Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Computer switches off at random following virus alert


Post by Jane » August 8th, 2008, 1:28 pm

My HijackThis logfile follows.

My computer has been infected with some sort of malware: I'm not sure what, or how, as it's used by the whole family, who have varying degrees of computer literacy.

I've run Avast anti-virus on it, and that did detect a virus which it removed. Since then, though, the computer switches off and on again with no warning at random moments, usually when I'm connected to the internet--but I can't spot a pattern to it.

When I send an error report to MS, I get one of two responses from MS afterwards: that my computer has suffered a blue-screen failure, due to a problem with a driver, advising me to restore the system to a date before the failures started; or a warning that the report was corrupted and there's a serious problem with my computer (well, duh). The log of the latest error report contained the following text:

"BCCode : 1000008e BCP1 : C0000092 BCP2 : BA136504 BCP3 : 80551180
BCP4 : 00000000 OSVer : 5_1_2600 SP : 3_0 Product : 256_1"

I've installed Spybot Search & Destroy and after each new startup following a sudden closedown, it alerts me that there's been a change made to the registry. I've not been able to get the exact text written down as the message only appears for a few seconds, but it reads something like,

"Registry change allowed: identified as LASSH Whitelist"

The computer also seems to run out of memory quite often: Outlook freezes when I open it, perhaps every third time. I get nothing but a blank screen for five minutes or more, then it opens properly and appears to work OK.

I'd be very grateful indeed for any help with this, as I can't get any work done with the computer behaving this way!

Many thanks for your time

Jane




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:12:16, on 08/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\savedump.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Java\jre1.5.0\bin\jusched.exe
F:\WINDOWS\system32\hkcmd.exe
F:\WINDOWS\system32\igfxpers.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\ScanSoft\OmniPageSE\opware32.exe
F:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
F:\Program Files\Ahead\InCD\InCD.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
F:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
F:\Program Files\Olympus\DeviceDetector\DM1Service.exe
F:\Program Files\Spyware Terminator\sp_rsser.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco internet access
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - F:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - F:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - F:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [USRpdA] F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [igfxtray] F:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] F:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] F:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Omnipage] F:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Samsung Common SM] "F:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] F:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "F:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dragon NaturallySpeaking.lnk = F:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
O4 - Global Startup: Device Detector 3.lnk = F:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Directrec Configuration Tool.lnk = F:\Program Files\Olympus\DSSPlayerPro\DirectrecConfig.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: FreshDownload - {A7C6D697-2B0C-4BAE-B203-E10EA815DFC1} - F:\Program Files\FreshDevices\FreshDownload\fd.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/ ... 0330356531
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0092568248
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0095313154
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE4CAD89-825D-4131-ABA7-158C8978CA0E}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - F:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - F:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - F:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 9000 bytes
Jane
Regular Member
 
Posts: 15
Joined: August 8th, 2008, 1:17 pm

Re: Computer switches off at random following virus alert

Post by ktreffin » August 13th, 2008, 9:36 am

Hi Jane, Welcome to the forums!

My name is Ken, on these forums I am known as ktreffin. I will be helping you with your current problem. Please note that I am still in training at Malware Removal University, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.

HiJackThis logs do take some time to review and research. I would appreciate it if while you are waiting, you could please do the following for me:

Please make an Uninstall List using HiJackThis.


To access the Uninstall Manager you would do the following:
    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.

As we work together to resolve your problem, please read these instructions carefully. You may wish to print them off or copy them to Notepad.

Lastly, please keep these points in mind:
  • If you have questions, please DON'T hesitate to ask!
  • The instructions I give are specific to your current problem and should not be used on other systems.
  • Please post your replies only to this topic, and please DO NOT start a new thread.
  • Since there may be multiple issues with your system, please continue to follow this thread until I have given you an "All Clean!"

I am reviewing your log now, and will be back with you shortly. Thank you for your patience.

Ken
ktreffin
Retired Graduate
 
Posts: 1864
Joined: February 28th, 2007, 11:12 pm
Location: USA, Florida

Re: Computer switches off at random following virus alert

Post by Jane » August 13th, 2008, 11:26 am

Ken, please don't apologise for any delay--the fact that you're helping me is just brilliant, and very much appreciated. I'm not saying I wouldn't like immediate help, but I do know that sorting this out would be a nightmare without you!

I did install a new modem recently, which I didn't mention--my old one seemed to have died after a thunderstorm (we're very remote here, and despite surge protectors lose phones and modems regularly), so I put in a new one. Don't know if that's significant.

OK. Here's the Uninstall list that you asked for.



Adobe Acrobat 5.0
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
ArcSoft PhotoBase 3
ArcSoft PhotoStudio 5
avast! Antivirus
Canon CanoScan Toolbox 4.1
CCleaner (remove only)
Coupon Printer
Crawler Toolbar with Web Security Guard
Customizable Alerts
Dragon NaturallySpeaking 8
FreshDownload
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
hp deskjet 950c series (Remove only)
HP Driver Diagnostics
Intel(R) Graphics Media Accelerator Driver
InterVideo WinDVD
J2SE Runtime Environment 5.0
Manual CanoScan LiDE 50
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 4.0 SP2 (KB936181)
Nero Suite
Olympus DSS Player Pro
OmniPage SE
Presto! PageManager 6
Realtek High Definition Audio Driver
Samsung ML-1610 Series
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Soft Voice SoftRing Modem
Spybot - Search & Destroy
Spyware Terminator
Tesco internet access dialler
U.S. Robotics Connections 6.30
Update for Windows XP (KB942763)
Update for Windows XP (KB951978)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3

That's it. I'll look forward to hearing from you soon. Thank you!

Jane
Jane
Regular Member
 
Posts: 15
Joined: August 8th, 2008, 1:17 pm

Re: Computer switches off at random following virus alert

Post by ktreffin » August 15th, 2008, 9:54 am

Hello Jane,

Thank you very much for your patience! :)

Before we begin, I need to stress some important points to you.
  • Some of the instructions I will provide may get quite long. I highly recommend that you print a copy of them off or copy them into Notepad.
  • If at any time you have questions, please DON'T hesitate to ask!
  • Please keep in mind that the instructions I give are specific to your current problem and should not be used on other systems.
  • Also, please remember that there may be multiple issues with your system, please continue to follow this thread until I have given you an "All Clean!"

Ready? Let's go....

Step #1: Temporarily Disable TeaTimer

    Please disable Teatimer as it may interfere with the fix.

    First:
    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident

    Second:
    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Don't forget to re-enable it, when your computer is clean.

*==============================================*

Step #2: Remove programs using Add / Remove Programs

Please remove the following programs from your computer by completing the following steps:
  • Please click Start > Control Panel > Add / Remove Programs
  • Please remove the following programs:
      Crawler Toolbar with Web Security Guard
  • Do not panic if some programs listed are not present.
  • Once you have completed removing the above programs, you may exit the Control Panel

*==============================================*

Step #3: Remove malware lines using Hijack This

Please start HiJackThis as you did to generate a log, but this time click on "Do A System Scan Only".
Place a checkmark in the boxes to the left of the following entries by clicking on them:

O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - F:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - F:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - F:\PROGRA~1\Crawler\Toolbar\ctbr.dll

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HIJACKTHIS and click on "Fix Checked".

Once complete, please exit HiJackThis.

*===============================================*

Step #4: View hidden files and folders

Next, we need to enable the "Show Hidden Folders" Option. To do this, please do the following:
  • Click Start
  • Open My Computer
  • Select the Tools Menu and click Folder Options
  • Select the View Tab. Under the hidden files and folders heading select Show Hidden Files and Folders.
  • Uncheck the Hide Protected Operating System Files (recommended) option.
  • Click Yes to confirm
  • Click OK.

*===============================================*

Step #5: Delete all bad folders

Open Windows Explorer by right clicking the Start button and left clicking Explore. Navigate to and find the following FOLDERS: If found, delete the following (some may not be present after previous steps):

F:\Program Files\Crawler


After deleting the above folder, please be sure to empty your recycle bin.

*===============================================*

Step #6: Update Java

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
First remove the older versions:
  • Download JavaRa and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • Click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.
Now let's download and install the newest version:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Click on Windows XP/Vista/2000/2003 Offline and save the downloaded file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on the download to install the newest version.
  • Reboot your computer.

*===============================================*

Step #7: Run CCleaner

I see that you already have CCleaner installed on your system. Let's use that to remove all of the old temp files.

CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO
CCleaner should be run with the above settings for each User Account!

*===============================================*

Step #8: Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

*===============================================*

Step #9: Things to put in your next reply

Please post the following in your next reply:
  • A New Hijack This Log
  • Contents of the JavaRa log
  • Contents of the Malwarebytes' Anti-Malware Log

Thanks,
Ken
ktreffin
Retired Graduate
 
Posts: 1864
Joined: February 28th, 2007, 11:12 pm
Location: USA, Florida
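The HijackThis log format Jane posted and the fix-list check Ken describes in Step #3 (which lines are still present to tick in "Do A System Scan Only"), as an added Python example that is not part of this thread or of HijackThis itself. The log excerpt and the post-uninstall log are constructed (modelled on Jane's log); the fix list is the one from Step #3.

```python
"""Parse HijackThis 2.0.x logs and check a helper's fix list against one."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt in HijackThis 2.0.2 format, modelled on the log in this
# thread (a handful of its lines, not the full log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:12:16, on 08/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\PROGRA~1\Crawler\Toolbar\CToolbar.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - F:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - F:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - F:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# The five lines Ken asked to be fixed in Step #3 of this thread.
FIX_LIST = [
    r"O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - F:\PROGRA~1\Crawler\Toolbar\ctbr.dll",
    r"O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - F:\PROGRA~1\Crawler\Toolbar\ctbr.dll",
    r"O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE",
    r"O8 - Extra context menu item: Crawler Search - tbr:iemenu",
    r"O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - F:\PROGRA~1\Crawler\Toolbar\ctbr.dll",
]

# Constructed: the same log after the Crawler toolbar was uninstalled through
# Add/Remove Programs, which (as happened in this thread) takes its own BHO,
# toolbar, context-menu and protocol entries with it, leaving only Alcmtr.
SAMPLE_LOG_AFTER_UNINSTALL = "\n".join(
    line for line in SAMPLE_LOG.splitlines()
    if "crawler" not in line.lower() and "tbr" not in line.lower()
)

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")   # R0-R3, F0-F3, N1-N4, O1-O24
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Entry:
    section: str            # "O4", "O2", ...
    body: str               # everything after "O4 - "
    clsid: Optional[str]    # the {GUID} the entry carries, if any
    target: Optional[str]   # file or command the entry loads, where identifiable


def _target(section: str, body: str) -> Optional[str]:
    """Best-effort: which file/command does this entry point at?"""
    if section == "O4":                       # O4 - HKLM\..\Run: [Name] "cmd" args
        m = re.search(r"\] (.+)$", body)
        if not m:
            return None                       # O4 - Startup: foo.lnk = ... and similar
        cmd = m.group(1)
        return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    if section in {"O2", "O3", "O9", "O18", "O23"}:   # " - " separated, path last
        return body.rsplit(" - ", 1)[-1] if " - " in body else None
    return None


def parse_hjt_log(text: str) -> Tuple[List[str], List[Entry]]:
    """Return (running processes, parsed R/F/N/O entries) from an HJT log."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                          # process list ends at the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            section, body = m.groups()
            guid = GUID_RE.search(body)
            entries.append(Entry(section, body, guid.group(0) if guid else None,
                                 _target(section, body)))
    return processes, entries


def entries_mentioning(entries: List[Entry], needle: str) -> List[Entry]:
    """Entries whose text mentions `needle` (case-insensitive), e.g. a product name."""
    n = needle.lower()
    return [e for e in entries if n in e.body.lower()]


def check_fix_list(log_text: str, fix_lines: List[str]) -> Tuple[List[str], List[str]]:
    """Split a fix list into (present, already gone) against a fresh log.

    Case and whitespace differences are ignored. An entry that vanished (here:
    its program was uninstalled first) cannot be ticked in HJT; report it as gone."""
    norm = lambda s: " ".join(s.split()).lower()
    in_log = {norm(l) for l in log_text.splitlines()}
    present = [l for l in fix_lines if norm(l) in in_log]
    gone = [l for l in fix_lines if norm(l) not in in_log]
    return present, gone


if __name__ == "__main__":
    procs, entries = parse_hjt_log(SAMPLE_LOG)
    for e in entries_mentioning(entries, "crawler"):
        print("Crawler entry:", e.section, e.clsid, e.target)
    present, gone = check_fix_list(SAMPLE_LOG_AFTER_UNINSTALL, FIX_LIST)
    print("still present after uninstall:", present, "| already gone:", len(gone))
```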

Re: Computer switches off at random following virus alert

Post by Jane » August 15th, 2008, 1:09 pm

Ken,

I've done part of the fix, but it's not going exactly as planned so I thought it best to stop and ask questions. I'll copy your response here, and add my comments to it in all capitals--sorry if you feel shouted at, it's just the best way I can think of to make my voice separate from yours. I'll cut some of the steps out to make this reply shorter, but you can assume I've only cut obvious stuff.

Here goes:



Step #1: Temporarily Disable TeaTimer

DONE FINE


Second:
Open Spybot S&D... Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.

DONE WITH NO PROBLEMS

*==============================================*

Step #2: Remove programs using Add / Remove Programs

Please remove the following programs from your computer by completing the following steps:


Crawler Toolbar with Web Security Guard
Do not panic if some programs listed are not present.
Once you have completed removing the above programs, you may exit the Control Panel

CRAWLER REMOVED WITH NO PROBLEMS, ONLY IT TRIED TO GET ME TO CONNECT TO THE INTERNET BEFORE UNINSTALLING. I DIDN'T DO THIS--HOPE THAT WAS RIGHT.

*==============================================*

Step #3: Remove malware lines using Hijack This

Please start HiJackThis as you did to generate a log, but this time click on "Do A System Scan Only".
Place a checkmark in the boxes to the left of the following entries by clicking on them:

O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - F:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - F:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - F:\PROGRA~1\Crawler\Toolbar\ctbr.dll

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HIJACKTHIS and click on "Fix Checked".

Once complete, please exit HiJackThis.

KEN, ONLY ONE OF THOSE LINES WAS PRESENT:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

THE OTHERS WERE NOT THERE ALTHOUGH OTHER SIMILAR ONES WERE, SO I ONLY DELETED ALCMTR.EXE, AND CARRIED ON.


*===============================================*

Step #4: View hidden files and folders

AMAZINGLY, I MANAGED TO DO THIS BIT FINE!
*===============================================*

Step #5: Delete all bad folders

Open Windows Explorer by right clicking the Start button and left clicking Explore. Navigate to and find the following FOLDERS: If found, delete the following (some may not be present after previous steps):

F:\Program Files\Crawler


After deleting the above folder, please be sure to empty your recycle bin.

THAT FOLDER WAS NOT PRESENT, SO I DID NOTHING APART FROM EMPTY MY RECYCLE BIN JUST IN CASE...!

*===============================================*

Step #6: Update Java

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
First remove the older versions:

I ACTUALLY DOWNLOADED ALL THREE DOWNLOADS ONTO ANOTHER MACHINE BEFORE I STARTED, AS THE ONE IN NEED OF THE FIX IS TOO UNSTABLE TO USE.

Download JavaRa and unzip it to your desktop.
Double-click on JavaRa.exe to start the program.
Click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.
Now let's download and install the newest version:

INSTALLATION WORKED FINE ON UNSTABLE COMPUTER.

Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
Click on Windows XP/Vista/2000/2003 Offline and save the downloaded file to your desktop.
Close any programs you may have running - especially your web browser.
Then from your desktop double-click on the download to install the newest version.

COMPUTER SWITCHED ITSELF OFF AND ON AGAIN A COUPLE OF TIMES DURING INSTALLATION PROCESS: INSTALLATION WAS NOT COMPLETE, BUT THE PROGRAM WAS PARTIALLY INSTALLED; WHEN I TRIED TO INSTALL IT AGAIN I WAS TOLD IT WAS ALREADY THERE, ALTHOUGH IT WAS INCOMPLETE, SO EVENTUALLY I USED CONTROL PANEL/ADD AND REMOVE PROGRAMS TO UNINSTALL IT THEN STARTED AGAIN RIGHT FROM THE START OF THIS SECTION WITH JAVA-RA, THEN PUT IN JAVA AGAIN WHICH WORKED FINE.

CONSEQUENTLY I ENDED UP WITH TWO JAVA-RA LOGS, BOTH OF WHICH I'LL PASTE INTO THE END OF THIS REPLY.

Reboot your computer.

*===============================================*

Step #7: Run CCleaner

I DIDN'T DO THIS AS I AM NOT SURE WHAT TO CLEAN AND WHAT TO LEAVE. PLEASE SEE MY QUESTIONS IN EACH SECTION--I HOPE THIS IS CLEAR TO YOU.

I see that you already have CCleaner installed on your system. Let's use that to remove all of the old temp files.

CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!

Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
Then select the items you wish to clean up.

In the Windows Tab:

Clean all entries in the Internet Explorer section except Cookies
Clean all the entries in the Windows Explorer section
Clean all entries in the System section

IN THIS SECTION, SHOULD I CLEAN THE TWO OPTIONS LABELLED "START MENU SHORTCUTS" AND "DESKTOP SHORTCUTS"? THEY ARE SELECTED AND YOU DID SAY TO CLEAN ALL ENTRIES: HOWEVER, TO CLEAN THESE ONES SEEMS WRONG, BUT I'LL ADMIT THAT I KNOW NOTHING ABOUT WHAT I'M DOING HERE.

Clean all entries in the Advanced section
Clean any others that you choose
In the Applications Tab:

Clean all except cookies in the Firefox/Mozilla section if you use it
DON'T USE, NO OPTION AVAILABLE

Clean all in the Opera section if you use it
DON'T USE, NO OPTION AVAILABLE

Clean Sun Java in the Internet Section
SHOULD I CLEAN "FRESH DOWNLOAD" OPTION? I USE IT TO DOWNLOAD STUFF AS MY DIAL-UP CONNECTION IS UNRELIABLE.

Clean any others that you choose

THERE ARE MANY OTHER OPTIONS AUTOMATICALLY SELECTED: SHOULD I UNSELECT THEM, OR ALLOW THEM? THEY ARE:
APPLICATIONS: ADOBE READER 8.0, MS OFFICE PICTURE MANAGER
MULTIMEDIA: ADOBE FLASH PLAYER; WINDOWS MEDIA PLAYER
UTILITIES: SPYBOT SEARCH AND DESTROY
WINDOWS: MS MANAGEMENT CONSOLE; MS WORDPAD; REGEDIT

(THAT LAST ONE SEEMS PARTICULARLY SCARY).


THAT'S AS FAR AS I WENT WITH IT. MY NEW HIJACK THIS LOG FOLLOWS, ALONG WITH THE TWO JAVA-RA LOGS WHICH I GENERATED. THANKS FOR THE HELP, AND I'LL LOOK FORWARD TO HEARING FROM YOU AS SOON AS YOU CAN MANAGE IT (SOONER WOULD BE MUCH APPRECIATED, AS UNTIL I GET THIS FIXED I CAN'T WORK AND I'M ON DEADLINE FOR A COUPLE OF THINGS... BUT I DO KNOW YOU'RE BUSY, SO I WILL TRY MY BEST TO BE PATIENT!)



FIRST JAVA RA LOG:

JavaRa 1.11 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Fri Aug 15 17:16:48 2008

Found and removed: F:\Program Files\Java\jre1.5.0
Found and removed: F:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64
Found and removed: F:\Windows\System32\jpicpl32.cpl
Found and removed: Software\JavaSoft\Java2D\1.5.0
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D510000
Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510000
Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D510000
Found and removed: SOFTWARE\Classes\JavaPlugin.150
Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0
Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.5.0
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5.0
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D510000
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510000
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150000}
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.5.0
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01
------------------------------------
Finished reporting.


SECOND JAVA-RA LOG:

JavaRa 1.11 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Fri Aug 15 17:16:48 2008

Found and removed: F:\Program Files\Java\jre1.5.0
Found and removed: F:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64
Found and removed: F:\Windows\System32\jpicpl32.cpl
Found and removed: Software\JavaSoft\Java2D\1.5.0
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D510000
Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510000
Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D510000
Found and removed: SOFTWARE\Classes\JavaPlugin.150
Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0
Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.5.0
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5.0
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D510000
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510000
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150000}
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.5.0
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01
------------------------------------
Finished reporting.

JavaRa 1.11 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Fri Aug 15 17:22:35 2008

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}
------------------------------------
Finished reporting.
Jane
Regular Member
 
Posts: 15
Joined: August 8th, 2008, 1:17 pm

Re: Computer switches off at random following virus alert

Unread postby Jane » August 15th, 2008, 1:16 pm

Ken,

I just made the previous post, realised I'd not given you a fresh Hijack This log... and my computer restarted itself again. So here is a new one, now I'm back.

I'll look forward to your next round of instruction. Many thanks for your time, and your expertise--I'd be lost without you.

Jane



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:11:57, on 15/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\savedump.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\hkcmd.exe
F:\WINDOWS\system32\igfxpers.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\ScanSoft\OmniPageSE\opware32.exe
F:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
F:\Program Files\Ahead\InCD\InCD.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
F:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
F:\Program Files\Olympus\DeviceDetector\DM1Service.exe
F:\Program Files\Spyware Terminator\sp_rsser.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\dumprep.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\WINDOWS\system32\dwwin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco internet access
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - F:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll
O4 - HKLM\..\Run: [USRpdA] F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [igfxtray] F:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] F:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] F:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Omnipage] F:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Samsung Common SM] "F:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] F:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "F:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dragon NaturallySpeaking.lnk = F:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
O4 - Global Startup: Device Detector 3.lnk = F:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Directrec Configuration Tool.lnk = F:\Program Files\Olympus\DSSPlayerPro\DirectrecConfig.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FreshDownload - {A7C6D697-2B0C-4BAE-B203-E10EA815DFC1} - F:\Program Files\FreshDevices\FreshDownload\fd.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/ ... 0330356531
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0092568248
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0095313154
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - F:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - F:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 8407 bytes
Jane
Regular Member
 
Posts: 15
Joined: August 8th, 2008, 1:17 pm

Re: Computer switches off at random following virus alert

Unread postby ktreffin » August 15th, 2008, 10:15 pm

Hi Jane,

You did really well!! :) Awesome job! :thumbleft: I know that was a lot to throw at you, but you really did well. Looking at your log, Crawler is gone, which is good, and the log does show the current version of Java. Yeah...You did it!! :D

Have you noticed any change in the system? Anything running better or worse?

Let's get you through the rest of it now.

CRAWLER REMOVED WITH NO PROBLEMS, ONLY IT TRIED TO GET ME TO CONNECT TO THE INTERNET BEFORE UNINSTALLING. I DIDN'T DO THIS--HOPE THAT WAS RIGHT.


Good choice....That program was bad, and who knows what it would have brought with it if you connected.

KEN, ONLY ONE OF THOSE LINES WAS PRESENT:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

THE OTHERS WERE NOT THERE ALTHOUGH OTHER SIMILAR ONES WERE, SO I ONLY DELETED ALCMTR.EXE, AND CARRIED ON.


That is fine. They were taken care of during the uninstalling of Crawler.
Step #4: View hidden files and folders

AMAZINGLY, I MANAGED TO DO THIS BIT FINE!

Awesome job!! :D

THAT FOLDER WAS NOT PRESENT, SO I DID NOTHING APART FROM EMPTY MY RECYCLE BIN JUST IN CASE...!

Again, no problem.

As far as the temp files go, let's try this: instead of CCleaner, let's go with something a little simpler for you to use:

Step #1 : Download and Run ATF Cleaner

Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Click Exit on the Main menu to close the program.

After you run ATF Cleaner, do the Malwarebytes' part:

*===============================================*

Step #2: Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

*===============================================*

Step #3: Things to put in your next reply

Please post the following in your next reply:
  • A New Hijack This Log
  • Contents of the Malwarebytes' Anti-Malware Log

You really are doing great. It was good that you stopped and asked questions when you needed to. Don't hesitate to do that again if needed.

Thanks,
Ken
ktreffin
Retired Graduate
 
Posts: 1864
Joined: February 28th, 2007, 11:12 pm
Location: USA, Florida
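
Ken's reply above reads two things off Jane's log by eye: whether the old Java runtime is really gone, and which auto-start entries are left. Those checks, and the crash evidence the same log carries, can be done mechanically. The script below is an added example written for this thread; it is not code from MalwareRemoval.com, from Ken, or from HijackThis. It parses a constructed excerpt of the HijackThis log posted above, flags Run values that name a bare executable (found by PATH search, the form of the ALCMTR.EXE entry Ken had Jane delete), lists the JRE versions referenced anywhere in the log, picks out the "(no name)" BHO, and collects what Windows XP leaves behind after a bugcheck: the KernelFaultCheck Run value and the savedump/dumprep/dwwin processes that appear in the log taken right after the machine restarted itself. The decode_wer function parses the "BCCode : ... BCP1 : ..." summary line of the kind Jane pastes from the "serious error" dialog; its stop-code name table is an assumption limited to the two codes that appear in this thread.

```python
"""Added example for this thread (not code from MalwareRemoval.com, Ken or
HijackThis): mechanical triage of a HijackThis v2 log plus a parser for the
XP 'serious error' summary line. The samples are constructed excerpts of the
logs in this thread; the stop-code table is limited to the codes seen here."""
import re

# Constructed excerpt: lines copied from the HijackThis logs in this thread.
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
F:\WINDOWS\system32\savedump.exe
F:\WINDOWS\system32\dumprep.exe
F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\WINDOWS\system32\dwwin.exe

O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
"""
# The error-report summary Jane pastes in her later post, as a constant.
SAMPLE_WER = ("BCCode : 10000012 BCP1 : 00000002 BCP2 : 8001003B BCP3 : 00000000 "
              "BCP4 : 00000000 OSVer : 5_1_2600 SP : 3_0 Product : 256_1")

ENTRY = re.compile(r"^(?P<kind>[ORFN]\d+) - (?P<body>.*)$")
RUN = re.compile(r"^(?P<hive>.+?\\Run[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
JRE = re.compile(r"\\jre(\d+\.\d+\.\d+(?:_\d+)?)\\", re.IGNORECASE)
WER = re.compile(r"\b(BCCode|BCP[1-4]) : ([0-9A-Fa-f]+)")

# What XP leaves running on the boot after a bugcheck: savedump copies the
# dump out of the pagefile, dumprep and dwwin build and offer the error report.
CRASH_PROCS = {"savedump.exe", "dumprep.exe", "dwwin.exe"}
STOP_CODES = {0x12: "TRAP_CAUSE_UNKNOWN", 0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED"}


def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(kind, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line == "Running processes:":
            in_procs = True
        elif m := ENTRY.match(line):
            in_procs = False
            entries.append((m["kind"], m["body"]))
        elif in_procs:
            processes.append(line)
    return processes, entries


def run_image(cmd):
    """Executable a Run value launches: the quoted string, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(text):
    """Pull out the findings a helper reads off the log by hand."""
    processes, entries = parse_hjt(text)
    out = {"path_search_run": [], "unnamed_bhos": [], "crash_evidence": [], "jre": set()}
    for kind, body in entries:
        out["jre"].update(JRE.findall(body))
        if kind == "O4" and (m := RUN.match(body)):
            image = run_image(m["cmd"])
            # A bare file name is resolved by PATH search, so the log alone does
            # not say which file runs (the Alcmtr entry Ken had deleted is one).
            if "\\" not in image and not image.startswith("%"):
                out["path_search_run"].append((m["name"], image))
            if m["name"] == "KernelFaultCheck":
                out["crash_evidence"].append("KernelFaultCheck Run value: a kernel crash report is queued")
        elif kind == "O2" and (m := BHO.match(body)) and m["name"] == "(no name)":
            out["unnamed_bhos"].append((m["clsid"], m["path"]))
    for proc in processes:
        out["jre"].update(JRE.findall(proc))
        name = proc.rsplit("\\", 1)[-1].lower()
        if name in CRASH_PROCS:
            out["crash_evidence"].append(f"{name} running: post-bugcheck dump/report activity")
    out["jre"] = sorted(out["jre"])  # two or more versions = an old runtime left behind
    return out


def decode_wer(summary):
    """Parse an XP 'serious error' summary line into its bugcheck fields."""
    fields = {k: int(v, 16) for k, v in WER.findall(summary)}
    base = fields["BCCode"] & 0x0FFFFFFF  # 0x10000012 -> 0x12, 0x1000008E -> 0x8E
    out = {"stop_code": base, "stop_name": STOP_CODES.get(base, "unknown"),
           # bit 28 marks the form the reporting path records; 0x1000008E is the
           # documented KERNEL_MODE_EXCEPTION_NOT_HANDLED_M variant of 0x8E
           "reported_variant": bool(fields["BCCode"] & 0x10000000),
           "params": [fields.get(f"BCP{i}", 0) for i in range(1, 5)]}
    if base == 0x8E:  # BCP1 is then the NTSTATUS exception code, BCP2 the faulting address
        out["exception_is_error"] = out["params"][0] >> 30 == 3
        out["fault_address"] = out["params"][1]
    return out
```

Calling triage(SAMPLE_HJT) returns the two PATH-searched Run values (Alcmtr and RTHDCPL), the single JRE version 1.6.0_07 (so nothing older was left behind, which is what Ken confirms), the unnamed FreshDownload BHO by CLSID, and four pieces of crash evidence; decode_wer(SAMPLE_WER) reports stop code 0x12 (TRAP_CAUSE_UNKNOWN) in its reported form with parameters 2, 0x8001003B, 0, 0. On the crash evidence the script only says that the machine bugchecked; what caused it is a question for the dump itself, not for the HijackThis log.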

Re: Computer switches off at random following virus alert

Unread postby Jane » August 18th, 2008, 5:31 am

Ken,

I’m getting a friend to post this, as the phone cable to our house was dug up and snapped during drainage works today (Saturday), and I don’t know when it will be fixed: last time we had a phone problem it took BT over a month to fix it and we were without a phone for all that time. So don’t expect me back too soon, but please don’t close this thread until I’m back online: I’ll post here as soon as I can.

Thanks for your help so far. Before the phone cable went I downloaded and ran the ATF utility, the Malwarebytes scan (which found nothing), and rescanned with Hijack This: the two logfiles follow.

The computer hasn’t shut down and restarted itself since I started it up, which is what it was doing before. However, when I just restarted it, I got an error message which told me that the system had recovered from a serious error, and to please tell Microsoft about it. As I can’t connect to the internet at present I didn’t tell anyone but this is what I could copy from the error message, along with the log it created:

The system has recovered from a serious error.

Please tell Microsoft about this problem.


BCCode : 10000012 BCP1 : 00000002 BCP2 : 8001003B BCP3 : 00000000
BCP4 : 00000000 OSVer : 5_1_2600 SP : 3_0 Product : 256_1

The overall speed and reliability of the computer is much improved compared to how it was before, but there are still a couple of problems.

I use Dragon Naturally Speaking Preferred v8 extensively and can’t load my user files. This is new, but I don’t think I’ve used DNS since I realised the virus had started. Each time I open the program now I get the following error message:

“The signal processing file could not be loaded. Check dragon.log for problems.”

I’ll add a copy of the more recent part of that dragon log to the end of this report: I won’t post it all, as it runs to over 200 pages in Word, and there are about 30 pages of it if I give you everything from when that error message first appeared. So I’ll just give you the most recent entry! Let me know if you need any more of it. Do you think that this is something significant? I guess I’ll have to reinstall Dragon, but let me know if there’s a better way round this.

I’ve also now got a problem with Word (the one I’m using is part of Office 2000): when I open a file (for example, that Dragon log I just pasted in), if I scroll down through the pages quickly, the computer can’t quite keep up: a single line of the text repeats itself down the screen, as if it’s stuck, and the only way to clear it is to click on another open window, and then back to Word, by which time it will usually have righted itself. This is a new problem so I do wonder if it’s part of the virus problem.

I’m hesitant to use the computer for much until I get the all-clear from you so I’m not sure if any other programs are affected. I’ll let you know if I find anything else.

Thanks for all your help so far. Let me know if you think it’s clean: I’ll come back as soon as I can.

Jane

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:19, on 16/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\hkcmd.exe
F:\WINDOWS\system32\igfxpers.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\ScanSoft\OmniPageSE\opware32.exe
F:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
F:\Program Files\Ahead\InCD\InCD.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
F:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
F:\Program Files\Olympus\DeviceDetector\DM1Service.exe
F:\Program Files\Spyware Terminator\sp_rsser.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco internet access
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - F:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll
O4 - HKLM\..\Run: [USRpdA] F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [igfxtray] F:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] F:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] F:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Omnipage] F:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Samsung Common SM] "F:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] F:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "F:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dragon NaturallySpeaking.lnk = F:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
O4 - Global Startup: Device Detector 3.lnk = F:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Directrec Configuration Tool.lnk = F:\Program Files\Olympus\DSSPlayerPro\DirectrecConfig.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FreshDownload - {A7C6D697-2B0C-4BAE-B203-E10EA815DFC1} - F:\Program Files\FreshDevices\FreshDownload\fd.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/ ... 0330356531
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0092568248
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0095313154
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - F:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - F:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 8277 bytes



Malwarebytes' Anti-Malware 1.24
Database version: 1056
Windows 5.1.2600 Service Pack 3

10:48:32 16/08/2008
mbam-log-8-16-2008 (10-48-32).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 118610
Time elapsed: 39 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Dragon.log:

Dragon Systems error log started Sunday, August 17, 2008 12:21:53
12:21:53 Starting process F:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe (ENX)
12:21:53 LOG (MainWin): Windows user has administrative access to NatSpeak
12:21:53 WTSRegisterSessionNotification error 6a6
12:21:53 Dragon NaturallySpeaking Version 8.10.000.279
12:21:55 OS: Windows XP build 2600 (Service Pack 3)
12:21:55 Locale: 809
12:21:55 Multimedia: SB Live! 24-bit(1.101)
12:21:55 QuickStart
12:21:55 Marshaler: Microsoft, Version 4.0.4.2512
12:21:55 Doing QuickCheck of installation...
12:21:55 Edition: Preferred
12:21:55 Edition history: <empty>
12:21:55 File F:\WINDOWS\system32\comctl32.dll: Version 5.82.2900.5512
12:21:55 File F:\WINDOWS\system32\riched20.dll: Version 5.30.23.1230
12:21:55 File F:\WINDOWS\system32\riched32.dll: Version 5.1.2600.0, LanguageID 0x0409
12:21:55 File F:\WINDOWS\system32\comdlg32.dll: Version 6.0.2900.5512
12:21:55 File F:\WINDOWS\system32\user32.dll: Version 5.1.2600.5512
12:21:55 File F:\WINDOWS\system32\oleacc.dll: Version 4.2.5406.0
12:21:55 File F:\WINDOWS\speech\speech.dll: Version 4.0.4.2512
12:21:55 File F:\WINDOWS\speech\vcmd.exe: Version 4.0.4.2512
12:21:55 File F:\WINDOWS\speech\vcmshl.dll: Version 4.0.4.2512
12:21:55 File F:\PROGRA~1\ScanSoft\NATURA~1\Program\dnstk10.dll: Version 8.10.0.279
12:21:55 File F:\PROGRA~1\ScanSoft\NATURA~1\Program\dd10enum.dll: Version 8.10.0.279
12:21:55 File F:\PROGRA~1\ScanSoft\NATURA~1\Program\dd10edit.dll: Version 8.10.0.279
12:21:55 File f:\PROGRA~1\ScanSoft\NATURA~1\Program\nstex50.dll: Version 8.10.0.279
12:21:55 Internet Explorer: Version 7.0.5730.13
12:21:55 QuickCheck Passed.
12:21:56 Server Version 8.00.000.023
12:21:56 Tokenizer: 7.90.000.036
12:21:56 MREC version 0.11.9574 inmss (Intel Win32 MSVC++ 7.1 Small Ship)
12:21:56 Compiled 2005-02-24 15:52:21
12:21:56 MREC CPM: 3195919; SRSF: 3172.9; #CPUs: 2; PageSize: 4096; AllocGran: 65536
12:21:56 MREC CPUID: GenuineIntel, Fam 15, Mod 4, Step 3, Type 0, (Intel(R) Pentium(R) 4 CPU 3.20GHz) with MMX, CMOV, SSE(XMM), SSE2, HTT(2lpu), 12K L1I, ?K L1D, 0K L2, ?K L3
12:21:56 MREC MachineMemory: 2147483647 RAM, 4294967295 PageFile
12:21:56 Info: language from registry 1 2
12:21:56 Info: server language id 1
12:23:01 Starting process F:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe (ENX)
12:23:02 NatSpeak was just started, but a previously running copy of NatSpeak was detected.
12:23:02 Passing command line to already running voicebar.
12:23:03 Copy protection check OK, you may proceed. State = 0x1
12:23:03 Final Termination
12:23:05 Info: found new voc version string
12:23:05 LOG (VBar): User 'F:\Documents and Settings\All Users\Application Data\ScanSoft\NaturallySpeaking8\Users\Jane Smith' is LOCAL
12:23:05 Roaming: roamingUserCurrentUserIsRoaming = 0
12:23:06 Opening user file F:\Documents and Settings\All Users\Application Data\ScanSoft\NaturallySpeaking8\Users\Jane Smith\current\voice\eng_large.usr
12:23:06 Roaming: Setting roamingUserCurrentUserIsRoaming reverting to 0
12:23:06 (d:\el4\ns\voicebar\voicebar.cpp,6917) : interfaces.pDgnSRTopic2()->Select() returned unexpected value E_FAIL (0x80004005).
12:23:06
12:23:06 The signal processing file could not be loaded. Check dragon.log for problems.
12:25:54 Final Termination

END OF DRAGON LOG
Jane
Regular Member
 
Posts: 15
Joined: August 8th, 2008, 1:17 pm

Re: Computer switches off at random following virus alert

Unread postby Jane » August 18th, 2008, 10:57 am

Ken, our phone line is connected for a while so I've got online, and have managed a bit of work--but the computer has just shut down and restarted itself again, just as it did when the virus first started.

It took longer this time: about 30 minutes. But it was exactly the same: no warning, just an abrupt closedown as if the power had failed, then it started itself right up again.

I came here to let you know, and the computer froze for a while (couple of minutes), and wouldn't respond at all. I left it alone, and eventually it was responsive again.

It was as if I was running something very memory-intensive: but I wasn't, just this IE window and a MS Outlook window.

Any suggestions?
Jane
Regular Member
 
Posts: 15
Joined: August 8th, 2008, 1:17 pm

Re: Computer switches off at random following virus alert

Unread postby Jane » August 18th, 2008, 12:57 pm

There's more going on. Spyware Terminator just tried to update itself automatically. On its update screen I read that Spyware Terminator was part of the Crawler Toolbar, which I remembered you warning me about: so I cut the internet connection, and closed down the update.

In an attempt to reduce the damage I then tried to uninstall Spyware Terminator, via control panel/add and remove programs, but got an error message which referred to "error: 6" I think: then the "add and remove programs" screen froze. I closed it using ctrl/alt/del, and have tried again and it's permanently frozen and unresponsive.

What do I do next?
Jane
Regular Member
 
Posts: 15
Joined: August 8th, 2008, 1:17 pm

Re: Computer switches off at random following virus alert

Unread postby ktreffin » August 18th, 2008, 8:37 pm

Hi Jane,

Sounds like a whole bunch of things are happening. I am sorry to hear about all of the troubles. A little ray of hope....Malwarebytes' Anti-Malware didn't find anything which is good, and right now the HijackThis log that you posted looks good (except the Spyware Terminator entries). :thumbleft:

Seeing that you have tried to uninstall Spyware Terminator since the last HijackThis log was done, let's start by getting a new one.

Please post a new HijackThis log for review.

Jane, I do want you to understand that there are many things that can cause an unexpected system shut-down. One of the main culprits happens to be over-heating. So far, there is not a lot of indication that malware is to blame for this. This doesn't mean that we are quite done however. Let's get a new HijackThis log right now and see what that shows.

Couple of questions for you:
1) How old is your computer?
2) Have you ever cleaned the inside of the computer (i.e. open cover and blow out dust etc.)?

And one other question:
1) When your computer shuts down, do you see a blue screen with an error code (something like 0x000000)? If you see the blue screen, does it stop until you restart it, or does the blue screen flash and then the system restarts itself automatically?

I know that you are anxious to get this resolved, and trust me when I say that I am working hard to help you; however, if you could resist the temptation to uninstall other components, or make any other significant changes, you will ensure the process goes as smoothly as possible.

Let me know what else is happening, and if you could post a new HijackThis log, that would be great.. :)

Thanks,
Ken
ktreffin
Retired Graduate
 
Posts: 1864
Joined: February 28th, 2007, 11:12 pm
Location: USA, Florida

Re: Computer switches off at random following virus alert

Unread postby Jane » August 19th, 2008, 2:43 am

Ken, thanks for getting back to me so quickly.

To answer your questions, my computer is a couple of years old; I had a new hard drive (F) installed under warranty a couple of months ago, as the original one failed, and at that time I cleared out all the fluff (which wasn't too bad: I'd done it before, as ours is a very dusty house).

When the computer shuts down the screen just goes black, without any warning. Then it restarts without my prompting, and sometimes I get a message asking me to send an error report to MS. There's no blue screen, and no error message before the shut-down.

I understand your concerns regarding the computer's own possible instability: I'll speak to my supplier, who also happens to be a friend, and ask him to look at it from that point of view, if that's not going to interfere with what you're doing here.

Meanwhile, last night it kept on shutting down, just like it did before you helped me clear that "Crawler bar" malware from it. It did have a while of behaving itself after you showed me how to clean it, and only started on the frequent shut-downs after Spyware Terminator did its update thing, where I spotted the reference to Crawler Toolbar. And do you have any idea why Spyware Terminator detailed Crawler when it started updating? Is it part of the program?

I've edited out the Hijack This log I posted here, as I've since uninstalled ST and posted a second new log. Let me know if you need to see the log that was here, and I'll put it up again.

Jane
Last edited by Jane on August 19th, 2008, 3:50 am, edited 1 time in total.
Jane
Regular Member
 
Posts: 15
Joined: August 8th, 2008, 1:17 pm

Re: Computer switches off at random following virus alert

Unread postby Jane » August 19th, 2008, 3:48 am

Ken, I've just had a better look at Spyware Terminator, and found that Crawler does seem to be part of it: here's what I did.

Open Spyware Terminator

Click on the “settings” tab on the top.
Click on the “Web Security Guard” tab on the left-hand side.

A window opens which contains the following text:


Spyware Terminator Setup Assistant

Install Web Security Guard
Enhance your Computer Security

(snipped some text out here)

Web Security Guard is part of Crawler Toolbar



I have now uninstalled it, just in case: so here's a new Hijack This log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:47:47, on 19/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\hkcmd.exe
F:\WINDOWS\system32\igfxpers.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\ScanSoft\OmniPageSE\opware32.exe
F:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
F:\Program Files\Ahead\InCD\InCD.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
F:\Program Files\Olympus\DeviceDetector\DM1Service.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\WINDOWS\system32\wuauclt.exe
F:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Microsoft Office\Office\WINWORD.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco internet access
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - F:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll
O4 - HKLM\..\Run: [USRpdA] F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [igfxtray] F:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] F:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] F:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Omnipage] F:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Samsung Common SM] "F:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] F:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dragon NaturallySpeaking.lnk = F:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
O4 - Global Startup: Device Detector 3.lnk = F:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Directrec Configuration Tool.lnk = F:\Program Files\Olympus\DSSPlayerPro\DirectrecConfig.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FreshDownload - {A7C6D697-2B0C-4BAE-B203-E10EA815DFC1} - F:\Program Files\FreshDevices\FreshDownload\fd.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/ ... 0330356531
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0092568248
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0095313154
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE4CAD89-825D-4131-ABA7-158C8978CA0E}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - F:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - F:\Program Files\Ahead\InCD\InCDsrv.exe

--
End of file - 8204 bytes
Jane
Regular Member
 
Posts: 15
Joined: August 8th, 2008, 1:17 pm

Re: Computer switches off at random following virus alert

Unread postby ktreffin » August 19th, 2008, 2:51 pm

Hi Jane,

thanks for getting back to me so quickly.

No Problem! Hopefully we can get this resolved for you.

Your HijackThis log looks good. I do not see any signs of Spyware Terminator remaining so the un-install was successful. If Spyware Terminator was related to Crawler, then yes, it is definitely bad and you should stay away from it.

If we can, I would like to get a couple of more logs just to make sure nothing is being missed. Please do the following:

Step #1: Run Kaspersky Online Scan

Please go to Kaspersky website to perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to your desktop by changing the Files of type to Text file (.txt) before clicking on the Save button.
  • Now close the window.

*===============================================*

Step #2: Download and Run OTScanIt

  1. Please download OTScanIt.exe from Bleeping Computer by OldTimer and save it to your desktop.
  2. Double click on OTScanIt.exe to run it.
  3. Click on Extract. Once done, you will be prompted. Click OK and click Close.
  4. Double click on the OTScanIt folder. Double click on OTScanIt.exe to run it.
  5. Under Drivers section, select Non-Microsoft.
  6. Click on the Run Scan button at the top left hand corner.
  7. OTScanIt will start running. Once done, Notepad will open. Please post the contents of this Notepad file in your next reply.

*===============================================*

Step #3: Things to put in your next reply

Please post the following in your next reply:
  • Contents of the Kaspersky Online Scan Log
  • Contents of the OTScanIt Log

Thanks,
Ken
ktreffin
Retired Graduate
 
Posts: 1864
Joined: February 28th, 2007, 11:12 pm
Location: USA, Florida
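Once the report from Step #1 has been saved as a text file, the first useful question for whoever reads it is which hits sit inside mail stores (.dbx and .pst archives of old messages, where HTML phishing detections are stored e-mail rather than running code) and which sit in executable code. The following is an added example, not part of this thread and not a Kaspersky tool: it parses the "File name / Threat name / Threats count" lines in the shape the Kaspersky Online Scanner 7 text report uses and sorts them by location and threat platform. The sample report is constructed here with made-up paths, and the extension lists and triage rules are the example's own assumptions, not anything Kaspersky documents.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of a Kaspersky Online Scanner 7 text report.
# Paths and user names are made up; the line format is the one the report uses.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
iexplore.exe\FDCatch.dll/iexplore.exe\FDCatch.dll Infected: Backdoor.Win32.Hupigon.tsy 1
C:\Documents and Settings\User\Email backup files\Inbox.dbx Infected: Trojan-Spy.HTML.Bayfraud.em 1
C:\Documents and Settings\User\Email backup files\Sent Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
F:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 11
F:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Infected: Trojan-Downloader.HTML.Agent.km 3

The selected area was scanned.
"""

# One hit line reads "<path> Infected: <threat> <count>" or "<path> Suspicious: <threat> <count>".
# The path may contain spaces, so the verdict keyword is matched from the right.
HIT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Assumed classification tables for this example.
MAIL_STORE_EXTS = {".dbx", ".pst", ".ost"}            # Outlook Express / Outlook message stores
CODE_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr"}  # native code that can actually execute


@dataclass(frozen=True)
class Hit:
    path: str
    verdict: str   # "Infected" or "Suspicious"
    threat: str
    count: int

    @property
    def container(self) -> str:
        # Nested objects are joined with '/', e.g. archive.zip/inner.exe; the first
        # segment is the on-disk file the detection was found inside.
        return self.path.split("/")[0]

    @property
    def platform(self) -> str:
        # Kaspersky names read Behaviour.Platform.Family.variant, so
        # Trojan-Spy.HTML.Fraud.gen -> HTML and Backdoor.Win32.Hupigon.tsy -> Win32.
        parts = self.threat.split(".")
        return parts[1] if len(parts) > 1 else "unknown"


def parse_report(text: str) -> List[Hit]:
    """Return every hit line of the report; header, statistics and footer lines do not match."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], m["verdict"], m["threat"], int(m["count"])))
    return hits


def triage(hit: Hit) -> str:
    """Heuristic bucket: 'mail-store' (stored HTML mail), 'code' (native code), or 'other'."""
    ext = ntpath.splitext(hit.container)[1].lower()
    if ext in MAIL_STORE_EXTS and hit.platform == "HTML":
        return "mail-store"
    if ext in CODE_EXTS or hit.platform == "Win32":
        return "code"
    return "other"


def summarize(text: str) -> Dict[str, object]:
    """Counts per verdict and per triage bucket, plus the code hits that need attention first."""
    by_verdict: Counter = Counter()
    by_triage: Counter = Counter()
    code_hits: List[Hit] = []
    for hit in parse_report(text):
        bucket = triage(hit)
        by_verdict[hit.verdict] += hit.count
        by_triage[bucket] += hit.count
        if bucket == "code":
            code_hits.append(hit)
    return {"by_verdict": by_verdict, "by_triage": by_triage, "code_hits": code_hits}


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print("by verdict:", dict(result["by_verdict"]))
    print("by triage :", dict(result["by_triage"]))
    for hit in result["code_hits"]:
        print("code hit  :", hit.threat, "in", hit.container)
```

Hits in the code bucket are the ones to look at first; mail-store hits usually mean the detected messages should be deleted from the mail client or the archive rescanned after cleanup, not that the system is running malware. The triage is a heuristic to order the reading of the report, and the report lines themselves remain the evidence.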

Re: Computer switches off at random following virus alert

Unread postby Jane » August 20th, 2008, 12:55 pm

Ken, that Kaspersky scan was interesting to do with only a dial-up connection--it took all day! It did report that there were a couple of viruses on the computer.



Here are the logfiles you asked for. Let me know what to do next.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 20, 2008 14:03:41
Records in database: 1113861
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 79186
Threat name: 5
Infected objects: 9
Suspicious objects: 46
Duration of the scan: 01:19:14


File name / Threat name / Threats count
iexplore.exe\FDCatch.dll/iexplore.exe\FDCatch.dll Infected: Backdoor.Win32.Hupigon.tsy 1
C:\Documents and Settings\Jane Smith\Email backup files\Inbox.dbx Infected: Trojan-Spy.HTML.Bayfraud.em 1
C:\Documents and Settings\Jane Smith\Email backup files\Sent Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\Documents and Settings\Jane Smith\Jane--second disk\Email backup\Sent Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\Documents and Settings\Jane Smith\Jane--second disk\Email backup\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\Jane Smith\Jane--second disk\My Documents\Email backup files\Inbox.dbx Infected: Trojan-Spy.HTML.Bayfraud.em 1
C:\Documents and Settings\Jane Smith\Jane--second disk\My Documents\Email backup files\Sent Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\My Documents\Email backup files\Inbox.dbx Infected: Trojan-Spy.HTML.Bayfraud.em 1
C:\My Documents\Email backup files\Sent Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
F:\Documents and Settings\Jane\Local Settings\Application Data\Identities\{A84C5CCA-9037-4DC0-B4A1-A308195E1B77}\Microsoft\Outlook Express\backup\Email backup\Sent Items2.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
F:\Documents and Settings\Jane\Local Settings\Application Data\Identities\{A84C5CCA-9037-4DC0-B4A1-A308195E1B77}\Microsoft\Outlook Express\backup\Email backup\Sent Items2.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 3
F:\Documents and Settings\Jane\Local Settings\Application Data\Identities\{A84C5CCA-9037-4DC0-B4A1-A308195E1B77}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
F:\Documents and Settings\Jane\Local Settings\Application Data\Identities\{A84C5CCA-9037-4DC0-B4A1-A308195E1B77}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 3
F:\Documents and Settings\Jane\Local Settings\Application Data\Identities\{A84C5CCA-9037-4DC0-B4A1-A308195E1B77}\Microsoft\Outlook Express\Sent Items2.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
F:\Documents and Settings\Jane\Local Settings\Application Data\Identities\{A84C5CCA-9037-4DC0-B4A1-A308195E1B77}\Microsoft\Outlook Express\Sent Items2.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 3
F:\Documents and Settings\Jane\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 11
F:\Documents and Settings\Jane\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Infected: Trojan-Downloader.HTML.Agent.km 3
F:\Documents and Settings\Jane\My Documents\Email backup files\Inbox.dbx Infected: Trojan-Spy.HTML.Bayfraud.em 1
F:\Documents and Settings\Jane\My Documents\Email backup files\Sent Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
F:\Documents and Settings\Jane\My Documents\Jane--second disk\Email backup\Sent Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
F:\Documents and Settings\Jane\My Documents\Jane--second disk\Email backup\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 3
F:\Documents and Settings\Jane\My Documents\Jane--second disk\My Documents\Email backup files\Inbox.dbx Infected: Trojan-Spy.HTML.Bayfraud.em 1
F:\Documents and Settings\Jane\My Documents\Jane--second disk\My Documents\Email backup files\Sent Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2

The selected area was scanned.


____________________________________________________



OTScanIt logfile created on: 20/08/2008 17:51:10
OTScanIt by OldTimer - Version 1.0.16.2     Folder = F:\Documents and Settings\Jane\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
 
2.00 Gb Total Physical Memory | 1.99 Gb Available Physical Memory | 99.26% Memory free
4.00 Gb Paging File | 3.99 Gb Available in Paging File | 99.87% Paging File free
Paging file location(s): F:\pagefile.sys 2046 4092;
 
%SystemDrive% = F: | %SystemRoot% = F:\WINDOWS | %ProgramFiles% = F:\Program Files
Drive C: | 186.31 Gb Total Space | 175.53 Gb Free Space | 94.22% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 74.52 Gb Total Space | 55.37 Gb Free Space | 74.30% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JANE-B9A2F43222
Current User Name: Jane
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
incdsrv.exe -> %ProgramFiles%\Ahead\InCD\InCDsrv.exe -> Nero AG [Ver = 4, 3, 15, 1 | Size = 869888 bytes | Modified Date = 13/05/2005 17:11:14 | Attr =    ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 16056 bytes | Modified Date = 19/07/2008 15:25:06 | Attr =    ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 147640 bytes | Modified Date = 19/07/2008 15:38:28 | Attr =    ]
hkcmd.exe -> %SystemRoot%\system32\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4384 | Size = 77824 bytes | Modified Date = 24/08/2005 12:47:18 | Attr =    ]
igfxpers.exe -> %SystemRoot%\system32\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4384 | Size = 114688 bytes | Modified Date = 24/08/2005 12:51:12 | Attr =    ]
rthdcpl.exe -> %SystemRoot%\RTHDCPL.exe -> Realtek Semiconductor Corp. [Ver = 2.0.1.7 | Size = 14854144 bytes | Modified Date = 22/09/2005 13:36:20 | Attr =    ]
opware32.exe -> %ProgramFiles%\ScanSoft\OmniPageSE\opware32.exe -> ScanSoft, Inc [Ver = 11.0 | Size = 49152 bytes | Modified Date = 03/06/2002 11:38:12 | Attr =    ]
ssmmgr.exe -> %SystemRoot%\Samsung\ComSMMgr\SSMMgr.exe -> Samsung Electronics. [Ver = 1, 3, 0, 0 | Size = 372736 bytes | Modified Date = 03/07/2005 08:20:49 | Attr =    ]
incd.exe -> %ProgramFiles%\Ahead\InCD\InCD.exe -> Nero AG [Ver = 4, 3, 15, 1 | Size = 1397760 bytes | Modified Date = 13/05/2005 16:11:39 | Attr =    ]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 78008 bytes | Modified Date = 19/07/2008 15:38:34 | Attr =    ]
hpztsb04.exe -> %SystemRoot%\system32\spool\drivers\w32x86\3\hpztsb04.exe -> HP [Ver = 2,80,0,0 | Size = 196608 bytes | Modified Date = 07/11/2001 17:45:11 | Attr =    ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 144784 bytes | Modified Date = 10/06/2008 04:27:04 | Attr =    ]
natspeak.exe -> %ProgramFiles%\ScanSoft\NaturallySpeaking8\Program\natspeak.exe -> ScanSoft [Ver = 8.10.000.279 | Size = 1994752 bytes | Modified Date = 12/05/2008 21:48:09 | Attr =    ]
dm1service.exe -> %ProgramFiles%\Olympus\DeviceDetector\DM1Service.exe -> OLYMPUS IMAGING CORP. [Ver = 1, 3, 0, 0 | Size = 69632 bytes | Modified Date = 30/07/2005 21:17:20 | Attr =    ]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.16.2 | Size = 397312 bytes | Modified Date = 12/07/2008 09:29:54 | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 16056 bytes | Modified Date = 19/07/2008 15:25:06 | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 147640 bytes | Modified Date = 19/07/2008 15:38:28 | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 250040 bytes | Modified Date = 19/07/2008 15:38:04 | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 8, 1229, 0 | Size = 348344 bytes | Modified Date = 23/07/2008 15:25:45 | Attr =    ]
(DM1Service) DM1Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Olympus\DeviceDetector\DM1Service.exe -> OLYMPUS IMAGING CORP. [Ver = 1, 3, 0, 0 | Size = 69632 bytes | Modified Date = 30/07/2005 21:17:20 | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.5512.503.0 | Size = 224768 bytes | Modified Date = 14/04/2008 01:12:17 | Attr =    ]
(InCDsrv) InCD Helper [Win32_Own | Auto | Running] -> %ProgramFiles%\Ahead\InCD\InCDsrv.exe -> Nero AG [Ver = 4, 3, 15, 1 | Size = 869888 bytes | Modified Date = 13/05/2005 17:11:14 | Attr =    ]

[Driver Services - Non-Microsoft Only]
(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running] -> %SystemRoot%\System32\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 26944 bytes | Modified Date = 19/07/2008 15:32:15 | Attr =    ]
(aswFsBlk) aswFsBlk [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\aswFsBlk.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 20560 bytes | Modified Date = 19/07/2008 15:37:42 | Attr =    ]
(aswMon2) avast! Standard Shield Support [File_System | Auto | Running] -> %SystemRoot%\System32\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 94416 bytes | Modified Date = 19/07/2008 15:37:21 | Attr =    ]
(aswRdr) aswRdr [Kernel | On_Demand | Running] -> %SystemRoot%\System32\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 23152 bytes | Modified Date = 19/07/2008 15:33:42 | Attr =    ]
(aswSP) avast! Self Protection [Kernel | System | Running] -> %SystemRoot%\System32\drivers\aswSP.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 78416 bytes | Modified Date = 19/07/2008 15:35:18 | Attr =    ]
(aswTdi) avast! Network Shield Support [Kernel | System | Running] -> %SystemRoot%\System32\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 42912 bytes | Modified Date = 19/07/2008 15:32:36 | Attr =    ]
(b57w2k) Broadcom NetXtreme Gigabit Ethernet [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\b57xp32.sys -> Broadcom Corporation [Ver = 8.22.1.0 built by: WinDDK | Size = 132608 bytes | Modified Date = 17/03/2005 16:30:10 | Attr =    ]
(ctsfm2k) Creative SoundFont Management Device Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ctsfm2k.sys -> Creative Technology Ltd [Ver = 5.12.01.1081-2.04.0050 | Size = 138752 bytes | Modified Date = 10/01/2005 10:15:24 | Attr =    ]
(DgiVecp) Team MFP Comm Driver [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\DGIVECP.SYS -> DeviceGuys, Inc. [Ver = 1.1.1.30 | Size = 41984 bytes | Modified Date = 17/05/2004 14:04:16 | Attr =    ]
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.5512.503.0 | Size = 799744 bytes | Modified Date = 13/04/2008 19:44:48 | Attr =    ]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.5512.503.0 | Size = 153344 bytes | Modified Date = 13/04/2008 19:44:46 | Attr =    ]
(dmload) dmload [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 04/08/2004 13:00:00 | Attr =    ]
(HdAudAddService) Microsoft UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Hdaudio.sys -> Windows (R) Server 2003 DDK provider [Ver = 5.10.01.5012 built by: WinDDK | Size = 145920 bytes | Modified Date = 27/10/2004 15:21:30 | Attr =    ]
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\hdaudbus.sys -> Windows (R) Server 2003 DDK provider [Ver = 5.10.01.5013 built by: WinDDK | Size = 144384 bytes | Modified Date = 13/04/2008 17:36:05 | Attr =    ]
(HSFHWBS2) HSFHWBS2 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HSFHWBS2.sys -> Conexant Systems, Inc. [Ver = 7.60.00 built by: WinDDK | Size = 257408 bytes | Modified Date = 08/11/2006 08:59:00 | Attr = R  ]
(HSF_DPV) HSF_DPV [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HSF_DPV.sys -> Conexant Systems, Inc. [Ver = 7.60.00 built by: WinDDK | Size = 989696 bytes | Modified Date = 08/11/2006 09:00:00 | Attr = R  ]
(ialm) ialm [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ialmnt5.sys -> Intel Corporation [Ver = 6.14.10.4384 | Size = 1052732 bytes | Modified Date = 24/08/2005 13:20:08 | Attr =    ]
(InCDfs) InCD File System [File_System | Disabled | Running] -> %SystemRoot%\System32\drivers\InCDfs.sys -> Nero AG [Ver = 4, 3, 15, 1 | Size = 99584 bytes | Modified Date = 13/05/2005 17:03:52 | Attr =    ]
(InCDPass) InCDPass [Kernel | System | Running] -> %SystemRoot%\system32\drivers\InCDpass.sys -> Nero AG [Ver = 4, 3, 15, 1 | Size = 29696 bytes | Modified Date = 13/05/2005 17:03:30 | Attr =    ]
(incdrm) InCD Reader [Kernel | System | Running] -> %SystemRoot%\System32\drivers\InCDrm.sys -> Nero AG [Ver = 4, 3, 15, 1 | Size = 28160 bytes | Modified Date = 13/05/2005 16:03:25 | Attr =    ]
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\RtkHDAud.sys -> Realtek Semiconductor Corp. [Ver = 5.10.00.5172 built by: WinDDK | Size = 3966976 bytes | Modified Date = 23/09/2005 18:56:28 | Attr =    ]
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\mdmxsdk.sys -> Conexant [Ver = 1.0.2.012 | Size = 12672 bytes | Modified Date = 19/06/2006 06:26:00 | Attr = R  ]
(ossrv) Creative OS Services Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ctoss2k.sys -> Creative Technology Ltd. [Ver = 5.12.01.1081-2.04.0050 | Size = 106496 bytes | Modified Date = 10/01/2005 10:15:30 | Attr =    ]
(P17) SB Live! 24-bit [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\P17.sys -> Creative Technology Ltd. [Ver = 5.12.01.514 | Size = 1127936 bytes | Modified Date = 15/06/2007 02:47:26 | Attr =    ]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 04/08/2004 13:00:00 | Attr =    ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\secdrv.sys -> Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.03.086 | Size = 20480 bytes | Modified Date = 13/04/2008 17:39:15 | Attr =    ]
(USRpdA) U.S. Robotics 56K PCI Faxmodem Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\USRpdA.sys -> U.S. Robotics Corporation [Ver = 4. 11. 22 | Size = 113762 bytes | Modified Date = 17/08/2001 14:28:26 | Attr =    ]
(winachsf) winachsf [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HSF_CNXT.sys -> Conexant Systems, Inc. [Ver = 7.60.00 built by: WinDDK | Size = 730112 bytes | Modified Date = 08/11/2006 08:59:00 | Attr = R  ]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\reader_sl.exe ["F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"] -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 39792 bytes | Modified Date = 11/01/2008 22:16:38 | Attr =    ]
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe [F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe] -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 78008 bytes | Modified Date = 19/07/2008 15:38:34 | Attr =    ]
High Definition Audio Property Page Shortcut -> %SystemRoot%\system32\HdAShCut.exe [HDAShCut.exe] -> Windows (R) Server 2003 DDK provider [Ver = 5.10.01.5012 built by: WinDDK | Size = 61952 bytes | Modified Date = 27/10/2004 15:21:30 | Attr =    ]
HPDJ Taskbar Utility -> %SystemRoot%\system32\spool\drivers\w32x86\3\hpztsb04.exe [F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe] -> HP [Ver = 2,80,0,0 | Size = 196608 bytes | Modified Date = 07/11/2001 17:45:11 | Attr =    ]
igfxhkcmd -> %SystemRoot%\system32\hkcmd.exe [F:\WINDOWS\system32\hkcmd.exe] -> Intel Corporation [Ver = 3.0.0.4384 | Size = 77824 bytes | Modified Date = 24/08/2005 12:47:18 | Attr =    ]
igfxpers -> %SystemRoot%\system32\igfxpers.exe [F:\WINDOWS\system32\igfxpers.exe] -> Intel Corporation [Ver = 3.0.0.4384 | Size = 114688 bytes | Modified Date = 24/08/2005 12:51:12 | Attr =    ]
igfxtray -> %SystemRoot%\system32\igfxtray.exe [F:\WINDOWS\system32\igfxtray.exe] -> Intel Corporation [Ver = 3.0.0.4384 | Size = 94208 bytes | Modified Date = 24/08/2005 12:50:30 | Attr =    ]
InCD -> %ProgramFiles%\Ahead\InCD\InCD.exe [F:\Program Files\Ahead\InCD\InCD.exe] -> Nero AG [Ver = 4, 3, 15, 1 | Size = 1397760 bytes | Modified Date = 13/05/2005 16:11:39 | Attr =    ]
KernelFaultCheck ->  [%systemroot%\system32\dumprep 0 -k] -> File not found
NeroFilterCheck -> %SystemRoot%\system32\NeroCheck.exe [F:\WINDOWS\system32\NeroCheck.exe] -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 09/07/2001 11:50:42 | Attr =    ]
Omnipage -> %ProgramFiles%\ScanSoft\OmniPageSE\opware32.exe [F:\Program Files\ScanSoft\OmniPageSE\opware32.exe] -> ScanSoft, Inc [Ver = 11.0 | Size = 49152 bytes | Modified Date = 03/06/2002 11:38:12 | Attr =    ]
RTHDCPL -> %SystemRoot%\RTHDCPL.exe [RTHDCPL.EXE] -> Realtek Semiconductor Corp. [Ver = 2.0.1.7 | Size = 14854144 bytes | Modified Date = 22/09/2005 13:36:20 | Attr =    ]
Samsung Common SM -> %SystemRoot%\Samsung\ComSMMgr\SSMMgr.exe ["F:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun] -> Samsung Electronics. [Ver = 1, 3, 0, 0 | Size = 372736 bytes | Modified Date = 03/07/2005 08:20:49 | Attr =    ]
SSBkgdUpdate -> %CommonProgramFiles%\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe [F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot] -> Scansoft, Inc. [Ver = 1, 0, 0, 6 | Size = 155648 bytes | Modified Date = 29/09/2003 16:00:20 | Attr =    ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe ["F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 144784 bytes | Modified Date = 10/06/2008 04:27:04 | Attr =    ]
USRpdA ->  [F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA] -> File not found
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< All Users Startup Folder > -> F:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
%AllUsersProfile%\Start Menu\Programs\Startup\Device Detector 3.lnk -> %ProgramFiles%\Olympus\DeviceDetector\DevDtct2.exe -> OLYMPUS IMAGING CORP. [Ver = 3, 2, 1, 1 | Size = 114688 bytes | Modified Date = 03/02/2006 11:53:36 | Attr =    ]
%AllUsersProfile%\Start Menu\Programs\Startup\Directrec Configuration Tool.lnk -> %ProgramFiles%\Olympus\DSSPlayerPro\DirectrecConfig.exe -> OLYMPUS IMAGING CORP. [Ver = 1, 0, 0, 0 | Size = 122880 bytes | Modified Date = 31/01/2006 15:06:06 | Attr =    ]
< Jane Startup Folder > -> F:\Documents and Settings\Jane\Start Menu\Programs\Startup -> 
%UserProfile%\Start Menu\Programs\Startup\Dragon NaturallySpeaking.lnk -> %ProgramFiles%\ScanSoft\NaturallySpeaking8\Program\natspeak.exe -> ScanSoft [Ver = 8.10.000.279 | Size = 1994752 bytes | Modified Date = 12/05/2008 21:48:09 | Attr =    ]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 1033728 bytes | Modified Date = 14/04/2008 01:12:19 | Attr =    ]
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
F:\WINDOWS\system32\userinit.exe -> %SystemRoot%\system32\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 26112 bytes | Modified Date = 14/04/2008 01:12:38 | Attr =    ]
*MultiFile Done* -> -> 
*UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost -> 
logonui.exe -> %SystemRoot%\system32\logonui.exe -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 514560 bytes | Modified Date = 14/04/2008 01:12:24 | Attr =    ]
*MultiFile Done* -> -> 
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> 
rundll32 shell32 -> %SystemRoot%\system32\shell32.dll -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 8461312 bytes | Modified Date = 14/04/2008 01:12:05 | Attr =    ]
Control_RunDLL "sysdm.cpl" -> %SystemRoot%\system32\sysdm.cpl -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2105) | Size = 300544 bytes | Modified Date = 14/04/2008 01:12:41 | Attr =    ]
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
igfxcui -> %SystemRoot%\system32\igfxdev.dll -> Intel Corporation [Ver = 3.0.0.4384 | Size = 135168 bytes | Modified Date = 24/08/2005 12:46:22 | Attr =    ]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
< CDROM Autorun Settings > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup -> 
SCSI miniport ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\drivers\cdrom.sys [system32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2108) | Size = 62976 bytes | Modified Date = 13/04/2008 19:40:46 | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 -> 
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable -> 
NEC     MBR-7    ->  -> File not found
NEC     MBR-7.4  ->  -> File not found
PIONEER CHANGR DRM-1804X ->  -> File not found
PIONEER CD-ROM DRM-6324X ->  -> File not found
PIONEER CD-ROM DRM-624X  ->  -> File not found
TORiSAN CD-ROM CDR_C36 ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\0 -> IDE\CdRomHL-DT-ST_RW/DVD_GCC-4482B_______________1.03____\5&2265ef5e&0&0.0.0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\Count -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\NextInstance -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\1 -> IDE\CdRomSONY_DVD_RW_DW-Q30A_____________________YYS3____\5&2265ef5e&0&0.1.0 -> 
< Drives - Autoruns > ->  -> 
AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] ->  [Ver =  | Size = 0 bytes | Modified Date = 06/05/2008 12:44:15 | Attr =    ]
< HOSTS File > (256715 bytes) -> F:\WINDOWS\System32\drivers\etc\Hosts -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.tesco.net -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Default_Page_URL -> http://www.tesco.net -> 
HKEY_CURRENT_USER\: Main\\Local Page -> F:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.google.co.uk/ -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4702 domain(s) found. -> 
43 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4702 domain(s) found. -> 
memberservices_tesco.net [https] -> Trusted sites -> 
register_tesco.net [https] -> Trusted sites -> 
43 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 22/10/2006 23:08:42 | Attr =    ]
{206E52E0-D52E-11D4-AD54-0000E86C26F6} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\FreshDevices\FreshDownload\fdcatch.dll [] -> FreshDevices Corp. [Ver = 3.6.1.0 | Size = 201728 bytes | Modified Date = 25/04/2007 10:06:00 | Attr =    ]
{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 6, 0, 12 | Size = 1562448 bytes | Modified Date = 07/07/2008 09:41:58 | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 509328 bytes | Modified Date = 10/06/2008 04:27:02 | Attr =    ]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{ED0E8CA5-42FB-4B18-997B-769E0408E79D} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\FreshDevices\FreshDownload\fdiebar.dll [FreshDownload Bar] -> FreshDevices Corp. [Ver = 1.0.0.0 | Size = 685568 bytes | Modified Date = 21/04/2008 10:12:56 | Attr =    ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 132496 bytes | Modified Date = 10/06/2008 04:27:02 | Attr =    ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 509328 bytes | Modified Date = 10/06/2008 04:27:02 | Attr =    ]
{A7C6D697-2B0C-4BAE-B203-E10EA815DFC1}:Exec -> %ProgramFiles%\FreshDevices\FreshDownload\fd.exe [FreshDownload] -> FreshDevices Corp. [Ver = 8.00.0.0 | Size = 3047944 bytes | Modified Date = 21/04/2008 10:24:26 | Attr =    ]
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 6, 0, 12 | Size = 1562448 bytes | Modified Date = 07/07/2008 09:41:58 | Attr =    ]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 132496 bytes | Modified Date = 10/06/2008 04:27:02 | Attr =    ]
CmdMapping\\{A7C6D697-2B0C-4BAE-B203-E10EA815DFC1} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\FreshDevices\FreshDownload\fd.exe [FreshDownload] -> FreshDevices Corp. [Ver = 8.00.0.0 | Size = 3047944 bytes | Modified Date = 21/04/2008 10:24:26 | Attr =    ]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
Extension\.spop -> %ProgramFiles%\Internet Explorer\PLUGINS\NPDocBox.dll [] -> Intertrust Technologies, Inc. [Ver = 1.0.0.32 | Size = 270336 bytes | Modified Date = 01/08/2001 17:05:42 | Attr =    ]
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{C03A54DD-617A-45AC-8524-D23F50EF0187} ->    (Broadcom NetXtreme Gigabit Ethernet) -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8}[HKEY_LOCAL_MACHINE] -> http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab[Office Genuine Advantage Validation Tool] -> 
{0742B9EF-8C83-41CA-BFBA-830A59E23533}[HKEY_LOCAL_MACHINE] -> https://support.microsoft.com/OAS/ActiveX/MSDcode.cab[Microsoft Data Collection Control] -> 
{233C1507-6A77-46A4-9443-F871F945D258}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[Shockwave ActiveX Control] -> 
{54BE6B6F-3056-470B-97E1-BB92E051B6C4}[HKEY_LOCAL_MACHINE] -> http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab[DeviceEnum Class] -> 
{5AE58FCF-6F6A-49B2-B064-02492C66E3F4}[HKEY_LOCAL_MACHINE] -> http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1210330356531[MUCatalogWebControl Class] -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C}[HKEY_LOCAL_MACHINE] -> http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210092568248[WUWebControl Class] -> 
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}[HKEY_LOCAL_MACHINE] -> http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210095313154[MUWebControl Class] -> 
{6F15128C-E66A-490C-B848-5000B5ABEEAC}[HKEY_LOCAL_MACHINE] -> https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab[HP Download Manager] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 
{C7DB51B4-BCF7-4923-8874-7F1A0DC92277}[HKEY_LOCAL_MACHINE] -> http://office.microsoft.com/officeupdate/content/opuc4.cab[Office Update Installation Engine] -> 
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab[Shockwave Flash Object] -> 
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/Downloaded Program Files/FP_AX_CAB_INSTALLER.exe\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/Downloaded Program Files/FP_AX_CAB_INSTALLER.exe\\.Owner -> {D27CDB6E-AE6D-11CF-96B8-444553540000} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/Downloaded Program Files/FP_AX_CAB_INSTALLER.exe\\{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/Downloaded Program Files/HPDEXAXO.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/Downloaded Program Files/HPDEXAXO.dll\\.Owner -> {6F15128C-E66A-490C-B848-5000B5ABEEAC} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/Downloaded Program Files/HPDEXAXO.dll\\{6F15128C-E66A-490C-B848-5000B5ABEEAC} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/Downloaded Program Files/MSDcode.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/Downloaded Program Files/MSDcode.dll\\.Owner -> {0742B9EF-8C83-41CA-BFBA-830A59E23533} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/Downloaded Program Files/MSDcode.dll\\{0742B9EF-8C83-41CA-BFBA-830A59E23533} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/opuc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/opuc.dll\\.Owner -> {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/opuc.dll\\{C7DB51B4-BCF7-4923-8874-7F1A0DC92277} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/system32/MicrosoftUpdateCatalogWebControl.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/system32/MicrosoftUpdateCatalogWebControl.dll\\.Owner -> {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/system32/MicrosoftUpdateCatalogWebControl.dll\\{5AE58FCF-6F6A-49B2-B064-02492C66E3F4} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/system32/muweb.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/system32/muweb.dll\\.Owner -> {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/system32/muweb.dll\\{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/system32/OGACheckControl.DLL\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/system32/OGACheckControl.DLL\\.Owner -> {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/system32/OGACheckControl.DLL\\{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/system32/wuweb.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/system32/wuweb.dll\\.Owner -> Unknown Owner -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/system32/wuweb.dll\\{6414512B-B978-451D-A0D8-FCFDF33E833C} ->  -> 

[Files/Folders - Created Within 30 days]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Created Date = 02/10/2008 08:40:47 | Attr =    ]
1 F:\*.tmp files -> F:\*.tmp -> 
HSFHWBS2.sys -> %SystemRoot%\System32\drivers\HSFHWBS2.sys -> Conexant Systems, Inc. [Ver = 7.60.00 built by: WinDDK | Size = 257408 bytes | Created Date = 03/08/2008 11:07:30 | Attr = R  ]
HSFProf.cty -> %SystemRoot%\System32\drivers\HSFProf.cty ->  [Ver =  | Size = 144201 bytes | Created Date = 03/08/2008 11:07:32 | Attr = R  ]
HSF_CNXT.sys -> %SystemRoot%\System32\drivers\HSF_CNXT.sys -> Conexant Systems, Inc. [Ver = 7.60.00 built by: WinDDK | Size = 730112 bytes | Created Date = 03/08/2008 11:07:30 | Attr = R  ]
HSF_DPV.sys -> %SystemRoot%\System32\drivers\HSF_DPV.sys -> Conexant Systems, Inc. [Ver = 7.60.00 built by: WinDDK | Size = 989696 bytes | Created Date = 03/08/2008 11:07:31 | Attr = R  ]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> Malwarebytes Corporation [Ver = 1, 0, 0, 1 | Size = 17144 bytes | Created Date = 16/08/2008 09:52:26 | Attr =    ]
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> Malwarebytes Corporation [Ver = 1.00 | Size = 38472 bytes | Created Date = 16/08/2008 09:52:25 | Attr =    ]
java.exe -> %SystemRoot%\System32\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 135168 bytes | Created Date = 15/08/2008 17:35:41 | Attr =    ]
javacpl.cpl -> %SystemRoot%\System32\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 73728 bytes | Created Date = 15/08/2008 17:35:41 | Attr =    ]
javaw.exe -> %SystemRoot%\System32\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 135168 bytes | Created Date = 15/08/2008 17:35:41 | Attr =    ]
javaws.exe -> %SystemRoot%\System32\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 139264 bytes | Created Date = 15/08/2008 17:35:41 | Attr =    ]
Uci32114.dll -> %SystemRoot%\System32\Uci32114.dll -> Conexant Systems, Inc [Ver = 2.0.0.14 | Size = 172032 bytes | Created Date = 03/08/2008 11:07:33 | Attr = R  ]
imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1374 bytes | Created Date = 15/08/2008 18:20:54 | Attr =    ]
Minidump -> %SystemRoot%\Minidump ->  [Folder | Created Date = 01/08/2008 20:33:35 | Attr =    ]
10 F:\WINDOWS\*.tmp files -> F:\WINDOWS\*.tmp -> 
MSOClip.232 -> %SystemRoot%\MSOClip.232 ->  [Ver =  | Size = 4544 bytes | Created Date = 25/07/2008 15:59:40 | Attr =    ]
MSOPrefs.232 -> %SystemRoot%\MSOPrefs.232 ->  [Ver =  | Size = 10304 bytes | Created Date = 25/07/2008 15:59:40 | Attr =    ]

[Files/Folders - Modified Within 30 days]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 19/08/2008 18:19:23 | Attr =    ]
1 F:\*.tmp files -> F:\*.tmp -> 
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 19/08/2008 08:41:41 | Attr = R  ]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 20/08/2008 15:42:20 | Attr =    ]
etc -> %SystemRoot%\System32\drivers\etc ->  [Folder | Modified Date = 03/08/2008 14:13:53 | Attr =    ]
hosts -> %SystemRoot%\System32\drivers\etc\hosts ->  [Ver =  | Size = 256715 bytes | Modified Date = 03/08/2008 14:13:53 | Attr = R  ]
hosts.20080803-141353.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080803-141353.backup ->  [Ver =  | Size = 255759 bytes | Modified Date = 25/07/2008 12:22:20 | Attr = R  ]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> Malwarebytes Corporation [Ver = 1, 0, 0, 1 | Size = 17144 bytes | Modified Date = 30/07/2008 20:07:52 | Attr =    ]
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> Malwarebytes Corporation [Ver = 1.00 | Size = 38472 bytes | Modified Date = 30/07/2008 20:07:56 | Attr =    ]
appmgmt -> %SystemRoot%\System32\appmgmt ->  [Folder | Modified Date = 03/08/2008 11:02:15 | Attr =    ]
1 F:\WINDOWS\System32\*.tmp files -> F:\WINDOWS\System32\*.tmp -> 
CatRoot -> %SystemRoot%\System32\CatRoot ->  [Folder | Modified Date = 03/08/2008 11:06:48 | Attr =    ]
CatRoot2 -> %SystemRoot%\System32\CatRoot2 ->  [Folder | Modified Date = 19/08/2008 11:17:12 | Attr =    ]
config -> %SystemRoot%\System32\config ->  [Folder | Modified Date = 03/08/2008 11:03:14 | Attr =    ]
CONFIG.NT -> %SystemRoot%\System32\CONFIG.NT ->  [Ver =  | Size = 2626 bytes | Modified Date = 03/08/2008 11:53:16 | Attr =    ]
dllcache -> %SystemRoot%\System32\dllcache ->  [Folder | Modified Date = 19/08/2008 11:17:58 | Attr = RHS]
drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 19/08/2008 08:41:40 | Attr =    ]
Lang -> %SystemRoot%\System32\Lang ->  [Folder | Modified Date = 20/08/2008 15:42:36 | Attr =    ]
wbem -> %SystemRoot%\System32\wbem ->  [Folder | Modified Date = 03/08/2008 11:03:04 | Attr =    ]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 15/08/2008 17:02:00 | Attr =    ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 19/08/2008 11:17:35 | Attr =  H ]
10 F:\WINDOWS\*.tmp files -> F:\WINDOWS\*.tmp -> 
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 20/08/2008 15:42:19 | Attr =   S]
Debug -> %SystemRoot%\Debug ->  [Folder | Modified Date = 18/08/2008 17:58:48 | Attr =    ]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 02/08/2008 10:30:35 | Attr =    ]
ie7updates -> %SystemRoot%\ie7updates ->  [Folder | Modified Date = 19/08/2008 11:17:46 | Attr =    ]
imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1374 bytes | Modified Date = 19/08/2008 11:17:31 | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 19/08/2008 11:18:03 | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 19/08/2008 18:19:23 | Attr =  HS]
Minidump -> %SystemRoot%\Minidump ->  [Folder | Modified Date = 20/08/2008 15:42:20 | Attr =    ]
MSOClip.232 -> %SystemRoot%\MSOClip.232 ->  [Ver =  | Size = 4544 bytes | Modified Date = 26/07/2008 17:52:07 | Attr =    ]
MSOPrefs.232 -> %SystemRoot%\MSOPrefs.232 ->  [Ver =  | Size = 10304 bytes | Modified Date = 26/07/2008 17:52:07 | Attr =    ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 20/08/2008 17:50:16 | Attr =    ]
Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 03/08/2008 11:03:04 | Attr =    ]
system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 19/08/2008 14:50:28 | Attr =    ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 25/07/2008 12:41:39 | Attr =   S]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 20/08/2008 15:46:46 | Attr =    ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 20/08/2008 15:42:24 | Attr =  H ]
F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader ->  [Folder | Modified Date = 06/05/2008 12:52:19 | Attr =    ]
qmgr0.dat -> F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 77014 bytes | Modified Date = 20/08/2008 15:43:44 | Attr =    ]
qmgr1.dat -> F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 77014 bytes | Modified Date = 20/08/2008 15:43:44 | Attr =    ]
F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\ -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries ->  [Folder | Modified Date = 20/08/2008 16:22:57 | Attr =    ]
ScanningProcess.exe -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\ScanningProcess.exe -> Kaspersky Lab. [Ver = 5, 0, 1, 86 | Size = 139264 bytes | Modified Date = 20/08/2008 15:49:00 | Attr =    ]
34 F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\*.tmp files -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\*.tmp -> 
F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\ -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries ->  [Folder | Modified Date = 20/08/2008 16:22:57 | Attr =    ]
FSSync.dll -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\FSSync.dll -> Kaspersky Lab [Ver = 6.0.5.678 | Size = 38400 bytes | Modified Date = 20/08/2008 15:49:00 | Attr =    ]
ikave.dll -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\ikave.dll ->  [Ver = 5, 0, 1, 83 | Size = 65536 bytes | Modified Date = 20/08/2008 16:22:52 | Attr =    ]
kave.dll -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\kave.dll -> Kaspersky Lab. [Ver = 5, 0, 1, 86 | Size = 282624 bytes | Modified Date = 20/08/2008 15:49:00 | Attr =    ]
kosglue-7.0.25.0.dll -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\kosglue-7.0.25.0.dll -> Kaspersky Lab [Ver = 7.0.25.0 | Size = 729152 bytes | Modified Date = 20/08/2008 15:49:01 | Attr =    ]
msvcm80.dll -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\msvcm80.dll -> Microsoft Corporation [Ver = 8.00.50727.42 | Size = 479232 bytes | Modified Date = 20/08/2008 16:22:51 | Attr =    ]
msvcp80.dll -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\msvcp80.dll -> Microsoft Corporation [Ver = 8.00.50727.42 | Size = 548864 bytes | Modified Date = 20/08/2008 16:22:52 | Attr =    ]
msvcr80.dll -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\msvcr80.dll -> Microsoft Corporation [Ver = 8.00.50727.42 | Size = 626688 bytes | Modified Date = 20/08/2008 16:22:52 | Attr =    ]
prLoader.dll -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\prLoader.dll -> Kaspersky Lab [Ver = 6.0.2.678 | Size = 184320 bytes | Modified Date = 20/08/2008 15:49:00 | Attr =    ]
prremote.dll -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\prremote.dll -> Kaspersky Lab [Ver = 6.0.2.678 | Size = 90112 bytes | Modified Date = 20/08/2008 16:22:53 | Attr =    ]
34 F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\*.tmp files -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\*.tmp -> 
F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\engine\bases\ -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\engine\bases ->  [Folder | Modified Date = 20/08/2008 15:49:33 | Attr =    ]
sfdb.dat -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\engine\bases\sfdb.dat ->  [Ver =  | Size = 191076 bytes | Modified Date = 20/08/2008 16:23:09 | Attr =    ]
F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\ -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries ->  [Folder | Modified Date = 20/08/2008 16:22:57 | Attr =    ]
_kave.ini -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\_kave.ini ->  [Ver =  | Size = 102 bytes | Modified Date = 20/08/2008 16:22:52 | Attr =    ]
34 F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\*.tmp files -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\binaries\*.tmp -> 
F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\engine\bases\ -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\engine\bases ->  [Folder | Modified Date = 20/08/2008 15:49:33 | Attr =    ]
verdicts.ini -> F:\Documents and Settings\Jane\Local Settings\Temp\jkos-Jane\engine\bases\verdicts.ini ->  [Ver =  | Size = 4181 bytes | Modified Date = 20/08/2008 12:05:28 | Attr =    ]
F:\WINDOWS\Temp\ -> F:\WINDOWS\Temp ->  [Folder | Modified Date = 20/08/2008 15:46:46 | Attr =    ]
Perflib_Perfdata_414.dat -> F:\WINDOWS\Temp\Perflib_Perfdata_414.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 19/08/2008 18:20:51 | Attr =    ]
Perflib_Perfdata_41c.dat -> F:\WINDOWS\Temp\Perflib_Perfdata_41c.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 19/08/2008 08:42:50 | Attr =    ]
Perflib_Perfdata_420.dat -> F:\WINDOWS\Temp\Perflib_Perfdata_420.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 18/08/2008 15:01:03 | Attr =    ]
Perflib_Perfdata_424.dat -> F:\WINDOWS\Temp\Perflib_Perfdata_424.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 19/08/2008 17:46:38 | Attr =    ]
Perflib_Perfdata_480.dat -> F:\WINDOWS\Temp\Perflib_Perfdata_480.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 20/08/2008 08:39:35 | Attr =    ]

< End of report >
Jane
Regular Member
 
Posts: 15
Joined: August 8th, 2008, 1:17 pm