964.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-9595.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\email-t1-bg.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\icons2.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\ie_games_icon.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\ie_video.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\keywords.idx
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\keywords1.dat
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\layout.cdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\linkpathlegal.txt
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\progress.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\s_icons_buttons.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\sales_buttons.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\sdfmodifier.xml
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\t2_bg.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\theweb.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\top7.cdf
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\Top7_theweb.mnu
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\tsd_bg.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\zango_btn.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\2\zango_ie_menu.res
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\avatar.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\default.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\editblbuttons.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\progress.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.txt
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\sdfmodifier.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\top7.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip
C:\Documents and Settings\AHMAD\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_ie_menu.xip
.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.
2008-04-26 23:52 . 2008-04-26 23:52 <DIR> d-------- C:\Program Files\Channel4
2008-04-25 06:36 . 2008-04-25 06:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-25 01:53 . 2008-04-25 01:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-25 01:53 . 2008-04-25 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-23 16:58 . 2008-04-24 23:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\382077
2008-04-20 16:59 . 2008-04-23 22:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-20 16:59 . 2008-04-20 16:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-11 20:42 . 2008-04-11 20:42 <DIR> d-------- C:\Documents and Settings\AHMAD\Application Data\Viewpoint
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 14:01 4,669,440 ----a-w C:\WINDOWS\Internet Logs\xDB176.tmp
2008-04-29 14:01 13,824 ----a-w C:\WINDOWS\Internet Logs\xDB177.tmp
2008-04-29 13:41 4,669,440 ----a-w C:\WINDOWS\Internet Logs\xDB174.tmp
2008-04-29 13:41 33,792 ----a-w C:\WINDOWS\Internet Logs\xDB175.tmp
2008-04-29 09:19 51,200 ----a-w C:\WINDOWS\Internet Logs\xDB173.tmp
2008-04-29 09:09 4,669,440 ----a-w C:\WINDOWS\Internet Logs\xDB172.tmp
2008-04-28 14:06 16,384 ----a-w C:\WINDOWS\Internet Logs\xDB171.tmp
2008-04-28 14:01 4,665,856 ----a-w C:\WINDOWS\Internet Logs\xDB170.tmp
2008-04-28 06:42 4,665,344 ----a-w C:\WINDOWS\Internet Logs\xDB16E.tmp
2008-04-28 06:42 13,824 ----a-w C:\WINDOWS\Internet Logs\xDB16F.tmp
2008-04-28 06:35 4,665,344 ----a-w C:\WINDOWS\Internet Logs\xDB16C.tmp
2008-04-28 06:35 26,112 ----a-w C:\WINDOWS\Internet Logs\xDB16D.tmp
2008-04-27 18:54 40,448 ----a-w C:\WINDOWS\Internet Logs\xDB16B.tmp
2008-04-27 18:54 4,663,808 ----a-w C:\WINDOWS\Internet Logs\xDB16A.tmp
2008-04-27 14:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-04-27 08:42 --------- d-----w C:\Documents and Settings\YASMIN\Application Data\MSN6
2008-04-27 08:05 4,661,760 ----a-w C:\WINDOWS\Internet Logs\xDB168.tmp
2008-04-27 07:58 37,888 ----a-w C:\WINDOWS\Internet Logs\xDB169.tmp
2008-04-26 23:05 73,728 ----a-w C:\WINDOWS\Internet Logs\xDB167.tmp
2008-04-26 22:52 --------- d-----w C:\Program Files\Kontiki
2008-04-26 22:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-04-26 22:32 4,660,736 ----a-w C:\WINDOWS\Internet Logs\xDB166.tmp
2008-04-24 16:51 46,592 ----a-w C:\WINDOWS\Internet Logs\xDB165.tmp
2008-04-24 16:51 4,651,520 ----a-w C:\WINDOWS\Internet Logs\xDB164.tmp
2008-04-24 10:30 68,608 ----a-w C:\WINDOWS\Internet Logs\xDB163.tmp
2008-04-24 10:30 4,651,008 ----a-w C:\WINDOWS\Internet Logs\xDB162.tmp
2008-04-23 20:25 24,064 ----a-w C:\WINDOWS\Internet Logs\xDB161.tmp
2008-04-23 20:05 4,649,472 ----a-w C:\WINDOWS\Internet Logs\xDB160.tmp
2008-04-23 11:52 4,639,232 ----a-w C:\WINDOWS\Internet Logs\xDB15E.tmp
2008-04-23 11:52 14,848 ----a-w C:\WINDOWS\Internet Logs\xDB15F.tmp
2008-04-23 10:05 25,600 ----a-w C:\WINDOWS\Internet Logs\xDB15D.tmp
2008-04-23 10:04 4,643,328 ----a-w C:\WINDOWS\Internet Logs\xDB15C.tmp
2008-04-23 08:53 43,008 ----a-w C:\WINDOWS\Internet Logs\xDB15B.tmp
2008-04-23 08:18 4,640,256 ----a-w C:\WINDOWS\Internet Logs\xDB15A.tmp
2008-04-21 16:50 4,629,504 ----a-w C:\WINDOWS\Internet Logs\xDB158.tmp
2008-04-21 16:50 25,088 ----a-w C:\WINDOWS\Internet Logs\xDB159.tmp
2008-04-21 13:56 87,040 ----a-w C:\WINDOWS\Internet Logs\xDB157.tmp
2008-04-21 13:44 4,629,504 ----a-w C:\WINDOWS\Internet Logs\xDB156.tmp
2008-04-21 08:15 --------- d-----w C:\Program Files\Zango Programs
2008-04-19 16:21 77,312 ----a-w C:\WINDOWS\Internet Logs\xDB155.tmp
2008-04-19 15:46 4,601,344 ----a-w C:\WINDOWS\Internet Logs\xDB154.tmp
2008-04-17 14:06 17,408 ----a-w C:\WINDOWS\Internet Logs\xDB153.tmp
2008-04-17 13:06 4,598,272 ----a-w C:\WINDOWS\Internet Logs\xDB152.tmp
2008-04-17 08:04 4,596,736 ----a-w C:\WINDOWS\Internet Logs\xDB150.tmp
2008-04-17 07:55 51,712 ----a-w C:\WINDOWS\Internet Logs\xDB151.tmp
2008-04-15 15:55 122,368 ----a-w C:\WINDOWS\Internet Logs\xDB14F.tmp
2008-04-15 15:20 4,595,712 ----a-w C:\WINDOWS\Internet Logs\xDB14E.tmp
2008-04-11 05:47 94,720 ----a-w C:\WINDOWS\Internet Logs\xDB14D.tmp
2008-04-11 05:47 4,579,328 ----a-w C:\WINDOWS\Internet Logs\xDB14C.tmp
2008-04-08 11:15 73,728 ----a-w C:\WINDOWS\Internet Logs\xDB14B.tmp
2008-04-07 18:20 --------- d-----w C:\Documents and Settings\LAILA\Application Data\LimeWire
2008-04-05 08:40 95,232 ----a-w C:\WINDOWS\Internet Logs\xDB14A.tmp
2008-04-05 08:40 4,569,600 ----a-w C:\WINDOWS\Internet Logs\xDB149.tmp
2008-04-02 19:13 4,569,600 ----a-w C:\WINDOWS\Internet Logs\xDB147.tmp
2008-04-02 19:07 27,136 ----a-w C:\WINDOWS\Internet Logs\xDB148.tmp
2008-04-02 13:43 20,480 ----a-w C:\WINDOWS\Internet Logs\xDB146.tmp
2008-04-02 13:35 4,569,600 ----a-w C:\WINDOWS\Internet Logs\xDB145.tmp
2008-04-01 13:29 16,384 ----a-w C:\WINDOWS\Internet Logs\xDB144.tmp
2008-04-01 12:59 4,569,600 ----a-w C:\WINDOWS\Internet Logs\xDB143.tmp
2008-03-31 18:16 230,400 ----a-w C:\WINDOWS\Internet Logs\xDB142.tmp
2008-03-31 18:15 4,569,600 ----a-w C:\WINDOWS\Internet Logs\xDB141.tmp
2008-03-22 14:36 4,557,824 ----a-w C:\WINDOWS\Internet Logs\xDB13F.tmp
2008-03-22 14:36 328,192 ----a-w C:\WINDOWS\Internet Logs\xDB140.tmp
2008-03-19 17:03 --------- d-----w C:\Documents and Settings\ADAM\Application Data\Aim
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-11 20:07 56,320 ----a-w C:\WINDOWS\Internet Logs\xDB13E.tmp
2008-03-11 20:07 4,553,728 ----a-w C:\WINDOWS\Internet Logs\xDB13D.tmp
2008-03-09 16:37 97,280 ----a-w C:\WINDOWS\Internet Logs\xDB13C.tmp
2008-03-09 16:37 4,553,216 ----a-w C:\WINDOWS\Internet Logs\xDB13B.tmp
2008-03-06 20:06 4,550,144 ----a-w C:\WINDOWS\Internet Logs\xDB139.tmp
2008-03-06 20:06 17,920 ----a-w C:\WINDOWS\Internet Logs\xDB13A.tmp
2008-03-06 15:51 4,549,120 ----a-w C:\WINDOWS\Internet Logs\xDB137.tmp
2008-03-06 14:32 38,400 ----a-w C:\WINDOWS\Internet Logs\xDB138.tmp
2008-03-05 06:42 4,549,120 ----a-w C:\WINDOWS\Internet Logs\xDB135.tmp
2008-03-05 06:37 70,144 ----a-w C:\WINDOWS\Internet Logs\xDB136.tmp
2008-03-02 19:16 138,752 ----a-w C:\WINDOWS\Internet Logs\xDB134.tmp
2008-03-02 19:10 4,546,560 ----a-w C:\WINDOWS\Internet Logs\xDB133.tmp
2008-03-01 17:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-28 14:17 981,504 ----a-w C:\WINDOWS\Internet Logs\xDB132.tmp
2008-02-28 14:17 4,546,048 ----a-w C:\WINDOWS\Internet Logs\xDB131.tmp
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-19 23:56 32,256 ----a-w C:\WINDOWS\Internet Logs\xDB130.tmp
2008-02-19 23:54 4,530,688 ----a-w C:\WINDOWS\Internet Logs\xDB12F.tmp
2008-02-19 17:37 4,528,640 ----a-w C:\WINDOWS\Internet Logs\xDB12D.tmp
2008-02-19 17:37 33,280 ----a-w C:\WINDOWS\Internet Logs\xDB12E.tmp
2008-02-18 19:40 4,528,640 ----a-w C:\WINDOWS\Internet Logs\xDB12B.tmp
2008-02-18 19:40 2,821,120 ----a-w C:\WINDOWS\Internet Logs\xDB12C.tmp
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-02-06 15:52 4,519,936 ----a-w C:\WINDOWS\Internet Logs\xDB129.tmp
2008-02-06 15:52 13,824 ----a-w C:\WINDOWS\Internet Logs\xDB12A.tmp
2008-02-06 15:47 4,519,936 ----a-w C:\WINDOWS\Internet Logs\xDB127.tmp
2008-02-06 15:47 118,784 ----a-w C:\WINDOWS\Internet Logs\xDB128.tmp
2004-02-18 02:41 32 --sha-w C:\WINDOWS\{8A5B4560-803A-4975-81C4-D78A555500F6}.dat
2004-02-18 02:41 32 --sha-w C:\WINDOWS\SYSTEM32\{F1868A96-4A39-49CB-8B2C-A67D0280A8AF}.dat
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\WINDOWS\SYSTEM32\382077 ----
((((((((((((((((((((((((((((( snapshot@2008-04-28_21.30.55.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 20:15:30 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-29 14:54:57 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe" [2004-04-01 09:30 693520]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-28 17:13 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-23 17:45 219136]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 10:04 54936]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 08:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm
[HKLM\~\startupfolder\C:^Documents and Settings^AHMAD^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\AHMAD\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Broadband Check-Up.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Broadband Check-Up.lnk
backup=C:\WINDOWS\pss\AOL Broadband Check-Up.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 Detect.lnk
backup=C:\WINDOWS\pss\PCSuiteForNokia6600 Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 TS.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 TS.lnk
backup=C:\WINDOWS\pss\PCSuiteForNokia6600 TS.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk
backup=C:\WINDOWS\pss\Status Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^LAILA^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\LAILA\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^SAM^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\SAM\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^SAM^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\SAM\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^SARAH^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\SARAH\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^SARAH^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\SARAH\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
C:\Program Files\Kontiki\KHost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-08-10 16:37 61440 C:\Program Files\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-11-10 00:22 497240 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
--a------ 2008-01-28 17:13 406528 C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bacstray]
--a------ 2003-05-08 20:15 98304 C:\WINDOWS\SYSTEM32\BacsTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2003-12-02 17:11 54296 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2003-12-02 17:11 58392 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--------- 2005-05-17 17:42 933888 C:\Program Files\Brother\ControlCenter2\brctrcen.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeMouse ]
--a------ 2004-06-27 15:38 503808 C:\Program Files\Mouse Driver\MouseDrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2005-11-11 11:15 851456 C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2003-08-06 02:04 114741 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
--a------ 2003-04-25 11:22 16384 C:\WINDOWS\SYSTEM32\dslagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2003-08-13 11:27 28672 C:\WINDOWS\System32\DSentry.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2007-03-13 15:38 39264 C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C64 Series]
--a------ 2003-05-27 04:08 99840 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GSICONEXE]
--a------ 2003-05-14 21:25 90112 C:\WINDOWS\SYSTEM32\gsicon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2005-07-29 17:53 159832 C:\Program Files\Common Files\AOL\1150496578\ee\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 08:59 126976 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-10-19 08:59 155648 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2005-03-17 14:45 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\Program Files\Kontiki\KHost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2003-12-16 22:37 188416 C:\Program Files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2003-12-16 22:39 77824 C:\Program Files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
--a------ 2004-08-13 17:41 86016 C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2005-03-17 14:25 57393 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 20:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-12-13 08:49 217088 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2005-11-30 16:56 1306624 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-03-31 09:24 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-08-13 23:52 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2005-01-26 18:02 49152 C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\Program Files\Spyware Doctor\swdoctor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-10-14 10:22 155648 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-01-27 20:03 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\The Nose]
C:\Program Files\The Nose\TheNose.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\You've Got Pictures screensaver]
--a------ 2004-06-22 12:13 99456 C:\Program Files\Common Files\AOL\Screensaver\ygpsstra.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"You've Got Pictures screensaver"=C:\Program Files\Common Files\AOL\Screensaver\ygpsstra.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\SYSTEM32\\rtcshare.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\AOL 8.0a\\waol.exe"=
"C:\\Program Files\\AOL 9.0a\\waol.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"C:\\WINDOWS\\SYSTEM32\\rundll32.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a32d504c-cab5-11d9-a539-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 16:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
"2008-04-29 14:56:12 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 16:27:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 67
**************************************************************************
.
Completion time: 2008-04-29 16:38:11
ComboFix-quarantined-files.txt 2008-04-29 15:38:06
ComboFix2.txt 2008-04-28 20:50:55
Pre-Run: 34,858,549,248 bytes free
Post-Run: 34,859,823,104 bytes free
686 --- E O F --- 2008-04-27 11:50:18
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:52:25, on 29/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-GB\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O15 - Trusted Zone: www.hmv.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} (PhotoBox uploader) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129896854671
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - https://www.tescophoto.com/wpp/tesco/app/opcuploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 10603 bytes
And I will run Kaspersky now.
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 29, 2008 8:45:54 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/04/2008
Kaspersky Anti-Virus database records: 731075
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 170167
Number of viruses found: 20
Number of infected objects: 55
Number of suspicious objects: 0
Duration of the scan process: 02:49:07
I've just posted this bit; I think it must be too big to post (3.94MB?) as I've been trying to post it unsuccessfully.
Hi
You can upload it to http://rapidshare.com. Post a download link back here :)
Thanks!
http://rapidshare.com/files/111359253/KScan.txt.html
Have just realised that the Kaspersky scan was so big because one of the user accounts uses a password. :oops:
Hi
Clear Java cache according to this (http://www.java.com/en/download/help/5000020300.xml) set of instructions.
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Clear items in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery folder (don't remove the folder itself!).
Other bad items get removed by flushing system restore and by uninstalling ComboFix. We'll do that a bit later.
Start hjt, do a system scan, check:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
Close browsers and fix checked.
I noticed that you've got Norton Antivirus, or should I say some leftovers of it, there (I assume AVG Antivirus is now the one you're using). The following instructions are for removing those. Follow them if you want the Norton parts to be removed.
1) Uninstall Norton Antivirus related items in add/remove programs if found.
Start hjt, do a system scan, check:
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
Close browsers and fix checked.
2) Creating & executing batch file
-------------------------------
Open Notepad and then copy and paste the bolded lines below into it. Go to File > Save As, name the file fixes.bat, change the "Save as type" to All Files and save it to your desktop. (If you are still unsure how to do this, there is a little tutorial with pictures here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File).)
@echo off
sc stop ccEvtMgr
sc delete ccEvtMgr
sc stop navapsvc
sc delete navapsvc
sc stop ccPwdSvc
sc delete ccPwdSvc
sc stop SBService
sc delete SBService
Double-click on fixes.bat file to execute it. After that the bat file can be removed.
3) Delete following folders if found:
C:\Program Files\Norton AntiVirus
C:\Program Files\Common Files\Symantec Shared
Reboot and post a fresh hjt log.
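The triage the helper does by hand above (spot entries whose target file is gone, pick out the O23 services of an uninstalled product, turn them into sc stop / sc delete lines) can be scripted against the HijackThis log format. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log posted above, and the function names are my own.

```python
import re

# Constructed sample: HijackThis 2.0.2 lines copied from the log above.
# Raw string so the Windows paths keep their backslashes.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
"""

# Every HJT entry is "<section> - <body>"; body fields are separated by " - ".
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O23 body: "Service: <display> (<short name>) - <vendor> - <path>"
SERVICE = re.compile(r"^Service: (?P<display>.+?) \((?P<short>[^()]+)\) - (?P<vendor>.+?) - (?P<path>.+)$")

def parse(log):
    """Turn HijackThis log text into a list of entry dicts."""
    entries = []
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue  # headers, process list, "End of file" line etc.
        section, body = m.group("section"), m.group("body")
        entry = {"section": section, "raw": line.strip(),
                 # HJT marks targets that no longer exist on disk
                 "missing": body.endswith("(no file)") or body.endswith("(file missing)")}
        if section == "O23":
            sm = SERVICE.match(body)
            if sm:
                entry.update(sm.groupdict())
        entries.append(entry)
    return entries

def missing_file_entries(entries):
    """Entries pointing at a file that is gone: dead hooks, BHOs or services worth fixing."""
    return [e for e in entries if e["missing"]]

def leftover_services(entries, vendor):
    """O23 services still registered for a vendor whose product was uninstalled."""
    return [e for e in entries if e["section"] == "O23" and e.get("vendor") == vendor]

def service_removal_batch(entries):
    """Build the same sc stop / sc delete batch the helper posted, from O23 entries."""
    lines = ["@echo off"]
    for e in entries:
        lines += [f"sc stop {e['short']}", f"sc delete {e['short']}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    found = parse(SAMPLE_LOG)
    for e in missing_file_entries(found):
        print("missing target:", e["raw"])
    print(service_removal_batch(leftover_services(found, "Symantec Corporation")))
```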
Due to inactivity, this thread will now be closed.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.