
Virus - Help needed please

  • 06-11-2007 10:34PM
    #1
    Registered Users, Registered Users 2 Posts: 26,253 ✭✭✭✭


    My AVG AV just reported that it has picked up the JS/Downloader.Agent virus...it also reports an error in deleting the virus.

    I need help - what do I need to do to rid myself of this nasty bit of junk?

    My OS is Win XP.


Comments

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Do this

    • Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
    • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • Under Additional Scans on the bottom right, check the box for Reg - Disabled MS Config Items.
    • Now click the Run Scan button on the toolbar.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
    • Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

    Make sure you attach the report in your reply.



    Also post a HijackThis log, check the Sticky thread about it.


  • Registered Users, Registered Users 2 Posts: 26,253 ✭✭✭✭phog


    Do I need to disable AVG first?


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    No


  • Registered Users, Registered Users 2 Posts: 26,253 ✭✭✭✭phog


    Actor, this is what I got, hope it makes sense to you.

    WinPFind3 logfile created on: 07/11/2007 21:20:15
    WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\Patrick\Desktop\WinPFind3u\
    Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
    Internet Explorer (Version = 7.0.5730.11)

    1013.98 Mb Total Physical Memory | 590.35 Mb Available Physical Memory | 58.22% Memory free
    2.38 Gb Paging File | 1.94 Gb Available in Paging File | 81.16% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048;

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.53 Gb Total Space | 46.39 Gb Free Space | 62.24% Space Free
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded

    Computer Name: PH_PC
    Current User Name: Patrick
    Logged in as Administrator.
    Current Boot Mode: Normal


    [Processes - Non-Microsoft Only]
    agrsmmsg.exe -> %SystemRoot%\agrsmmsg.exe -> Agere Systems [Ver = 2.1.63 2.1.63 12/12/2005 14:50:01 | Size = 88204 bytes | Modified Date = 13/12/2005 14:50:02 | Attr = ]
    aluschedulersvc.exe -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.0.0.171 | Size = 100032 bytes | Modified Date = 25/07/2006 18:03:44 | Attr = ]
    apdproxy.exe -> %ProgramFiles%\Adobe\Photoshop Elements 5.0\apdproxy.exe -> Adobe Systems Incorporated [Ver = 3.0.0.66984 | Size = 61440 bytes | Modified Date = 14/09/2006 07:55:52 | Attr = ]
    avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.496 | Size = 418816 bytes | Modified Date = 23/10/2007 10:26:02 | Attr = ]
    avgcc.exe -> %ProgramFiles%\Grisoft\AVG7\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.497 | Size = 579072 bytes | Modified Date = 23/10/2007 10:26:04 | Attr = ]
    avgemc.exe -> %ProgramFiles%\Grisoft\AVG7\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.494 | Size = 406528 bytes | Modified Date = 23/10/2007 10:26:04 | Attr = ]
    avgupsvc.exe -> %ProgramFiles%\Grisoft\AVG7\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 17/03/2007 21:37:04 | Attr = ]
    cfsvcs.exe -> %ProgramFiles%\Toshiba\ConfigFree\CFSvcs.exe -> TOSHIBA CORPORATION [Ver = 6, 0, 0, 1 | Size = 40960 bytes | Modified Date = 17/01/2005 23:38:38 | Attr = ]
    dlactrlw.exe -> %System32%\DLA\DLACTRLW.EXE -> Sonic Solutions [Ver = 5.20.09a | Size = 122940 bytes | Modified Date = 06/10/2005 04:20:00 | Attr = ]
    dot1xcfg.exe -> %ProgramFiles%\Intel\Wireless\Bin\Dot1XCfg.exe -> Intel Corporation [Ver = 10.5.0.3 | Size = 479232 bytes | Modified Date = 02/08/2006 00:27:54 | Attr = ]
    dvdramsv.exe -> %System32%\DVDRAMSV.exe -> Matsushita Electric Industrial Co., Ltd. [Ver = 3, 0, 0, 0 | Size = 110592 bytes | Modified Date = 28/08/2004 07:33:00 | Attr = ]
    e_fatiboe.exe -> %System32%\spool\drivers\w32x86\3\E_FATIBOE.EXE -> SEIKO EPSON CORPORATION [Ver = 4.00 | Size = 139264 bytes | Modified Date = 29/05/2006 04:00:00 | Attr = ]
    evteng.exe -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> Intel Corporation [Ver = 10.5.0.20 | Size = 434176 bytes | Modified Date = 02/08/2006 00:39:20 | Attr = ]
    guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 30/06/2007 13:12:52 | Attr = ]
    hkcmd.exe -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4543 | Size = 77824 bytes | Modified Date = 23/03/2006 19:13:40 | Attr = ]
    ifrmewrk.exe -> %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe -> Intel Corporation [Ver = 10.5.0.1 | Size = 696320 bytes | Modified Date = 02/08/2006 00:32:44 | Attr = ]
    igfxpers.exe -> %System32%\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4543 | Size = 118784 bytes | Modified Date = 23/03/2006 19:17:50 | Attr = ]
    igfxtray.exe -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.4543 | Size = 94208 bytes | Modified Date = 23/03/2006 19:17:04 | Attr = ]
    ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 492608 bytes | Modified Date = 30/10/2006 09:36:32 | Attr = ]
    ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 256576 bytes | Modified Date = 30/10/2006 09:36:36 | Attr = ]
    ndstray.exe -> %ProgramFiles%\Toshiba\ConfigFree\NDSTray.exe -> TOSHIBA CORPORATION [Ver = 6, 0, 1, 2 | Size = 974848 bytes | Modified Date = 16/03/2006 20:58:50 | Attr = ]
    photoshopelementsfileagent.exe -> %ProgramFiles%\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -> [Ver = | Size = 102400 bytes | Modified Date = 14/09/2006 07:56:06 | Attr = ]
    qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.3 | Size = 282624 bytes | Modified Date = 25/10/2006 18:58:18 | Attr = ]
    ramasst.exe -> %System32%\RAMASST.exe -> Matsushita Electric Industrial Co., Ltd. [Ver = 1, 1, 0, 0 | Size = 155648 bytes | Modified Date = 28/08/2004 07:37:00 | Attr = ]
    regsrvc.exe -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> Intel Corporation [Ver = 10.5.0.4 | Size = 327680 bytes | Modified Date = 02/08/2006 00:24:22 | Attr = ]
    rthdcpl.exe -> %SystemRoot%\RTHDCPL.exe -> Realtek Semiconductor Corp. [Ver = 2.0.6.4 | Size = 16206848 bytes | Modified Date = 05/05/2006 13:59:16 | Attr = ]
    s24evmon.exe -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> Intel Corporation [Ver = 10.5.0.34 | Size = 937984 bytes | Modified Date = 02/08/2006 00:31:22 | Attr = ]
    smoothview.exe -> %ProgramFiles%\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe -> TOSHIBA Corporation [Ver = 2, 0, 0, 23 | Size = 118784 bytes | Modified Date = 12/05/2005 09:31:38 | Attr = ]
    symlcsvc.exe -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> Symantec Corporation [Ver = 1.9.1.1080 | Size = 1174152 bytes | Modified Date = 20/01/2007 21:40:36 | Attr = ]
    syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.2.13.2 02Mar06 | Size = 761948 bytes | Modified Date = 02/03/2006 23:02:08 | Attr = ]
    tappsrv.exe -> %ProgramFiles%\Toshiba\TOSHIBA Applet\TAPPSRV.exe -> TOSHIBA Corp. [Ver = 1, 0, 0, 14M | Size = 35840 bytes | Modified Date = 07/02/2006 15:30:40 | Attr = ]
    tfncky.exe -> %ProgramFiles%\Toshiba\TOSHIBA Controls\TFncKy.exe -> TOSHIBA Corporation [Ver = 3.21.02 | Size = 184320 bytes | Modified Date = 29/06/2006 07:41:22 | Attr = ]
    thotkey.exe -> %ProgramFiles%\Toshiba\Toshiba Applet\THotkey.exe -> TOSHIBA [Ver = 1.00.0027 | Size = 356352 bytes | Modified Date = 25/08/2006 12:47:12 | Attr = ]
    toscdspd.exe -> %ProgramFiles%\Toshiba\TOSCDSPD\TOSCDSPD.exe -> TOSHIBA [Ver = 1, 0, 6, 0 | Size = 65536 bytes | Modified Date = 11/04/2005 10:26:06 | Attr = ]
    toshiba.exe -> %ProgramFiles%\Synaptics\SynTP\Toshiba.exe -> Synaptics, Inc. [Ver = 8.2.13.2 02Mar06 | Size = 151552 bytes | Modified Date = 02/03/2006 22:50:52 | Attr = ]
    tpsbattm.exe -> %System32%\TPSBattM.exe -> TOSHIBA Corporation [Ver = 1, 0, 2, 0 | Size = 40960 bytes | Modified Date = 03/08/2005 13:26:02 | Attr = ]
    tpsmain.exe -> %System32%\TPSMain.exe -> TOSHIBA Corporation [Ver = 1, 0, 15, 0 | Size = 266240 bytes | Modified Date = 03/08/2005 13:26:14 | Attr = ]
    tvstray.exe -> %ProgramFiles%\Toshiba\Tvs\TvsTray.exe -> TOSHIBA Corporation [Ver = 1, 0, 0, 7 | Size = 73728 bytes | Modified Date = 02/02/2006 11:11:38 | Attr = ]
    winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 04/09/2007 10:47:26 | Attr = ]
    x10nets.exe -> %CommonProgramFiles%\X10\Common\X10nets.exe -> X10 [Ver = 1, 0, 0, 1 | Size = 20480 bytes | Modified Date = 12/11/2001 12:31:48 | Attr = ]
    zcfgsvc.exe -> %ProgramFiles%\Intel\Wireless\Bin\ZCfgSvc.exe -> Intel Corporation [Ver = 10.5.0.5 | Size = 802816 bytes | Modified Date = 02/08/2006 00:38:30 | Attr = ]

    [Win32 Services - Non-Microsoft Only]
    (AdobeActiveFileMonitor5.0) Adobe Active File Monitor V5 [Win32_Own | Auto | Running] -> %ProgramFiles%\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -> [Ver = | Size = 102400 bytes | Modified Date = 14/09/2006 07:56:06 | Attr = ]
    (Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Stopped] -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4131 | Size = 405504 bytes | Modified Date = 22/03/2006 06:48:56 | Attr = ]
    (Automatic LiveUpdate Scheduler) Automatic LiveUpdate Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.0.0.171 | Size = 100032 bytes | Modified Date = 25/07/2006 18:03:44 | Attr = ]
    (AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 30/06/2007 13:12:52 | Attr = ]
    (Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.496 | Size = 418816 bytes | Modified Date = 23/10/2007 10:26:02 | Attr = ]
    (Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 17/03/2007 21:37:04 | Attr = ]
    (AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.494 | Size = 406528 bytes | Modified Date = 23/10/2007 10:26:04 | Attr = ]
    (CFSvcs) ConfigFree Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Toshiba\ConfigFree\CFSvcs.exe -> TOSHIBA CORPORATION [Ver = 6, 0, 0, 1 | Size = 40960 bytes | Modified Date = 17/01/2005 23:38:38 | Attr = ]
    (dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 10/08/2004 12:00:00 | Attr = ]
    (DVD-RAM_Service) DVD-RAM_Service [Win32_Own | Auto | Running] -> %System32%\DVDRAMSV.exe -> Matsushita Electric Industrial Co., Ltd. [Ver = 3, 0, 0, 0 | Size = 110592 bytes | Modified Date = 28/08/2004 07:33:00 | Attr = ]
    (EvtEng) Intel(R) PROSet/Wireless Event Log [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> Intel Corporation [Ver = 10.5.0.20 | Size = 434176 bytes | Modified Date = 02/08/2006 00:39:20 | Attr = ]
    (gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.711.37800.beta | Size = 136120 bytes | Modified Date = 04/01/2007 01:40:22 | Attr = ]
    (IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 10.50.125 | Size = 73728 bytes | Modified Date = 22/10/2004 02:24:18 | Attr = ]
    (iPod Service) iPod Service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 492608 bytes | Modified Date = 30/10/2006 09:36:32 | Attr = ]
    (LiveUpdate) LiveUpdate [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Symantec\LiveUpdate\LuComServer_3_0.EXE -> Symantec Corporation [Ver = 3.0.0.171 | Size = 2119360 bytes | Modified Date = 25/07/2006 18:03:44 | Attr = ]
    (NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Stopped] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.8468 | Size = 143428 bytes | Modified Date = 01/05/2006 20:04:00 | Attr = ]
    (RegSrvc) Intel(R) PROSet/Wireless Registry Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> Intel Corporation [Ver = 10.5.0.4 | Size = 327680 bytes | Modified Date = 02/08/2006 00:24:22 | Attr = ]
    (S24EventMonitor) Intel(R) PROSet/Wireless Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> Intel Corporation [Ver = 10.5.0.34 | Size = 937984 bytes | Modified Date = 02/08/2006 00:31:22 | Attr = ]
    (Symantec Core LC) Symantec Core LC [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> Symantec Corporation [Ver = 1.9.1.1080 | Size = 1174152 bytes | Modified Date = 20/01/2007 21:40:36 | Attr = ]
    (TAPPSRV) TOSHIBA Application Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Toshiba\TOSHIBA Applet\TAPPSRV.exe -> TOSHIBA Corp. [Ver = 1, 0, 0, 14M | Size = 35840 bytes | Modified Date = 07/02/2006 15:30:40 | Attr = ]
    (x10nets) X10 Device Network Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\X10\Common\X10nets.exe -> X10 [Ver = 1, 0, 0, 1 | Size = 20480 bytes | Modified Date = 12/11/2001 12:31:48 | Attr = ]

    [Registry - Non-Microsoft Only]
    < Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
    !AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 30/06/2007 13:13:36 | Attr = ]
    Adobe Photo Downloader -> %ProgramFiles%\Adobe\Photoshop Elements 5.0\apdproxy.exe -> Adobe Systems Incorporated [Ver = 3.0.0.66984 | Size = 61440 bytes | Modified Date = 14/09/2006 07:55:52 | Attr = ]
    AGRSMMSG -> %SystemRoot%\agrsmmsg.exe -> Agere Systems [Ver = 2.1.63 2.1.63 12/12/2005 14:50:01 | Size = 88204 bytes | Modified Date = 13/12/2005 14:50:02 | Attr = ]
    Alcmtr -> %SystemRoot%\Alcmtr.exe -> Realtek Semiconductor Corp. [Ver = 1.6.0.2 | Size = 69632 bytes | Modified Date = 04/05/2005 16:43:28 | Attr = ]
    AVG7_CC -> %ProgramFiles%\Grisoft\AVG7\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.497 | Size = 579072 bytes | Modified Date = 23/10/2007 10:26:04 | Attr = ]
    Blubster -> %SystemDrive%\PROGRA~1\Blubster\Blubster.exe -> File not found
    DLA -> %System32%\DLA\DLACTRLW.EXE -> Sonic Solutions [Ver = 5.20.09a | Size = 122940 bytes | Modified Date = 06/10/2005 04:20:00 | Attr = ]
    igfxhkcmd -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4543 | Size = 77824 bytes | Modified Date = 23/03/2006 19:13:40 | Attr = ]
    igfxpers -> %System32%\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4543 | Size = 118784 bytes | Modified Date = 23/03/2006 19:17:50 | Attr = ]
    igfxtray -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.4543 | Size = 94208 bytes | Modified Date = 23/03/2006 19:17:04 | Attr = ]
    IntelWireless -> %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe -> Intel Corporation [Ver = 10.5.0.1 | Size = 696320 bytes | Modified Date = 02/08/2006 00:32:44 | Attr = ]
    IntelZeroConfig -> %ProgramFiles%\Intel\Wireless\Bin\ZCfgSvc.exe -> Intel Corporation [Ver = 10.5.0.5 | Size = 802816 bytes | Modified Date = 02/08/2006 00:38:30 | Attr = ]
    iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 256576 bytes | Modified Date = 30/10/2006 09:36:36 | Attr = ]
    NDSTray.exe -> NDSTray.exe -> File not found
    QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.3 | Size = 282624 bytes | Modified Date = 25/10/2006 18:58:18 | Attr = ]
    RTHDCPL -> %SystemRoot%\RTHDCPL.exe -> Realtek Semiconductor Corp. [Ver = 2.0.6.4 | Size = 16206848 bytes | Modified Date = 05/05/2006 13:59:16 | Attr = ]
    SmoothView -> %ProgramFiles%\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe -> TOSHIBA Corporation [Ver = 2, 0, 0, 23 | Size = 118784 bytes | Modified Date = 12/05/2005 09:31:38 | Attr = ]
    SynTPEnh -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.2.13.2 02Mar06 | Size = 761948 bytes | Modified Date = 02/03/2006 23:02:08 | Attr = ]
    TFncKy -> TFncKy.exe -> File not found
    THotkey -> %ProgramFiles%\Toshiba\Toshiba Applet\THotkey.exe -> TOSHIBA [Ver = 1.00.0027 | Size = 356352 bytes | Modified Date = 25/08/2006 12:47:12 | Attr = ]
    TPSMain -> %System32%\TPSMain.exe -> TOSHIBA Corporation [Ver = 1, 0, 15, 0 | Size = 266240 bytes | Modified Date = 03/08/2005 13:26:14 | Attr = ]
    Tvs -> %ProgramFiles%\Toshiba\Tvs\TvsTray.exe -> TOSHIBA Corporation [Ver = 1, 0, 0, 7 | Size = 73728 bytes | Modified Date = 02/02/2006 11:11:38 | Attr = ]
    < OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
    IMAIL -> Installed = 1 ->
    MAPI -> Installed = 1 ->
    MSFS -> Installed = 1 ->
    < Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
    EPSON Stylus Photo R360 Series -> %System32%\spool\DRIVERS\W32X86\3\E_FATIBOE.EXE /FU "C:\WINDOWS\TEMP\E_S8C.tmp -> File not found
    TOSCDSPD -> %ProgramFiles%\Toshiba\TOSCDSPD\TOSCDSPD.exe -> TOSHIBA [Ver = 1, 0, 6, 0 | Size = 65536 bytes | Modified Date = 11/04/2005 10:26:06 | Attr = ]
    < Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
    %AllUsersStartup%\RAMASST.lnk -> %System32%\RAMASST.exe -> Matsushita Electric Industrial Co., Ltd. [Ver = 1, 1, 0, 0 | Size = 155648 bytes | Modified Date = 28/08/2004 07:37:00 | Attr = ]
    < ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
    {57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 30/06/2007 13:12:28 | Attr = ]
    < SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
    < Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
    < Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
    < Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
    AtiExtEvent -> %System32%\ati2evxx.dll -> ATI Technologies Inc. [Ver = 6.14.10.4131 | Size = 61440 bytes | Modified Date = 22/03/2006 06:50:12 | Attr = ]
    igfxcui -> %System32%\igfxdev.dll -> Intel Corporation [Ver = 3.0.0.4543 | Size = 139264 bytes | Modified Date = 23/03/2006 19:12:42 | Attr = ]
    < CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\InstallVisualStyle -> C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\InstallTheme -> C:\WINDOWS\Resources\Themes\Royale.theme ->
    < CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
    < HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
    127.0.0.1 localhost -> ->
    < Internet Explorer Settings > -> ->
    HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
    HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
    HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
    HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
    HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
    HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
    HKCU: Search Bar -> http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR ->
    HKCU: Search Page -> http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR ->
    HKCU: Start Page -> http://home.eircom.net/ ->
    HKCU: ProxyEnable -> 0 ->
    < BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.7.2006011200 | Size = 63128 bytes | Modified Date = 12/01/2006 19:38:22 | Attr = ]
    {5CA3D70E-1895-11CF-8E15-001234567890} [HKLM] -> %System32%\DLA\DLASHX_W.DLL [DriveLetterAccess] -> Sonic Solutions [Ver = 5.20.09a | Size = 110652 bytes | Modified Date = 06/10/2005 04:20:00 | Attr = ]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_06\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 184423 bytes | Modified Date = 10/11/2005 12:22:10 | Attr = ]
    {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
    {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} [HKLM] -> %ProgramFiles%\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [EpsonToolBandKicker Class] -> SEIKO EPSON CORPORATION [Ver = 1, 1, 0, 0 | Size = 368640 bytes | Modified Date = 22/02/2005 12:50:34 | Attr = ]
    < Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} [HKLM] -> %ProgramFiles%\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [EPSON Web-To-Page] -> SEIKO EPSON CORPORATION [Ver = 1, 1, 0, 0 | Size = 368640 bytes | Modified Date = 22/02/2005 12:50:34 | Attr = ]
    < Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
    WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
    WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
    WebBrowser\\{EE5D279F-081B-4404-994D-C6B60AAEBA6D} [HKLM] -> %ProgramFiles%\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [EPSON Web-To-Page] -> SEIKO EPSON CORPORATION [Ver = 1, 1, 0, 0 | Size = 368640 bytes | Modified Date = 22/02/2005 12:50:34 | Attr = ]
    < Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_06\bin\npjpi150_06.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 69746 bytes | Modified Date = 10/11/2005 12:22:10 | Attr = ]
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.5.0_06\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 184423 bytes | Modified Date = 10/11/2005 12:22:10 | Attr = ]
    {92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
    {e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
    < Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
    &MSN Search -> %ProgramFiles%\MSN Toolbar Suite\msntb.dll\search.htm -> File not found
    < DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
    {241028C0-9CEF-4E61-BAEE-96E1343BCDFC} -> (Intel(R) PRO/100 VE Network Connection) ->
    {A1160923-B856-4F7E-83A0-78254C35F7E8} -> (Intel(R) PRO/Wireless 3945ABG Network Connection) ->
    {A17A53A1-543C-4BF4-ACFE-DD8AC351EA82} -> (1394 Net Adapter) ->
    {ADFBBA37-A132-42E0-888C-2EE0F86BEA8A} -> (1394 Net Adapter) ->
    < Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
    ipp -> Reg Data - Key not found -> File not found
    msdaipp -> Reg Data - Key not found -> File not found
    < Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
    {166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab ->
    {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -> MSN Photo Upload Tool - CodeBase = http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab ->
    {8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab ->
    {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} -> Zylom Games Player - CodeBase = http://aolsvc.aol.com/onlinegames/free-trial-delicious-deluxe/zylomgamesplayer.cab ->
    {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab ->
    {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab ->
    {D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab ->


    [Registry - Additional Scans - Non-Microsoft Only]

    [Files/Folders - Created Within 30 days]
    sqmdata17.sqm -> %SystemDrive%\sqmdata17.sqm -> [Ver = | Size = 268 bytes | Created Date = 23/10/2007 20:52:03 | Attr = H ]
    sqmdata18.sqm -> %SystemDrive%\sqmdata18.sqm -> [Ver = | Size = 268 bytes | Created Date = 24/10/2007 17:51:37 | Attr = H ]
    sqmdata19.sqm -> %SystemDrive%\sqmdata19.sqm -> [Ver = | Size = 268 bytes | Created Date = 24/10/2007 20:51:03 | Attr = H ]
    sqmnoopt17.sqm -> %SystemDrive%\sqmnoopt17.sqm -> [Ver = | Size = 244 bytes | Created Date = 23/10/2007 20:52:03 | Attr = H ]
    sqmnoopt18.sqm -> %SystemDrive%\sqmnoopt18.sqm -> [Ver = | Size = 244 bytes | Created Date = 24/10/2007 17:51:36 | Attr = H ]
    sqmnoopt19.sqm -> %SystemDrive%\sqmnoopt19.sqm -> [Ver = | Size = 244 bytes | Created Date = 24/10/2007 20:51:03 | Attr = H ]
    $NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Created Date = 11/10/2007 18:55:47 | Attr = H ]
    $NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Created Date = 11/10/2007 18:50:44 | Attr = H ]

    [Files/Folders - Modified Within 30 days]
    hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 1063309312 bytes | Modified Date = 07/11/2007 19:45:48 | Attr = HS]
    sqmdata00.sqm -> %SystemDrive%\sqmdata00.sqm -> [Ver = | Size = 268 bytes | Modified Date = 25/10/2007 20:48:50 | Attr = H ]
    sqmdata01.sqm -> %SystemDrive%\sqmdata01.sqm -> [Ver = | Size = 268 bytes | Modified Date = 26/10/2007 17:39:02 | Attr = H ]
    sqmdata02.sqm -> %SystemDrive%\sqmdata02.sqm -> [Ver = | Size = 268 bytes | Modified Date = 26/10/2007 18:08:36 | Attr = H ]
    sqmdata03.sqm -> %SystemDrive%\sqmdata03.sqm -> [Ver = | Size = 268 bytes | Modified Date = 26/10/2007 20:45:10 | Attr = H ]
    sqmdata04.sqm -> %SystemDrive%\sqmdata04.sqm -> [Ver = | Size = 268 bytes | Modified Date = 26/10/2007 22:18:14 | Attr = H ]
    sqmdata05.sqm -> %SystemDrive%\sqmdata05.sqm -> [Ver = | Size = 268 bytes | Modified Date = 27/10/2007 08:43:04 | Attr = H ]
    sqmdata06.sqm -> %SystemDrive%\sqmdata06.sqm -> [Ver = | Size = 268 bytes | Modified Date = 30/10/2007 15:25:44 | Attr = H ]
    sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm -> [Ver = | Size = 268 bytes | Modified Date = 30/10/2007 18:36:58 | Attr = H ]
    sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm -> [Ver = | Size = 268 bytes | Modified Date = 30/10/2007 19:32:14 | Attr = H ]
    sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm -> [Ver = | Size = 268 bytes | Modified Date = 30/10/2007 20:45:36 | Attr = H ]
    sqmdata10.sqm -> %SystemDrive%\sqmdata10.sqm -> [Ver = | Size = 268 bytes | Modified Date = 30/10/2007 22:20:00 | Attr = H ]
    sqmdata11.sqm -> %SystemDrive%\sqmdata11.sqm -> [Ver = | Size = 268 bytes | Modified Date = 31/10/2007 07:19:26 | Attr = H ]
    sqmdata12.sqm -> %SystemDrive%\sqmdata12.sqm -> [Ver = | Size = 268 bytes | Modified Date = 31/10/2007 19:41:08 | Attr = H ]
    sqmdata13.sqm -> %SystemDrive%\sqmdata13.sqm -> [Ver = | Size = 268 bytes | Modified Date = 31/10/2007 22:55:52 | Attr = H ]
    sqmdata14.sqm -> %SystemDrive%\sqmdata14.sqm -> [Ver = | Size = 268 bytes | Modified Date = 01/11/2007 18:31:24 | Attr = H ]
    sqmdata15.sqm -> %SystemDrive%\sqmdata15.sqm -> [Ver = | Size = 268 bytes | Modified Date = 01/11/2007 22:34:02 | Attr = H ]
    sqmdata16.sqm -> %SystemDrive%\sqmdata16.sqm -> [Ver = | Size = 268 bytes | Modified Date = 02/11/2007 19:18:30 | Attr = H ]
    sqmdata17.sqm -> %SystemDrive%\sqmdata17.sqm -> [Ver = | Size = 268 bytes | Modified Date = 02/11/2007 21:48:42 | Attr = H ]
    sqmdata18.sqm -> %SystemDrive%\sqmdata18.sqm -> [Ver = | Size = 268 bytes | Modified Date = 24/10/2007 17:51:38 | Attr = H ]
    sqmdata19.sqm -> %SystemDrive%\sqmdata19.sqm -> [Ver = | Size = 268 bytes | Modified Date = 24/10/2007 20:51:04 | Attr = H ]
    sqmnoopt00.sqm -> %SystemDrive%\sqmnoopt00.sqm -> [Ver = | Size = 244 bytes | Modified Date = 25/10/2007 20:48:50 | Attr = H ]
    sqmnoopt01.sqm -> %SystemDrive%\sqmnoopt01.sqm -> [Ver = | Size = 244 bytes | Modified Date = 26/10/2007 17:39:00 | Attr = H ]
    sqmnoopt02.sqm -> %SystemDrive%\sqmnoopt02.sqm -> [Ver = | Size = 244 bytes | Modified Date = 26/10/2007 18:08:36 | Attr = H ]
    sqmnoopt03.sqm -> %SystemDrive%\sqmnoopt03.sqm -> [Ver = | Size = 244 bytes | Modified Date = 26/10/2007 20:45:10 | Attr = H ]
    sqmnoopt04.sqm -> %SystemDrive%\sqmnoopt04.sqm -> [Ver = | Size = 244 bytes | Modified Date = 26/10/2007 22:18:14 | Attr = H ]
    sqmnoopt05.sqm -> %SystemDrive%\sqmnoopt05.sqm -> [Ver = | Size = 244 bytes | Modified Date = 27/10/2007 08:43:04 | Attr = H ]
    sqmnoopt06.sqm -> %SystemDrive%\sqmnoopt06.sqm -> [Ver = | Size = 244 bytes | Modified Date = 30/10/2007 15:25:44 | Attr = H ]
    sqmnoopt07.sqm -> %SystemDrive%\sqmnoopt07.sqm -> [Ver = | Size = 244 bytes | Modified Date = 30/10/2007 18:36:58 | Attr = H ]
    sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm -> [Ver = | Size = 244 bytes | Modified Date = 30/10/2007 19:32:14 | Attr = H ]
    sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm -> [Ver = | Size = 244 bytes | Modified Date = 30/10/2007 20:45:36 | Attr = H ]
    sqmnoopt10.sqm -> %SystemDrive%\sqmnoopt10.sqm -> [Ver = | Size = 244 bytes | Modified Date = 30/10/2007 22:20:00 | Attr = H ]
    sqmnoopt11.sqm -> %SystemDrive%\sqmnoopt11.sqm -> [Ver = | Size = 244 bytes | Modified Date = 31/10/2007 07:19:26 | Attr = H ]
    sqmnoopt12.sqm -> %SystemDrive%\sqmnoopt12.sqm -> [Ver = | Size = 244 bytes | Modified Date = 31/10/2007 19:41:08 | Attr = H ]
    sqmnoopt13.sqm -> %SystemDrive%\sqmnoopt13.sqm -> [Ver = | Size = 244 bytes | Modified Date = 31/10/2007 22:55:52 | Attr = H ]
    sqmnoopt14.sqm -> %SystemDrive%\sqmnoopt14.sqm -> [Ver = | Size = 244 bytes | Modified Date = 01/11/2007 18:31:24 | Attr = H ]
    sqmnoopt15.sqm -> %SystemDrive%\sqmnoopt15.sqm -> [Ver = | Size = 244 bytes | Modified Date = 01/11/2007 22:34:02 | Attr = H ]
    sqmnoopt16.sqm -> %SystemDrive%\sqmnoopt16.sqm -> [Ver = | Size = 244 bytes | Modified Date = 02/11/2007 19:18:30 | Attr = H ]
    sqmnoopt17.sqm -> %SystemDrive%\sqmnoopt17.sqm -> [Ver = | Size = 244 bytes | Modified Date = 02/11/2007 21:48:40 | Attr = H ]
    sqmnoopt18.sqm -> %SystemDrive%\sqmnoopt18.sqm -> [Ver = | Size = 244 bytes | Modified Date = 24/10/2007 17:51:38 | Attr = H ]
    sqmnoopt19.sqm -> %SystemDrive%\sqmnoopt19.sqm -> [Ver = | Size = 244 bytes | Modified Date = 24/10/2007 20:51:04 | Attr = H ]
    WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 07/11/2007 19:46:28 | Attr = ]
    $hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 11/10/2007 18:55:38 | Attr = H ]
    $NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Modified Date = 11/10/2007 18:55:50 | Attr = H ]
    $NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Modified Date = 11/10/2007 18:50:46 | Attr = H ]
    bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 07/11/2007 19:45:54 | Attr = S]
    ie7updates -> %SystemRoot%\ie7updates -> [Folder | Modified Date = 11/10/2007 18:51:26 | Attr = ]
    imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1393 bytes | Modified Date = 11/10/2007 18:52:30 | Attr = ]
    inf -> %SystemRoot%\inf -> [Folder | Modified Date = 01/11/2007 18:06:30 | Attr = H ]
    Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 07/11/2007 19:47:02 | Attr = ]
    system32 -> %System32% -> [Folder | Modified Date = 30/10/2007 14:49:20 | Attr = ]
    Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 07/11/2007 19:46:12 | Attr = ]
    win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 507 bytes | Modified Date = 26/10/2007 17:09:24 | Attr = ]
    SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 07/11/2007 19:46:12 | Attr = H ]
    CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 02/11/2007 21:48:20 | Attr = ]
    DLA -> %System32%\DLA -> [Folder | Modified Date = 07/11/2007 19:45:58 | Attr = ]
    dllcache -> %System32%\dllcache -> [Folder | Modified Date = 11/10/2007 18:55:52 | Attr = RHS]
    drivers -> %System32%\drivers -> [Folder | Modified Date = 23/10/2007 10:26:10 | Attr = ]
    perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 63196 bytes | Modified Date = 30/10/2007 14:49:20 | Attr = ]
    perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 402274 bytes | Modified Date = 30/10/2007 14:49:20 | Attr = ]
    PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 471882 bytes | Modified Date = 30/10/2007 14:49:20 | Attr = ]
    wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1158 bytes | Modified Date = 07/11/2007 19:46:52 | Attr = ]
    avg7core.sys -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.498 | Size = 821856 bytes | Modified Date = 23/10/2007 10:25:58 | Attr = ]

    [File String Scan - Non-Microsoft Only]
    PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 10/08/2004 12:00:00 | Attr = ]
    WSUD , -> %System32%\oembios.bin -> [Ver = | Size = 13107200 bytes | Modified Date = 02/09/2001 09:29:22 | Attr = ]
    winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 10/08/2004 12:00:00 | Attr = ]
    UPX! , FSG! , PEC2 , aspack , -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.498 | Size = 821856 bytes | Modified Date = 23/10/2007 10:25:58 | Attr = ]

    < End of report >


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Hello

    Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
    [Registry - Non-Microsoft Only]
    < Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> Alcmtr -> %SystemRoot%\Alcmtr.exe
    < BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    < Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
    YN -> WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    YN -> WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    < Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    YN -> {92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research]
    YN -> {e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001]

    The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan (attach the WinPFind3 scan report).

    I will review the information when it comes back in.




    • Click here to download AVG Anti Rootkit and save it to your desktop.
    • Double-click on the AVG_AntiRootkit_1.0.0.42.exe file to run it.
    • Click "I Agree" to agree to the EULA.
    • By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
    • Click "Next" to begin the installation then click "Install".
    • It will then ask you to reboot now to finish the installation.
    • Click "Finish" and your computer will reboot.
    • After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
    • Click on the "Perform in-depth search" button to begin the scan.
    • The scan will take a while so be patient and let it complete.
    • When the scan is finished, click the "Save result to file" button.
    • Save the scan results to your desktop then come back here to copy and paste the results in your next reply to this thread.


  • Registered Users, Registered Users 2 Posts: 26,253 ✭✭✭✭phog


    Report WinPFind 3 is -
    [Registry - Non-Microsoft Only]
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Alcmtr deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045} deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583} deleted successfully.
    < End of log >
    Created on 11/08/2007 17:44:09

    I got an error message while trying to run AVG Anti Root Kit - something about the Installer being corrupt or incomplete.

    ASJ, Thanks for your time on this.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Try this

    Download Combofix and save it to your desktop.

    **Note: It is important that it is saved directly to your desktop**


    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" for further review.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.





    Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
    • Open a command window by going to Start > Run and typing: cmd
    • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
    • Hit "Enter" to start the program and then close the cmd box.
    • Accept the user agreement and click "Next".
    • Click "Scan".
    • After the scan is complete, click "Next", then "Exit".
    • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
    • The log will have a list of all items found. Do not choose to rename any yet!
      I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
    • Exit Blacklight and post the contents of the log in your next reply.


  • Registered Users, Registered Users 2 Posts: 26,253 ✭✭✭✭phog


    ASJ, the two reports are as follows:

    ComboFix Report -

    ComboFix 07-11-08.3 - Patrick 2007-11-08 21:20:36.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.571 [GMT 0:00]
    Running from: C:\Documents and Settings\Patrick\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
    .

    2007-11-08 21:18 51,200 --a C:\WINDOWS\NirCmd.exe
    2007-10-10 18:51 582,656 c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-08 17:39 d-----w C:\Documents and Settings\Patrick\Application Data\AVG7
    2007-11-05 22:07 1,714 ----a-w C:\Documents and Settings\Patrick\Application Data\wklnhst.dat
    2007-10-23 10:24 d-----w C:\Documents and Settings\Jennifer\Application Data\AVG7
    2007-10-21 11:06 d-----w C:\Documents and Settings\Michelle\Application Data\AVG7
    2007-10-17 19:10 d-----w C:\Program Files\Picasa2
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 12:56]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 19:17]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 19:13]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 19:17]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 23:02]
    "RTHDCPL"="RTHDCPL.EXE" [2006-05-05 13:59 C:\WINDOWS\RTHDCPL.exe]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 14:50 C:\WINDOWS\agrsmmsg.exe]
    "THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 12:47]
    "TPSMain"="TPSMain.exe" [2005-08-03 13:26 C:\WINDOWS\system32\TPSMain.exe]
    "NDSTray.exe"="NDSTray.exe" []
    "Tvs"="C:\Program Files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 11:11]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 09:31]
    "TFncKy"="TFncKy.exe" []
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 04:20]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 00:38]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 00:32]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-23 10:26]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-30 13:13]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 07:55]
    "Blubster"="C:\PROGRA~1\Blubster\Blubster.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 10:26]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00]
    "EPSON Stylus Photo R360 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOE.exe" [2006-05-29 04:00]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

    C:\Documents and Settings\Patrick\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 13:06:14]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-12-17 23:34:14]
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 21:44:08]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]

    R3 X10Hid;X10 Hid Device;C:\WINDOWS\system32\Drivers\x10hid.sys
    S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys

    *Newly Created Service* - CATCHME
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-08 21:22:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-11-08 21:23:25
    .
    --- E O F ---

    The fsbl report is -

    11/08/07 21:29:33 [Info]: BlackLight Engine 1.0.67 initialized
    11/08/07 21:29:33 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    11/08/07 21:29:33 [Note]: 7019 4
    11/08/07 21:29:33 [Note]: 7005 0
    11/08/07 21:29:37 [Note]: 7006 0
    11/08/07 21:29:37 [Note]: 7022 0
    11/08/07 21:29:37 [Note]: 7011 3732
    11/08/07 21:29:38 [Note]: 7026 0
    11/08/07 21:29:38 [Note]: 7026 0
    11/08/07 21:29:39 [Note]: FSRAW library version 1.7.1024
    11/08/07 21:34:56 [Note]: 2000 1012
    11/08/07 21:38:32 [Note]: 7007 0

    Thanks again,
    Phog


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Well all your logs look clean. Are you having any visible problems? I'd say the piece of malware you had was fixed by AVG or some other program.


  • Registered Users, Registered Users 2 Posts: 26,253 ✭✭✭✭phog


    Well all your logs look clean. Are you having any visible problems? I'd say the piece of malware you had was fixed by AVG or some other program.

    Thanks - No obvious problems, the AVG scan had listed the virus in a few reports before I did anything about it. The last one this evening didn't pick it up either so I don't know if it's deleted or just not being detected by AVG.

    The only thing I did was delete history and cookies since the last scan, I usually would do this about once a month, could that have deleted the virus?

    Anyway, thanks for the time and advice.
    Phog


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    The only thing I did was delete history and cookies since the last scan, I usually would this about once a month, could that have deleted the virus?
    Well it could have been in your temp folder, which was emptied, meaning the virus would be gone. I wouldn't worry because the scans we ran were pretty in-depth and they found nothing.

    Do the following, then we are all done


    Time for some housekeeping
    • Click START then RUN
    • Now type Combofix /u in the run box and click OK


    • When shown the disclaimer, Select "2"

    The above procedure will:
    • Delete the following:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\Deckard folder, if present
      • The C:\_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.


    You can also delete the other tools that we ran to be safe.


  • Registered Users, Registered Users 2 Posts: 26,253 ✭✭✭✭phog


    ASJ, thanks for your time and help.
    Phog

