
El Tel

Advanced Member
Content Count: 322

Everything posted by El Tel

  1. Hi. No patches to install; all looks well there. Can this folder be deleted or moved, and if so, where to? Regards El Tel
  2. Hi Jacee. Had a look in "Add Remove" and couldn't find this to un-install. While these are on my PC, these also are not installed; they were before I did a complete format and re-installed "Windows XP Professional". Downloaded this but have not run it, as I was already doing a complete scan with MalwareBytes. I need to run the PCPitStop scan and update my "Techexpress" details when all is sorted. PS (Edit): the result of the Secunia scan. Regards El Tel
  3. Hi. Dunn'a be asking me for details on the laptop, as I'm back at home right now; won't have that information until tomorrow. The operating system I can tell you is "Windows 7". This is a brand new Dell laptop which I was asked to set up; daft idea, but I took the job on knowing that you GR8 Gurus would be able to put me right. Having read the first 20 pages or so of the manual, well, up to the point where it says leave the power supply connected for the first 12 hrs; sorted, some 4 hrs left to go. I left instruction to switch off the power supply when the 12 hrs are up; the laptop is already turned off. After I first switched on, the "Dell Welcome Screen" thanking you for purchasing your "Dell Laptop" went into "Dell, let me take over your PC set up" by default; I couldn't see a way around this without accepting it. Anyway, it did whatever it did, insisted on making a back-up somewhere on the hard drive and then re-booted the laptop, proceeded to ask for user account names etc., which were input as requested; all sorted OK. My friend's hubby then chirped up saying that the man in the shop said "You need this to protect your PC"; guess what it was: "Norton PC Security". Not installed as yet, but hubby insists on having it put on this laptop as he bought the CD, as opposed to using all the FREE security I use on my PC... Now if you can give me all the pros & cons before I go back tomorrow then GR8, but not to worry. ? On installing "Norton", will it fight with whatever "Dell" set up on first start up? Regards El Tel
  4. One other thing that now shows on every start up is this. Didn't ask for it, don't want it, but seem to be stuck with it. Regards El Tel
  5. Hi. Thanks for that info. Well, ever since the last "Windows Update" my PC stalls 3 or 4 times out of 10 start-ups. I decided to restore my PC to prior to the last updates, hoping this will put the folder in the right place. Here are those last updates, I think; well, they have come back to be re-installed. Regards El Tel. Edited (Typo Errors)
  6. Hi. This folder has appeared from somewhere, and Google turns up no results. Regards El Tel
  7. Thanks to all who took part. I can confirm that views did show up in the statistics view when I clicked, signed in to the "Geovisite" FREE counter; six showed up from here. I can also confirm that no personal details of any type show, apart from what you can see, ie: Untd Kingdom 8, Thailand 1, Brazil 1, Untd States 1, & 5 showed up from elsewhere. Way cool. Happy clicking. Edit: put the wrong quote link.
  8. I'm still clicking every day, even while on holiday. Now you can help me too: I have added a new FREE page counter on my "Windows Live Space" and would appreciate it if some of you could click from there, allowing me to test the counter as well.
  9. Hi Juliet. Well, my PC has been behaving itself for 10 days now; many thanks for all your help. Kind Regards El Tel
  10. Hi Juliet. All went swimmingly well up to completing these. This is set to Auto, but I choose what & when to install. From here on I got into all kinds of trouble. I had FireFox, but not the latest version. I stopped using it because it wouldn't display my Web Site http://www.picturesinpastels.co.uk/. As I already had FireFox, I opened it up and expected it to auto-update; it had done in the past... But not this time; an error message came up saying a current FireFox window was open and I should close it to proceed. I couldn't find it, and it wasn't showing in "Windows Task Manager" either. I'm at a loss with this. I think I've now got it un-installed. Well, not sure at all what, if anything, I did wrong... I just got lost. I went to their Web Site, watched the demo video and thought cool, proceeded to install. I did see it in "Windows Task Manager" once, but couldn't see any "Traffic Lights" of any colour. What I did notice is my PC went very slow, switching between tabs took ages, my hard drive temp went to 52'C and Speed-Fan, which monitors it, kept beeping at me. I closed all open windows, the lot, and waited for the temp' to drop; then it was time to shut down. Next day my PC took twice as long to load up; everything was slow and sluggish. I know not what I did wrong or missed; I couldn't get it right. I decided to restore back to when you had it working loverly, and that's the point I'm at now... I've started reading this little lot, and this will keep me occupied for the next four years for sure. As this is a part of "Windows XP Professional" I didn't know I had, I decided to take a look and managed to back up some files. It is a bit more involved than "Lazy Mirror", which I do like. Decisions, decisions, decisions... Regards El Tel
  11. Hi Juliet. My PC seems a whole lot faster now; many, many thanks. As for all of these O15s, they go back to my "Windows ME" days and kinda stuck, as in my original HJ log. I'm trying to rack my brain as to why I put them there in the first place. So here is a bit of waffle. It was more likely when I was sniffing around seeing what things were and did. As you can see, even PCPitStop got a spot... It could even have been to bypass cookie handling when I was having trouble accessing these sites. Basically I'm at a loss as to the real reason.
      O15 - Trusted Zone: http://www.classicgolddigital.com
      O15 - Trusted Zone: http://www.download.com
      O15 - Trusted Zone: http://listings.ebay.co.uk
      O15 - Trusted Zone: http://www.forumfriendz.com
      O15 - Trusted Zone: http://larg1.free.fr
      O15 - Trusted Zone: http://*.drive.freevirtualservers.com
      O15 - Trusted Zone: http://*.gabbly.com
      O15 - Trusted Zone: http://www.gamerzforum.net
      O15 - Trusted Zone: http://free.grisoft.com
      O15 - Trusted Zone: http://forum.grisoft.cz
      O15 - Trusted Zone: http://www.grumbletext.co.uk
      O15 - Trusted Zone: http://pcpitstop.ibforums.com
      O15 - Trusted Zone: http://*.keir.net
      O15 - Trusted Zone: http://*.lavasoftsupport.com
      O15 - Trusted Zone: http://groups.msn.com
      O15 - Trusted Zone: http://freewarewiki.pbwiki.com
      O15 - Trusted Zone: http://www.royalmail.com
      O15 - Trusted Zone: http://forums.sygate.com
      O15 - Trusted Zone: http://www.thisisnottingham.co.uk
      O15 - Trusted Zone: http://www.topfreeforum.com
      I searched high & low for c:\windows\SYSTEM\mshost.exe <-- this file, and c:\windows\SYSTEM\mshost.exe 2 <-- this file; neither could be found. I did a wild search for msho* while hidden files etc. were accessible on my master drive C:. Outlook Express is more annoying, but doesn't stop me, as I send my mail now using G-Mail; I just prefer Outlook Express to G-Mail. When I'm given the all clear, I will go through your suggested links. Regards El Tel
  12. Hi Juliet. No "Safesearch" installed or found anywhere on my PC. Regards El Tel
  13. Hi Juliet Wow my PC seems fast, switching between Tab and Page Refresh there is no thinking time now... Also one other problem I was going to ask, now appearers to be fixed. That being I no longer have to manually sign in here or any other place I visit, My settings seem to be restored. Way cool... Now for the three possible "Explorer's" Yesterday it was "EXPLORER . EXE on two separate shut downs / Start Ups one with 27.536K & 27,316K of Mem Used. This Start Up "Explorer . EXE 24,552K Mem Used ? Sadly it has not sorted out Outlook Express Address Book I couldn't find this file anywhere, not even with "Show Hidden Files & Folder" unchecked. I could find 2 mswsock.dll C:\WINDOWS\SYSTEM32 & C:\WINDOWS\SoftwareDistribution\Downloads\97123dd72d0f61d4ed8c7a816ed338d7 both 240KB & are Application Extention ComboFix 09-08-28.04 - Administrator 29/08/2009 13:51.1.1 - FAT32x86 MINIMAL Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.511.354 [GMT 1:00] Running from: c:\documents and settings\El Tel\Desktop\Combofix\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6} WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . 
c:\program files\WinPCap c:\program files\WinPCap\daemon_mgm.exe c:\program files\WinPCap\npf_mgm.exe c:\program files\WinPCap\rpcapd.exe c:\windows\a3kebook.ini c:\windows\akebook.ini c:\windows\ANS2000.INI c:\windows\Installer\131e75.msi c:\windows\Installer\131e7f.msi c:\windows\Installer\131eb4.msi c:\windows\Installer\131ed4.msi c:\windows\Installer\131ee1.msi c:\windows\Installer\131efa.msi c:\windows\Installer\131f1b.msi c:\windows\Installer\131f25.msi c:\windows\Installer\131f52.msi c:\windows\Installer\131f63.msi c:\windows\Installer\131f6f.msi c:\windows\Installer\131f80.msi c:\windows\Installer\131f98.msi c:\windows\Installer\131fa9.msi c:\windows\Installer\131fb9.msi c:\windows\Installer\131fc3.msi c:\windows\Installer\132101.msi c:\windows\Installer\3c2a0.msi c:\windows\Installer\3ef70a.msi c:\windows\Installer\43c8df.msi c:\windows\Installer\723a9a.msi c:\windows\Installer\b5da8.msi c:\windows\patch.exe c:\windows\regedit.com c:\windows\start.exe c:\windows\system\99930137--832107.exe c:\windows\system32\2435038701.dat c:\windows\system32\drivers\npf.sys c:\windows\system32\images c:\windows\system32\images\i1.gif c:\windows\system32\images\i2.gif c:\windows\system32\images\i3.gif c:\windows\system32\images\j1.gif c:\windows\system32\images\j2.gif c:\windows\system32\images\j3.gif c:\windows\system32\images\jj1.gif c:\windows\system32\images\jj2.gif c:\windows\system32\images\jj3.gif c:\windows\system32\images\l1.gif c:\windows\system32\images\l2.gif c:\windows\system32\images\l3.gif c:\windows\system32\images\pix.gif c:\windows\system32\images\t1.gif c:\windows\system32\images\t2.gif c:\windows\system32\images\up1.gif c:\windows\system32\images\up2.gif c:\windows\system32\images\w1.gif c:\windows\system32\images\w11.gif c:\windows\system32\images\w2.gif c:\windows\system32\images\w3.gif c:\windows\system32\images\w3.jpg c:\windows\system32\images\wt1.gif c:\windows\system32\images\wt2.gif c:\windows\system32\images\wt3.gif c:\windows\system32\mdm.exe 
c:\windows\system32\Packet.dll c:\windows\system32\pthreadVC.dll c:\windows\system32\regsvr32.dll c:\windows\system32\twain.dll c:\windows\system32\WanPacket.dll c:\windows\system32\windows.scr c:\windows\system32\wpcap.dll c:\windows\Web\default.htt . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_FILEMON -------\Legacy_NPF -------\Service_NPF ((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 ))))))))))))))))))))))))))))))) . 2009-08-28 17:29 . 2009-08-28 17:29 -------- d-----w- C:\_OTM 2009-08-28 10:56 . 2008-06-19 16:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys 2009-08-28 10:56 . 2009-08-28 10:56 -------- d-----w- c:\program files\Panda Security 2009-08-26 21:40 . 2009-08-26 21:40 -------- d-----w- c:\program files\Common Files\Adobe AIR 2009-08-26 21:36 . 2009-08-26 21:36 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe 2009-08-26 21:35 . 2009-08-26 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2009-08-26 21:28 . 2009-08-26 21:27 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-08-26 20:34 . 2009-08-26 20:34 -------- d-----w- c:\documents and settings\El Tel\.SunDownloadManager 2009-08-22 07:33 . 2009-08-22 07:33 -------- d--h--w- c:\windows\system32\GroupPolicy 2009-08-21 07:22 . 2009-08-21 07:22 -------- d-----w- c:\windows\system32\wbem\Repository 2009-08-14 14:47 . 2009-08-14 14:47 -------- d-----w- c:\windows\ServicePackFiles 2009-08-10 12:27 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-08-10 12:27 . 2009-08-10 12:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-08-10 12:27 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-08-23 08:07 . 
2009-03-24 08:12 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-08-23 08:07 . 2009-03-24 08:11 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-08-23 08:07 . 2009-03-24 08:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-08-06 13:52 . 2008-12-24 21:04 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2009-08-05 09:11 . 2008-12-24 06:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-07-30 07:58 . 2009-07-30 07:58 -------- d-----w- c:\program files\Eusing Free Registry Cleaner 2009-07-17 18:55 . 2008-12-24 06:47 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-13 22:43 . 2008-12-24 07:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll 2009-06-25 18:36 . 2008-12-24 06:51 48640 ----a-w- c:\windows\system32\mqupgrd.dll 2009-06-25 18:36 . 2008-12-24 06:51 471552 ----a-w- c:\windows\system32\mqutil.dll 2009-06-25 18:36 . 2008-12-24 06:51 186880 ----a-w- c:\windows\system32\mqtrig.dll 2009-06-25 18:36 . 2008-12-24 06:51 95744 ----a-w- c:\windows\system32\mqsec.dll 2009-06-25 18:36 . 2008-12-24 06:51 517120 ----a-w- c:\windows\system32\mqsnap.dll 2009-06-25 18:36 . 2008-12-24 06:51 177152 ----a-w- c:\windows\system32\mqrt.dll 2009-06-25 18:36 . 2008-12-24 06:51 123392 ----a-w- c:\windows\system32\mqrtdep.dll 2009-06-25 18:36 . 2008-12-24 06:51 661504 ----a-w- c:\windows\system32\mqqm.dll 2009-06-25 18:36 . 2008-12-24 06:51 47104 ----a-w- c:\windows\system32\mqdscli.dll 2009-06-25 18:36 . 2008-12-24 06:51 225280 ----a-w- c:\windows\system32\mqoa.dll 2009-06-25 18:36 . 2008-12-24 06:51 16896 ----a-w- c:\windows\system32\mqise.dll 2009-06-25 18:36 . 2008-12-24 06:51 138240 ----a-w- c:\windows\system32\mqad.dll 2009-06-25 08:44 . 2008-12-24 06:55 59392 ----a-w- c:\windows\system32\wdigest.dll 2009-06-25 08:44 . 2008-12-24 06:54 56320 ----a-w- c:\windows\system32\secur32.dll 2009-06-25 08:44 . 
2008-12-24 06:54 168448 ----a-w- c:\windows\system32\schannel.dll 2009-06-25 08:44 . 2008-12-24 06:52 133632 ----a-w- c:\windows\system32\msv1_0.dll 2009-06-25 08:44 . 2008-12-24 06:51 724480 ----a-w- c:\windows\system32\lsasrv.dll 2009-06-25 08:44 . 2008-12-24 06:51 298496 ----a-w- c:\windows\system32\kerberos.dll 2009-06-22 11:49 . 2008-12-24 06:51 117248 ----a-w- c:\windows\system32\mqtgsvc.exe 2009-06-22 11:49 . 2008-12-24 06:51 19968 ----a-w- c:\windows\system32\mqbkup.exe 2009-06-22 11:49 . 2008-12-24 06:51 4608 ----a-w- c:\windows\system32\mqsvc.exe 2009-06-22 11:48 . 2008-12-24 06:51 91776 ----a-w- c:\windows\system32\drivers\mqac.sys 2009-06-22 11:34 . 2008-12-24 06:51 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys 2009-06-16 14:55 . 2008-12-24 06:55 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-16 14:55 . 2008-12-24 06:49 82432 ----a-w- c:\windows\system32\fontsub.dll 2009-06-12 11:50 . 2008-12-24 06:55 80896 ----a-w- c:\windows\system32\tlntsess.exe 2009-06-12 11:50 . 2008-12-24 06:55 76288 ----a-w- c:\windows\system32\telnet.exe 2009-06-10 14:21 . 2008-12-24 06:47 84992 ----a-w- c:\windows\system32\avifil32.dll 2009-06-10 06:32 . 2008-12-24 06:55 132096 ----a-w- c:\windows\system32\wkssvc.dll 2009-06-05 07:42 . 2008-12-24 07:32 655872 ----a-w- c:\windows\system32\mstscax.dll 2009-06-03 19:27 . 2008-12-24 06:53 1290752 ----a-w- c:\windows\system32\quartz.dll 2007-06-06 17:55 . 2004-05-25 00:29 123 ------w- c:\program files\craigsoftware.com.txt 2003-10-25 14:42 . 2003-10-25 14:42 23357 ---h--w- c:\program files\folder.htt 2003-07-07 14:56 . 2003-11-22 19:58 106498 ---h--w- c:\program files\sketch_2.GID 2003-03-14 20:20 . 2003-11-22 19:58 8628 ---h--w- c:\program files\sketch_1.GID 1998-10-05 16:33 . 2003-11-22 19:58 11264 ------w- c:\program files\README.WRI 1998-10-01 18:01 . 2003-11-22 19:58 16030 ------w- c:\program files\Autodesk License.txt 2008-10-01 19:47 . 
2008-10-01 19:47 67696 ------w- c:\program files\mozilla firefox\components\jar50.dll 2008-10-01 19:47 . 2008-10-01 19:47 172144 ------w- c:\program files\mozilla firefox\components\xpinstal.dll 2008-10-01 19:47 . 2008-10-01 19:47 54376 ------w- c:\program files\mozilla firefox\components\jsd3250.dll 2008-10-01 19:47 . 2008-10-01 19:47 34952 ------w- c:\program files\mozilla firefox\components\myspell.dll 2008-10-01 19:47 . 2008-10-01 19:47 46720 ------w- c:\program files\mozilla firefox\components\spellchk.dll 2009-01-18 08:15 . 2009-01-18 08:15 0 --sha-w- c:\windows\DRM\Cache\Indiv01.tmp . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MyPopupKiller"="c:\program files\MPK PopUp Stopper\mpk.exe" [2004-03-02 34816] "msnmsgr"="c:\program files\MSN Messenger\MSNMSGR.EXE" [2007-09-04 6856704] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2005-12-12 222784] "SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632] "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832] "Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-26 149280] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696] "Internet Sweeper"="c:\windows\SYSTEM32\SWEEPER.EXE" [2002-05-05 159744] "nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2006-10-22 1622016] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] 
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] c:\documents and settings\El Tel\Start Menu\Programs\Startup\ Launch K9.lnk - c:\program files\KeirNet\K9\K9.exe [2004-4-18 82944] c:\documents and settings\All Users\Start Menu\Programs\Startup\ EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE [2009-3-25 121856] Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2000-6-30 24633] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "EditLevel"= 0 (0x0) [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "EditLevel"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-23 08:07 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "msnmsgr"="c:\program files\MSN MESSENGER\MSNMSGR.EXE" /background "Lazy Mirror"=c:\documents and settings\El Tel\Application Data\Microsoft\Internet Explorer\Quick Launch\Back Up\LazyMirror.exe /START [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "PCHealth"=c:\windows\PCHealth\Support\PCHSchd.exe -s "msnmsgr"="c:\program files\MSN MESSENGER\MSNMSGR.EXE" /background "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot "WorksFUD"=c:\program files\Microsoft Works\wkfud.exe "Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled] "BullGuard Virus Shield"=c:\program files\BullGuard\\vsserv.exe "SafeSearch"=c:\program files\primesoft\safesearch\safesearch.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys] "Prolific_PLUtil"=c:\program 
files\Prolific\USB Flash Disk Utility\PLBkMon.exe "HidMonitor"=c:\windows\EICON.exe "WinPatrol"=c:\program files\BILLP STUDIOS\WINPATROL\winpatrol.exe "MyPopupKiller"=c:\program files\MPK PopUp Stopper\mpk.exe "SmcService"=c:\progra~1\SYGATE\SPF\SMC.EXE -startgui "Internet Sweeper"=c:\windows\SYSTEM32\SWEEPER.EXE /Q [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-] "StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\Messenger\\MSMSGS.EXE"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= "c:\\WINDOWS\\System32\\mmc.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009 R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [05/02/2009 16:10 64160] R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [28/08/2009 11:56 28544] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [24/03/2009 09:11 335240] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [24/03/2009 09:12 108552] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [22/12/2008 11:06 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [22/12/2008 11:05 55024] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [24/03/2009 09:11 297752] R2 ntrconnect;NTRconnect;c:\program files\NTR global\NTRconnect\NTRconnect.exe [29/10/2008 14:00 89600] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 21:34 951632] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [22/12/2008 11:06 7408] 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B256A5D-3BD2-8EC1-5CD2-0BBA7CAC3BCA}]
c:\windows\SYSTEM\mshost.exe 2

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2009-08-29 c:\windows\Tasks\Launch K9.job
- c:\progra~1\KeirNet\K9\K9.exe [2004-04-18 18:43]

2009-08-29 c:\windows\Tasks\User_Feed_Synchronization-{58F7E83D-EB8E-457A-A50C-3D9B0C6FB918}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 01:01]

2009-08-29 c:\windows\Tasks\SpeedFan.job
- c:\progra~1\SpeedFan\speedfan.exe [2008-04-22 06:59]

2009-08-29 c:\windows\Tasks\System Restore.job
- c:\windows\SYSTEM32\Restore\rstrui.exe [2008-12-24 11:00]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)

.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyServer = http=62.254.0.48:8080
uInternet Settings,ProxyOverride = hxxp://www.PicturesInPastels.co.uk;localhost
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: classicgolddigital.com\www
Trusted Zone: download.com\www
Trusted Zone: ebay.co.uk\listings
Trusted Zone: forumfriendz.com\www
Trusted Zone: forums4free.net\www
Trusted Zone: free.fr\larg1
Trusted Zone: freevirtualservers.com\*.drive
Trusted Zone: gabbly.com
Trusted Zone: gamerzforum.net\www
Trusted Zone: grisoft.com\free
Trusted Zone: grisoft.cz\forum
Trusted Zone: grumbletext.co.uk\www
Trusted Zone: ibforums.com\pcpitstop
Trusted Zone: keir.net
Trusted Zone: lavasoftsupport.com
Trusted Zone: msn.com\groups
Trusted Zone: national-lottery.co.uk\www
Trusted Zone: pbwiki.com\freewarewiki
Trusted Zone: royalmail.com\www
Trusted Zone: sygate.com\forums
Trusted Zone: thisisnottingham.co.uk\www
Trusted Zone: topfreeforum.com\www
Trusted Zone: viking-direct.co.uk\www
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Win32 Classes
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 14:03
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2592)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\SSSensor.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\smc.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\snmp.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\SPEEDFAN\SPEEDFAN.EXE
c:\windows\system32\devldr32.exe
c:\program files\Virgin Broadband Wireless\ndis_events.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-08-29 14:08 - machine was rebooted [El Tel]
ComboFix-quarantined-files.txt 2009-08-29 13:07

Pre-Run: 21,800,845,312 bytes free
Post-Run: 21,135,294,464 bytes free

370 --- E O F --- 2009-08-27 05:38

................................................................................................
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:51:40, on 29/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NTR global\NTRconnect\NTRconnect.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\SpeedFan\speedfan.exe
C:\PROGRA~1\KeirNet\K9\K9.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\SYSTEM32\SWEEPER.EXE
C:\Program Files\MPK PopUp Stopper\mpk.exe
C:\Program Files\MSN Messenger\MSNMSGR.EXE
C:\Program Files\Virgin Broadband Wireless\ndis_events.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Desktop\HiJack This V2\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=62.254.0.48:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://www.PicturesInPastels.co.uk;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Wireless Manager] "C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [internet Sweeper] C:\WINDOWS\SYSTEM32\SWEEPER.EXE /Q
O4 - HKCU\..\Run: [MyPopupKiller] C:\Program Files\MPK PopUp Stopper\mpk.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Launch K9.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O15 - Trusted Zone: http://www.classicgolddigital.com
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: http://listings.ebay.co.uk
O15 - Trusted Zone: http://www.forumfriendz.com
O15 - Trusted Zone: http://larg1.free.fr
O15 - Trusted Zone: http://*.drive.freevirtualservers.com
O15 - Trusted Zone: http://*.gabbly.com
O15 - Trusted Zone: http://www.gamerzforum.net
O15 - Trusted Zone: http://free.grisoft.com
O15 - Trusted Zone: http://forum.grisoft.cz
O15 - Trusted Zone: http://www.grumbletext.co.uk
O15 - Trusted Zone: http://pcpitstop.ibforums.com
O15 - Trusted Zone: http://*.keir.net
O15 - Trusted Zone: http://*.lavasoftsupport.com
O15 - Trusted Zone: http://groups.msn.com
O15 - Trusted Zone: http://freewarewiki.pbwiki.com
O15 - Trusted Zone: http://www.royalmail.com
O15 - Trusted Zone: http://forums.sygate.com
O15 - Trusted Zone: http://www.thisisnottingham.co.uk
O15 - Trusted Zone: http://www.topfreeforum.com
O16 - DPF: Win32 Classes -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - https://www.ntrconnect.com/main/mod/setup/n...tivex118_24.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NTRconnect (ntrconnect) - NTRglobal - C:\Program Files\NTR global\NTRconnect\NTRconnect.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

-- End of file - 8394 bytes

Regards El Tel
14. Hi Juliet

I was one step ahead of you there; I had already used VirusTotal on that "mswsock32.dll" thingy out of curiosity.

All processes killed
========== FILES ==========
c:\windows\downloaded program files\WinadX.inf moved successfully.
c:\program files\common files\BTLINK moved successfully.
c:\windows\downloaded program files\WUInst.inf moved successfully.
========== REGISTRY ==========
Registry key hkey_current_user\software\infospace\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{669695BC-A811-4A9D-8CDF-BA8C795F261C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{669695BC-A811-4A9D-8CDF-BA8C795F261C}\ not found.
Registry key hkey_current_user\software\dynamic toolbar\ not found.
Registry key hkey_classes_root\protocols\name-space handler\res\ not found.
Registry key hkey_local_machine\software\classes\protocols\name-space handler\res\ deleted successfully.
Registry key hkey_local_machine\software\winad client\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{4358161B-A4B8-498E-8019-3DAB50DFD578}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4358161B-A4B8-498E-8019-3DAB50DFD578}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{068C36CF-483E-4CA8-A7F2-10EFFDA49C45}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{068C36CF-483E-4CA8-A7F2-10EFFDA49C45}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: El Tel
File delete failed. C:\Documents and Settings\El Tel\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 59638337 bytes
->Java cache emptied: 13671192 bytes
->FireFox cache emptied: 21786623 bytes

User: NetworkService
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: Administrator
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 43757304 bytes
Windows Temp folder emptied: 114688 bytes
Session Manager Temp folder emptied: 0 bytes
Session Manager Tmp folder emptied: 0 bytes
RecycleBin emptied: 128905987 bytes

Total Files Cleaned = 255.53 mb

OTM by OldTimer - Version 3.0.0.6 log created on 08282009_182919

Files moved on Reboot...
Registry entries deleted on Reboot...

....................................................................................

File mswsock32.dll received on 2009.08.28 07:36:26 (UTC)
Result: 13/41 (31.71%)
Antivirus / Version / Last Update / Result
a-squared 4.5.0.24 2009.08.28 Trojan.Win32.Agent!IK
AhnLab-V3 5.0.0.2 2009.08.27 -
AntiVir 7.9.1.7 2009.08.27 TR/Agent.aykf.1
Antiy-AVL 2.0.3.7 2009.08.24 -
Authentium 5.1.2.4 2009.08.28 -
Avast 4.8.1335.0 2009.08.27 -
AVG 8.5.0.406 2009.08.27 -
BitDefender 7.2 2009.08.28 -
CAT-QuickHeal 10.00 2009.08.27 -
ClamAV 0.94.1 2009.08.28 -
Comodo 2114 2009.08.28 -
DrWeb 5.0.0.12182 2009.08.28 -
eSafe 7.0.17.0 2009.08.27 -
eTrust-Vet 31.6.6705 2009.08.27 -
F-Prot 4.5.1.85 2009.08.27 -
F-Secure 8.0.14470.0 2009.08.28 Trojan.Win32.Agent.aykf
Fortinet 3.120.0.0 2009.08.28 W32/Agent.AYKF!tr
GData 19 2009.08.28 -
Ikarus T3.1.1.68.0 2009.08.28 Trojan.Win32.Agent
Jiangmin 11.0.800 2009.08.28 -
K7AntiVirus 7.10.829 2009.08.27 -
Kaspersky 7.0.0.125 2009.08.28 Trojan.Win32.Agent.aykf
McAfee 5722 2009.08.27 -
McAfee+Artemis 5722 2009.08.27 -
McAfee-GW-Edition 6.8.5 2009.08.28 Trojan.Agent.aykf.1
Microsoft 1.5005 2009.08.28 -
NOD32 4375 2009.08.28 -
Norman 2009.08.27 -
nProtect 2009.1.8.0 2009.08.27 Trojan/W32.Agent.61440.LJ
Panda 10.0.2.2 2009.08.28 Trj/Downloader.MDW
PCTools 4.4.2.0 2009.08.27 -
Prevx 3.0 2009.08.28 Medium Risk Malware
Rising 21.44.11.00 2009.08.25 Trojan.Win32.Nodef.jdh
Sophos 4.45.0 2009.08.28 -
Sunbelt 3.2.1858.2 2009.08.27 Trojan.Win32.Generic!BT
Symantec 1.4.4.12 2009.08.28 -
TheHacker 6.3.4.3.389 2009.08.27 -
TrendMicro 8.950.0.1094 2009.08.28 -
VBA32 3.12.10.10 2009.08.28 Trojan.Win32.Agent.aykf
ViRobot 2009.8.28.1906 2009.08.28 -
VirusBuster 4.6.5.0 2009.08.27 -

Additional information
File size: 61440 bytes
MD5...: 809e6fcd17dbbf1b2204c486f6feac2b
SHA1..: ea70aba12a234928109b010221b32d298ece074a
SHA256: 2faf41950bd213d574a8c6d327f21c36937d7dac314bea12bd29ba6e4cdb4fed
ssdeep: 768:lLp2hEfixYvI8ieRiQNXsgoIhhFsXl+Z3LodVyLvaFA4DCPobLqw:D2h+IbeRTXcIhh21+5umaG4OPobG
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xa9fd
timedatestamp.....: 0x4a115428 (Mon May 18 12:27:20 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2000 0xbbc5 0xbc00 6.20 7163005c34323a429e2ab90c05f2f331
.data 0xe000 0x6154 0x200 0.24 312651a6f76490d97aff95c683a68247
.CRT 0x16000 0x8 0x200 0.12 5206eb093d8b673bef241bce3ac620fe
.rsrc 0x18000 0x20e0 0x2200 7.58 2c977d2797f6ca1f2de5afbc6fb54b2c
.reloc 0x1c000 0x8da 0xa00 5.47 d6e11d15dbf38df910254287080834e4

( 10 imports )
> WS2_32.dll: -, -, -, -, -, -, -, WSAEventSelect, -, -
> KERNEL32.dll: HeapFree, WaitForSingleObject, SetEvent, GetProcessHeap, ExpandEnvironmentStringsA, WriteFile, InitializeCriticalSection, WideCharToMultiByte, Sleep, SizeofResource, CreateEventA, LeaveCriticalSection, lstrcpynW, ReadFile, GetSystemDirectoryA, lstrcatA, MultiByteToWideChar, lstrlenW, FindFirstFileA, InterlockedIncrement, SetLastError, GetProcAddress, EnterCriticalSection, FindClose, GetPrivateProfileStringA, GetLocalTime, LoadLibraryA, GetCurrentProcess, LockResource, WaitForMultipleObjects, GetModuleFileNameA, FindNextFileA, GetModuleHandleA, lstrcatW, CreateMutexA, DeleteCriticalSection, GetCurrentThreadId, RtlUnwind, CloseHandle, LocalFree, lstrcpyW, DeleteFileA, CreateThread, lstrcpyA, HeapAlloc, LoadResource, FreeLibrary, lstrcpynA, lstrlenA, SetFilePointer, lstrcmpA, FindResourceA, GetFileSize, CreateFileA, OpenMutexA, InterlockedDecrement, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetLastError, ReleaseMutex
> ADVAPI32.dll: CryptDestroyHash, RegEnumValueW, RegEnumValueA, CryptCreateHash, RegDeleteValueA, RegOpenKeyExA, CryptAcquireContextA, CryptHashData, RegCloseKey, AdjustTokenPrivileges, RegCreateKeyExA, LookupPrivilegeValueA, RegEnumKeyExA, RegDeleteKeyA, RegQueryValueExW, CryptReleaseContext, RegQueryValueExA, RegSetValueExA, OpenProcessToken, CryptGetHashParam, RegOpenKeyExW
> USER32.dll: SetTimer, GetMessageA, CharLowerA, wsprintfA, CharLowerW, wsprintfW, IsCharAlphaNumericA, DispatchMessageA
> ole32.dll: CoInitialize, CoUninitialize, CoCreateInstance
> OLEAUT32.dll: -, -, -, -
> SHLWAPI.dll: StrStrA
> SHELL32.dll: ShellExecuteA
> urlmon.dll: URLDownloadToFileA
> CRYPT32.dll: CryptUnprotectData

( 1 exports )
NSPStartup

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

http://info.prevx.com/aboutprogramtext.asp?PX5=75D1A4B100F5A5F7F04D00F50A1D94008D411DC6

Regards El Tel
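The VirusTotal report in the post above tells you more through its import table and section entropies than through the bare 13/41 detection count: URLDownloadToFileA together with ShellExecuteA is the fetch-and-run pattern behind Panda's Trj/Downloader.MDW name, CryptUnprotectData is the DPAPI call used to read protected secrets such as saved browser credentials, AdjustTokenPrivileges with OpenProcessToken is privilege manipulation, and the 7.58 bits/byte of .rsrc is typical of compressed or encrypted data. The exported NSPStartup is also what makes a DLL loadable as a Winsock namespace provider. Here is an added example, not from the thread and not VirusTotal's code, that turns that reading into a small triage script. The capability table, the entropy threshold and the verdict rule are the example's own heuristics; the import, section and export data are copied from the report above and embedded as constructed input so it runs offline.

```python
"""Import-table and entropy triage for a suspect DLL.

Added example, not part of the forum post or of any tool it mentions. The
capability map and thresholds are this example's own heuristics; the import
names, section entropies and export name are copied from the VirusTotal
report for mswsock32.dll above, and the byte strings fed to shannon_entropy()
in __main__ are constructed here.
"""
import math
import os
from collections import Counter

# Constructed from the "( 10 imports )", "( 5 sections )" and "( 1 exports )"
# blocks of the report (only the imports the heuristics care about are kept).
MSWSOCK32_IMPORTS = {
    "WS2_32.dll": ["WSAEventSelect"],
    "KERNEL32.dll": ["IsDebuggerPresent", "CreateMutexA", "OpenMutexA",
                     "GetSystemDirectoryA", "WriteFile", "DeleteFileA",
                     "FindFirstFileA", "CreateThread", "ExpandEnvironmentStringsA"],
    "ADVAPI32.dll": ["AdjustTokenPrivileges", "LookupPrivilegeValueA",
                     "OpenProcessToken", "RegSetValueExA", "RegCreateKeyExA",
                     "RegDeleteKeyA", "CryptAcquireContextA", "CryptHashData"],
    "urlmon.dll": ["URLDownloadToFileA"],
    "SHELL32.dll": ["ShellExecuteA"],
    "CRYPT32.dll": ["CryptUnprotectData"],
}
MSWSOCK32_SECTIONS = {".text": 6.20, ".data": 0.24, ".CRT": 0.12,
                      ".rsrc": 7.58, ".reloc": 5.47}
MSWSOCK32_EXPORTS = ["NSPStartup"]

# Heuristic capability map (this example's own, not a vendor signature).
CAPABILITIES = {
    "download-and-run": {"URLDownloadToFileA", "ShellExecuteA"},
    "privilege-manipulation": {"AdjustTokenPrivileges", "LookupPrivilegeValueA", "OpenProcessToken"},
    "credential-theft": {"CryptUnprotectData"},
    "registry-persistence": {"RegSetValueExA", "RegCreateKeyExA"},
    "anti-debug": {"IsDebuggerPresent"},
    "single-instance-mutex": {"CreateMutexA", "OpenMutexA"},
}

HIGH_ENTROPY = 7.2  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the same quantity VirusTotal prints in the 'ntrpy' column."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def matched_capabilities(imports: dict) -> dict:
    """Map each capability to the imported functions that provide it (sorted)."""
    flat = {fn for fns in imports.values() for fn in fns}
    return {cap: sorted(flat & fns) for cap, fns in CAPABILITIES.items() if flat & fns}


def high_entropy_sections(sections: dict, threshold: float = HIGH_ENTROPY) -> list:
    """Names of sections whose entropy is at or above the threshold."""
    return [name for name, e in sections.items() if e >= threshold]


def triage(imports: dict, sections: dict, exports: list) -> dict:
    """Combine the indicators; 'suspicious' once two or more of them coincide."""
    caps = matched_capabilities(imports)
    findings = {
        "capabilities": caps,
        "high_entropy_sections": high_entropy_sections(sections),
        # NSPStartup is the entry point Winsock calls for a namespace provider,
        # so a DLL exporting it gets loaded into every process that uses sockets.
        "winsock_nsp": "NSPStartup" in exports,
    }
    indicators = len(caps) + len(findings["high_entropy_sections"]) + int(findings["winsock_nsp"])
    findings["verdict"] = "suspicious" if indicators >= 2 else "unremarkable"
    return findings


if __name__ == "__main__":
    for key, value in triage(MSWSOCK32_IMPORTS, MSWSOCK32_SECTIONS, MSWSOCK32_EXPORTS).items():
        print(f"{key}: {value}")
    # Constructed inputs: a repetitive buffer versus random bytes.
    print("entropy(repetitive) =", round(shannon_entropy(b"AAAAAAAAAAAAAAAA" * 64), 2))
    print("entropy(random)     =", round(shannon_entropy(os.urandom(4096)), 2))
```

The point of the script is the combination rule: any one of these indicators (a mutex, a registry write, even URLDownloadToFileA) is common in legitimate software, so a single hit stays "unremarkable", while a system32 DLL that downloads and launches files, reads DPAPI secrets, adjusts token privileges and carries a high-entropy resource section is worth quarantining before the vendors catch up.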
15. Hi Juliet

It is hard to say exactly which bits are better. My PC looks to start up better, and pages appear quicker.

Something I have observed in Task Manager, immediately after start up and before I start using my PC, is that I could have three different "Explorers", as they appear: "explorer.exe", "Explorer.EXE 15,428k" and "EXPLORER.exe". The one with the file size is what is running now; I will take a note of the next one after this post, when I shut down, to see which one loads next time.

;*******************************************************************************
ANALYSIS: 2009-08-28 12:45:24
PROTECTIONS: 1
MALWARE: 9
SUSPECTS: 1
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
AVG Anti-Virus Free 8.5 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00027660 adware/savenow Adware No 0 Yes No c:\windows\downloaded program files\wuinst.inf
00032859 dialer.ix Dialers No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{068C36CF-483E-4CA8-A7F2-10EFFDA49C45}
00032859 dialer.ix Dialers No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{4358161B-A4B8-498E-8019-3DAB50DFD578}
00034463 adware/wupd Adware No 0 Yes No hkey_local_machine\software\winad client
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\software\classes\protocols\name-space handler\res
00040415 adware/wintools Adware No 0 Yes No hkey_classes_root\protocols\name-space handler\res
00040415 adware/wintools Adware No 0 Yes No c:\program files\common files\btlink
00041912 adware/toprebates Adware No 0 Yes No c:\windows\downloaded program files\winadx.inf
00096188 spyware/searchcentrix Spyware No 1 Yes No hkey_current_user\software\dynamic toolbar
00135099 adware/powerstrip Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{669695BC-A811-4A9D-8CDF-BA8C795F261C}
00269134 spyware/dogpile Spyware No 1 Yes No hkey_current_user\software\infospace
02531831 Trj/Downloader.MDW Virus/Trojan Yes 2 Yes No C:\WINDOWS\system32\mswsock32.dll
;===============================================================================
SUSPECTS
Sent Location U
;===============================================================================
No C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe U
;===============================================================================
VULNERABILITIES
Id Severity Description U
;===============================================================================
210618 HIGH MS09-019 U
129976 MEDIUM MS06-052 U
;===============================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:15:39, on 28/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\SpeedFan\speedfan.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NTR global\NTRconnect\NTRconnect.exe
C:\PROGRA~1\KeirNet\K9\K9.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SYSTEM32\SWEEPER.EXE
C:\Program Files\MPK PopUp Stopper\mpk.exe
C:\Program Files\MSN Messenger\MSNMSGR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Virgin Broadband Wireless\ndis_events.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Desktop\HiJack This V2\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=62.254.0.48:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://www.PicturesInPastels.co.uk;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Wireless Manager] "C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [internet Sweeper] C:\WINDOWS\SYSTEM32\SWEEPER.EXE /Q
O4 - HKCU\..\Run: [MyPopupKiller] C:\Program Files\MPK PopUp Stopper\mpk.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Launch K9.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O15 - Trusted Zone: http://www.classicgolddigital.com
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: http://listings.ebay.co.uk
O15 - Trusted Zone: http://www.forumfriendz.com
O15 - Trusted Zone: http://larg1.free.fr
O15 - Trusted Zone: http://*.drive.freevirtualservers.com
O15 - Trusted Zone: http://*.gabbly.com
O15 - Trusted Zone: http://www.gamerzforum.net
O15 - Trusted Zone: http://free.grisoft.com
O15 - Trusted Zone: http://forum.grisoft.cz
O15 - Trusted Zone: http://www.grumbletext.co.uk
O15 - Trusted Zone: http://pcpitstop.ibforums.com
O15 - Trusted Zone: http://*.keir.net
O15 - Trusted Zone: http://*.lavasoftsupport.com
O15 - Trusted Zone: http://groups.msn.com
O15 - Trusted Zone: http://freewarewiki.pbwiki.com
O15 - Trusted Zone: http://www.royalmail.com
O15 - Trusted Zone: http://forums.sygate.com
O15 - Trusted Zone: http://www.thisisnottingham.co.uk
O15 - Trusted Zone: http://www.topfreeforum.com
O16 - DPF: Win32 Classes -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - https://www.ntrconnect.com/main/mod/setup/ntractivex118_24.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NTRconnect (ntrconnect) - NTRglobal - C:\Program Files\NTR global\NTRconnect\NTRconnect.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

-- End of file - 8875 bytes

Regards El Tel
  16. Hi Juliet

Wow, that kept me out of trouble. I hope this information is more help to you; it reads like the book "War & Peace". I'll attempt the "Outlook Express" when we have sorted the other bits out...

http://www.virustotal.com/analisis/9d34769...1274-1251301139

File ntoskrnl.exe received on 2009.08.26 15:38:59 (UTC)
Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.26 -
AhnLab-V3 5.0.0.2 2009.08.26 -
AntiVir 7.9.1.7 2009.08.26 -
Antiy-AVL 2.0.3.7 2009.08.24 -
Authentium 5.1.2.4 2009.08.26 -
Avast 4.8.1335.0 2009.08.26 -
AVG 8.5.0.406 2009.08.25 -
BitDefender 7.2 2009.08.26 -
CAT-QuickHeal 10.00 2009.08.25 -
ClamAV 0.94.1 2009.08.26 -
Comodo 2102 2009.08.26 -
DrWeb 5.0.0.12182 2009.08.26 -
eSafe 7.0.17.0 2009.08.26 -
eTrust-Vet None 2009.08.26 -
F-Prot 4.5.1.85 2009.08.25 -
F-Secure 8.0.14470.0 2009.08.26 -
Fortinet 3.120.0.0 2009.08.26 -
GData 19 2009.08.26 -
Ikarus T3.1.1.68.0 2009.08.26 -
Jiangmin 11.0.800 2009.08.26 -
K7AntiVirus 7.10.827 2009.08.25 -
Kaspersky 7.0.0.125 2009.08.26 -
McAfee 5720 2009.08.25 -
McAfee+Artemis 5720 2009.08.25 -
McAfee-GW-Edition 6.8.5 2009.08.26 -
Microsoft 1.4903 2009.08.26 -
NOD32 4369 2009.08.26 -
Norman 2009.08.26 -
nProtect 2009.1.8.0 2009.08.26 -
Panda 10.0.2.2 2009.08.26 -
PCTools 4.4.2.0 2009.08.26 -
Prevx 3.0 2009.08.26 -
Rising 21.44.11.00 2009.08.25 -
Sophos 4.44.0 2009.08.26 -
Sunbelt 3.2.1858.2 2009.08.25 -
Symantec 1.4.4.12 2009.08.26 -
TheHacker 6.3.4.3.388 2009.08.25 -
TrendMicro 8.950.0.1094 2009.08.26 -
VBA32 3.12.10.10 2009.08.26 -
ViRobot 2009.8.26.1903 2009.08.26 -
VirusBuster 4.6.5.0 2009.08.26 -

Additional information
File size: 2180480 bytes
MD5...: facebb0ca3154f77009cdfee78a00bbb
SHA1..: 07af038dd77d1b1b219f1a56f348ce12917158a9
SHA256: 9d34769e7fee6e0e0245d4a3dd2a4e540430f18b9caa8a6d28e3636a549b1274
ssdeep: 24576:XIhP5mGsSfIT4zo2G3F6p+3sewzHsRLhEfmIctDQFXHea+NVXC0jMyR5+xkDDV75:4t5mMo283twnoN1j54evludi7rc
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1d56ce
timedatestamp.....: 0x498c7241 (Fri Feb 06 17:24:17 2009)
machinetype.......: 0x14c (I386)

( 21 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x580 0x71a01 0x71a80 6.62 b95a52e9f1c4c819415e0def819bce77
POOLMI 0x72000 0x12b3 0x1300 6.32 ffce6a76ba7af3969bb7ebde7a822812
MISYSPTE 0x73300 0x700 0x700 6.28 10a155b223fdcc0a87805d6826c91bfa
POOLCODE 0x73a00 0x15a0 0x1600 6.41 f8e223ee5d9a37d1a0dd8c66524bfe94
.data 0x75000 0x16ca0 0x16d00 0.46 b7e9485e85b10c2bc7d153001c5fca6f
PAGE 0x8bd00 0xf8e84 0xf8f00 6.65 4a3b5038ee6f6890666599de0579e475
PAGELK 0x184c00 0xe359 0xe380 6.72 adc4ba4b2b0c3814f3b4a37af2333fcb
PAGEVRFY 0x192f80 0xf1cd 0xf200 6.69 4b451d46fe4518a589f736be31b9fa54
PAGEWMI 0x1a2180 0x17fd 0x1800 6.48 33362367cfb58d866800d1baff86b92c
PAGEKD 0x1a3980 0x4052 0x4080 6.50 50bafe38223d132fa6aeac5fb7211d33
PAGESPEC 0x1a7a00 0xc43 0xc80 6.32 0b76a64ee7a124a9cad76d966a9b9e06
PAGEHDLS 0x1a8680 0x1dd8 0x1e00 6.26 67f9d5587e2632488652fa02887ffd64
.edata 0x1aa480 0xb55d 0xb580 6.02 236d3b967c64a9fe89026c1dce209020
PAGEDATA 0x1b5a00 0x1558 0x1580 2.72 d227f7662c449a4ec6d138191e5a46bf
PAGEKD 0x1b6f80 0xc021 0xc080 0.00 6b21067ca0b28f26a1250999b7289fce
PAGECONS 0x1c3000 0x18c 0x200 2.24 0cd998720649132167911c823555b81b
PAGEVRFC 0x1c3200 0x3449 0x3480 5.25 bbf1cec10c9e66265a4e5403c43791ba
PAGEVRFD 0x1c6680 0x648 0x680 2.74 2bfe9bd6c5d22ee3bb2acd11bf0b9c87
INIT 0x1c6d00 0x2d728 0x2d780 6.52 22c8c9907af16449ba6151e17d2c1de6
.rsrc 0x1f4480 0x10708 0x10780 5.30 540691c6dd6bcb4921869f038b2c8334
.reloc 0x204c00 0xf958 0xf980 6.79 596bf2d50cdd3370975e55a02645836d

( 3 imports )
> BOOTVID.dll: VidInitialize, VidDisplayString, VidSetTextColor, VidSolidColorFill, VidBitBlt, VidBufferToScreenBlt, VidScreenToBufferBlt, VidResetDisplay, VidCleanUp, VidSetScrollRegion
> HAL.dll: HalReportResourceUsage, HalAllProcessorsStarted, HalQueryRealTimeClock, HalAllocateAdapterChannel, KeStallExecutionProcessor, HalTranslateBusAddress, KfReleaseSpinLock, KfAcquireSpinLock, HalGetBusDataByOffset, HalSetBusDataByOffset, KeQueryPerformanceCounter, HalReturnToFirmware, READ_PORT_UCHAR, READ_PORT_USHORT, READ_PORT_ULONG, WRITE_PORT_UCHAR, WRITE_PORT_USHORT, WRITE_PORT_ULONG, HalInitializeProcessor, HalCalibratePerformanceCounter, HalSetRealTimeClock, HalHandleNMI, HalBeginSystemInterrupt,
HalEndSystemInterrupt, KeRaiseIrqlToSynchLevel, KeAcquireInStackQueuedSpinLockRaiseToSynch, HalInitSystem, HalDisableSystemInterrupt, HalEnableSystemInterrupt, KeRaiseIrql, KeLowerIrql, HalClearSoftwareInterrupt, KeReleaseSpinLock, KeAcquireSpinLock, ExTryToAcquireFastMutex, KeAcquireSpinLockRaiseToSynch, KeFlushWriteBuffer, HalProcessorIdle, HalReadDmaCounter, IoMapTransfer, IoFreeMapRegisters, IoFreeAdapterChannel, IoFlushAdapterBuffers, HalFreeCommonBuffer, HalAllocateCommonBuffer, HalAllocateCrashDumpRegisters, HalGetAdapter, HalSetTimeIncrement, HalGetEnvironmentVariable, HalSetEnvironmentVariable, KfRaiseIrql, HalGetInterruptVector, KeGetCurrentIrql, HalRequestSoftwareInterrupt, KeAcquireInStackQueuedSpinLock, KeReleaseInStackQueuedSpinLock, ExAcquireFastMutex, ExReleaseFastMutex, KeRaiseIrqlToDpcLevel, HalSystemVectorDispatchEntry, KfLowerIrql, HalStartProfileInterrupt, HalSetProfileInterval, HalStopProfileInterrupt > KDCOM.dll: KdD0Transition, KdD3Transition, KdRestore, KdReceivePacket, KdDebuggerInitialize0, KdSave, KdDebuggerInitialize1, KdSendPacket ( 1485 exports ) CcCanIWrite, CcCopyRead, CcCopyWrite, CcDeferWrite, CcFastCopyRead, CcFastCopyWrite, CcFastMdlReadWait, CcFastReadNotPossible, CcFastReadWait, CcFlushCache, CcGetDirtyPages, CcGetFileObjectFromBcb, CcGetFileObjectFromSectionPtrs, CcGetFlushedValidData, CcGetLsnForFileObject, CcInitializeCacheMap, CcIsThereDirtyData, CcMapData, CcMdlRead, CcMdlReadComplete, CcMdlWriteAbort, CcMdlWriteComplete, CcPinMappedData, CcPinRead, CcPrepareMdlWrite, CcPreparePinWrite, CcPurgeCacheSection, CcRemapBcb, CcRepinBcb, CcScheduleReadAhead, CcSetAdditionalCacheAttributes, CcSetBcbOwnerPointer, CcSetDirtyPageThreshold, CcSetDirtyPinnedData, CcSetFileSizes, CcSetLogHandleForFile, CcSetReadAheadGranularity, CcUninitializeCacheMap, CcUnpinData, CcUnpinDataForThread, CcUnpinRepinnedBcb, CcWaitForCurrentLazyWriterActivity, CcZeroData, CmRegisterCallback, CmUnRegisterCallback, DbgBreakPoint, DbgBreakPointWithStatus, 
DbgLoadImageSymbols, DbgPrint, DbgPrintEx, DbgPrintReturnControlC, DbgPrompt, DbgQueryDebugFilterState, DbgSetDebugFilterState, ExAcquireFastMutexUnsafe, ExAcquireResourceExclusiveLite, ExAcquireResourceSharedLite, ExAcquireRundownProtection, ExAcquireRundownProtectionEx, ExAcquireSharedStarveExclusive, ExAcquireSharedWaitForExclusive, ExAllocateFromPagedLookasideList, ExAllocatePool, ExAllocatePoolWithQuota, ExAllocatePoolWithQuotaTag, ExAllocatePoolWithTag, ExAllocatePoolWithTagPriority, ExConvertExclusiveToSharedLite, ExCreateCallback, ExDeleteNPagedLookasideList, ExDeletePagedLookasideList, ExDeleteResourceLite, ExDesktopObjectType, ExDisableResourceBoostLite, ExEnumHandleTable, ExEventObjectType, ExExtendZone, ExFreePool, ExFreePoolWithTag, ExFreeToPagedLookasideList, ExGetCurrentProcessorCounts, ExGetCurrentProcessorCpuUsage, ExGetExclusiveWaiterCount, ExGetPreviousMode, ExGetSharedWaiterCount, ExInitializeNPagedLookasideList, ExInitializePagedLookasideList, ExInitializeResourceLite, ExInitializeRundownProtection, ExInitializeZone, ExInterlockedAddLargeInteger, ExInterlockedAddLargeStatistic, ExInterlockedAddUlong, ExInterlockedCompareExchange64, ExInterlockedDecrementLong, ExInterlockedExchangeUlong, ExInterlockedExtendZone, ExInterlockedFlushSList, ExInterlockedIncrementLong, ExInterlockedInsertHeadList, ExInterlockedInsertTailList, ExInterlockedPopEntryList, ExInterlockedPopEntrySList, ExInterlockedPushEntryList, ExInterlockedPushEntrySList, ExInterlockedRemoveHeadList, ExIsProcessorFeaturePresent, ExIsResourceAcquiredExclusiveLite, ExIsResourceAcquiredSharedLite, ExLocalTimeToSystemTime, ExNotifyCallback, ExQueryPoolBlockSize, ExQueueWorkItem, ExRaiseAccessViolation, ExRaiseDatatypeMisalignment, ExRaiseException, ExRaiseHardError, ExRaiseStatus, ExReInitializeRundownProtection, ExRegisterCallback, ExReinitializeResourceLite, ExReleaseFastMutexUnsafe, ExReleaseResourceForThreadLite, ExReleaseResourceLite, ExReleaseRundownProtection, 
ExReleaseRundownProtectionEx, ExRundownCompleted, ExSemaphoreObjectType, ExSetResourceOwnerPointer, ExSetTimerResolution, ExSystemExceptionFilter, ExSystemTimeToLocalTime, ExUnregisterCallback, ExUuidCreate, ExVerifySuite, ExWaitForRundownProtectionRelease, ExWindowStationObjectType, ExfAcquirePushLockExclusive, ExfAcquirePushLockShared, ExfInterlockedAddUlong, ExfInterlockedCompareExchange64, ExfInterlockedInsertHeadList, ExfInterlockedInsertTailList, ExfInterlockedPopEntryList, ExfInterlockedPushEntryList, ExfInterlockedRemoveHeadList, ExfReleasePushLock, Exfi386InterlockedDecrementLong, Exfi386InterlockedExchangeUlong, Exfi386InterlockedIncrementLong, Exi386InterlockedDecrementLong, Exi386InterlockedExchangeUlong, Exi386InterlockedIncrementLong, FsRtlAcquireFileExclusive, FsRtlAddLargeMcbEntry, FsRtlAddMcbEntry, FsRtlAddToTunnelCache, FsRtlAllocateFileLock, FsRtlAllocatePool, FsRtlAllocatePoolWithQuota, FsRtlAllocatePoolWithQuotaTag, FsRtlAllocatePoolWithTag, FsRtlAllocateResource, FsRtlAreNamesEqual, FsRtlBalanceReads, FsRtlCheckLockForReadAccess, FsRtlCheckLockForWriteAccess, FsRtlCheckOplock, FsRtlCopyRead, FsRtlCopyWrite, FsRtlCreateSectionForDataScan, FsRtlCurrentBatchOplock, FsRtlDeleteKeyFromTunnelCache, FsRtlDeleteTunnelCache, FsRtlDeregisterUncProvider, FsRtlDissectDbcs, FsRtlDissectName, FsRtlDoesDbcsContainWildCards, FsRtlDoesNameContainWildCards, FsRtlFastCheckLockForRead, FsRtlFastCheckLockForWrite, FsRtlFastUnlockAll, FsRtlFastUnlockAllByKey, FsRtlFastUnlockSingle, FsRtlFindInTunnelCache, FsRtlFreeFileLock, FsRtlGetFileSize, FsRtlGetNextFileLock, FsRtlGetNextLargeMcbEntry, FsRtlGetNextMcbEntry, FsRtlIncrementCcFastReadNoWait, FsRtlIncrementCcFastReadNotPossible, FsRtlIncrementCcFastReadResourceMiss, FsRtlIncrementCcFastReadWait, FsRtlInitializeFileLock, FsRtlInitializeLargeMcb, FsRtlInitializeMcb, FsRtlInitializeOplock, FsRtlInitializeTunnelCache, FsRtlInsertPerFileObjectContext, FsRtlInsertPerStreamContext, FsRtlIsDbcsInExpression, 
FsRtlIsFatDbcsLegal, FsRtlIsHpfsDbcsLegal, FsRtlIsNameInExpression, FsRtlIsNtstatusExpected, FsRtlIsPagingFile, FsRtlIsTotalDeviceFailure, FsRtlLegalAnsiCharacterArray, FsRtlLookupLargeMcbEntry, FsRtlLookupLastLargeMcbEntry, FsRtlLookupLastLargeMcbEntryAndIndex, FsRtlLookupLastMcbEntry, FsRtlLookupMcbEntry, FsRtlLookupPerFileObjectContext, FsRtlLookupPerStreamContextInternal, FsRtlMdlRead, FsRtlMdlReadComplete, FsRtlMdlReadCompleteDev, FsRtlMdlReadDev, FsRtlMdlWriteComplete, FsRtlMdlWriteCompleteDev, FsRtlNormalizeNtstatus, FsRtlNotifyChangeDirectory, FsRtlNotifyCleanup, FsRtlNotifyFilterChangeDirectory, FsRtlNotifyFilterReportChange, FsRtlNotifyFullChangeDirectory, FsRtlNotifyFullReportChange, FsRtlNotifyInitializeSync, FsRtlNotifyReportChange, FsRtlNotifyUninitializeSync, FsRtlNotifyVolumeEvent, FsRtlNumberOfRunsInLargeMcb, FsRtlNumberOfRunsInMcb, FsRtlOplockFsctrl, FsRtlOplockIsFastIoPossible, FsRtlPostPagingFileStackOverflow, FsRtlPostStackOverflow, FsRtlPrepareMdlWrite, FsRtlPrepareMdlWriteDev, FsRtlPrivateLock, FsRtlProcessFileLock, FsRtlRegisterFileSystemFilterCallbacks, FsRtlRegisterUncProvider, FsRtlReleaseFile, FsRtlRemoveLargeMcbEntry, FsRtlRemoveMcbEntry, FsRtlRemovePerFileObjectContext, FsRtlRemovePerStreamContext, FsRtlResetLargeMcb, FsRtlSplitLargeMcb, FsRtlSyncVolumes, FsRtlTeardownPerStreamContexts, FsRtlTruncateLargeMcb, FsRtlTruncateMcb, FsRtlUninitializeFileLock, FsRtlUninitializeLargeMcb, FsRtlUninitializeMcb, FsRtlUninitializeOplock, HalDispatchTable, HalExamineMBR, HalPrivateDispatchTable, HeadlessDispatch, InbvAcquireDisplayOwnership, InbvCheckDisplayOwnership, InbvDisplayString, InbvEnableBootDriver, InbvEnableDisplayString, InbvInstallDisplayStringFilter, InbvIsBootDriverInstalled, InbvNotifyDisplayOwnershipLost, InbvResetDisplay, InbvSetScrollRegion, InbvSetTextColor, InbvSolidColorFill, InitSafeBootMode, InterlockedCompareExchange, InterlockedDecrement, InterlockedExchange, InterlockedExchangeAdd, InterlockedIncrement, 
InterlockedPopEntrySList, InterlockedPushEntrySList, IoAcquireCancelSpinLock, IoAcquireRemoveLockEx, IoAcquireVpbSpinLock, IoAdapterObjectType, IoAllocateAdapterChannel, IoAllocateController, IoAllocateDriverObjectExtension, IoAllocateErrorLogEntry, IoAllocateIrp, IoAllocateMdl, IoAllocateWorkItem, IoAssignDriveLetters, IoAssignResources, IoAttachDevice, IoAttachDeviceByPointer, IoAttachDeviceToDeviceStack, IoAttachDeviceToDeviceStackSafe, IoBuildAsynchronousFsdRequest, IoBuildDeviceIoControlRequest, IoBuildPartialMdl, IoBuildSynchronousFsdRequest, IoCallDriver, IoCancelFileOpen, IoCancelIrp, IoCheckDesiredAccess, IoCheckEaBufferValidity, IoCheckFunctionAccess, IoCheckQuerySetFileInformation, IoCheckQuerySetVolumeInformation, IoCheckQuotaBufferValidity, IoCheckShareAccess, IoCompleteRequest, IoConnectInterrupt, IoCreateController, IoCreateDevice, IoCreateDisk, IoCreateDriver, IoCreateFile, IoCreateFileSpecifyDeviceObjectHint, IoCreateNotificationEvent, IoCreateStreamFileObject, IoCreateStreamFileObjectEx, IoCreateStreamFileObjectLite, IoCreateSymbolicLink, IoCreateSynchronizationEvent, IoCreateUnprotectedSymbolicLink, IoCsqInitialize, IoCsqInsertIrp, IoCsqRemoveIrp, IoCsqRemoveNextIrp, IoDeleteController, IoDeleteDevice, IoDeleteDriver, IoDeleteSymbolicLink, IoDetachDevice, IoDeviceHandlerObjectSize, IoDeviceHandlerObjectType, IoDeviceObjectType, IoDisconnectInterrupt, IoDriverObjectType, IoEnqueueIrp, IoEnumerateDeviceObjectList, IoEnumerateRegisteredFiltersList, IoFastQueryNetworkAttributes, IoFileObjectType, IoForwardAndCatchIrp, IoForwardIrpSynchronously, IoFreeController, IoFreeErrorLogEntry, IoFreeIrp, IoFreeMdl, IoFreeWorkItem, IoGetAttachedDevice, IoGetAttachedDeviceReference, IoGetBaseFileSystemDeviceObject, IoGetBootDiskInformation, IoGetConfigurationInformation, IoGetCurrentProcess, IoGetDeviceAttachmentBaseRef, IoGetDeviceInterfaceAlias, IoGetDeviceInterfaces, IoGetDeviceObjectPointer, IoGetDeviceProperty, IoGetDeviceToVerify, IoGetDiskDeviceObject, 
IoGetDmaAdapter, IoGetDriverObjectExtension, IoGetFileObjectGenericMapping, IoGetInitialStack, IoGetLowerDeviceObject, IoGetRelatedDeviceObject, IoGetRequestorProcess, IoGetRequestorProcessId, IoGetRequestorSessionId, IoGetStackLimits, IoGetTopLevelIrp, IoInitializeIrp, IoInitializeRemoveLockEx, IoInitializeTimer, IoInvalidateDeviceRelations, IoInvalidateDeviceState, IoIsFileOriginRemote, IoIsOperationSynchronous, IoIsSystemThread, IoIsValidNameGraftingBuffer, IoIsWdmVersionAvailable, IoMakeAssociatedIrp, IoOpenDeviceInterfaceRegistryKey, IoOpenDeviceRegistryKey, IoPageRead, IoPnPDeliverServicePowerNotification, IoQueryDeviceDescription, IoQueryFileDosDeviceName, IoQueryFileInformation, IoQueryVolumeInformation, IoQueueThreadIrp, IoQueueWorkItem, IoRaiseHardError, IoRaiseInformationalHardError, IoReadDiskSignature, IoReadOperationCount, IoReadPartitionTable, IoReadPartitionTableEx, IoReadTransferCount, IoRegisterBootDriverReinitialization, IoRegisterDeviceInterface, IoRegisterDriverReinitialization, IoRegisterFileSystem, IoRegisterFsRegistrationChange, IoRegisterLastChanceShutdownNotification, IoRegisterPlugPlayNotification, IoRegisterShutdownNotification, IoReleaseCancelSpinLock, IoReleaseRemoveLockAndWaitEx, IoReleaseRemoveLockEx, IoReleaseVpbSpinLock, IoRemoveShareAccess, IoReportDetectedDevice, IoReportHalResourceUsage, IoReportResourceForDetection, IoReportResourceUsage, IoReportTargetDeviceChange, IoReportTargetDeviceChangeAsynchronous, IoRequestDeviceEject, IoReuseIrp, IoSetCompletionRoutineEx, IoSetDeviceInterfaceState, IoSetDeviceToVerify, IoSetFileOrigin, IoSetHardErrorOrVerifyDevice, IoSetInformation, IoSetIoCompletion, IoSetPartitionInformation, IoSetPartitionInformationEx, IoSetShareAccess, IoSetStartIoAttributes, IoSetSystemPartition, IoSetThreadHardErrorMode, IoSetTopLevelIrp, IoStartNextPacket, IoStartNextPacketByKey, IoStartPacket, IoStartTimer, IoStatisticsLock, IoStopTimer, IoSynchronousInvalidateDeviceRelations, IoSynchronousPageWrite, 
IoThreadToProcess, IoUnregisterFileSystem, IoUnregisterFsRegistrationChange, IoUnregisterPlugPlayNotification, IoUnregisterShutdownNotification, IoUpdateShareAccess, IoValidateDeviceIoControlAccess, IoVerifyPartitionTable, IoVerifyVolume, IoVolumeDeviceToDosName, IoWMIAllocateInstanceIds, IoWMIDeviceObjectToInstanceName, IoWMIExecuteMethod, IoWMIHandleToInstanceName, IoWMIOpenBlock, IoWMIQueryAllData, IoWMIQueryAllDataMultiple, IoWMIQuerySingleInstance, IoWMIQuerySingleInstanceMultiple, IoWMIRegistrationControl, IoWMISetNotificationCallback, IoWMISetSingleInstance, IoWMISetSingleItem, IoWMISuggestInstanceName, IoWMIWriteEvent, IoWriteErrorLogEntry, IoWriteOperationCount, IoWritePartitionTable, IoWritePartitionTableEx, IoWriteTransferCount, IofCallDriver, IofCompleteRequest, KdDebuggerEnabled, KdDebuggerNotPresent, KdDisableDebugger, KdEnableDebugger, KdEnteredDebugger, KdPollBreakIn, KdPowerTransition, Ke386CallBios, Ke386IoSetAccessProcess, Ke386QueryIoAccessMap, Ke386SetIoAccessMap, KeAcquireInStackQueuedSpinLockAtDpcLevel, KeAcquireInterruptSpinLock, KeAcquireSpinLockAtDpcLevel, KeAddSystemServiceTable, KeAreApcsDisabled, KeAttachProcess, KeBugCheck, KeBugCheckEx, KeCancelTimer, KeCapturePersistentThreadState, KeClearEvent, KeConnectInterrupt, KeDcacheFlushCount, KeDelayExecutionThread, KeDeregisterBugCheckCallback, KeDeregisterBugCheckReasonCallback, KeDetachProcess, KeDisconnectInterrupt, KeEnterCriticalRegion, KeEnterKernelDebugger, KeFindConfigurationEntry, KeFindConfigurationNextEntry, KeFlushEntireTb, KeFlushQueuedDpcs, KeGetCurrentThread, KeGetPreviousMode, KeGetRecommendedSharedDataAlignment, KeI386AbiosCall, KeI386AllocateGdtSelectors, KeI386Call16BitCStyleFunction, KeI386Call16BitFunction, KeI386FlatToGdtSelector, KeI386GetLid, KeI386MachineType, KeI386ReleaseGdtSelectors, KeI386ReleaseLid, KeI386SetGdtSelector, KeIcacheFlushCount, KeInitializeApc, KeInitializeDeviceQueue, KeInitializeDpc, KeInitializeEvent, KeInitializeInterrupt, KeInitializeMutant, 
KeInitializeMutex, KeInitializeQueue, KeInitializeSemaphore, KeInitializeSpinLock, KeInitializeTimer, KeInitializeTimerEx, KeInsertByKeyDeviceQueue, KeInsertDeviceQueue, KeInsertHeadQueue, KeInsertQueue, KeInsertQueueApc, KeInsertQueueDpc, KeIsAttachedProcess, KeIsExecutingDpc, KeLeaveCriticalRegion, KeLoaderBlock, KeNumberProcessors, KeProfileInterrupt, KeProfileInterruptWithSource, KePulseEvent, KeQueryActiveProcessors, KeQueryInterruptTime, KeQueryPriorityThread, KeQueryRuntimeThread, KeQuerySystemTime, KeQueryTickCount, KeQueryTimeIncrement, KeRaiseUserException, KeReadStateEvent, KeReadStateMutant, KeReadStateMutex, KeReadStateQueue, KeReadStateSemaphore, KeReadStateTimer, KeRegisterBugCheckCallback, KeRegisterBugCheckReasonCallback, KeReleaseInStackQueuedSpinLockFromDpcLevel, KeReleaseInterruptSpinLock, KeReleaseMutant, KeReleaseMutex, KeReleaseSemaphore, KeReleaseSpinLockFromDpcLevel, KeRemoveByKeyDeviceQueue, KeRemoveByKeyDeviceQueueIfBusy, KeRemoveDeviceQueue, KeRemoveEntryDeviceQueue, KeRemoveQueue, KeRemoveQueueDpc, KeRemoveSystemServiceTable, KeResetEvent, KeRestoreFloatingPointState, KeRevertToUserAffinityThread, KeRundownQueue, KeSaveFloatingPointState, KeSaveStateForHibernate, KeServiceDescriptorTable, KeSetAffinityThread, KeSetBasePriorityThread, KeSetDmaIoCoherency, KeSetEvent, KeSetEventBoostPriority, KeSetIdealProcessorThread, KeSetImportanceDpc, KeSetKernelStackSwapEnable, KeSetPriorityThread, KeSetProfileIrql, KeSetSystemAffinityThread, KeSetTargetProcessorDpc, KeSetTimeIncrement, KeSetTimeUpdateNotifyRoutine, KeSetTimer, KeSetTimerEx, KeStackAttachProcess, KeSynchronizeExecution, KeTerminateThread, KeTickCount, KeUnstackDetachProcess, KeUpdateRunTime, KeUpdateSystemTime, KeUserModeCallback, KeWaitForMultipleObjects, KeWaitForMutexObject, KeWaitForSingleObject, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, Kei386EoiHelper, KiAcquireSpinLock, KiBugCheckData, KiCoprocessorError, KiDeliverApc, KiDispatchInterrupt, 
KiEnableTimerWatchdog, KiIpiServiceRoutine, KiReleaseSpinLock, KiUnexpectedInterrupt, Kii386SpinOnSpinLock, LdrAccessResource, LdrEnumResources, LdrFindResourceDirectory_U, LdrFindResource_U, LpcPortObjectType, LpcRequestPort, LpcRequestWaitReplyPort, LsaCallAuthenticationPackage, LsaDeregisterLogonProcess, LsaFreeReturnBuffer, LsaLogonUser, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess, Mm64BitPhysicalAddress, MmAddPhysicalMemory, MmAddVerifierThunks, MmAdjustWorkingSetSize, MmAdvanceMdl, MmAllocateContiguousMemory, MmAllocateContiguousMemorySpecifyCache, MmAllocateMappingAddress, MmAllocateNonCachedMemory, MmAllocatePagesForMdl, MmBuildMdlForNonPagedPool, MmCanFileBeTruncated, MmCommitSessionMappedView, MmCreateMdl, MmCreateSection, MmDisableModifiedWriteOfSection, MmFlushImageSection, MmForceSectionClosed, MmFreeContiguousMemory, MmFreeContiguousMemorySpecifyCache, MmFreeMappingAddress, MmFreeNonCachedMemory, MmFreePagesFromMdl, MmGetPhysicalAddress, MmGetPhysicalMemoryRanges, MmGetSystemRoutineAddress, MmGetVirtualForPhysical, MmGrowKernelStack, MmHighestUserAddress, MmIsAddressValid, MmIsDriverVerifying, MmIsNonPagedSystemAddressValid, MmIsRecursiveIoFault, MmIsThisAnNtAsSystem, MmIsVerifierEnabled, MmLockPagableDataSection, MmLockPagableImageSection, MmLockPagableSectionByHandle, MmMapIoSpace, MmMapLockedPages, MmMapLockedPagesSpecifyCache, MmMapLockedPagesWithReservedMapping, MmMapMemoryDumpMdl, MmMapUserAddressesToPage, MmMapVideoDisplay, MmMapViewInSessionSpace, MmMapViewInSystemSpace, MmMapViewOfSection, MmMarkPhysicalMemoryAsBad, MmMarkPhysicalMemoryAsGood, MmPageEntireDriver, MmPrefetchPages, MmProbeAndLockPages, MmProbeAndLockProcessPages, MmProbeAndLockSelectedPages, MmProtectMdlSystemAddress, MmQuerySystemSize, MmRemovePhysicalMemory, MmResetDriverPaging, MmSectionObjectType, MmSecureVirtualMemory, MmSetAddressRangeModified, MmSetBankedSection, MmSizeOfMdl, MmSystemRangeStart, MmTrimAllSystemPagableMemory, MmUnlockPagableImageSection, 
MmUnlockPages, MmUnmapIoSpace, MmUnmapLockedPages, MmUnmapReservedMapping, MmUnmapVideoDisplay, MmUnmapViewInSessionSpace, MmUnmapViewInSystemSpace, MmUnmapViewOfSection, MmUnsecureVirtualMemory, MmUserProbeAddress, NlsAnsiCodePage, NlsLeadByteInfo, NlsMbCodePageTag, NlsMbOemCodePageTag, NlsOemCodePage, NlsOemLeadByteInfo, NtAddAtom, NtAdjustPrivilegesToken, NtAllocateLocallyUniqueId, NtAllocateUuids, NtAllocateVirtualMemory, NtBuildNumber, NtClose, NtConnectPort, NtCreateEvent, NtCreateFile, NtCreateSection, NtDeleteAtom, NtDeleteFile, NtDeviceIoControlFile, NtDuplicateObject, NtDuplicateToken, NtFindAtom, NtFreeVirtualMemory, NtFsControlFile, NtGlobalFlag, NtLockFile, NtMakePermanentObject, NtMapViewOfSection, NtNotifyChangeDirectoryFile, NtOpenFile, NtOpenProcess, NtOpenProcessToken, NtOpenProcessTokenEx, NtOpenThread, NtOpenThreadToken, NtOpenThreadTokenEx, NtQueryDirectoryFile, NtQueryEaFile, NtQueryInformationAtom, NtQueryInformationFile, NtQueryInformationProcess, NtQueryInformationThread, NtQueryInformationToken, NtQueryQuotaInformationFile, NtQuerySecurityObject, NtQuerySystemInformation, NtQueryVolumeInformationFile, NtReadFile, NtRequestPort, NtRequestWaitReplyPort, NtSetEaFile, NtSetEvent, NtSetInformationFile, NtSetInformationProcess, NtSetInformationThread, NtSetQuotaInformationFile, NtSetSecurityObject, NtSetVolumeInformationFile, NtShutdownSystem, NtTraceEvent, NtUnlockFile, NtVdmControl, NtWaitForSingleObject, NtWriteFile, ObAssignSecurity, ObCheckCreateObjectAccess, ObCheckObjectAccess, ObCloseHandle, ObCreateObject, ObCreateObjectType, ObDereferenceObject, ObDereferenceSecurityDescriptor, ObFindHandleForObject, ObGetObjectSecurity, ObInsertObject, ObLogSecurityDescriptor, ObMakeTemporaryObject, ObOpenObjectByName, ObOpenObjectByPointer, ObQueryNameString, ObQueryObjectAuditingByHandle, ObReferenceObjectByHandle, ObReferenceObjectByName, ObReferenceObjectByPointer, ObReferenceSecurityDescriptor, ObReleaseObjectSecurity, ObSetHandleAttributes, 
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: OS/2 Executable (generic) (52.8%)
Win32 Executable Generic (32.0%)
Generic Win/DOS Executable (7.5%)
DOS Executable Generic (7.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
...........................................................................

Malwarebytes' Anti-Malware 1.40
Database version: 2702
Windows 5.1.2600 Service Pack 2

27/08/2009 00:10:30
mbam-log-2009-08-27 (00-10-30).txt

Scan type: Quick Scan
Objects scanned: 97520
Time elapsed: 18 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wispex.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
...........................................................................
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:18, on 27/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NTR global\NTRconnect\NTRconnect.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\PROGRA~1\SpeedFan\speedfan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\KeirNet\K9\K9.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\SYSTEM32\SWEEPER.EXE
C:\Program Files\MPK PopUp Stopper\mpk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MSNMSGR.EXE
C:\Program Files\Virgin Broadband Wireless\ndis_events.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Desktop\HiJack This V2\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=62.254.0.48:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://www.PicturesInPastels.co.uk;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Wireless Manager] "C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [internet Sweeper] C:\WINDOWS\SYSTEM32\SWEEPER.EXE /Q
O4 - HKCU\..\Run: [MyPopupKiller] C:\Program Files\MPK PopUp Stopper\mpk.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Launch K9.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O15 - Trusted Zone: http://www.classicgolddigital.com
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: http://listings.ebay.co.uk
O15 - Trusted Zone: http://www.forumfriendz.com
O15 - Trusted Zone: http://larg1.free.fr
O15 - Trusted Zone: http://*.drive.freevirtualservers.com
O15 - Trusted Zone: http://*.gabbly.com
O15 - Trusted Zone: http://www.gamerzforum.net
O15 - Trusted Zone: http://free.grisoft.com
O15 - Trusted Zone: http://forum.grisoft.cz
O15 - Trusted Zone: http://www.grumbletext.co.uk
O15 - Trusted Zone: http://pcpitstop.ibforums.com
O15 - Trusted Zone: http://*.keir.net
O15 - Trusted Zone: http://*.lavasoftsupport.com
O15 - Trusted Zone: http://groups.msn.com
O15 - Trusted Zone: http://freewarewiki.pbwiki.com
O15 - Trusted Zone: http://www.royalmail.com
O15 - Trusted Zone: http://forums.sygate.com
O15 - Trusted Zone: http://www.thisisnottingham.co.uk
O15 - Trusted Zone: http://www.topfreeforum.com
O16 - DPF: Win32 Classes -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - https://www.ntrconnect.com/main/mod/setup/n...tivex118_24.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NTRconnect (ntrconnect) - NTRglobal - C:\Program Files\NTR global\NTRconnect\NTRconnect.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 8681 bytes

Regards El Tel
  17. Hi Juliet
Kind of, but I'm patient.
No.
Yes, I still have the same PC with no hardware updates. I have had the operating system updated to XP; below is a fresh log file. The Windows XP update ended up with "Fat32" with no formatting of the hard drive. I am running two 80G hard drives, "Master Slave".
Now for my problems.
1. I still get various "Port Scan Attacks", mainly "ntoskrnl.exe".
2. Every time I do a search "All Files and Folders" on my PC I get "Windows Premium 2000" making 4 attempts to install itself from a CD which I don't have or require.
3. Unable to access my address book in "Outlook Express". I have tried Un-Installing, unchecking "Read Only" and renaming the User file. I receive mail OK, just can't send any E-Mails.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:42:59, on 26/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NTR global\NTRconnect\NTRconnect.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SpeedFan\speedfan.exe
C:\PROGRA~1\KeirNet\K9\K9.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\WINDOWS\SYSTEM32\SWEEPER.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\MPK PopUp Stopper\mpk.exe
C:\Program Files\MSN Messenger\MSNMSGR.EXE
C:\Program Files\Virgin Broadband Wireless\ndis_events.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Desktop\HiJack This V2\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=62.254.0.48:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://www.PicturesInPastels.co.uk;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe,
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Wireless Manager] "C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [internet Sweeper] C:\WINDOWS\SYSTEM32\SWEEPER.EXE /Q
O4 - HKCU\..\Run: [MyPopupKiller] C:\Program Files\MPK PopUp Stopper\mpk.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Launch K9.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O15 - Trusted Zone: http://www.classicgolddigital.com
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: http://listings.ebay.co.uk
O15 - Trusted Zone: http://www.forumfriendz.com
O15 - Trusted Zone: http://larg1.free.fr
O15 - Trusted Zone: http://*.drive.freevirtualservers.com
O15 - Trusted Zone: http://*.gabbly.com
O15 - Trusted Zone: http://www.gamerzforum.net
O15 - Trusted Zone: http://free.grisoft.com
O15 - Trusted Zone: http://forum.grisoft.cz
O15 - Trusted Zone: http://www.grumbletext.co.uk
O15 - Trusted Zone: http://pcpitstop.ibforums.com
O15 - Trusted Zone: http://*.keir.net
O15 - Trusted Zone: http://*.lavasoftsupport.com
O15 - Trusted Zone: http://groups.msn.com
O15 - Trusted Zone: http://freewarewiki.pbwiki.com
O15 - Trusted Zone: http://www.royalmail.com
O15 - Trusted Zone: http://forums.sygate.com
O15 - Trusted Zone: http://www.thisisnottingham.co.uk
O15 - Trusted Zone: http://www.topfreeforum.com
O16 - DPF: Win32 Classes -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - https://www.ntrconnect.com/main/mod/setup/n...tivex118_24.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NTRconnect (ntrconnect) - NTRglobal - C:\Program Files\NTR global\NTRconnect\NTRconnect.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 8117 bytes
  18. Hi... GR8 advice comes to he who waits patiently; is approximately 4 years long enough? Regards
  19. 'Elaine's SkyDrive' could be a user on your PC, because when I click on the link it takes me straight to my own SkyDrive folders.
  20. I was kind of hoping that someone here was going to explain this one for us...
  21. Not a day without a Click, even Christmas Day & New Year's Day. I thank all that clicked from my "Live Space" page.
  22. One thing I've noticed since getting my new "Windows XP" security bolted down... is that my modem syncs faster, and consequently my Up-Load & Down-Load lights merrily flash away even before I've managed to log into my account; therefore my firewall is not up and running. My Second Best Tip Ever is: never turn on your means of connecting to the Internet until your PC is up and running, complete with all your security in place first... Then turn on your modem and wait for it to sync...
  23. I click daily from my Plus the other forum I've added it to, now has 8 pages of clicks