Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Virus - Help needed please

  • 06-11-2007 9:34pm
    #1
    phog
    Registered Users, Registered Users 2 Posts: 24,968 ✭✭✭✭


    My AVG AV just reported that it has picked up the JS/Downloader.Agent virus...it also reports an error in deleting the virus.

    I need help - what do I need to do to rid myself of this nasty bit of junk?

    My OS is Win XP.


Comments

  • #2
    ActorSeeksJob
    Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Do this

    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
    • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • Under Additional Scans on the bottom right, check the box for Reg - Disabled MS Config Items.
    • Now click the Run Scan button on the toolbar.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
    Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

    Make sure you attach the report in your reply.



    Also post a HijackThis log, check the Sticky thread about it.


  • #3
    phog
    Registered Users, Registered Users 2 Posts: 24,968 ✭✭✭✭phog


    ActorSeeksJob wrote: »
    Do this

    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
    • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • Under Additional Scans on the bottom right, check the box for Reg - Disabled MS Config Items.
    • Now click the Run Scan button on the toolbar.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
    Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

    Make sure you attach the report in your reply.



    Also post a HijackThis log, check the Sticky thread about it.

    Do I need to disable AVG first?


  • #4
    ActorSeeksJob
    Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    No


  • #5
    phog
    Registered Users, Registered Users 2 Posts: 24,968 ✭✭✭✭phog


    Actor, this is what I got, hope it makes sense to you.

    WinPFind3 logfile created on: 07/11/2007 21:20:15
    WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\Patrick\Desktop\WinPFind3u\
    Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
    Internet Explorer (Version = 7.0.5730.11)

    1013.98 Mb Total Physical Memory | 590.35 Mb Available Physical Memory | 58.22% Memory free
    2.38 Gb Paging File | 1.94 Gb Available in Paging File | 81.16% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048;

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.53 Gb Total Space | 46.39 Gb Free Space | 62.24% Space Free
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded

    Computer Name: PH_PC
    Current User Name: Patrick
    Logged in as Administrator.
    Current Boot Mode: Normal


    [Processes - Non-Microsoft Only]
    agrsmmsg.exe -> %SystemRoot%\agrsmmsg.exe -> Agere Systems [Ver = 2.1.63 2.1.63 12/12/2005 14:50:01 | Size = 88204 bytes | Modified Date = 13/12/2005 14:50:02 | Attr = ]
    aluschedulersvc.exe -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.0.0.171 | Size = 100032 bytes | Modified Date = 25/07/2006 18:03:44 | Attr = ]
    apdproxy.exe -> %ProgramFiles%\Adobe\Photoshop Elements 5.0\apdproxy.exe -> Adobe Systems Incorporated [Ver = 3.0.0.66984 | Size = 61440 bytes | Modified Date = 14/09/2006 07:55:52 | Attr = ]
    avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.496 | Size = 418816 bytes | Modified Date = 23/10/2007 10:26:02 | Attr = ]
    avgcc.exe -> %ProgramFiles%\Grisoft\AVG7\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.497 | Size = 579072 bytes | Modified Date = 23/10/2007 10:26:04 | Attr = ]
    avgemc.exe -> %ProgramFiles%\Grisoft\AVG7\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.494 | Size = 406528 bytes | Modified Date = 23/10/2007 10:26:04 | Attr = ]
    avgupsvc.exe -> %ProgramFiles%\Grisoft\AVG7\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 17/03/2007 21:37:04 | Attr = ]
    cfsvcs.exe -> %ProgramFiles%\Toshiba\ConfigFree\CFSvcs.exe -> TOSHIBA CORPORATION [Ver = 6, 0, 0, 1 | Size = 40960 bytes | Modified Date = 17/01/2005 23:38:38 | Attr = ]
    dlactrlw.exe -> %System32%\DLA\DLACTRLW.EXE -> Sonic Solutions [Ver = 5.20.09a | Size = 122940 bytes | Modified Date = 06/10/2005 04:20:00 | Attr = ]
    dot1xcfg.exe -> %ProgramFiles%\Intel\Wireless\Bin\Dot1XCfg.exe -> Intel Corporation [Ver = 10.5.0.3 | Size = 479232 bytes | Modified Date = 02/08/2006 00:27:54 | Attr = ]
    dvdramsv.exe -> %System32%\DVDRAMSV.exe -> Matsu****a Electric Industrial Co., Ltd. [Ver = 3, 0, 0, 0 | Size = 110592 bytes | Modified Date = 28/08/2004 07:33:00 | Attr = ]
    e_fatiboe.exe -> %System32%\spool\drivers\w32x86\3\E_FATIBOE.EXE -> SEIKO EPSON CORPORATION [Ver = 4.00 | Size = 139264 bytes | Modified Date = 29/05/2006 04:00:00 | Attr = ]
    evteng.exe -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> Intel Corporation [Ver = 10.5.0.20 | Size = 434176 bytes | Modified Date = 02/08/2006 00:39:20 | Attr = ]
    guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 30/06/2007 13:12:52 | Attr = ]
    hkcmd.exe -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4543 | Size = 77824 bytes | Modified Date = 23/03/2006 19:13:40 | Attr = ]
    ifrmewrk.exe -> %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe -> Intel Corporation [Ver = 10.5.0.1 | Size = 696320 bytes | Modified Date = 02/08/2006 00:32:44 | Attr = ]
    igfxpers.exe -> %System32%\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4543 | Size = 118784 bytes | Modified Date = 23/03/2006 19:17:50 | Attr = ]
    igfxtray.exe -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.4543 | Size = 94208 bytes | Modified Date = 23/03/2006 19:17:04 | Attr = ]
    ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 492608 bytes | Modified Date = 30/10/2006 09:36:32 | Attr = ]
    ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 256576 bytes | Modified Date = 30/10/2006 09:36:36 | Attr = ]
    ndstray.exe -> %ProgramFiles%\Toshiba\ConfigFree\NDSTray.exe -> TOSHIBA CORPORATION [Ver = 6, 0, 1, 2 | Size = 974848 bytes | Modified Date = 16/03/2006 20:58:50 | Attr = ]
    photoshopelementsfileagent.exe -> %ProgramFiles%\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -> [Ver = | Size = 102400 bytes | Modified Date = 14/09/2006 07:56:06 | Attr = ]
    qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.3 | Size = 282624 bytes | Modified Date = 25/10/2006 18:58:18 | Attr = ]
    ramasst.exe -> %System32%\RAMASST.exe -> Matsu****a Electric Industrial Co., Ltd. [Ver = 1, 1, 0, 0 | Size = 155648 bytes | Modified Date = 28/08/2004 07:37:00 | Attr = ]
    regsrvc.exe -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> Intel Corporation [Ver = 10.5.0.4 | Size = 327680 bytes | Modified Date = 02/08/2006 00:24:22 | Attr = ]
    rthdcpl.exe -> %SystemRoot%\RTHDCPL.exe -> Realtek Semiconductor Corp. [Ver = 2.0.6.4 | Size = 16206848 bytes | Modified Date = 05/05/2006 13:59:16 | Attr = ]
    s24evmon.exe -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> Intel Corporation [Ver = 10.5.0.34 | Size = 937984 bytes | Modified Date = 02/08/2006 00:31:22 | Attr = ]
    smoothview.exe -> %ProgramFiles%\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe -> TOSHIBA Corporation [Ver = 2, 0, 0, 23 | Size = 118784 bytes | Modified Date = 12/05/2005 09:31:38 | Attr = ]
    symlcsvc.exe -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> Symantec Corporation [Ver = 1.9.1.1080 | Size = 1174152 bytes | Modified Date = 20/01/2007 21:40:36 | Attr = ]
    syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.2.13.2 02Mar06 | Size = 761948 bytes | Modified Date = 02/03/2006 23:02:08 | Attr = ]
    tappsrv.exe -> %ProgramFiles%\Toshiba\TOSHIBA Applet\TAPPSRV.exe -> TOSHIBA Corp. [Ver = 1, 0, 0, 14M | Size = 35840 bytes | Modified Date = 07/02/2006 15:30:40 | Attr = ]
    tfncky.exe -> %ProgramFiles%\Toshiba\TOSHIBA Controls\TFncKy.exe -> TOSHIBA Corporation [Ver = 3.21.02 | Size = 184320 bytes | Modified Date = 29/06/2006 07:41:22 | Attr = ]
    thotkey.exe -> %ProgramFiles%\Toshiba\Toshiba Applet\THotkey.exe -> TOSHIBA [Ver = 1.00.0027 | Size = 356352 bytes | Modified Date = 25/08/2006 12:47:12 | Attr = ]
    toscdspd.exe -> %ProgramFiles%\Toshiba\TOSCDSPD\TOSCDSPD.exe -> TOSHIBA [Ver = 1, 0, 6, 0 | Size = 65536 bytes | Modified Date = 11/04/2005 10:26:06 | Attr = ]
    toshiba.exe -> %ProgramFiles%\Synaptics\SynTP\Toshiba.exe -> Synaptics, Inc. [Ver = 8.2.13.2 02Mar06 | Size = 151552 bytes | Modified Date = 02/03/2006 22:50:52 | Attr = ]
    tpsbattm.exe -> %System32%\TPSBattM.exe -> TOSHIBA Corporation [Ver = 1, 0, 2, 0 | Size = 40960 bytes | Modified Date = 03/08/2005 13:26:02 | Attr = ]
    tpsmain.exe -> %System32%\TPSMain.exe -> TOSHIBA Corporation [Ver = 1, 0, 15, 0 | Size = 266240 bytes | Modified Date = 03/08/2005 13:26:14 | Attr = ]
    tvstray.exe -> %ProgramFiles%\Toshiba\Tvs\TvsTray.exe -> TOSHIBA Corporation [Ver = 1, 0, 0, 7 | Size = 73728 bytes | Modified Date = 02/02/2006 11:11:38 | Attr = ]
    winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 04/09/2007 10:47:26 | Attr = ]
    x10nets.exe -> %CommonProgramFiles%\X10\Common\X10nets.exe -> X10 [Ver = 1, 0, 0, 1 | Size = 20480 bytes | Modified Date = 12/11/2001 12:31:48 | Attr = ]
    zcfgsvc.exe -> %ProgramFiles%\Intel\Wireless\Bin\ZCfgSvc.exe -> Intel Corporation [Ver = 10.5.0.5 | Size = 802816 bytes | Modified Date = 02/08/2006 00:38:30 | Attr = ]

    [Win32 Services - Non-Microsoft Only]
    (AdobeActiveFileMonitor5.0) Adobe Active File Monitor V5 [Win32_Own | Auto | Running] -> %ProgramFiles%\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -> [Ver = | Size = 102400 bytes | Modified Date = 14/09/2006 07:56:06 | Attr = ]
    (Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Stopped] -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4131 | Size = 405504 bytes | Modified Date = 22/03/2006 06:48:56 | Attr = ]
    (Automatic LiveUpdate Scheduler) Automatic LiveUpdate Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.0.0.171 | Size = 100032 bytes | Modified Date = 25/07/2006 18:03:44 | Attr = ]
    (AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 30/06/2007 13:12:52 | Attr = ]
    (Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.496 | Size = 418816 bytes | Modified Date = 23/10/2007 10:26:02 | Attr = ]
    (Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 17/03/2007 21:37:04 | Attr = ]
    (AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.494 | Size = 406528 bytes | Modified Date = 23/10/2007 10:26:04 | Attr = ]
    (CFSvcs) ConfigFree Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Toshiba\ConfigFree\CFSvcs.exe -> TOSHIBA CORPORATION [Ver = 6, 0, 0, 1 | Size = 40960 bytes | Modified Date = 17/01/2005 23:38:38 | Attr = ]
    (dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 10/08/2004 12:00:00 | Attr = ]
    (DVD-RAM_Service) DVD-RAM_Service [Win32_Own | Auto | Running] -> %System32%\DVDRAMSV.exe -> Matsu****a Electric Industrial Co., Ltd. [Ver = 3, 0, 0, 0 | Size = 110592 bytes | Modified Date = 28/08/2004 07:33:00 | Attr = ]
    (EvtEng) Intel(R) PROSet/Wireless Event Log [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> Intel Corporation [Ver = 10.5.0.20 | Size = 434176 bytes | Modified Date = 02/08/2006 00:39:20 | Attr = ]
    (gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.711.37800.beta | Size = 136120 bytes | Modified Date = 04/01/2007 01:40:22 | Attr = ]
    (IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 10.50.125 | Size = 73728 bytes | Modified Date = 22/10/2004 02:24:18 | Attr = ]
    (iPod Service) iPod Service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 492608 bytes | Modified Date = 30/10/2006 09:36:32 | Attr = ]
    (LiveUpdate) LiveUpdate [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Symantec\LiveUpdate\LuComServer_3_0.EXE -> Symantec Corporation [Ver = 3.0.0.171 | Size = 2119360 bytes | Modified Date = 25/07/2006 18:03:44 | Attr = ]
    (NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Stopped] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.8468 | Size = 143428 bytes | Modified Date = 01/05/2006 20:04:00 | Attr = ]
    (RegSrvc) Intel(R) PROSet/Wireless Registry Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> Intel Corporation [Ver = 10.5.0.4 | Size = 327680 bytes | Modified Date = 02/08/2006 00:24:22 | Attr = ]
    (S24EventMonitor) Intel(R) PROSet/Wireless Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> Intel Corporation [Ver = 10.5.0.34 | Size = 937984 bytes | Modified Date = 02/08/2006 00:31:22 | Attr = ]
    (Symantec Core LC) Symantec Core LC [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> Symantec Corporation [Ver = 1.9.1.1080 | Size = 1174152 bytes | Modified Date = 20/01/2007 21:40:36 | Attr = ]
    (TAPPSRV) TOSHIBA Application Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Toshiba\TOSHIBA Applet\TAPPSRV.exe -> TOSHIBA Corp. [Ver = 1, 0, 0, 14M | Size = 35840 bytes | Modified Date = 07/02/2006 15:30:40 | Attr = ]
    (x10nets) X10 Device Network Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\X10\Common\X10nets.exe -> X10 [Ver = 1, 0, 0, 1 | Size = 20480 bytes | Modified Date = 12/11/2001 12:31:48 | Attr = ]

    [Registry - Non-Microsoft Only]
    < Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
    !AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 30/06/2007 13:13:36 | Attr = ]
    Adobe Photo Downloader -> %ProgramFiles%\Adobe\Photoshop Elements 5.0\apdproxy.exe -> Adobe Systems Incorporated [Ver = 3.0.0.66984 | Size = 61440 bytes | Modified Date = 14/09/2006 07:55:52 | Attr = ]
    AGRSMMSG -> %SystemRoot%\agrsmmsg.exe -> Agere Systems [Ver = 2.1.63 2.1.63 12/12/2005 14:50:01 | Size = 88204 bytes | Modified Date = 13/12/2005 14:50:02 | Attr = ]
    Alcmtr -> %SystemRoot%\Alcmtr.exe -> Realtek Semiconductor Corp. [Ver = 1.6.0.2 | Size = 69632 bytes | Modified Date = 04/05/2005 16:43:28 | Attr = ]
    AVG7_CC -> %ProgramFiles%\Grisoft\AVG7\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.497 | Size = 579072 bytes | Modified Date = 23/10/2007 10:26:04 | Attr = ]
    Blubster -> %SystemDrive%\PROGRA~1\Blubster\Blubster.exe -> File not found
    DLA -> %System32%\DLA\DLACTRLW.EXE -> Sonic Solutions [Ver = 5.20.09a | Size = 122940 bytes | Modified Date = 06/10/2005 04:20:00 | Attr = ]
    igfxhkcmd -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4543 | Size = 77824 bytes | Modified Date = 23/03/2006 19:13:40 | Attr = ]
    igfxpers -> %System32%\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4543 | Size = 118784 bytes | Modified Date = 23/03/2006 19:17:50 | Attr = ]
    igfxtray -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.4543 | Size = 94208 bytes | Modified Date = 23/03/2006 19:17:04 | Attr = ]
    IntelWireless -> %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe -> Intel Corporation [Ver = 10.5.0.1 | Size = 696320 bytes | Modified Date = 02/08/2006 00:32:44 | Attr = ]
    IntelZeroConfig -> %ProgramFiles%\Intel\Wireless\Bin\ZCfgSvc.exe -> Intel Corporation [Ver = 10.5.0.5 | Size = 802816 bytes | Modified Date = 02/08/2006 00:38:30 | Attr = ]
    iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 256576 bytes | Modified Date = 30/10/2006 09:36:36 | Attr = ]
    NDSTray.exe -> NDSTray.exe -> File not found
    QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.3 | Size = 282624 bytes | Modified Date = 25/10/2006 18:58:18 | Attr = ]
    RTHDCPL -> %SystemRoot%\RTHDCPL.exe -> Realtek Semiconductor Corp. [Ver = 2.0.6.4 | Size = 16206848 bytes | Modified Date = 05/05/2006 13:59:16 | Attr = ]
    SmoothView -> %ProgramFiles%\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe -> TOSHIBA Corporation [Ver = 2, 0, 0, 23 | Size = 118784 bytes | Modified Date = 12/05/2005 09:31:38 | Attr = ]
    SynTPEnh -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.2.13.2 02Mar06 | Size = 761948 bytes | Modified Date = 02/03/2006 23:02:08 | Attr = ]
    TFncKy -> TFncKy.exe -> File not found
    THotkey -> %ProgramFiles%\Toshiba\Toshiba Applet\THotkey.exe -> TOSHIBA [Ver = 1.00.0027 | Size = 356352 bytes | Modified Date = 25/08/2006 12:47:12 | Attr = ]
    TPSMain -> %System32%\TPSMain.exe -> TOSHIBA Corporation [Ver = 1, 0, 15, 0 | Size = 266240 bytes | Modified Date = 03/08/2005 13:26:14 | Attr = ]
    Tvs -> %ProgramFiles%\Toshiba\Tvs\TvsTray.exe -> TOSHIBA Corporation [Ver = 1, 0, 0, 7 | Size = 73728 bytes | Modified Date = 02/02/2006 11:11:38 | Attr = ]
    < OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
    IMAIL -> Installed = 1 ->
    MAPI -> Installed = 1 ->
    MSFS -> Installed = 1 ->
    < Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
    EPSON Stylus Photo R360 Series -> %System32%\spool\DRIVERS\W32X86\3\E_FATIBOE.EXE /FU "C:\WINDOWS\TEMP\E_S8C.tmp -> File not found
    TOSCDSPD -> %ProgramFiles%\Toshiba\TOSCDSPD\TOSCDSPD.exe -> TOSHIBA [Ver = 1, 0, 6, 0 | Size = 65536 bytes | Modified Date = 11/04/2005 10:26:06 | Attr = ]
    < Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
    %AllUsersStartup%\RAMASST.lnk -> %System32%\RAMASST.exe -> Matsu****a Electric Industrial Co., Ltd. [Ver = 1, 1, 0, 0 | Size = 155648 bytes | Modified Date = 28/08/2004 07:37:00 | Attr = ]
    < ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
    {57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 30/06/2007 13:12:28 | Attr = ]
    < SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
    < Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
    < Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
    < Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
    AtiExtEvent -> %System32%\ati2evxx.dll -> ATI Technologies Inc. [Ver = 6.14.10.4131 | Size = 61440 bytes | Modified Date = 22/03/2006 06:50:12 | Attr = ]
    igfxcui -> %System32%\igfxdev.dll -> Intel Corporation [Ver = 3.0.0.4543 | Size = 139264 bytes | Modified Date = 23/03/2006 19:12:42 | Attr = ]
    < CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\InstallVisualStyle -> C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\InstallTheme -> C:\WINDOWS\Resources\Themes\Royale.theme ->
    < CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
    < HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
    127.0.0.1 localhost -> ->
    < Internet Explorer Settings > -> ->
    HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
    HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
    HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
    HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
    HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
    HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
    HKCU: Search Bar -> http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR ->
    HKCU: Search Page -> http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR ->
    HKCU: Start Page -> http://home.eircom.net/ ->
    HKCU: ProxyEnable -> 0 ->
    < BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.7.2006011200 | Size = 63128 bytes | Modified Date = 12/01/2006 19:38:22 | Attr = ]
    {5CA3D70E-1895-11CF-8E15-001234567890} [HKLM] -> %System32%\DLA\DLASHX_W.DLL [DriveLetterAccess] -> Sonic Solutions [Ver = 5.20.09a | Size = 110652 bytes | Modified Date = 06/10/2005 04:20:00 | Attr = ]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_06\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 184423 bytes | Modified Date = 10/11/2005 12:22:10 | Attr = ]
    {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
    {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} [HKLM] -> %ProgramFiles%\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [EpsonToolBandKicker Class] -> SEIKO EPSON CORPORATION [Ver = 1, 1, 0, 0 | Size = 368640 bytes | Modified Date = 22/02/2005 12:50:34 | Attr = ]
    < Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} [HKLM] -> %ProgramFiles%\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [EPSON Web-To-Page] -> SEIKO EPSON CORPORATION [Ver = 1, 1, 0, 0 | Size = 368640 bytes | Modified Date = 22/02/2005 12:50:34 | Attr = ]
    < Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
    WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
    WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
    WebBrowser\\{EE5D279F-081B-4404-994D-C6B60AAEBA6D} [HKLM] -> %ProgramFiles%\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [EPSON Web-To-Page] -> SEIKO EPSON CORPORATION [Ver = 1, 1, 0, 0 | Size = 368640 bytes | Modified Date = 22/02/2005 12:50:34 | Attr = ]
    < Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_06\bin\npjpi150_06.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 69746 bytes | Modified Date = 10/11/2005 12:22:10 | Attr = ]
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.5.0_06\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 184423 bytes | Modified Date = 10/11/2005 12:22:10 | Attr = ]
    {92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
    {e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
    < Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
    &MSN Search -> %ProgramFiles%\MSN Toolbar Suite\msntb.dll\search.htm -> File not found
    < DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
    {241028C0-9CEF-4E61-BAEE-96E1343BCDFC} -> (Intel(R) PRO/100 VE Network Connection) ->
    {A1160923-B856-4F7E-83A0-78254C35F7E8} -> (Intel(R) PRO/Wireless 3945ABG Network Connection) ->
    {A17A53A1-543C-4BF4-ACFE-DD8AC351EA82} -> (1394 Net Adapter) ->
    {ADFBBA37-A132-42E0-888C-2EE0F86BEA8A} -> (1394 Net Adapter) ->
    < Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
    ipp -> Reg Data - Key not found -> File not found
    msdaipp -> Reg Data - Key not found -> File not found
    < Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
    {166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab ->
    {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -> MSN Photo Upload Tool - CodeBase = http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab ->
    {8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab ->
    {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} -> Zylom Games Player - CodeBase = http://aolsvc.aol.com/onlinegames/free-trial-delicious-deluxe/zylomgamesplayer.cab ->
    {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab ->
    {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab ->
    {D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab ->


    [Registry - Additional Scans - Non-Microsoft Only]

    [Files/Folders - Created Within 30 days]
    sqmdata17.sqm -> %SystemDrive%\sqmdata17.sqm -> [Ver = | Size = 268 bytes | Created Date = 23/10/2007 20:52:03 | Attr = H ]
    sqmdata18.sqm -> %SystemDrive%\sqmdata18.sqm -> [Ver = | Size = 268 bytes | Created Date = 24/10/2007 17:51:37 | Attr = H ]
    sqmdata19.sqm -> %SystemDrive%\sqmdata19.sqm -> [Ver = | Size = 268 bytes | Created Date = 24/10/2007 20:51:03 | Attr = H ]
    sqmnoopt17.sqm -> %SystemDrive%\sqmnoopt17.sqm -> [Ver = | Size = 244 bytes | Created Date = 23/10/2007 20:52:03 | Attr = H ]
    sqmnoopt18.sqm -> %SystemDrive%\sqmnoopt18.sqm -> [Ver = | Size = 244 bytes | Created Date = 24/10/2007 17:51:36 | Attr = H ]
    sqmnoopt19.sqm -> %SystemDrive%\sqmnoopt19.sqm -> [Ver = | Size = 244 bytes | Created Date = 24/10/2007 20:51:03 | Attr = H ]
    $NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Created Date = 11/10/2007 18:55:47 | Attr = H ]
    $NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Created Date = 11/10/2007 18:50:44 | Attr = H ]

    [Files/Folders - Modified Within 30 days]
    hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 1063309312 bytes | Modified Date = 07/11/2007 19:45:48 | Attr = HS]
    sqmdata00.sqm -> %SystemDrive%\sqmdata00.sqm -> [Ver = | Size = 268 bytes | Modified Date = 25/10/2007 20:48:50 | Attr = H ]
    sqmdata01.sqm -> %SystemDrive%\sqmdata01.sqm -> [Ver = | Size = 268 bytes | Modified Date = 26/10/2007 17:39:02 | Attr = H ]
    sqmdata02.sqm -> %SystemDrive%\sqmdata02.sqm -> [Ver = | Size = 268 bytes | Modified Date = 26/10/2007 18:08:36 | Attr = H ]
    sqmdata03.sqm -> %SystemDrive%\sqmdata03.sqm -> [Ver = | Size = 268 bytes | Modified Date = 26/10/2007 20:45:10 | Attr = H ]
    sqmdata04.sqm -> %SystemDrive%\sqmdata04.sqm -> [Ver = | Size = 268 bytes | Modified Date = 26/10/2007 22:18:14 | Attr = H ]
    sqmdata05.sqm -> %SystemDrive%\sqmdata05.sqm -> [Ver = | Size = 268 bytes | Modified Date = 27/10/2007 08:43:04 | Attr = H ]
    sqmdata06.sqm -> %SystemDrive%\sqmdata06.sqm -> [Ver = | Size = 268 bytes | Modified Date = 30/10/2007 15:25:44 | Attr = H ]
    sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm -> [Ver = | Size = 268 bytes | Modified Date = 30/10/2007 18:36:58 | Attr = H ]
    sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm -> [Ver = | Size = 268 bytes | Modified Date = 30/10/2007 19:32:14 | Attr = H ]
    sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm -> [Ver = | Size = 268 bytes | Modified Date = 30/10/2007 20:45:36 | Attr = H ]
    sqmdata10.sqm -> %SystemDrive%\sqmdata10.sqm -> [Ver = | Size = 268 bytes | Modified Date = 30/10/2007 22:20:00 | Attr = H ]
    sqmdata11.sqm -> %SystemDrive%\sqmdata11.sqm -> [Ver = | Size = 268 bytes | Modified Date = 31/10/2007 07:19:26 | Attr = H ]
    sqmdata12.sqm -> %SystemDrive%\sqmdata12.sqm -> [Ver = | Size = 268 bytes | Modified Date = 31/10/2007 19:41:08 | Attr = H ]
    sqmdata13.sqm -> %SystemDrive%\sqmdata13.sqm -> [Ver = | Size = 268 bytes | Modified Date = 31/10/2007 22:55:52 | Attr = H ]
    sqmdata14.sqm -> %SystemDrive%\sqmdata14.sqm -> [Ver = | Size = 268 bytes | Modified Date = 01/11/2007 18:31:24 | Attr = H ]
    sqmdata15.sqm -> %SystemDrive%\sqmdata15.sqm -> [Ver = | Size = 268 bytes | Modified Date = 01/11/2007 22:34:02 | Attr = H ]
    sqmdata16.sqm -> %SystemDrive%\sqmdata16.sqm -> [Ver = | Size = 268 bytes | Modified Date = 02/11/2007 19:18:30 | Attr = H ]
    sqmdata17.sqm -> %SystemDrive%\sqmdata17.sqm -> [Ver = | Size = 268 bytes | Modified Date = 02/11/2007 21:48:42 | Attr = H ]
    sqmdata18.sqm -> %SystemDrive%\sqmdata18.sqm -> [Ver = | Size = 268 bytes | Modified Date = 24/10/2007 17:51:38 | Attr = H ]
    sqmdata19.sqm -> %SystemDrive%\sqmdata19.sqm -> [Ver = | Size = 268 bytes | Modified Date = 24/10/2007 20:51:04 | Attr = H ]
    sqmnoopt00.sqm -> %SystemDrive%\sqmnoopt00.sqm -> [Ver = | Size = 244 bytes | Modified Date = 25/10/2007 20:48:50 | Attr = H ]
    sqmnoopt01.sqm -> %SystemDrive%\sqmnoopt01.sqm -> [Ver = | Size = 244 bytes | Modified Date = 26/10/2007 17:39:00 | Attr = H ]
    sqmnoopt02.sqm -> %SystemDrive%\sqmnoopt02.sqm -> [Ver = | Size = 244 bytes | Modified Date = 26/10/2007 18:08:36 | Attr = H ]
    sqmnoopt03.sqm -> %SystemDrive%\sqmnoopt03.sqm -> [Ver = | Size = 244 bytes | Modified Date = 26/10/2007 20:45:10 | Attr = H ]
    sqmnoopt04.sqm -> %SystemDrive%\sqmnoopt04.sqm -> [Ver = | Size = 244 bytes | Modified Date = 26/10/2007 22:18:14 | Attr = H ]
    sqmnoopt05.sqm -> %SystemDrive%\sqmnoopt05.sqm -> [Ver = | Size = 244 bytes | Modified Date = 27/10/2007 08:43:04 | Attr = H ]
    sqmnoopt06.sqm -> %SystemDrive%\sqmnoopt06.sqm -> [Ver = | Size = 244 bytes | Modified Date = 30/10/2007 15:25:44 | Attr = H ]
    sqmnoopt07.sqm -> %SystemDrive%\sqmnoopt07.sqm -> [Ver = | Size = 244 bytes | Modified Date = 30/10/2007 18:36:58 | Attr = H ]
    sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm -> [Ver = | Size = 244 bytes | Modified Date = 30/10/2007 19:32:14 | Attr = H ]
    sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm -> [Ver = | Size = 244 bytes | Modified Date = 30/10/2007 20:45:36 | Attr = H ]
    sqmnoopt10.sqm -> %SystemDrive%\sqmnoopt10.sqm -> [Ver = | Size = 244 bytes | Modified Date = 30/10/2007 22:20:00 | Attr = H ]
    sqmnoopt11.sqm -> %SystemDrive%\sqmnoopt11.sqm -> [Ver = | Size = 244 bytes | Modified Date = 31/10/2007 07:19:26 | Attr = H ]
    sqmnoopt12.sqm -> %SystemDrive%\sqmnoopt12.sqm -> [Ver = | Size = 244 bytes | Modified Date = 31/10/2007 19:41:08 | Attr = H ]
    sqmnoopt13.sqm -> %SystemDrive%\sqmnoopt13.sqm -> [Ver = | Size = 244 bytes | Modified Date = 31/10/2007 22:55:52 | Attr = H ]
    sqmnoopt14.sqm -> %SystemDrive%\sqmnoopt14.sqm -> [Ver = | Size = 244 bytes | Modified Date = 01/11/2007 18:31:24 | Attr = H ]
    sqmnoopt15.sqm -> %SystemDrive%\sqmnoopt15.sqm -> [Ver = | Size = 244 bytes | Modified Date = 01/11/2007 22:34:02 | Attr = H ]
    sqmnoopt16.sqm -> %SystemDrive%\sqmnoopt16.sqm -> [Ver = | Size = 244 bytes | Modified Date = 02/11/2007 19:18:30 | Attr = H ]
    sqmnoopt17.sqm -> %SystemDrive%\sqmnoopt17.sqm -> [Ver = | Size = 244 bytes | Modified Date = 02/11/2007 21:48:40 | Attr = H ]
    sqmnoopt18.sqm -> %SystemDrive%\sqmnoopt18.sqm -> [Ver = | Size = 244 bytes | Modified Date = 24/10/2007 17:51:38 | Attr = H ]
    sqmnoopt19.sqm -> %SystemDrive%\sqmnoopt19.sqm -> [Ver = | Size = 244 bytes | Modified Date = 24/10/2007 20:51:04 | Attr = H ]
    WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 07/11/2007 19:46:28 | Attr = ]
    $hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 11/10/2007 18:55:38 | Attr = H ]
    $NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Modified Date = 11/10/2007 18:55:50 | Attr = H ]
    $NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Modified Date = 11/10/2007 18:50:46 | Attr = H ]
    bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 07/11/2007 19:45:54 | Attr = S]
    ie7updates -> %SystemRoot%\ie7updates -> [Folder | Modified Date = 11/10/2007 18:51:26 | Attr = ]
    imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1393 bytes | Modified Date = 11/10/2007 18:52:30 | Attr = ]
    inf -> %SystemRoot%\inf -> [Folder | Modified Date = 01/11/2007 18:06:30 | Attr = H ]
    Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 07/11/2007 19:47:02 | Attr = ]
    system32 -> %System32% -> [Folder | Modified Date = 30/10/2007 14:49:20 | Attr = ]
    Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 07/11/2007 19:46:12 | Attr = ]
    win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 507 bytes | Modified Date = 26/10/2007 17:09:24 | Attr = ]
    SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 07/11/2007 19:46:12 | Attr = H ]
    CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 02/11/2007 21:48:20 | Attr = ]
    DLA -> %System32%\DLA -> [Folder | Modified Date = 07/11/2007 19:45:58 | Attr = ]
    dllcache -> %System32%\dllcache -> [Folder | Modified Date = 11/10/2007 18:55:52 | Attr = RHS]
    drivers -> %System32%\drivers -> [Folder | Modified Date = 23/10/2007 10:26:10 | Attr = ]
    perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 63196 bytes | Modified Date = 30/10/2007 14:49:20 | Attr = ]
    perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 402274 bytes | Modified Date = 30/10/2007 14:49:20 | Attr = ]
    PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 471882 bytes | Modified Date = 30/10/2007 14:49:20 | Attr = ]
    wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1158 bytes | Modified Date = 07/11/2007 19:46:52 | Attr = ]
    avg7core.sys -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.498 | Size = 821856 bytes | Modified Date = 23/10/2007 10:25:58 | Attr = ]

    [File String Scan - Non-Microsoft Only]
    PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 10/08/2004 12:00:00 | Attr = ]
    WSUD , -> %System32%\oembios.bin -> [Ver = | Size = 13107200 bytes | Modified Date = 02/09/2001 09:29:22 | Attr = ]
    winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 10/08/2004 12:00:00 | Attr = ]
    UPX! , FSG! , PEC2 , aspack , -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.498 | Size = 821856 bytes | Modified Date = 23/10/2007 10:25:58 | Attr = ]

    < End of report >


  • #6
    ActorSeeksJob
    Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Hello

    Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
    [Registry - Non-Microsoft Only]
    < Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> Alcmtr -> %SystemRoot%\Alcmtr.exe
    < BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    < Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
    YN -> WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    YN -> WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    < Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    YN -> {92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research]
    YN -> {e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001]

    The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan(attach the WinPFind3 scan report).

    I will review the information when it comes back in.




    * Click here to download AVG Anti Rootkit and save it to your desktop.
    • Double-click on the AVG_AntiRootkit_1.0.0.42.exe file to run it.
    • Click "I Agree" to agree to the EULA.
    • By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
    • Click "Next" to begin the installation then click "Install".
    • It will then ask you to reboot now to finish the installation.
    • Click "Finish" and your computer will reboot.
    • After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
    • Click on the "Perform in-depth search" button to begin the scan.
    • The scan will take a while so be patient and let it complete.
    • When the scan is finished, click the "Save result to file" button.
    • Save the scan results to your desktop then come back here to copy and paste the results in your next reply to this thread.


  • Advertisement
  • #7
    phog
    Registered Users, Registered Users 2 Posts: 24,968 ✭✭✭✭phog


    Report WinPFind 3 is -
    [Registry - Non-Microsoft Only]
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Alcmtr deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045} deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583} deleted successfully.
    < End of log >
    Created on 11/08/2007 17:44:09

    I got an error message while trying to run AVG Anti Root Kit - something about the Installer being corrupt or incomplete.

    ASJ, Thanks for your time on this.


  • #8
    ActorSeeksJob
    Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Try this

    Download Combofix and save it to your desktop.

    **Note: It is important that it is saved directly to your desktop**

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Double click on combofix.exe & follow the prompts.
      When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" for further review.

    Note:
    Do not mouseclick combofix's window while it's running. That may cause it to stall




    Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
    • Open a command window by going to Start > Run and typing: cmd
    • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
    • Hit "Enter" to start the program and then close the cmd box.
    • Accept the user agreement and click "Next".
    • Click "Scan".
    • After the scan is complete, click "Next", then "Exit".
    • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
    • The log will have a list of all items found. Do not choose to rename any yet!
      I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe.
    • Exit Blacklight and post the contents of the log in your next reply.


  • #9
    phog
    Registered Users, Registered Users 2 Posts: 24,968 ✭✭✭✭phog


    ASJ, the two reports are as follows:

    Combifix Report -

    ComboFix 07-11-08.3 - Patrick 2007-11-08 21:20:36.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.571 [GMT 0:00]
    Running from: C:\Documents and Settings\Patrick\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
    .

    2007-11-08 21:18 51,200 --a
    C:\WINDOWS\NirCmd.exe
    2007-10-10 18:51 582,656
    c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-08 17:39
    d
    w C:\Documents and Settings\Patrick\Application Data\AVG7
    2007-11-05 22:07 1,714 ----a-w C:\Documents and Settings\Patrick\Application Data\wklnhst.dat
    2007-10-23 10:24
    d
    w C:\Documents and Settings\Jennifer\Application Data\AVG7
    2007-10-21 11:06
    d
    w C:\Documents and Settings\Michelle\Application Data\AVG7
    2007-10-17 19:10
    d
    w C:\Program Files\Picasa2
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 12:56]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 19:17]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 19:13]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 19:17]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 23:02]
    "RTHDCPL"="RTHDCPL.EXE" [2006-05-05 13:59 C:\WINDOWS\RTHDCPL.exe]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 14:50 C:\WINDOWS\agrsmmsg.exe]
    "THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 12:47]
    "TPSMain"="TPSMain.exe" [2005-08-03 13:26 C:\WINDOWS\system32\TPSMain.exe]
    "NDSTray.exe"="NDSTray.exe" []
    "Tvs"="C:\Program Files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 11:11]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 09:31]
    "TFncKy"="TFncKy.exe" []
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 04:20]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 00:38]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 00:32]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-23 10:26]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-30 13:13]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 07:55]
    "Blubster"="C:\PROGRA~1\Blubster\Blubster.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 10:26]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00]
    "EPSON Stylus Photo R360 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOE.exe" [2006-05-29 04:00]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

    C:\Documents and Settings\Patrick\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 13:06:14]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-12-17 23:34:14]
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 21:44:08]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]

    R3 X10Hid;X10 Hid Device;C:\WINDOWS\system32\Drivers\x10hid.sys
    S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys

    *Newly Created Service* - CATCHME
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-08 21:22:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-11-08 21:23:25
    .
    --- E O F ---

    The fsbl report is -

    11/08/07 21:29:33 [Info]: BlackLight Engine 1.0.67 initialized
    11/08/07 21:29:33 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    11/08/07 21:29:33 [Note]: 7019 4
    11/08/07 21:29:33 [Note]: 7005 0
    11/08/07 21:29:37 [Note]: 7006 0
    11/08/07 21:29:37 [Note]: 7022 0
    11/08/07 21:29:37 [Note]: 7011 3732
    11/08/07 21:29:38 [Note]: 7026 0
    11/08/07 21:29:38 [Note]: 7026 0
    11/08/07 21:29:39 [Note]: FSRAW library version 1.7.1024
    11/08/07 21:34:56 [Note]: 2000 1012
    11/08/07 21:38:32 [Note]: 7007 0

    Thanks again,
    Phog


  • #10
    ActorSeeksJob
    Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Well all your logs look clean. Are you having any visible problems? I'd say the piece of malware you had was fixed by AVG or some other program.


  • #11
    phog
    Registered Users, Registered Users 2 Posts: 24,968 ✭✭✭✭phog


    ActorSeeksJob wrote: »
    Well all your logs look clean. Are you having any visible problems? I'd say the piece of malware you had was fixed by AVG or some other program.

    Thanks - No obvious problems, the AVG scan had listed the virus in a few reports before I did anything about it. The last one this evening didn't pick it up either so I don't know if it's deleted or just not being detected by AVG.

    The only thing I did was delete history and cookies since the last scan, I usually would this about once a month, could that have deleted the virus?

    Anyway, thanks for the time and advice.
    Phog


  • Advertisement
  • #12
    ActorSeeksJob
    Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    The only thing I did was delete history and cookies since the last scan, I usually would this about once a month, could that have deleted the virus?
    Well it could have been in your temp folder which was emptied, meaning the virus would be gone. I wouldn't worry cause the scans we ran were pretty in depth and they found nothing.

    Do the following, then we are all done


    Time for some housekeeping
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK

      • CF_Cleanup.png

    • When shown the disclaimer, Select "2"

    The above procedure will:
    • Delete the following:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\Deckard folder, if present
      • The C:_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.


    You can also delete the other tools that we ran to be safe.


  • #13
    phog
    Registered Users, Registered Users 2 Posts: 24,968 ✭✭✭✭phog


    ASJ, thanks for your time and help.
    Phog


Advertisement