Multiple messages - multiple infections??

Discussion in 'Windows - Virus and spyware problems' started by pops4444, Oct 13, 2006.

  1. pops4444

    pops4444 Member

    Joined:
    Oct 13, 2006
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    11
    Dear Forum,

    I'm not much of a geek!
    I generally have Ad-Aware monitoring things. I got attacked, so I have run the latest Ewido and latest AVG, ran them in safe mode too, and also ran Spybot S&D and a specific AVG Trojan utility.

    Most crap is gone but the computer is now telling me I have
    PSW.x-Vir
    Spyware.CyberLog-X
    MyZor.FK@yf
    Trojan-Spy.Win32@mx
    and the occasional other odd thing is happening. Web is running strangely.
    I also have MsMpEng running in memory which looks suspicious and does not terminate.

    ........................................

    >>>I took your advice to run AdwareAway Trial but that program apparently no longer cleans while on trial period.<<<
    It found these problems:
    AutorunHKLM\Run\winupdates=ProgramFiles\winupdates\winupdates.exe/auto
    ....HKLM\Sharedtask\(dfa61db1-388e-4c87-8d56-540fa229bcb4)=contrabandists
    ......iMeshBar\bar\2.bin\IMESHBAR.dll
    ....DefaultURlSearchHook Missing=IE BHO & Toolbar

    .......................................................

    I ran the search (but no fix) on latest SmitFraudFix - here it is

    SmitFraudFix v2.109

    Scan done at 10:39:25.24, Sat 14/10/2006
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\dpfwu.dll FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\MMediaCodec\ FOUND !
    C:\Program Files\VirusBurster\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{dfa61db1-388e-4c87-8d56-540fa229bcb4}"="contrabandists"

    [HKEY_CLASSES_ROOT\CLSID\{dfa61db1-388e-4c87-8d56-540fa229bcb4}\InProcServer32]
    @="C:\WINDOWS\system32\dpfwu.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{dfa61db1-388e-4c87-8d56-540fa229bcb4}\InProcServer32]
    @="C:\WINDOWS\system32\dpfwu.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    ..............................................................

    And here is log from Hijack This from about 22 hours ago.

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\MMediaCodec\isamonitor.exe
    C:\Program Files\MMediaCodec\pmsngr.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\MMediaCodec\pmmon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\MMediaCodec\isamini.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
    O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Program Files\MMediaCodec\isaddon.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\RunOnce: [addpg32.exe] C:\WINDOWS\addpg32.exe
    O4 - HKLM\..\RunOnce: [ipbn.exe] C:\WINDOWS\system32\ipbn.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE



    Can anyone help with that?
     
  2. maca1

    maca1 Regular member

    Joined:
    Mar 15, 2006
    Messages:
    630
    Likes Received:
    0
    Trophy Points:
    26
    Copy these instructions to NotePad for reading while in Safe Mode

    Reboot your computer in Safe Mode by doing the following :

    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, a menu with options should appear;
    * Select the first option, to run Windows in Safe Mode, then press "Enter".
    * Choose your usual account.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.



    Post the C:\rapport.txt and a new HJT log in your next reply.

     
  3. pops4444

    pops4444 Member

    Thanks!

    I followed the instructions. Here is Rapport.txt

    SmitFraudFix v2.109

    Scan done at 7:52:11.47, Sun 15/10/2006
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{dfa61db1-388e-4c87-8d56-540fa229bcb4}"="contrabandists"

    [HKEY_CLASSES_ROOT\CLSID\{dfa61db1-388e-4c87-8d56-540fa229bcb4}\InProcServer32]
    @="C:\WINDOWS\system32\dpfwu.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{dfa61db1-388e-4c87-8d56-540fa229bcb4}\InProcServer32]
    @="C:\WINDOWS\system32\dpfwu.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\system32\dpfwu.dll -> Hoax.Win32.Renos.gen.d
    C:\WINDOWS\system32\dpfwu.dll -> Deleted


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
    C:\Program Files\MMediaCodec\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End







    Here is HJT log 10 minutes ago

    Logfile of HijackThis v1.99.1
    Scan saved at 8:02:25 AM, on 15/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
    O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Program Files\MMediaCodec\isaddon.dll (file missing)
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE



     
  4. maca1

    maca1 Regular member

    Download CWShredder from here:
    http://cwshredder.net/bin/CWShredder.exe
    Save it to the desktop but do NOT run it yet.

    Then download About:Buster from here:
    http://www.malwarebytes.org/AboutBuster.zip
    Unzip it to the desktop, run it, Check for Updates, and update the files, but do NOT run a scan yet.

    Download http://www.downloads.subratam.org/KillBox.zip
    Unzip it to the desktop


    Please download AVG Anti-spyware
    http://www.ewido.net/en/download/
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    For additional help in booting into Safe Mode, see the following site:
    http://www.pchell.com/support/safemode.shtml


    Once in Safe Mode, please run CWShredder, and click Fix.

    Then please run About:Buster and click Start to begin the scan. If prompted to end the Explorer.exe process, click Yes. Your desktop may disappear --- this is normal. Allow the program to scan twice, and when complete click "Save Log". This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved. I will want to see this logfile later.

    Then please run AVG AS, and run a full scan. Save the log from the scan for me.

    Finally, run HijackThis, click Scan, and check:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
    O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Program Files\MMediaCodec\isaddon.dll (file missing)
    O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\RunOnce: [addpg32.exe] C:\WINDOWS\addpg32.exe
    O4 - HKLM\..\RunOnce: [ipbn.exe] C:\WINDOWS\system32\ipbn.exe

    Close all open windows except for HijackThis and click Fix Checked.



    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the X button after you enter each file. It will ask for confirmation to delete the file. Click Yes.

    Note:

    It is possible that Killbox will tell you that one or more files do not
    exist. If that happens, just continue on with all the files.


    C:\WINDOWS\pmscs.dll
    C:\WINDOWS\sysqn.exe
    C:\Program Files\winupdates\winupdates.exe
    C:\Program Files\winupdates
    C:\WINDOWS\addpg32.exe
    C:\WINDOWS\system32\ipbn.exe


    Then please restart your computer in Normal Mode, and post a new HijackThis log, and the logs from AboutBuster and AVG.
     
    Last edited: Oct 14, 2006
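
An added example, not part of the original thread and not HijackThis's own logic: a Python first-pass triage over HijackThis-format lines that surfaces three of the entry kinds picked for fixing in the post above. The heuristics, the function and class names, and the hard-coded `C:\WINDOWS` locations are assumptions for illustration; the sample lines are copied from the logs posted in this thread.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "R1" or "O4"
    reason: str   # why this heuristic flagged the entry
    target: str   # file the entry points at


ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*\S)\s*$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
EXE_RE = re.compile(r'^"?([^"]*?\.exe)', re.IGNORECASE)
RES_DLL_RE = re.compile(r"^res://(.+?\.dll)", re.IGNORECASE)
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")

# Assumption: Windows is installed in C:\WINDOWS, as in the posted logs.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
MISSING = "(file missing)"


def check_ie_setting(section: str, body: str) -> Optional[Finding]:
    """R0/R1: an IE start/search page loaded from a DLL resource on disk."""
    _key, _sep, value = body.partition(" =")
    m = RES_DLL_RE.match(value.strip())
    if m:
        return Finding(section, "IE page setting points at res:// in a local DLL", m.group(1))
    return None


def check_bho(section: str, body: str) -> Optional[Finding]:
    """O2: a Browser Helper Object still registered after its DLL was removed."""
    m = BHO_RE.match(body)
    if m and m.group(3).endswith(MISSING):
        path = m.group(3)[: -len(MISSING)].strip()
        return Finding(section, "BHO registration left behind, DLL missing", path)
    return None


def check_run_key(section: str, body: str) -> Optional[Finding]:
    """O4: Run/RunOnce value named exactly like an .exe sitting directly in
    the Windows or system32 directory (e.g. [sysqn.exe] C:\\WINDOWS\\sysqn.exe)."""
    m = RUN_RE.match(body)
    if not m:
        return None
    name, command = m.group(2), m.group(3)
    exe = EXE_RE.match(command)
    if not exe:
        return None
    path = ntpath.normpath(exe.group(1))  # also collapses "System32\\\\x.exe"
    directory = ntpath.dirname(path).lower()
    if name.lower() == ntpath.basename(path).lower() and directory in WINDOWS_DIRS:
        return Finding(section, "autorun value named after an .exe in the Windows directory", path)
    return None


def triage(log_text: str) -> List[Finding]:
    """Return candidate entries for a human to review; unflagged lines are
    not thereby clean (e.g. the [winupdates] entry needs analyst knowledge)."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if section.startswith("R"):
            hit = check_ie_setting(section, body)
        elif section == "O2":
            hit = check_bho(section, body)
        elif section == "O4":
            hit = check_run_key(section, body)
        else:
            hit = None  # e.g. O8 res:// entries from a toolbar are left alone
        if hit:
            findings.append(hit)
    return findings


# Sample input: lines copied from the HijackThis logs in this thread.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Program Files\MMediaCodec\isaddon.dll (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
O4 - HKLM\..\RunOnce: [ipbn.exe] C:\WINDOWS\system32\ipbn.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.section:>3}  {f.target}  <- {f.reason}")
```
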
  5. pops4444

    pops4444 Member

    Dear Forum, logs follow.
    NOTE THAT SOME REGISTRIES YOU WANTED ME TO CHECK to delete in
    HiJack This were missing, e.g. all starting with R1 or R0.


    AboutBuster 6.05
    Scan started on [15/10/2006] at [12:13:13 PM]
    -------------------------------------------------------------
    Internet Explorer Instances Terminated!
    HomeSearch Service stopped if present
    -------------------------------------------------------------
    Removed Stream! C:\WINDOWS\cdplayer.ini:hmzdrp
    Removed Stream! C:\WINDOWS\cdplayer.ini:jzymhf
    Removed Stream! C:\WINDOWS\clvjw.log:anritz
    Removed Stream! C:\WINDOWS\Coffee Bean.bmp:caqsjh
    Removed Stream! C:\WINDOWS\Coffee Bean.bmp:soknoj
    Removed Stream! C:\WINDOWS\cqwfd.txt:dicqxm
    Removed Stream! C:\WINDOWS\DAVIDSON.INI:winvzw
    Removed Stream! C:\WINDOWS\dqcmt.log:yrkaak
    Removed Stream! C:\WINDOWS\eiwtc.dat:ojfjth
    Removed Stream! C:\WINDOWS\EventSystem.log:rrdfcv
    Removed Stream! C:\WINDOWS\FeatherTexture.bmp:jsnlwf
    Removed Stream! C:\WINDOWS\iis6.log:uwdzxb
    Removed Stream! C:\WINDOWS\izeod.log:lhctwv
    Removed Stream! C:\WINDOWS\ka.ini:ehvyqf
    Removed Stream! C:\WINDOWS\KB824105.log:ghslxo
    Removed Stream! C:\WINDOWS\KB824105.log:okkwyu
    Removed Stream! C:\WINDOWS\KB826939.log:jwusvb
    Removed Stream! C:\WINDOWS\KB826939.log:yikrry
    Removed Stream! C:\WINDOWS\KB828741.log:uwfxym
    Removed Stream! C:\WINDOWS\KB840374.log:qnjfp
    Removed Stream! C:\WINDOWS\KB873333.log:ixmsyv
    Removed Stream! C:\WINDOWS\KB873339.log:bdltzv
    Removed Stream! C:\WINDOWS\KB885835.log:tddgty
    Removed Stream! C:\WINDOWS\KB885835.log:tyfxby
    Removed Stream! C:\WINDOWS\KB889293-IE6SP1-20041111.235619.log:nhefxs
    Removed Stream! C:\WINDOWS\KB890859.log:gixkrd
    Removed Stream! C:\WINDOWS\KB891781.log:yjpqtn
    Removed Stream! C:\WINDOWS\KW.INI:vyqxdg
    Removed Stream! C:\WINDOWS\loqdd.txt:nzidxj
    Removed Stream! C:\WINDOWS\otzsi.txt:oionoi
    Removed Stream! C:\WINDOWS\PhotoSuite.ini:gjgtql
    Removed Stream! C:\WINDOWS\rdtgm.dat:xjrwth
    Removed Stream! C:\WINDOWS\regopt.log:zvcdxk
    Removed Stream! C:\WINDOWS\Rhododendron.bmp:xrenau
    Removed Stream! C:\WINDOWS\ruvro.txt:qswave
    Removed Stream! C:\WINDOWS\rwsir.log:xwqmfg
    Removed Stream! C:\WINDOWS\sessmgr.setup.log:qxirzr
    Removed Stream! C:\WINDOWS\Soap Bubbles.bmp:iytect
    Removed Stream! C:\WINDOWS\WindowsUpdate.log:axsbvk
    Removed Stream! C:\WINDOWS\winnt256.bmp:sylppv
    Removed Stream! C:\WINDOWS\wrrjq.txt:mnnuqs
    Removed Stream! C:\WINDOWS\xqraj.txt:xofhkc
    Removed Stream! C:\WINDOWS\Zapotec.bmp:ppynmn
    Removed Stream! C:\WINDOWS\_default.pif:afiser
    Removed Stream! C:\WINDOWS\_default.pif:ccohln
    Removed Stream! C:\WINDOWS\_default.pif:crxcfe
    Removed Stream! C:\WINDOWS\_default.pif:gsykjw
    Removed Stream! C:\WINDOWS\_default.pif:hgwsqh
    Removed Stream! C:\WINDOWS\_default.pif:hregvt
    Removed Stream! C:\WINDOWS\_default.pif:ihrpil
    Removed Stream! C:\WINDOWS\_default.pif:lisomi
    Removed Stream! C:\WINDOWS\_default.pif:orltti
    Removed Stream! C:\WINDOWS\_default.pif:ornjrk
    Removed Stream! C:\WINDOWS\_default.pif:pfdnwx
    Removed Stream! C:\WINDOWS\_default.pif:qghkoa
    Removed Stream! C:\WINDOWS\_default.pif:qlqcfx
    Removed Stream! C:\WINDOWS\_default.pif:qtiplh
    Removed Stream! C:\WINDOWS\_default.pif:rfebdc
    Removed Stream! C:\WINDOWS\_default.pif:thaasg
    Removed Stream! C:\WINDOWS\_default.pif:tjchey
    Removed Stream! C:\WINDOWS\_default.pif:udymny
    Removed Stream! C:\WINDOWS\_default.pif:ykxxlm
    -------------------------------------------------------------
    Removed File! : C:\WINDOWS\amjta.txt
    Removed File! : C:\WINDOWS\bdqfe.log
    Removed File! : C:\WINDOWS\bohkl.dat
    Removed File! : C:\WINDOWS\bzddh.dat
    Removed File! : C:\WINDOWS\chcax.dat
    Removed File! : C:\WINDOWS\ckivy.txt
    Removed File! : C:\WINDOWS\clvjw.log
    Removed File! : C:\WINDOWS\crwmd.dat
    Removed File! : C:\WINDOWS\gfqhm.txt
    Removed File! : C:\WINDOWS\hcrdq.log
    Removed File! : C:\WINDOWS\howol.txt
    Removed File! : C:\WINDOWS\hrmnc.dat
    Removed File! : C:\WINDOWS\ildin.txt
    Removed File! : C:\WINDOWS\ircat.dat
    Removed File! : C:\WINDOWS\loqdd.txt
    Removed File! : C:\WINDOWS\lvkrs.log
    Removed File! : C:\WINDOWS\nyqud.txt
    Removed File! : C:\WINDOWS\otzsi.txt
    Removed File! : C:\WINDOWS\pblat.dat
    Removed File! : C:\WINDOWS\qdfss.log
    Removed File! : C:\WINDOWS\qhqjj.txt
    Removed File! : C:\WINDOWS\rfebd.dat
    Removed File! : C:\WINDOWS\ridwu.dat
    Removed File! : C:\WINDOWS\rkdnt.dat
    Removed File! : C:\WINDOWS\sofqb.txt
    Removed File! : C:\WINDOWS\soygy.dat
    Removed File! : C:\WINDOWS\sykkb.log
    Removed File! : C:\WINDOWS\tnhyq.dat
    Removed File! : C:\WINDOWS\tykvv.txt
    Removed File! : C:\WINDOWS\vgzgv.txt
    Removed File! : C:\WINDOWS\wedsk.txt
    Removed File! : C:\WINDOWS\wjrrw.txt
    Removed File! : C:\WINDOWS\xqraj.txt
    Removed File! : C:\WINDOWS\yrmgl.log
    Removed File! : C:\WINDOWS\zmerh.txt
    Removed File! : C:\WINDOWS\system32\atgap.dat
    Removed File! : C:\WINDOWS\system32\bjqhy.txt
    Removed File! : C:\WINDOWS\system32\blrln.txt
    Removed File! : C:\WINDOWS\system32\cggen.txt
    Removed File! : C:\WINDOWS\system32\covai.txt
    Removed File! : C:\WINDOWS\system32\cvdjg.txt
    Removed File! : C:\WINDOWS\system32\dcqyl.dat
    Removed File! : C:\WINDOWS\system32\ffkfj.dat
    Removed File! : C:\WINDOWS\system32\goble.log
    Removed File! : C:\WINDOWS\system32\gwidr.dat
    Removed File! : C:\WINDOWS\system32\hlubs.dat
    Removed File! : C:\WINDOWS\system32\hsrmv.dat
    Removed File! : C:\WINDOWS\system32\iiwjx.dat
    Removed File! : C:\WINDOWS\system32\itlwr.dat
    Removed File! : C:\WINDOWS\system32\jkvbr.dat
    Removed File! : C:\WINDOWS\system32\khavc.dat
    Removed File! : C:\WINDOWS\system32\mytvd.txt
    Removed File! : C:\WINDOWS\system32\natfw.txt
    Removed File! : C:\WINDOWS\system32\nnsrl.log
    Removed File! : C:\WINDOWS\system32\ntsht.txt
    Removed File! : C:\WINDOWS\system32\ornjr.log
    Removed File! : C:\WINDOWS\system32\oswbt.log
    Removed File! : C:\WINDOWS\system32\pqwba.log
    Removed File! : C:\WINDOWS\system32\qowzv.dat
    Removed File! : C:\WINDOWS\system32\qvctc.txt
    Removed File! : C:\WINDOWS\system32\rdpdt.log
    Removed File! : C:\WINDOWS\system32\rotge.dat
    Removed File! : C:\WINDOWS\system32\rxolh.log
    Removed File! : C:\WINDOWS\system32\sgzyt.dat
    Removed File! : C:\WINDOWS\system32\sylpp.dat
    Removed File! : C:\WINDOWS\system32\tcdpy.log
    Removed File! : C:\WINDOWS\system32\tcsou.txt
    Removed File! : C:\WINDOWS\system32\tyfxb.log
    Removed File! : C:\WINDOWS\system32\unlae.txt
    Removed File! : C:\WINDOWS\system32\unulk.txt
    Removed File! : C:\WINDOWS\system32\vpsva.log
    Removed File! : C:\WINDOWS\system32\wchwa.log
    Removed File! : C:\WINDOWS\system32\wopvi.txt
    Removed File! : C:\WINDOWS\system32\xekel.log
    Removed File! : C:\WINDOWS\system32\xmdiv.txt
    Removed File! : C:\WINDOWS\system32\ytfhw.dat
    Removed File! : C:\WINDOWS\system32\ythzz.dat
    Removed File! : C:\WINDOWS\system32\zoyim.dat
    -------------------------------------------------------------
    Removed Temp Files
    Internet Explorer Settings Reset!
    -------------------------------------------------------------
    Scan was COMPLETED SUCCESSFULLY at 12:20:24 PM


    AboutBuster 6.05
    Scan started on [15/10/2006] at [12:22:23 PM]
    -------------------------------------------------------------
    Internet Explorer Instances Terminated!
    HomeSearch Service stopped if present
    -------------------------------------------------------------
    No Ads Found!
    -------------------------------------------------------------
    No Files Found!
    -------------------------------------------------------------
    Scan was COMPLETED SUCCESSFULLY at 12:22:29 PM









    Logfile of HijackThis v1.99.1
    Scan saved at 1:34:52 PM, on 15/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Hijack This\HijackThis.exe

    O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
    O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Program Files\MMediaCodec\isaddon.dll (file missing)
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE





    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 1:32:02 PM 15/10/2006

    + Scan result:



    C:\Documents and Settings\Owner\Cookies\owner@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
    C:\Documents and Settings\Owner\Cookies\owner@com[1].txt -> TrackingCookie.Com : No action taken.


    ::Report end



     
  6. maca1

    maca1 Regular member

    Those entries were taken care of beforehand. Also, in future, make sure when you scan with ewido that you click 'Apply All Actions' at the end of the scan or nothing gets removed.

    My Computer -> Tools -> Folder Options -> View tab -> Select Show Hidden Files and Folders.

    Please download Brute Force Uninstaller to your desktop.
    http://www.majorgeeks.com/Brute_Force_Uninstaller_BFU_d4714.html

    * Right click the BFU folder on your desktop, and choose Extract All
    * Click "Next"
    * In the box to choose where to extract the files to, click "Browse"
    * Click on the + sign next to "My Computer"
    * Click on "Local Disk (C:)" or whatever your primary drive is
    * Click "Make New Folder"
    * Type in BFU
    * Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".


    RIGHT-CLICK on this link http://metallica.geekstogo.com/alcanshorty.bfu
    and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
    Save it in the same folder you made earlier (c:\BFU).


    Please reboot into Safe Mode:
    Turn on the computer.
    Immediately begin tapping the F8 key.
    Use the arrow keys to highlight Safe Mode and press the Enter key.

    Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe.

    Behind the "Scriptline to execute" field, click the folder icon and select alcanshorty.bfu.

    Press execute and let it do its job.

    Wait for the complete script execution box to pop up and press OK.
    Press exit to terminate the BFU program.



    Run HijackThis and place a check beside each of the following. Once you have checked them, click Fix checked.

    O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
    O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Program Files\MMediaCodec\isaddon.dll (file missing)
    O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

    Search for and delete the following if they still exist:

    C:\Program Files\iMesh (folder)
    C:\Program Files\MMediaCodec (folder)
    C:\WINDOWS\sysqn.exe (file)
    C:\Program Files\winupdates (folder)

    Reboot into normal mode and post a new HijackThis log.




     
    Last edited: Oct 15, 2006
  7. pops4444

    pops4444 Member

    Some things I've noticed. In safe mode HijackThis seems to freeze a bit with a slow scroll up or down the log. Also the last sweep with AVG Ewido may not have been the very latest update, but almost if not the latest.
    I took the opportunity to wipe IE history, files and most of the cookies present.


    Only one of the things you asked me to check and delete existed.

    HJT log:-


    Logfile of HijackThis v1.99.1
    Scan saved at 11:24:36 PM, on 15/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


    Thanks heaps
     
  8. maca1

    maca1 Regular member

    Some entries are back. I think there might be a hidden service preventing it from being fixed so we'll try this first.

    Download ServiceFilter. http://home.comcast.net/~rand1038/vbscript/ServiceFilter.zip
    Unzip ServiceFilter.zip to a convenient folder like C:\ServiceFilter.
    Navigate to where you unzipped it and double-click on ServiceFilter.vbs.
    If you have an active anti-virus it might prevent the script from starting. Please allow the script to run.
    It will open a text file (POST_THIS.TXT) that lists all of the irregular services.
    Press Ctrl + A simultaneously to select all of the text.
    Copy and paste the whole thing into your next post.
    A copy of POST_THIS.TXT is saved to where ServiceFilter.vbs was saved just in case you accidentally close out of it.



     
  9. pops4444

    pops4444 Member

    The script did not recognize the services listed below.
    This does not mean that they are a problem.

    To copy the entire contents of this document for posting:
    At the top of this window click "Edit" then "Select All"
    Next click "Edit" again then "Copy"
    Now right click in the forum post box then click "Paste"

    ########################################

    ServiceFilter 1.1
    by rand1038

    Microsoft Windows XP Home Edition
    Version: 5.1.2600 Service Pack 2
    Oct 16, 2006 11:25:54 AM


    ---> Begin Service Listing <---

    Unknown Service # 1
    Service Name: AVGEMS
    Display Name: AVG E-mail Scanner
    Start Mode: Auto
    Start Name: LocalSystem
    Description: ...
    Service Type: Own Process
    Path: c:\progra~1\grisoft\avgfre~1\avgemc.exe
    State: Running
    Process ID: 1596
    Started: True
    Exit Code: 0
    Accept Pause: False
    Accept Stop: True

    Unknown Service # 2
    Service Name: ewido anti-spyware 4.0 guard
    Display Name: ewido anti-spyware 4.0 guard
    Start Mode: Auto
    Start Name: LocalSystem
    Description: ...
    Service Type: Own Process
    Path: c:\program files\ewido anti-spyware 4.0\guard.exe
    State: Running
    Process ID: 1632
    Started: True
    Exit Code: 0
    Accept Pause: False
    Accept Stop: False

    Unknown Service #3
    Service Name: SwPrv
    Display Name: MS Software Shadow Copy Provider
    Start Mode: Manual
    Start Name: LocalSystem
    Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
    Service Type: Own Process
    Path: c:\windows\system32\dllhost.exe /processid:{c5aeba7e-6cbe-43fb-873c-311dc2cae12c}
    State: Stopped
    Process ID: 0
    Started: False
    Exit Code: 1077
    Accept Pause: False
    Accept Stop: False

    Unknown Service # 4
    Service Name: WinDefend
    Display Name: Windows Defender Service
    Start Mode: Auto
    Start Name: LocalSystem
    Description: Helps protect users from malicious software, spyware, and other potentially unwanted ...
    Service Type: Own Process
    Path: "c:\program files\windows defender\msmpeng.exe"
    State: Running
    Process ID: 856
    Started: True
    Exit Code: 0
    Accept Pause: False
    Accept Stop: True

    ---> End Service Listing <---

    There are 84 Win32 services on this machine.
    4 were unrecognized.

    Script Execution Time: 0.8515625 seconds.



    I ran that scan with the internet connected (no browser). Is that an issue?

    Also "sysqn" and "winupdates" returned on the last HijackThis scan and returned again immediately after deletion.

    I've had trouble with pages loading on this site right now but it may not be my computer.
     
  10. maca1

    maca1 Regular member

    Post another HijackThis log.
     
  11. pops4444

    pops4444 Member

    I'm sorry about that, I should have posted it.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:39:03 PM, on 16/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D89735BB-4860-4E6B-B733-8D6807DEBE47}: NameServer = 203.12.160.35 203.12.160.36
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

     
  12. maca1

    maca1 Regular member

    OK, you have downloaded some of these already but I've listed them again in case you've deleted them. Please follow all these instructions.


    Go to
    My Computer -> Tools -> Folder Options -> View tab -> Select Show Hidden Files and Folders.

    Click here to download cwsserviceremove.zip: http://castlecops.com/zx/flrman1/cwsserviceremove.zip
    Unzip it to your desktop and have it ready to run later.

    Download
    http://www.ccleaner.com/
    Install but don't run. You needn't install the yahoo toolbar.

    Download Cleanup from Here http://cleanup.stevengould.org/

    * A window will open and choose SAVE, then DESKTOP as the destination.
    * On your Desktop, click on Cleanup40.exe icon.
    * Then, click RUN and place a checkmark beside "I Agree"
    * Then click NEXT followed by START and OK.
    * A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
    * Click OK
    * DO NOT RUN IT YET


    Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
    Save it to your desktop.
    DO NOT run it yet.

    Click here to download CWShredder: http://cwshredder.net/bin/CWShredder.exe
    DO NOT run it yet. Download it to the desktop and have it ready to run later.

    Click here to download AboutBuster created by Rubber Ducky: http://www.majorgeeks.com/AboutBuster_d4289.html

    Unzip AboutBuster to the desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit".

    DO NOT run it yet.
    Just update the program for later.

    First copy these instructions to Notepad and save it to your desktop for safe mode.

    Reboot into safe mode and do these steps exactly.

    Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry.

    Run HijackThis and put a check by these entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

    Once you've checked all of the above entries, click Fix Checked.

    Double-click on Killbox.exe to run it.
    Now put a tick by Standard File Kill.
    In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
    It will ask for confirmation to delete the file.
    Click Yes.
    Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\sysqn.exe
    C:\Program Files\winupdates\winupdates.exe
    C:\Program Files\winupdates
    C:\WINDOWS\pmscs.dll

    Next, Navigate to the C:\Windows\Temp folder.
    Open the Temp folder and go to Edit>Select All then Edit>Delete to delete the entire contents of the Temp folder.

    Go to Start>Run and type %temp% in the Run box.
    The Temp folder will open. Click Edit>Select All then Edit>Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel>Internet Options.
    On the General tab under "Temporary Internet Files" Click "Delete Files".
    Put a check by "Delete Offline Content" and click OK.
    Click on the Programs tab then click the "Reset Web Settings" button.
    Click Apply then OK.

    Next run AboutBuster. Double click Aboutbuster.exe, click OK, click Start then click OK. This will scan your computer for the bad files and delete them.

    Now, run CWShredder. Just click on the cwshredder.exe then click Fix (Not Scan only) and let it do its thing.

    * Run Cleanup:

    * Click on the "Cleanup" button and let it run.
    * Once its done, close the program.

    Run a scan with ewido antispyware. When it finishes, make sure you click Apply All Actions.

    Start CCleaner.
    Click on the "Options" icon at the left side of the window, then click on "Advanced."
    Deselect "Only delete files in Windows Temp folders older than 48 hours".
    Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
    After CCleaner has completed, click Exit.
    Restart your computer into normal mode.



    Go to Internet Options - Security - Internet, press 'default level', then OK.
    Now press "Custom Level."

    In the ActiveX section, set the first two options "Download Signed and Unsigned ActiveX controls" to 'Prompt', and "Initialize and Script ActiveX Controls not marked as Safe" to 'Disable'.

    Reboot and post another Hijack This log please.
     
    Last edited: Oct 16, 2006
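As an added illustration (not part of the original thread and not any tool's own code), the comparison being done by eye across these posts can be scripted: parse each HijackThis log into entries, then check which entries ticked for "Fix checked" are present again in the next log and which entries are new. The log excerpts are copied from the posts above; the function and variable names are this example's own.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# HijackThis entry lines start with a section code: R0-R3, F0-F3, N1-N4, O1-O2x.
ENTRY_RE = re.compile(r"^\s*(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+?)\s*$")
# First drive-letter path ending in .exe/.dll, including inside quotes or res:// URLs.
FILE_RE = re.compile(r"[A-Za-z]:\\[^\"/,]*?\.(?:exe|dll)", re.IGNORECASE)


class Entry(NamedTuple):
    code: str   # section code, e.g. "O4"
    data: str   # everything after "CODE - "

    @property
    def key(self):
        # Case- and whitespace-insensitive identity, so the same entry matches across logs.
        return (self.code, " ".join(self.data.split()).lower())


def parse_log(text: str) -> List[Entry]:
    """Return the entry lines of a HijackThis log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def referenced_file(entry: Entry) -> Optional[str]:
    """Lower-cased path of the first .exe/.dll the entry points at, if any."""
    m = FILE_RE.search(entry.data)
    return m.group(0).lower() if m else None


def compare_logs(before: List[Entry], fixed: List[Entry],
                 after: List[Entry]) -> Dict[str, list]:
    """Classify entries across a fix: returned, stayed gone, and newly appeared."""
    before_keys = {e.key for e in before}
    after_keys = {e.key for e in after}
    returned = [e for e in fixed if e.key in after_keys]
    stayed_gone = [e for e in fixed if e.key not in after_keys]
    new = [e for e in after if e.key not in before_keys]
    files = sorted({f for e in returned + new if (f := referenced_file(e))})
    return {"returned": returned, "stayed_gone": stayed_gone,
            "new": new, "files_to_review": files}


# Excerpt of the log posted before the first fix (copied from the thread).
LOG_BEFORE_FIX = r"""
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Program Files\MMediaCodec\isaddon.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# The four entries the helper asked to be ticked and fixed (copied from the thread).
FIX_LIST = r"""
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Program Files\MMediaCodec\isaddon.dll (file missing)
O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
"""

# Excerpt of the log saved on 16/10/2006 (copied from the thread).
LOG_AFTER_FIX = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pmscs.dll/sp.html#37049
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O17 - HKLM\System\CCS\Services\Tcpip\..\{D89735BB-4860-4E6B-B733-8D6807DEBE47}: NameServer = 203.12.160.35 203.12.160.36
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def demo() -> Dict[str, list]:
    return compare_logs(parse_log(LOG_BEFORE_FIX), parse_log(FIX_LIST),
                        parse_log(LOG_AFTER_FIX))


if __name__ == "__main__":
    report = demo()
    for label in ("returned", "stayed_gone", "new"):
        print(label.upper())
        for e in report[label]:
            print(f"  {e.code} - {e.data}")
    print("FILES TO REVIEW")
    for path in report["files_to_review"]:
        print(f"  {path}")
```

Entries that come back after being fixed indicate something still running that rewrites them, which matches the hidden-service suspicion raised earlier in the thread; the file list is what to look for on disk before the next cleanup pass.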
  13. pops4444

    pops4444 Member

    Following is HJT log
    anomalies are still present - so....issues:
    1. I left the computer in safe mode for several hours before the "ewido" scan because I had to go out.
    2. Lavasoft Ad-Watch runs automatically in normal windows mode. On startup it normally shows some registry modification, but not the most recent startup. Should all such programs be disabled?
    3. About Buster will not update - I see no way to do that.

    Other than these I followed the instructions.

    Other logs:-
    Ewido:- found nothing
    About buster:- found nothing.
    AboutBuster 6.05
    Scan started on [17/10/2006] at [10:50:59 AM]
    -------------------------------------------------------------
    Internet Explorer Instances Terminated!
    HomeSearch Service stopped if present
    -------------------------------------------------------------
    No Ads Found!
    -------------------------------------------------------------
    No Files Found!
    -------------------------------------------------------------
    Scan was COMPLETED SUCCESSFULLY at 10:55:04 AM

    CCleaner log:-
    CLEANING COMPLETE - (10.895 secs)
    ------------------------------------------------------------------------------------------
    41.0MB removed.
    ------------------------------------------------------------------------------------------

    Details of files deleted
    ------------------------------------------------------------------------------------------
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\b2b.doc.LNK 390 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Bacharach info 6 sept 2006.doc.LNK 986 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\bacharach.LNK 781 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Beginner Piano.LNK 806 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Book1[1].xls.LNK 1.13KB
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Bread recipe 1.doc.LNK 451 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Bread recipes.doc.LNK 446 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\can't believe - midi.LNK 481 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Casino royale.LNK 897 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Chance.LNK 409 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Confirmation_Prague_Castle.doc.LNK 511 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\CRYSTALS.doc.LNK 421 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Desktop.LNK 306 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Easy Peasy - whole score_001.eps.LNK 960 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Easy Peasy - whole score_001.tif.LNK 960 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Easy Peasy - whole score_002.tif.LNK 960 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Ebook - Prize Winning Recipes.LNK 641 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\G7J3QWT1.LNK 1.02KB
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\GeorgeW[1].LNK 731 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\GRC.LNK 745 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\GUESSTHESONGTITLE.LNK 766 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\happy card.doc.LNK 431 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Harry Potter and the Order of the Phoenix CH 1-2.LNK 398 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Harry Potter and the Order of the Phoenix CH 12-15.LNK 771 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Harry Potter and the Order of the Phoenix CH 3-4.LNK 761 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Harry Potter and the Order of the Phoenix CH 5-6.LNK 761 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Harry Potter and the Order of the Phoenix CH 7-10.LNK 766 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Harry Potter and the Order of the Phoenix CH 7-8.LNK 761 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Harry_Potter_Book_5.LNK 591 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\I'll never fall piano.LNK 813 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\I'll Never Fall In Love Again.LNK 977 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\IMPORTANT NOTICE 2006 term 4.doc.LNK 335 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\LIME PICKLE.doc.LNK 820 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\List of Goup Students cfdet2.xls.LNK 521 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\mergedata.LNK 892 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Message to Michael.LNK 922 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Microsoft 2008.LNK 751 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\mike Steve.doc.LNK 431 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Moonlight Swingata PNO only version_001.LNK 1.09KB
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Moonlight Swingata PNO only version_002.LNK 1.09KB
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Moonlight Swingata PNO only version_003.LNK 1.09KB
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Moonlight Swingata PNO only version_004.LNK 1.09KB
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Mum & Dads pos slips.doc.LNK 781 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\My Documents.LNK 606 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Noel bio pic.jpg.LNK 441 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Noel bio pic2.jpg.LNK 446 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Noel bio pic3.jpg.LNK 446 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Normal.dot.LNK 869 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Normal.LNK 869 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Note to self.LNK 441 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\NOTICE 8th June.doc.LNK 756 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\O3A1GFMV.LNK 1.02KB
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\over & under.eps.LNK 941 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\over & under.tif.LNK 941 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Pa_s_story[1].doc.LNK 1.15KB
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\PRESIDENTS REPORT.doc.LNK 766 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Promises.LNK 872 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Read Me.rtf.LNK 522 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\RECIPE -stew.doc.LNK 825 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Recipe for Sweet and Sour Fish.doc.LNK 831 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Recipe for Sweet and Sour Fish.htm.LNK 831 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\recipes.LNK 690 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Reference from Ruth.doc.LNK 776 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\REGARDING OUR STRATEGIC PLAN.doc.LNK 967 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\simple blues 8_001.LNK 1016 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\simple blues 8_002.LNK 1016 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\skip to my lou.tif.LNK 951 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Song Score.dot.LNK 891 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Song Score.LNK 891 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Suzies memories.doc.LNK 756 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Sweet%20&%20Sour%20Fish.jpg.LNK 796 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\tall boy.tif.LNK 921 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Temp.LNK 661 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Templates.LNK 766 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Temporary Directory 1 for AboutBuster.zip.LNK 921 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\UNTITLED (E).LNK 187 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\what can the matter be.tif.LNK 991 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\wise owl grey.tif.LNK 946 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\Wives and lovers Piano.LNK 597 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\www.yahoo.com.url 47 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\You'll Never.LNK 892 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\ZM4331SD.LNK 1016 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\_Timetables for GRC.LNK 752 bytes
    C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\~WRL0967.tmp.LNK 421 bytes
    C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\K4G5JJZX\www.youtube.com\soundData.sol 58 bytes
    C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.planetcook.com\settings.sol 88 bytes
    C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.youtube.com\settings.sol 85 bytes
    C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 372 bytes
    C:\Program Files\Ahead\Nero\NeroHistory.log 0.15MB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040711-1150.log 1.91KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040711-1151.txt 2.84KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040713-0737.log 643 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040713-0739.txt 1.51KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040713-0957.log 643 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040713-0959.txt 1.51KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040713-1608.log 593 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040713-1610.txt 1.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040713-1637.log 643 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040713-1639.txt 1.51KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040713-1648.log 643 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040713-1650.txt 1.51KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1049.log 644 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1050.txt 1.51KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1126.log 594 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1127.log 544 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1127.txt 1.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1128.txt 1.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1131.log 244 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1132.txt 525 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1133.log 2.34KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1133.txt 3.30KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1134.log 8.41KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1134.txt 19.08KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1135.log 1.16KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1135.txt 1.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1136.log 1.11KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1136.txt 2.66KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1137.log 488 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1137.txt 1.86KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1138.log 8.17KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1138.txt 525 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1140.txt 18.57KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1141.log 8.17KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1142.txt 18.57KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1158.log 644 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1201.txt 1.51KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1212.log 594 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1213.txt 1.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1436.log 593 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040714-1438.txt 1.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040715-1947.log 593 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040715-1949.txt 1.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040715-1952.log 593 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040715-1954.txt 1.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040715-2101.log 593 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040715-2103.txt 1.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040720-2238.log 679 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040720-2240.txt 1.43KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040722-1131.log 194 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040725-2124.log 543 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040725-2126.txt 1.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040810-2139.log 593 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.040810-2141.txt 1.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050206-2118.log 3.42KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050206-2120.txt 7.07KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050206-2230.log 886 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050206-2233.txt 1.94KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050206-2242.log 593 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050206-2244.txt 1.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050211-0926.log 721 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050211-0928.txt 1.55KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050211-0929.log 640 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050211-0930.txt 1.47KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050214-1156.log 641 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050214-1158.txt 1.47KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050322-2043.log 1.44KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050322-2045.txt 2.52KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050401-1312.log 1.27KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050401-1315.txt 2.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050501-1512.log 1.76KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050501-1516.txt 2.85KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050502-0759.log 826 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050502-0801.txt 1.85KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050502-0846.log 1018 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050502-0846.txt 464 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050502-0848.txt 1.85KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050502-0910.log 592 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050502-0912.txt 1.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050502-0914.log 592 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050502-0917.txt 1.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050503-0939.log 885 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050503-0941.txt 1.94KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050530-2229.log 1.20KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050530-2232.txt 2.05KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050530-2233.log 594 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050530-2234.txt 1.35KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050607-1411.log 836 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050607-1413.txt 1.46KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050607-1419.log 477 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050607-1421.txt 791 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050607-1433.log 242 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050607-1435.txt 555 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050607-2243.log 393 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050607-2245.txt 705 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050611-1815.log 243 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050611-1817.txt 555 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.061013-0948.log 369 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.061013-0950.txt 799 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.061014-1102.log 370 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.061014-1104.txt 799 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040711-1152.txt 2.69KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040713-0740.txt 1.47KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040713-1000.txt 1.47KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040713-1610.txt 1.31KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040713-1646.txt 1.47KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040714-1126.txt 1.47KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040714-1127.txt 1.31KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040714-1128.txt 1.37KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040714-1135.txt 1.31KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040714-1136.txt 2.63KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040714-1140.txt 18.53KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040714-1145.txt 18.36KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040714-1155.txt 18.36KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040714-1201.txt 1.47KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040714-1436.txt 1.31KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040714-1439.txt 1.31KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040715-1950.txt 1.31KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.040715-2105.txt 1.31KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.050206-2225.txt 6.75KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.050206-2233.txt 1.87KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.050206-2244.txt 1.31KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.050322-2046.txt 2.41KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.050401-1317.txt 2.25KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.050502-0754.txt 2.73KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.050502-0909.txt 1.79KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.050503-0941.txt 1.87KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.050530-2232.txt 1.96KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.050607-1414.txt 1.40KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.050607-1432.txt 770 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.050607-2246.txt 691 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.061014-1105.txt 792 bytes
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Update downloads.log 6.11KB
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Statistics.ini 4.15KB
    C:\Program Files\Lavasoft\Ad-Aware SE Professional\defs.ref.old 0.48MB
    C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2005-07-03 09-16-14.txt 30.02KB
    C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2005-07-03 14-26-35.txt 38.02KB
    C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2005-07-03 18-01-30.txt 38.07KB
    C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2005-07-03 18-11-56.txt 23.90KB
    C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2005-07-03 18-33-06.txt 25.34KB
    C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2005-07-04 23-48-47.txt 32.79KB
    C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2005-07-12 13-17-02.txt 39.02KB
    C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2005-07-12 15-53-00.txt 41.65KB
    C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2005-07-12 23-46-16.txt 32.19KB
    C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2005-07-13 08-16-45.txt 25.95KB
    C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2005-07-13 08-31-44.txt 27.52KB
    C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2005-07-13 08-33-01.txt 25.41KB
    C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2005-07-13 08-33-29.txt 25.41KB
    C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2005-07-13 08-33-51.txt 25.41KB
    C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2005-07-13 11-17-56.txt 25.41KB






    Logfile of HijackThis v1.99.1
    Scan saved at 6:32:26 PM, on 17/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
     
  14. maca1

    maca1 Regular member


    Your CWS infection still showing is one thing, but those other 2 files in the O4s have no other reason to be showing other than something is interfering, like your security programs, like you said. So disable all your security programs in normal mode: Ad-Watch, SpySweeper, ewido's guard etc. I'm sorry, I probably should have said that already. Then check all those things I said in my last post in normal mode, then boot to safe mode and follow my last post again.


    1. Disable all security programs
    2. Check those things in HijackThis in normal mode
    3. Then follow my last post again in safe mode (checking those things again if there)

    Can you try that?
     
  15. pops4444

    pops4444 Member

    I will do that but because of the time difference it'll be later and I'll post the result.

    Actually I ran all your instructions a second time, but before the ewido scan (which had found nothing last time), I ran Adware Away (unregistered and will not clean).
    It found one item:-
    IE UrlSearchHook(HKLM) : Default UrlSearchHook Missing=
    IE BHO & Toolbar

    That's all
     
  16. maca1

    maca1 Regular member

    To disable Windows Defender, SpySweeper, ewido and Ad-Watch:

    Windows Defender

    * Open Windows Defender.
    * Click on Tools>Options.
    * Scroll down and uncheck "Use real-time protection (recommended)".
    * After you uncheck this, click on the Save button and close Windows Defender.

    Webroot SpySweeper

    * Go to the Options>Program Options
    * Uncheck Load at Windows Startup
    * Click Shields on the left.
    * Click Internet Explorer and uncheck all items.
    * Click Windows System and uncheck all items.
    * Click Startup Programs and uncheck all items.
    * Click Browser Add-Ons and uncheck all items.
    * Exit Spysweeper.

    Ad-Aware's AdWatch


    * Open AdAware SE.
    * Go to AdWatch User Interface.
    * Go to Tools and Preferences.
    * At the bottom of the screen you will see 2 options: Active and Automatic.
    * Active: This will turn Ad-Watch On\Off without closing it
    * Automatic: Suspicious activity will be blocked automatically
    Uncheck both options.

    Ewido

    Disable ewido's guard by just running ewido and changing the guard to inactive if active.
     
    Last edited: Oct 17, 2006
  17. pops4444

    pops4444 Member

    Logfile of HijackThis v1.99.1
    Scan saved at 12:08:40 PM, on 18/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijack This\HijackThis.exe

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


    How are we going?
    I hadn't seen your post and I didn't deactivate Windows Defender.

    Spybot, which I haven't used in ages, it seems may have been running protection, and Ad-Watch loads and runs when wares are present even when deactivated as you described. However, I did ask it not to load at startup, which worked.

    NOW AS I'M TYPING I've opened Ad-Aware, Ad-Watch and it's immediately told me there is an attempt to change a registry value BLAH BLAH, which is what normally happens - about five of them. But the log above looks better than before.

    What's your opinion of that? If the log is clear, then loading Ad-Watch finds the spyware, can the spyware be attached to Ad-Watch?

    I'll click "accept" for each change then give you the new HJT log as well. I think we can guess the result.

    OK there were only two as I fiddled with it.

    New log

    Logfile of HijackThis v1.99.1
    Scan saved at 1:14:58 PM, on 18/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
    C:\Program Files\Hijack This\HijackThis.exe

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D89735BB-4860-4E6B-B733-8D6807DEBE47}: NameServer = 203.12.160.35 203.12.160.36
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE



     
  18. maca1

    maca1 Regular member

    Ad-Watch detecting changes to the registry has probably got to do with you checking the entries in HijackThis.

    Leave it disabled until the end in case it interferes again.

    Your HijackThis log is clean, but run an online scan.

    Run ActiveScan online virus scan:
    http://www.pandasoftware.com/products/activescan.htm
    When the scan is finished, save the results from the scan!

    If anything bad is found, post the results.

     
    Last edited: Oct 18, 2006
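
Comparing the 17/10 HijackThis log with the last 18/10 log shows exactly which entries the cleanup removed and what is new; the Python below is an added example (not part of the thread and not HijackThis's own code) that parses the entry lines and diffs two logs. The log excerpts are abridged from the logs posted above; the function names and the `res://` check restricted to R0/R1 lines are assumptions made for illustration.

```python
import re

# Abridged excerpts of two logs posted in this thread (17/10/2006 and 18/10/2006 1:14 PM).
LOG_17_OCT = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pmscs.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmscs.dll/sp.html#37049
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

LOG_18_OCT = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\Explorer.EXE
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{D89735BB-4860-4E6B-B733-8D6807DEBE47}: NameServer = 203.12.160.35 203.12.160.36
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# An entry line is "<section code> - <body>", e.g. "R1 - ..." or "O23 - ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
# A res:// URL that loads a page from inside a local DLL.
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)


def parse_entries(log_text):
    """Return (section, body) for each entry line, in log order.

    Header lines and the 'Running processes' paths do not match and are skipped.
    """
    entries = []
    for line in log_text.splitlines():
        match = ENTRY.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def diff_logs(before_text, after_text):
    """Return (removed, added) entries between two logs, keeping log order."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    removed = [entry for entry in before if entry not in after]
    added = [entry for entry in after if entry not in before]
    return removed, added


def res_dll_targets(entries, sections=("R0", "R1")):
    """DLLs that IE start/search page values point into via res://.

    Only R0/R1 are checked (illustrative choice): O8 context-menu items such as
    the Google Toolbar ones above also use res:// and are not page hijacks.
    """
    found = set()
    for section, body in entries:
        if section in sections:
            match = RES_DLL.search(body)
            if match:
                found.add(match.group(1))
    return sorted(found)


if __name__ == "__main__":
    removed, added = diff_logs(LOG_17_OCT, LOG_18_OCT)
    for section, body in removed:
        print("removed", section, body)
    for section, body in added:
        print("added  ", section, body)
    print("res:// DLLs in R0/R1 before:", res_dll_targets(parse_entries(LOG_17_OCT)))
```

An entry that appears only in the later log, such as the O17 NameServer line here, is worth reading as carefully as the removed ones before calling a log clean.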
  19. pops4444

    pops4444 Member

    Since my last post I updated programs and a couple wiped out a number of items like trojan downloaders.



    Today, as you suggested, Online scan result - 4 items:

    Incident | Status | Location

    Spyware:Cookie/Doubleclick | Not disinfected | C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
    Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\Owner\My Documents\Anti-Spyware Prgrms\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\Owner\My Documents\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Potentially unwanted tool:Application/Processor | Not disinfected | C:\WINDOWS\system32\Process.exe
    Thanks
     
  20. maca1

    maca1 Regular member

    Nothing bad was found, only process.exe, which belongs to SmitfraudFix, and a cookie.

    How are things now so?
     
    Last edited: Oct 20, 2006
