# Spyware Trojan



## perfectm

Hi - I was wondering if anyone could point me in the right direction for a free fix for a spyware trojan.  My partner decided to download it onto our laptop and it is currently rubber ducked!! Any help would be much appreciated.


----------



## cohen

OK, do the following:

If after that you are still infected, please post a Hijackthis log. To post a Hijackthis log, please do the following:
Click *Here* to download HJTsetup.exe


* Save HJTsetup.exe to your desktop.
* Double click on the HJTsetup.exe icon on your desktop.
* By default it will install to C:\Program Files\Hijack This.
* Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
* Put a check by Create a desktop icon then click Next again.
* Continue to follow the rest of the prompts from there.
* At the final dialogue box click Finish and it will launch Hijack This.
* Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
* Click Save to save the log file and then the log will open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
* Come back and paste the log in a new post, using *Hijackthis* in your Subject bar.
* DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


We will look at your log as soon as we see it, and give you further instructions on how to fix your computer. Most of the time it will involve downloading more programs that will either give us logs to locate the malware or delete that malware.

Once you have posted a HJT Thread DO NOT make any changes to your PC unless the advisor helping you has instructed you to do so!


----------



## perfectm

Sorry if this is a stupid question but am I doing a log only??
Thanks.


----------



## cohen

perfectm said:


> Sorry if this is a stupid question but am I doing a log only??
> Thanks.



At the moment, so we can determine what we need to do, to get rid of the virus / trojan.


----------



## Punk

Click on *Do a system scan and save a log*.

Post the log you got in notepad.


----------



## perfectm

*Hijackthis Log*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:41: VIRUS ALERT!, on 23/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\pnw\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.genie.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll
O3 - Toolbar: qndsfmao - {F4A52746-813B-4276-A8D7-E2ABD0C8C8A8} - C:\WINDOWS\qndsfmao.dll
O4 - HKLM\..\Run: [Sys1.exe] C:\Windows\Sys1.exe
O4 - HKLM\..\Run: [04d8880a] rundll32.exe "C:\WINDOWS\system32\fwftoanw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Sys1.exe] C:\Windows\Sys1.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.genie.co.uk
O15 - Trusted Zone: http://www.skillstrain-online.com
O16 - DPF: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} (PhotoBox uploader) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O21 - SSODL: evgratsm - {82955011-CE07-44AF-A29A-83B7775A8C92} - C:\WINDOWS\evgratsm.dll
O21 - SSODL: kvxqmtre - {8CE6BA66-B3F0-4B86-93B1-0E6EA2FD46DA} - C:\WINDOWS\kvxqmtre.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 5713 bytes


----------



## cohen

OK, Pls do the following:

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.


----------



## perfectm

*Combofix Log*

ComboFix 08-07-23.2 - pnw 2008-07-23 23:15:51.1 - NTFSx86
Running from: C:\Documents and Settings\pnw\Desktop\ComboFix.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.protected
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
C:\Documents and Settings\pnw\Application Data\FunWebProducts
C:\Documents and Settings\pnw\Application Data\FunWebProducts\Data\pnw\avatar.dat
C:\Documents and Settings\pnw\Application Data\FunWebProducts\Data\pnw\register.dat
C:\Documents and Settings\pnw\Application Data\FunWebProducts\Data\pnw\zbucks.dat
C:\Documents and Settings\pnw\Desktop\Error Cleaner.url
C:\Documents and Settings\pnw\Desktop\Privacy Protector.url
C:\Documents and Settings\pnw\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\pnw\Favorites\Error Cleaner.url
C:\Documents and Settings\pnw\Favorites\Privacy Protector.url
C:\Documents and Settings\pnw\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\pnw\Start Menu\Programs\Startup\.protected
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\4.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\7.exe
C:\Program Files\PCHealthCenter\sex1.ico
C:\Program Files\PCHealthCenter\sex2.ico
C:\Program Files\VAV
C:\WINDOWS\.protected
C:\WINDOWS\edel.exe
C:\WINDOWS\erms.exe
C:\WINDOWS\evgratsm.dll
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\kgxmotaptbp.dll
C:\WINDOWS\kvxqmtre.dll
C:\WINDOWS\qndsfmao.dll
C:\WINDOWS\system32\agsjruwd.dll
C:\WINDOWS\system32\bpbopurc.dll
C:\WINDOWS\system32\cbXPfDsP.dll
C:\WINDOWS\system32\drivers\etc\.protected
C:\WINDOWS\system32\dwurjsga.ini
C:\WINDOWS\system32\ebtdgjcr.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\hpxpds.dll
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\lgukgmxg.dll
C:\WINDOWS\system32\ogleuv.dll
C:\WINDOWS\system32\opnoLccB.dll
C:\WINDOWS\system32\qwmlloyr.dll
C:\WINDOWS\system32\rqRJbyyV.dll
C:\WINDOWS\system32\urorlp.dll
C:\WINDOWS\system32\VyybJRqr.ini
C:\WINDOWS\system32\VyybJRqr.ini2
C:\WINDOWS\system32\wintisv.exe
C:\WINDOWS\system32\ykrgzc.dll

.
(((((((((((((((((((((((((   Files Created from 2008-06-24 to 2008-07-24  )))))))))))))))))))))))))))))))
.

2008-07-23 22:55 . 2008-07-23 22:55	94,848	--a------	C:\WINDOWS\system32\rqwhjduk.dll
2008-07-23 22:55 . 2008-07-24 00:13	44,689	---hs----	C:\WINDOWS\system32\kudjhwqr.ini
2008-07-22 20:47 . 2008-07-22 22:21	<DIR>	d--------	C:\Program Files\XoftSpySE
2008-07-22 19:58 . 2008-07-23 22:54	44,449	--ahs----	C:\WINDOWS\system32\wnaotfwf.ini
2008-07-21 19:13 . 2008-07-21 19:13	43,521	--ahs----	C:\WINDOWS\system32\fujnhkhw.ini
2008-07-21 18:51 . 2008-07-17 10:14	155,648	--a------	C:\WINDOWS\agpqlrfm.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 23:19	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-04 06:57	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-07-02 21:57	---------	d-----w	C:\Program Files\Microsoft AutoRoute
2008-07-02 21:55	---------	d-----w	C:\Program Files\PokerStars.NET
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10	272,128	----a-w	C:\WINDOWS\system32\drivers\bthport.sys
2008-05-27 17:44	---------	d-----w	C:\Documents and Settings\pnw\Application Data\Centra
2008-05-26 16:25	---------	d-----w	C:\Program Files\PokerStars
2007-08-06 11:14	6,479,904	-csha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-06 11:14	179,744	-csha-w	C:\WINDOWS\system32\drivers\fidbox2.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-09-01 10:52 376912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"04d8880a"="C:\WINDOWS\system32\rqwhjduk.dll" [2008-07-23 22:55 94848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
--a------ 2005-12-29 10:22 543232 C:\Program Files\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
--a------ 2003-05-21 17:37 229437 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2003-09-01 10:52 376912 C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-06-25 10:24 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ioloDelayModule]
--a------ 2005-06-08 20:31 96256 C:\Program Files\iolo\System Mechanic Professional 6\Delay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2006-02-06 17:52 462935 C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 16:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
--a------ 2006-12-20 16:47 557056 C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-01-22 16:08 495616 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-01-22 16:09 98304 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2003-09-05 02:24 65536 C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2004-04-14 13:52]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-23 22:47:39 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-12-12 10:09:25 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2004-08-21 16:04:52 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2004-08-21 16:04:54 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2008-07-23 22:49:32 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-07-22 20:47:28 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll
Toolbar-{F4A52746-813B-4276-A8D7-E2ABD0C8C8A8} - C:\WINDOWS\qndsfmao.dll
HKCU-Run-Sys1.exe - C:\Windows\Sys1.exe
HKLM-Run-Sys1.exe - C:\Windows\Sys1.exe
SSODL-evgratsm-{82955011-CE07-44AF-A29A-83B7775A8C92} - C:\WINDOWS\evgratsm.dll
SSODL-kvxqmtre-{8CE6BA66-B3F0-4B86-93B1-0E6EA2FD46DA} - C:\WINDOWS\kvxqmtre.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 -: HKCU-Main,Default_Search_URL = hxxp://ie.search.msn.com
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.msn.com
R0 -: HKLM-Main,Search Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.genie.co.uk/
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O18 -: Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\AATP.DLL
O18 -: WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL
O18 -: WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL
O18 -: WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL
O18 -: WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL
O18 -: WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL
O18 -: WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} - hxxp://static.photobox.co.uk/sg/common/ImageUploader4.cab
C:\WINDOWS\Downloaded Program Files\ImageUploader4.inf
C:\WINDOWS\system32\unicows.dll
C:\WINDOWS\Downloaded Program Files\ImageUploader4.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 00:14:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\rqwhjduk.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-24  0:31:36 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-24 00:31:01

Pre-Run: 23,291,969,536 bytes free
Post-Run: 23,298,826,240 bytes free

210	--- E O F ---	2008-07-21 18:16:44


----------



## cohen

Can you pls post a fresh HijackThis log?

How is your system running now???


----------



## GameMaster

Hi, your system must be running much better.
One step more to do, however.

*Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).*

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account. 


Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked. 
Copy and Paste the text in the box below into *Notepad*. 
Now save the file as *RemoveFiles.txt* in a location where you can find it. 



> Files to delete:
> C:\WINDOWS\system32\rqwhjduk.dll
> C:\WINDOWS\system32\kudjhwqr.ini
> C:\WINDOWS\system32\wnaotfwf.ini
> C:\WINDOWS\system32\fujnhkhw.ini
> C:\WINDOWS\agpqlrfm.exe



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system. 

Start *Avenger* by double clicking on *Avenger.exe*. 

Check *Load script from file:* 
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*. 
Double click it to enter it into Avenger. 
Click the *green traffic light symbol*. 
You will be asked if you want to execute the script, answer *Yes*. 
At this point you may get prompts from your protection systems, allow them please. 
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately. 
Answer *Yes*, and allow your computer to re-boot. 
Upon re-boot a command window will briefly appear on screen (this is normal). 
A Notepad text file will be created *C:\avenger.txt*. 
*Copy and Paste it into your next post please.*


----------



## perfectm

*After Running Combofix*

Computer is running much better now - although is quite slow.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:54, on 25/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\pnw\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.genie.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [04d8880a] rundll32.exe "C:\WINDOWS\system32\rqwhjduk.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.genie.co.uk
O15 - Trusted Zone: http://www.skillstrain-online.com
O16 - DPF: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} (PhotoBox uploader) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 4993 bytes


----------
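Added example, not part of the original thread and not code from HijackThis or ComboFix: the before/after comparison the helpers do by eye, run over lines copied from the two HijackThis logs posted above. The function names are this example's own; it separates entries that were removed from Run values that kept their name but now load a different file.

```python
import re

# Lines copied from the two HijackThis logs posted in this thread
# (BEFORE: 23/07/2008; AFTER: 25/07/2008, taken after the ComboFix run).
BEFORE = r'''
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll
O4 - HKLM\..\Run: [Sys1.exe] C:\Windows\Sys1.exe
O4 - HKLM\..\Run: [04d8880a] rundll32.exe "C:\WINDOWS\system32\fwftoanw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sys1.exe] C:\Windows\Sys1.exe
O21 - SSODL: evgratsm - {82955011-CE07-44AF-A29A-83B7775A8C92} - C:\WINDOWS\evgratsm.dll
O21 - SSODL: kvxqmtre - {8CE6BA66-B3F0-4B86-93B1-0E6EA2FD46DA} - C:\WINDOWS\kvxqmtre.dll
'''
AFTER = r'''
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [04d8880a] rundll32.exe "C:\WINDOWS\system32\rqwhjduk.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
'''

# "<section code> - <rest>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r'^([A-Z]\d{1,2}) - (.+)$')
# The O4 Run-key form: hive, value name in brackets, then the command line
RUN_RE = re.compile(r'^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$')
# DLL handed to rundll32, quoted or not
DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)


def parse_entries(log):
    """Return [(section, text)] for every R*/O* line; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def parse_run(entry):
    """Return (hive, value_name, command) for an O4 Run-key entry, else None."""
    section, text = entry
    m = RUN_RE.match(text) if section == "O4" else None
    return m.groups() if m else None


def run_values(entries):
    """Map (hive, value_name) -> command for all Run-key entries."""
    parsed = (parse_run(e) for e in entries)
    return {(p[0], p[1]): p[2] for p in parsed if p}


def rundll32_target(command):
    """Return the DLL path a rundll32 command line loads, or None."""
    m = DLL_RE.search(command)
    return m.group(1) if m else None


def compare(before_log, after_log):
    before, after = parse_entries(before_log), parse_entries(after_log)
    b_run, a_run = run_values(before), run_values(after)
    # Same hive and value name in both logs, but a different command line.
    repointed = {k: (b_run[k], a_run[k]) for k in b_run
                 if k in a_run and b_run[k] != a_run[k]}

    def in_repointed(entry):
        p = parse_run(entry)
        return p is not None and (p[0], p[1]) in repointed

    return {
        "removed": [e for e in before if e not in after and not in_repointed(e)],
        "added": [e for e in after if e not in before and not in_repointed(e)],
        "unchanged": [e for e in after if e in before],
        "repointed": repointed,
    }


if __name__ == "__main__":
    result = compare(BEFORE, AFTER)
    for section, text in result["removed"]:
        print("removed  ", section, "-", text)
    for (hive, name), (old, new) in result["repointed"].items():
        print("repointed", hive, name, ":",
              rundll32_target(old) or old, "->", rundll32_target(new) or new)
    for section, text in result["unchanged"]:
        print("unchanged", section, "-", text)
```

In these excerpts the `04d8880a` Run value survives the cleanup but loads a different DLL, `rqwhjduk.dll`, which is the first file listed in the Avenger script.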



## perfectm

*Log file after running Avenger*

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\rqwhjduk.dll" deleted successfully.
File "C:\WINDOWS\system32\kudjhwqr.ini" deleted successfully.
File "C:\WINDOWS\system32\wnaotfwf.ini" deleted successfully.
File "C:\WINDOWS\system32\fujnhkhw.ini" deleted successfully.
File "C:\WINDOWS\agpqlrfm.exe" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.


----------



## cohen

OK, 

Please do a scan with Kaspersky Online Scanner

Click on the *Accept* button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the *Scan* section select *My Computer*.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on *View scan report*
Now, click on the *Save Report as* button.
In the drop down box labeled *Files of type* change the type to *Text file*.
Save the file to your desktop.
Copy and paste that information in your next post.


----------



## perfectm

Hi,  Am trying to run the Kaspersky Online Scanner and my system keeps hanging - I've tried at least a dozen times now and each time it does the same thing?  Do you have any suggestions??


----------



## cohen

perfectm said:


> Hi,  Am trying to run the Kaspersky Online Scanner and my system keeps hanging - I've tried at least a dozen times now and each time it does the same thing?  Do you have any suggestions??



OK, tried a different browser???

Otherwise try this:

Ok let's get a log from Panda online scanners:

*Run Panda Online Scan*
Run *Panda's ActiveScan* from *here* and perform a full system scan.
- Once you are on the Panda site click the "*Scan your PC*" button
- A new window will open...click the big "*Check Now*" button
- Enter your *Country*
- Enter your *State/Province*
- Enter your *e-mail address* and click *send*
- Select either *Home User* or *Company*
- Click the big *Scan Now* button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan *(Note: It will take a couple minutes)*
- Click on "*Local Disks*" to start the scan
- Save the log file to your desktop


----------



## GameMaster

You should use Internet Explorer to do the scan.


----------



## perfectm

*Active Scan Log*

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-01 18:02:22
PROTECTIONS: 0
MALWARE: 42
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description                                  Version                       Active    Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
;===================================================================================================================================================================================
00024343  adware/keenvalue                   Adware              No        0         Yes            No           c:\windows\system32\drivers\etc\hosts.bho
00139060  Cookie/Casalemedia                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\pnw\Cookies\pnw@casalemedia[1].txt
00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\pnw\Cookies\pnw@atdmt[2].txt
00145457  Cookie/FastClick                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\pnw\Cookies\pnw@fastclick[2].txt
00145731  Cookie/Tribalfusion                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\pnw\Cookies\pnw@tribalfusion[2].txt
00145738  Cookie/Mediaplex                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\pnw\Cookies\pnw@mediaplex[1].txt
00147824  Cookie/Clickbank                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\pnw\Cookies\pnw@clickbank[2].txt
00167642  Cookie/Com.com                     TrackingCookie      No        0         Yes            No           C:\Documents and Settings\pnw\Cookies\pnw@com[1].txt
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\pnw\Cookies\pnw@ad.yieldmanager[1].txt
00168061  Cookie/Apmebf                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\pnw\Cookies\pnw@apmebf[2].txt
00168076  Cookie/BurstNet                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\pnw\Cookies\pnw@burstnet[2].txt
00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\pnw\Cookies\pnw@advertising[2].txt
00170556  Cookie/RealMedia                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\pnw\Cookies\pnw@realmedia[2].txt
00172221  Cookie/Zedo                        TrackingCookie      No        0         Yes            No           C:\Documents and Settings\pnw\Cookies\pnw@zedo[2].txt
00184846  Cookie/Adrevolver                  TrackingCookie      No        0         Yes            No           C:\Documents and Settings\pnw\Cookies\pnw@adrevolver[2].txt
00217379  adware/dollarrevenue               Adware              No        0         Yes            No           hkey_local_machine\software\microsoft\drsmartload
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120724.EXE
01253216  Generic Malware                    Virus/Trojan        No        0         Yes            No           C:\syssxxz.exe
02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120712.sys
02909997  Adware/SystemDefender              Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0115631.exe
03324220  Adware/VistaAntivirus              Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0117653.cpl
03324220  Adware/VistaAntivirus              Adware              No        0         No             No           C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\5.exe.vir[vav.cpl]
03324220  Adware/VistaAntivirus              Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0117649.cpl
03324220  Adware/VistaAntivirus              Adware              No        0         No             No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120682.exe[vav.cpl]
03324615  Adware/VistaAntivirus              Adware              No        0         No             No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120682.exe[vav.exe]
03324615  Adware/VistaAntivirus              Adware              No        0         No             No           C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\5.exe.vir[vav.exe]
03324615  Adware/VistaAntivirus              Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0118663.exe
03329533  Trj/Downloader.MDW                 Virus/Trojan        No        1         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0113621.exe
03329533  Trj/Downloader.MDW                 Virus/Trojan        No        1         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120681.exe
03329533  Trj/Downloader.MDW                 Virus/Trojan        No        1         Yes            No           C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\4.exe.vir
03329564  Generic Trojan                     Virus/Trojan        No        0         Yes            No           C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\7.exe.vir
03329564  Generic Trojan                     Virus/Trojan        No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120683.exe
03339148  Adware/VapSup                      Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120688.dll
03339148  Adware/VapSup                      Adware              No        0         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\evgratsm.dll.vir
03339166  Adware/Antivirus2008               Adware              No        0         Yes            No           C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\5.exe.vir
03339166  Adware/Antivirus2008               Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120682.exe
03348898  Adware/VapSup                      Adware              No        0         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\kgxmotapktx.dll.vir
03348898  Adware/VapSup                      Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120690.dll
03363333  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\urorlp.dll.vir
03363333  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\lgukgmxg.dll.vir
03363333  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120697.dll
03363333  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120702.dll
03363333  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\bpbopurc.dll.vir
03363333  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120694.dll
03363333  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\ogleuv.dll.vir
03363333  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120698.dll
03363397  Adware/VapSup                      Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP409\A0120825.exe
03363399  Adware/VapSup                      Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120706.exe
03363399  Adware/VapSup                      Adware              No        0         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\erms.exe.vir
03378081  Adware/AVMaster                    Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0114620.exe
03378081  Adware/AVMaster                    Adware              No        0         Yes            No           C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\1.exe.vir
03378081  Adware/AVMaster                    Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0113622.exe
03378081  Adware/AVMaster                    Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120678.exe
03378093  Adware/AVMaster                    Adware              No        0         Yes            No           C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\2.exe.vir
03378093  Adware/AVMaster                    Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120679.exe
03378138  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\qwmlloyr.dll.vir
03378138  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\hpxpds.dll.vir
03378138  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120700.dll
03378138  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120696.dll
03378431  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\agsjruwd.dll.vir
03378431  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120693.dll
03378431  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0113623.dll
03378566  Application/Winantivirus2006       HackTools           No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120680.exe
03378566  Application/Winantivirus2006       HackTools           No        0         Yes            No           C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\3.exe.vir
03378566  Application/Winantivirus2006       HackTools           No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0113620.exe
03393186  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP409\A0120828.dll
03398311  Adware/VapSup                      Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120689.dll
03398311  Adware/VapSup                      Adware              No        0         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\kvxqmtre.dll.vir
03398312  Adware/VapSup                      Adware              No        0         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\edel.exe.vir
03398312  Adware/VapSup                      Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120705.exe
03398327  Adware/VapSup                      Adware              No        0         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\kgxmotaptbp.dll.vir
03398327  Adware/VapSup                      Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120691.dll
03403509  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\ebtdgjcr.dll.vir
03403509  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120703.dll
03403509  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\ykrgzc.dll.vir
03403509  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120695.dll
03421794  Adware/VapSup                      Adware              No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120687.dll
03421794  Adware/VapSup                      Adware              No        0         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\qndsfmao.dll.vir
03431663  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120711.dll
;===================================================================================================================================================================================
SUSPECTS
Sent      Location
;===================================================================================================================================================================================
No        C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\0.exe.vir
;===================================================================================================================================================================================
VULNERABILITIES
Id        Severity   Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================


----------



## perfectm

Any advice on my last post??  Thanks.


----------



## ceewi1

My apologies for the delay.

Please run HijackThis and choose *Do a system scan only*.

Place a check next to the following entries:
- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
- O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
- O4 - HKLM\..\Run: [04d8880a] rundll32.exe "C:\WINDOWS\system32\rqwhjduk.dll",b
- O24 - Desktop Component 0: (no name) - (no file)

Please close all open windows except for HijackThis and choose *Fix checked*

Please delete the following file:
C:\*syssxxz.exe*

Please reboot your PC.

Please rename HijackThis.exe to scanner.exe (or anything else that's not HijackThis.exe) and post a new HijackThis log.  How is your system running now?
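
Added example, not part of the original thread or of any tool mentioned in it: a small Python triage of ActiveScan MALWARE rows that groups each detection by where the file sits, separating copies already held in ComboFix's `C:\QooBox\Quarantine` folder or in System Restore points from items in live locations such as the `C:\syssxxz.exe` named in this reply. The row layout is inferred from the log posted above; the class labels and function names are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Rows copied from the MALWARE section of the ActiveScan log posted in this thread.
SAMPLE_LOG = r"""
MALWARE
Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
00024343  adware/keenvalue                   Adware              No        0         Yes            No           c:\windows\system32\drivers\etc\hosts.bho
00139060  Cookie/Casalemedia                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\pnw\Cookies\pnw@casalemedia[1].txt
00217379  adware/dollarrevenue               Adware              No        0         Yes            No           hkey_local_machine\software\microsoft\drsmartload
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120724.EXE
01253216  Generic Malware                    Virus/Trojan        No        0         Yes            No           C:\syssxxz.exe
03324220  Adware/VistaAntivirus              Adware              No        0         No             No           C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\5.exe.vir[vav.cpl]
03329533  Trj/Downloader.MDW                 Virus/Trojan        No        1         Yes            No           C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\4.exe.vir
03363333  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120697.dll
"""

# Columns are separated by two or more spaces; only Description and Location
# may contain single spaces. Header and separator lines do not match.
ROW = re.compile(
    r"^(?P<sig_id>\d{8})\s{2,}(?P<name>.+?)\s{2,}(?P<kind>\S+)\s{2,}"
    r"(?P<active>Yes|No)\s{2,}(?P<severity>\d+)\s{2,}(?P<disinfectable>Yes|No)\s{2,}"
    r"(?P<disinfected>Yes|No)\s{2,}(?P<location>.+)$"
)
# A trailing "[member]" names a file found inside a container (e.g. an archive).
MEMBER = re.compile(r"^(?P<container>.+)\[(?P<member>[^\[\]]+)\]$")
QUARANTINE = re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.IGNORECASE)


@dataclass
class Finding:
    sig_id: str
    name: str
    kind: str
    active: bool
    severity: int
    disinfectable: bool
    location: str
    member: Optional[str]


def parse_findings(log_text):
    """Return one Finding per MALWARE row; every other line is skipped."""
    findings = []
    for line in log_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        location, member = m["location"], None
        inner = MEMBER.match(location)
        if inner:
            location, member = inner["container"], inner["member"]
        findings.append(Finding(
            sig_id=m["sig_id"], name=m["name"], kind=m["kind"],
            active=m["active"] == "Yes", severity=int(m["severity"]),
            disinfectable=m["disinfectable"] == "Yes",
            location=location, member=member,
        ))
    return findings


def classify(finding):
    """Label a finding by where it lives (labels are this example's own)."""
    loc = finding.location.lower()
    if finding.kind == "TrackingCookie":
        return "cookie"
    if loc.startswith("hkey_"):
        return "registry"
    if QUARANTINE.match(loc):
        return "quarantine"        # copy already moved aside by ComboFix
    if "\\system volume information\\_restore{" in loc:
        return "restore_point"     # copy captured in a System Restore point
    return "live_file"


def triage(log_text):
    """Group findings by location class, preserving log order."""
    groups = defaultdict(list)
    for finding in parse_findings(log_text):
        groups[classify(finding)].append(finding)
    return dict(groups)


def needs_attention(log_text):
    """Findings outside quarantine, restore points and cookies, worst first."""
    groups = triage(log_text)
    live = groups.get("live_file", []) + groups.get("registry", [])
    return sorted(live, key=lambda f: -f.severity)


if __name__ == "__main__":
    for label, items in triage(SAMPLE_LOG).items():
        print(f"{label:14} {len(items)}")
    for f in needs_attention(SAMPLE_LOG):
        print("check:", f.name, "->", f.location)
```

Copies classed as `restore_point` stay on disk until the restore points themselves are purged, so a rescan keeps reporting them even after the live files are gone.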


----------



## perfectm

*Latest Log!! System still a little slow!*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:59, on 05/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\pnw\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.genie.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.genie.co.uk
O15 - Trusted Zone: http://www.skillstrain-online.com
O16 - DPF: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} (PhotoBox uploader) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 4935 bytes


----------



## ceewi1

Please rename HijackThis to scanner.exe (or anything else that's not HijackThis.exe) by right clicking on HijackThis.exe and choosing rename.  This infection hides itself from any process called HijackThis.exe.

Once done, please post a new HijackThis log.


----------



## perfectm

*Latest Log- computer still slow!*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41, on 24/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\pnw\Desktop\Scanner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\update\update.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.genie.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.genie.co.uk
O15 - Trusted Zone: http://www.skillstrain-online.com
O16 - DPF: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} (PhotoBox uploader) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 5177 bytes


----------



## ceewi1

It appears that the infection has been removed.

Please click on *Start* -> *Run*.  Type *ComboFix /u* and click *OK*.
Note the space between the ComboFix and the /u.
This will remove the backups that ComboFix has created as well as the program itself.

Please download *OTCleanIt* and save it to desktop.
- Double-click *OTCleanIt.exe*.
- Click the *CleanUp!* button.
- Select *Yes* when the Begin cleanup Process? prompt appears.
- If you are prompted to Reboot during the cleanup, select *Yes*.
- The tool will delete itself once it finishes; if not, delete it yourself.

With regards to your speed problems, please register (it's free, don't worry) with PCPitStop and run the full tests *here*. When the tests are complete, a results page will pop up. Click *Share these results with TechExpress* on the right-hand side. Then copy the URL provided and post it here for me.


----------



## perfectm

I've tried running the PCpitstop and it hangs when it gets to the 3d test - also my machine has gone incredibly slow on the internet.  It kept logging me out of computer forum last night so I was unable to post a reply - any clues??


----------



## ceewi1

OK, try running a speed test at http://www.speedtest.net/ so that we can get some exact numbers.  What sort of Internet connection do you have?

With regards to PCPitstop, try updating your video drivers and see if that makes a difference.

Given the length of time it's been since your last logs, I'd like to see a few new ones.

Download *OTViewIt* to your desktop.

- Close all windows and open it.
- Click *Run Scan* and let the program run uninterrupted.
- It will produce two logs for you, one will pop up called *OTViewIt.txt*, the other will be saved on your desktop and called *Extras*. Post both those logs here.
- You may need to use two posts to get it all on the forum.

Please also post a new HijackThis log.


----------



## perfectm

*Latest Logs*

OTViewIt logfile created on: 04/09/2008 17:39:44 - Run 1
OTViewIt by OldTimer - Version 1.0.1.8     Folder = C:\Documents and Settings\pnw\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

191.48 Mb Total Physical Memory | 78.45 Mb Available Physical Memory | 40.97% Memory free
466.70 Mb Paging File | 287.69 Mb Available in Paging File | 61.64% Paging File free
Paging file location(s): C:\pagefile.sys 288 576;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 17.90 Gb Free Space | 48.04% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PETE
Current User Name: pnw
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On

===== Processes - Non-Microsoft Only =====

[03/09/2004 07:27 PM | 00,397,312 | ---- | M] () - C:\WINDOWS\system32\ati2evxx.exe
[03/09/2004 07:27 PM | 00,397,312 | ---- | M] () - C:\WINDOWS\system32\ati2evxx.exe
[03/04/2004 03:41 PM | 00,028,672 | ---- | M] (TOSHIBA CORPORATION) - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
[04/28/2008 11:20 AM | 00,415,072 | R--- | M] (WinZip Computing, S.L.) - C:\Program Files\WinZip\WZQKPICK.EXE
[03/03/2006 12:18 PM | 00,200,704 | ---- | M] (Yahoo!, Inc.) - C:\Program Files\Yahoo!\browser\ycommon.exe

===== Win32 Services - Non-Microsoft Only =====

(Ati HotKey Poller) Ati HotKey Poller [Auto | Running] 
[03/09/2004 07:27 PM | 00,397,312 | ---- | M] () - C:\WINDOWS\system32\ati2evxx.exe

(CFSvcs) ConfigFree Service [Auto | Running] 
[03/04/2004 03:41 PM | 00,028,672 | ---- | M] (TOSHIBA CORPORATION) - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

===== Driver Services - Non-Microsoft Only =====

(AgereSoftModem) TOSHIBA V92 Software Modem [On_Demand | Running] 
[02/20/2004 02:00 PM | 01,265,388 | ---- | M] (Agere Systems) - C:\WINDOWS\system32\drivers\AGRSM.sys

(ALCXSENS) Service for WDM 3D Audio Driver [On_Demand | Running] 
[02/24/2004 10:08 AM | 00,400,384 | ---- | M] (Sensaura) - C:\WINDOWS\system32\drivers\ALCXSENS.SYS

(AR5211) Atheros Wireless Network Adapter Service [On_Demand | Stopped] 
[05/28/2004 10:45 AM | 00,390,944 | ---- | M] (Atheros Communications, Inc.) - C:\WINDOWS\system32\drivers\ar5211.sys

(DevUpper) TI UltraMedia CardBus Controller Filter Driver [Boot | Running] 
[12/10/2002 03:13 PM | 00,007,552 | ---- | M] (Texas Instruments Inc.) - C:\WINDOWS\system32\drivers\tiumflt.sys

(MRENDIS5) MRENDIS5 NDIS Protocol Driver [On_Demand | Stopped] 
[03/24/2006 04:53 PM | 00,018,003 | ---- | M] (Motive, Inc.) - C:\Program Files\Common Files\Motive\MRENDIS5.sys

(Netdevio) TOSHIBA Network Device Usermode I/O Protocol [Auto | Running] 
[01/29/2003 01:35 PM | 00,012,032 | ---- | M] (TOSHIBA Corporation.) - C:\WINDOWS\system32\drivers\Netdevio.sys

(pavboot) pavboot [Boot | Running] 
[06/19/2008 05:24 PM | 00,028,544 | ---- | M] (Panda Security, S.L.) - C:\WINDOWS\system32\drivers\pavboot.sys

(RTL8023) Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver [On_Demand | Stopped] 
[12/05/2003 06:53 PM | 00,068,352 | ---- | M] (Realtek Semiconductor Corporation                           ) - C:\WINDOWS\system32\drivers\Rtlnic51.sys

(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [On_Demand | Stopped] 
[08/04/2004 05:31 AM | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) - C:\WINDOWS\system32\drivers\rtl8139.sys

(SE27bus) Sony Ericsson Device 039 Driver driver (WDM) [On_Demand | Stopped] 
[04/28/2006 03:24 PM | 00,061,600 | R--- | M] (MCCI) - C:\WINDOWS\system32\drivers\SE27bus.sys

(SE27mdfl) Sony Ericsson Device 039 USB WMC Modem Filter [On_Demand | Stopped] 
[04/28/2006 03:25 PM | 00,009,360 | R--- | M] (MCCI) - C:\WINDOWS\system32\drivers\SE27mdfl.sys

(SE27mdm) Sony Ericsson Device 039 USB WMC Modem Driver [On_Demand | Stopped] 
[04/28/2006 03:25 PM | 00,097,184 | R--- | M] (MCCI) - C:\WINDOWS\system32\drivers\SE27mdm.sys

(SE27mgmt) Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM) [On_Demand | Stopped] 
[04/28/2006 03:26 PM | 00,088,688 | R--- | M] (MCCI) - C:\WINDOWS\system32\drivers\SE27mgmt.sys

(se27nd5) Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS) [On_Demand | Stopped] 
[04/28/2006 03:24 PM | 00,018,704 | R--- | M] (MCCI) - C:\WINDOWS\system32\drivers\se27nd5.sys

(SE27obex) Sony Ericsson Device 039 USB WMC OBEX Interface [On_Demand | Stopped] 
[04/28/2006 03:27 PM | 00,086,560 | R--- | M] (MCCI) - C:\WINDOWS\system32\drivers\SE27obex.sys

(se27unic) Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM) [On_Demand | Stopped] 
[04/28/2006 03:24 PM | 00,090,800 | R--- | M] (MCCI) - C:\WINDOWS\system32\drivers\se27unic.sys

(Ser2pl) MAT Serial port driver [On_Demand | Stopped] 
[07/16/2003 06:27 AM | 00,043,264 | R--- | M] (Prolific Technology Inc.) - C:\WINDOWS\system32\drivers\ser2pl.sys

(SMCIRDA) SMC IrCC Miniport Device Driver [On_Demand | Running] 
[11/05/2002 03:00 PM | 00,039,424 | ---- | M] (SMC) - C:\WINDOWS\system32\drivers\smcirda.sys

(SynTP) Synaptics TouchPad Driver [On_Demand | Running] 
[01/22/2004 04:04 PM | 00,178,816 | ---- | M] (Synaptics, Inc.) - C:\WINDOWS\system32\drivers\SynTP.sys

(tiumfwl) tiumfwl [On_Demand | Stopped] 
[02/18/2003 06:02 PM | 00,042,092 | ---- | M] (Texas Instruments Inc.) - C:\WINDOWS\system32\drivers\tiumfwl.sys

(TVALD) Toshiba Mobile PC Service [On_Demand | Running] 
[02/27/2004 12:31 AM | 00,004,224 | ---- | M] (Toshiba Corporation) - C:\WINDOWS\system32\drivers\NBSMI.sys

========== Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Pitstop Optimize Reminder" = C:\Program Files\PCPitstop\Optimize2\Reminder.exe File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Key does not exist or could not be opened.
"run" = Reg Error: Key does not exist or could not be opened.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

========== Startup Folders ==========

[All Users Startup Folder - C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
[04/28/2008 11:20 AM | 00,415,072 | R--- | M] (WinZip Computing, S.L.) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

[pnw Startup Folder - C:\Documents and Settings\pnw\Start Menu\Programs\Startup]

========== BHO's ==========

========== Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
HKLM CLSID: (Yahoo! Toolbar) - [09/29/2006 11:53 AM | 00,440,384 | ---- | M] (Yahoo! Inc.) C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

========== AppInit_Dlls ==========

========== HKLM Security Providers ==========

========== HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell]
= Explorer.exe
>Explorer.exe - [06/13/2007 10:23 AM | 01,033,216 | ---- | M] (Microsoft Corporation) C:\WINDOWS\explorer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit]
= C:\WINDOWS\system32\userinit.exe,
>C:\WINDOWS\system32\userinit.exe - [08/04/2004 07:56 AM | 00,024,576 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\userinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost]
= logonui.exe
>logonui.exe - [08/04/2004 07:56 AM | 00,514,560 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\logonui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
= rundll32 shell32,Control_RunDLL "sysdm.cpl"
>rundll32 shell32 - [10/26/2007 03:36 AM | 08,454,656 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
>Control_RunDLL "sysdm.cpl" - [08/04/2004 07:56 AM | 00,298,496 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\sysdm.cpl

========== User's Winlogon Settings ==========

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DllName" = C:\WINDOWS\system32\ati2evxx.dll [03/09/2004 07:27 PM | 00,086,016 | ---- | M] ()

========== Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun" = 67108863
"NoDriveTypeAutoRun" = 255
"NoDrives" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername" = 0
"legalnoticecaption" = 
"legalnoticetext" = 
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1
"DisableRegistryTools" = 0
"HideLegacyLogonScripts" = 0
"HideLogoffScripts" = 0
"RunLogonScriptSync" = 1
"RunStartupScriptSync" = 0
"HideStartupScripts" = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145
"NoDrives" = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts" = 0
"HideLogoffScripts" = 0
"RunLogonScriptSync" = 1
"RunStartupScriptSync" = 0
"HideStartupScripts" = 0
"disableregistrytools" = 0

========== Lsa Authentication Packages ==========

========== Lsa Security Packages ==========

========== Desktop Components ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName" = ""
"Source" = ""
"SubscribedURL" = ""

========== Safeboot Options ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = cmd.exe

========== Disabled MsConfig Items ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"item" = Adobe Gamma Loader
"command" = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/04/1999 03:06 PM | 00,113,664 | ---- | M] (Adobe Systems, Inc.)
"location" = Common Startup
"path" = C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk File not found
"backup" = C:\WINDOWS\pss\Adobe Gamma Loader.lnk File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"item" = WinZip Quick Pick
"command" = C:\Program Files\WinZip\WZQKPICK.EXE [04/28/2008 11:20 AM | 00,415,072 | R--- | M] (WinZip Computing, S.L.)
"location" = Common Startup

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\btbb_wcm_McciTrayApp]
"item" = btbb_wcm_McciTrayApp
"command" = C:\Program Files\btbb_wcm\McciTrayApp.exe [12/29/2005 10:22 AM | 00,543,232 | ---- | M] (Motive Communications, Inc.)
"hkey" = HKLM
"key" = Run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe]
"item" = C:\WINDOWS\system32\ctfmon.exe [08/04/2004 07:56 AM | 00,015,360 | ---- | M] (Microsoft Corporation)
"command" = C:\WINDOWS\system32\ctfmon.exe [08/04/2004 07:56 AM | 00,015,360 | ---- | M] (Microsoft Corporation)
"hkey" = HKEY_CURRENT_USER
"key" = Run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DeviceDiscovery]
"item" = DeviceDiscovery
"command" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [05/21/2003 05:37 PM | 00,229,437 | ---- | M] (Hewlett-Packard)
"hkey" = HKLM
"key" = Run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\H/PC Connection Agent]
"item" = H/PC Connection Agent
"command" = C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE [09/01/2003 10:52 AM | 00,376,912 | ---- | M] (Microsoft Corporation)
"hkey" = HKEY_CURRENT_USER
"key" = Run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update]
"item" = HP Software Update
"command" = C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe [06/25/2003 10:24 AM | 00,049,152 | ---- | M] (Hewlett-Packard)
"hkey" = HKLM
"key" = Run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ioloDelayModule]
"item" = ioloDelayModule
"command" = C:\Program Files\iolo\System Mechanic Professional 6\Delay.exe [06/08/2005 08:31 PM | 00,096,256 | ---- | M] ()
"hkey" = HKLM
"key" = Run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Motive SmartBridge]
"item" = Motive SmartBridge
"command" = C:\Program Files\BT Home Hub\Help\SmartBridge\BTHelpNotifier.exe [02/06/2006 05:52 PM | 00,462,935 | ---- | M] (Motive)
"hkey" = HKLM
"key" = Run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
"item" = MSMSGS
"command" = C:\Program Files\Messenger\msmsgs.exe [10/13/2004 04:24 PM | 01,694,208 | ---- | M] (Microsoft Corporation)
"hkey" = HKEY_CURRENT_USER
"key" = Run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SDTray]
"item" = SDTray
"hkey" = HKLM
"key" = Run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SMSystemAnalyzer]
"item" = SMSystemAnalyzer
"command" = C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe [12/20/2006 04:47 PM | 00,557,056 | ---- | M] ()
"hkey" = HKEY_CURRENT_USER
"key" = Run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SynTPEnh]
"item" = SynTPEnh
"command" = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [01/22/2004 04:08 PM | 00,495,616 | ---- | M] (Synaptics, Inc.)
"hkey" = HKLM
"key" = Run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SynTPLpr]
"item" = SynTPLpr
"command" = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [01/22/2004 04:09 PM | 00,098,304 | ---- | M] (Synaptics, Inc.)
"hkey" = HKLM
"key" = Run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TOSCDSPD]
"item" = TOSCDSPD
"command" = C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [09/05/2003 02:24 AM | 00,065,536 | ---- | M] (TOSHIBA)
"hkey" = HKEY_CURRENT_USER
"key" = Run

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3145e705-f591-11dc-8b6e-d00cde7a7b61}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{72e413c4-441d-11dc-8a60-f67c44f1dcb7}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b88f66cb-ede7-11dc-8b65-ac5f460e2baa}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bc3347f6-d646-11db-89f8-9d9f0a8e40b0}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bc3347f7-d646-11db-89f8-9d9f0a8e40b0}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d6b2bc30-775b-11dd-8c2f-0218f65c501d}\Shell]
"" = AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell]
"" = AutoRun

========== DNS Name Servers ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{274D4655-CFBA-497F-B736-90617712061B}]
Servers:  | Description: Thomson ST Remote NDIS Device

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{6D3BAC9E-B4CC-4B44-B1BF-B9B5F9383EE0}]
Servers:  | Description: Sony Ericsson Device 039 USB Ethernet Emulation (NDIS 5)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{80A29970-8844-400B-8EDB-4BD790710F99}]
Servers:  | Description: 1394 Net Adapter

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{AF36FD5E-C27D-43B6-9B78-CDC5DA660868}]
Servers:  | Description: Thomson ST Remote NDIS Device

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{F6D3DEA3-E736-41E7-A31E-E94F63FAFE02}]
Servers:  | Description: Realtek RTL8139/810x Family Fast Ethernet NIC

========== Hosts File ==========

HOSTS File = (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1       localhost



========== Files/Folders - Created Within 30 days ==========

[08/05/2008 08:53 PM | -HSD | C] - C:\RECYCLER
[08/23/2008 10:08 PM | 00,001,374 | ---- | C] () - C:\WINDOWS\imsins.BAK
[08/31/2008 06:20 PM | ---D | C] - C:\Documents and Settings\All Users\Application Data\PCPitstop
[08/31/2008 12:56 PM | ---D | C] - C:\Documents and Settings\pnw\Application Data\U3
[08/05/2008 08:51 PM | ---D | C] - C:\Documents and Settings\pnw\Desktop\backups
[09/03/2008 06:41 PM | 00,012,656 | ---- | C] () - C:\Documents and Settings\pnw\Desktop\Flint Labour Party.docx
[09/04/2008 05:38 PM | 00,010,051 | ---- | C] () - C:\Documents and Settings\pnw\Desktop\a href.docx

========== Files - Modified Within 30 days ==========

[09/04/2008 05:03 PM | 20,085,5552 | -HS- | M] () - C:\hiberfil.sys
[2 C:\WINDOWS\System32\*.tmp files]
[09/03/2008 06:16 PM | 00,001,158 | ---- | M] () - C:\WINDOWS\System32\wpa.dbl
[1 C:\WINDOWS\*.tmp files]
[08/24/2008 12:47 PM | 00,001,374 | ---- | M] () - C:\WINDOWS\imsins.BAK
[08/31/2008 07:20 PM | 00,000,669 | ---- | M] () - C:\WINDOWS\win.ini
[09/04/2008 05:03 PM | 00,002,048 | --S- | M] () - C:\WINDOWS\bootstat.dat
[09/29/2008 03:12 PM | 00,000,554 | ---- | M] () - C:\WINDOWS\SysMech6.INI
[09/04/2008 05:03 PM | 00,000,006 | -H-- | M] () - C:\WINDOWS\tasks\SA.DAT
[09/04/2008 05:03 PM | 00,000,434 | ---- | M] () - C:\WINDOWS\tasks\RegCure Program Check.job
[09/04/2008 05:04 PM | 00,000,444 | ---- | M] () - C:\WINDOWS\tasks\XoftSpySE 2.job
[08/12/2008 05:18 PM | 00,052,275 | ---- | M] () - C:\Documents and Settings\pnw\My Documents\My book 2008.rtf
[09/03/2008 06:41 PM | 00,012,656 | ---- | M] () - C:\Documents and Settings\pnw\Desktop\Flint Labour Party.docx
[09/04/2008 05:38 PM | 00,010,051 | ---- | M] () - C:\Documents and Settings\pnw\Desktop\a href.docx

< End of report >


----------



## perfectm

*Extra Log*

OTViewIt Extras logfile created on: 04/09/2008 17:39:45 - Run 1
OTViewIt by OldTimer - Version 1.0.1.8     Folder = C:\Documents and Settings\pnw\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

191.48 Mb Total Physical Memory | 78.45 Mb Available Physical Memory | 40.97% Memory free
466.70 Mb Paging File | 287.69 Mb Available in Paging File | 61.64% Paging File free
Paging file location(s): C:\pagefile.sys 288 576;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 17.90 Gb Free Space | 48.04% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[08/04/2004 07:56 AM | 00,140,800 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[08/04/2004 07:56 AM | 00,140,800 | ---- | M] (Microsoft Corporation)

"C:\Program Files\Yahoo!\Messenger\ypager.exe" = C:\Program Files\Yahoo!\Messenger\ypager.exe:*:Disabled:Yahoo! Messenger
[08/31/2005 04:11 PM | 02,478,080 | ---- | M] ()

"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" = C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE:*:Disabled:Connection Manager
[09/01/2003 10:52 AM | 00,376,912 | ---- | M] (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook
[05/21/2008 04:37 AM | 12,844,576 | ---- | M] (Microsoft Corporation)

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] - "%1" %*
.cmd [@ = cmdfile] - "%1" %*
.com [@ = ComFile] - "%1" %*
.exe [@ = exefile] - "%1" %*
.html [@ = YBrowser.HTML] - [09/19/2006 03:28 PM | 00,668,152 | ---- | M] (Yahoo!, Inc.) - C:\Program Files\Yahoo!\browser\ybrowser.exe
.pif [@ = piffile] - "%1" %*
.scr [@ = scrfile] - "%1" /S

========== Winsock2 Catalogs ==========

========== HKEY_LOCAL_MACHINE Protocol Defaults ==========


========== HKEY_CURRENT_USER Protocol Defaults ==========


========== Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]

cetihpz:{CF184AD3-CDCB-4168-A3F7-8E447D129300} [HKLM - CZipHandler Object]
[10/23/2003 06:51 PM | 00,081,920 | ---- | M] (Hewlett-Packard Company) C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
ipp: [HKLM - No CLSID value]
msdaipp: [HKLM - No CLSID value]

========== Protocol Filters ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05832D65-6EDB-4D32-BA78-BCD0E2B91C02}" = Atheros Wireless LAN MiniPCI card Driver
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{188BA1CC-F3A1-49B0-A34D-8C861C64E1AE}" = TOSHIBA Manuals
"{2FCE4FC5-6930-40E7-A4F1-F862207424EF}" = InterVideo WinDVD Creator 2
"{3470FBE6-B743-420F-B5CE-0D27FA749C16}" = Touch and Launch
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}" = TOSHIBA Console
"{41DC35DD-1E9B-4254-AE64-16F9B740785A}" = Navman SmartST Version 2 Desktop
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{64212898-097F-4F3F-AECA-6D34A7EF82DF}" = TOSHIBA Zooming Utility
"{68D368EE-F5AC-4402-BD45-B454B5453FE1}" = SRS WOW XT Plug-In for Windows Media Player for Toshiba version 1.0.1
"{7148F0A8-6813-11D6-A77B-00B0D0142040}" = Java 2 Runtime Environment, SE v1.4.2_04
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders  (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{1AFF2298-CC00-4A3B-866A-C62B8373794E}" = Security Update for 2007 Microsoft Office System (KB951596)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{4AD3A076-427C-491F-A5B7-7D1DE788A756}" = Update for Microsoft Office Outlook 2007 (KB952142)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{558B709B-821B-4FC5-90FC-9A8890641E77}" = Security Update for Microsoft Office PowerPoint 2007 (KB951338)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6BAD036C-261F-4BEF-96CF-C20678D07A41}" = Security Update for Visio 2007 (KB947590)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{7399DD71-8E24-4E60-B6A8-6CED89C0AC26}" = Security Update for Microsoft Office Excel 2007 (KB951546)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{8F375E11-4FD6-4B89-9E2B-A76D48B51E00}" = Security Update for Microsoft Office system 2007 (KB951808)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{A420F522-7395-4872-9882-C591B4B92278}" = Update for Office 2007 (KB946691)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{AD72BABE-C733-4FCF-9674-4314466191B9}" = Security Update for Microsoft Office Word 2007 (KB950113)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{D9806966-6AA1-4B55-9528-6748E37CEE86}" = Update for Outlook 2007 Junk Email Filter (kb955433)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}" = Security Update for Microsoft Office Publisher 2007 (KB950114)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for Toshiba
"{91A10409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office OneNote 2003
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}" = TOSHIBA Controls
"{AC76BA86-7AD7-1033-7646-A00000000001}" = Adobe Reader 6.0.1
"{AE2310DC-B261-4D84-BE03-BD318EB41B78}" = PCI1620 Ultramedia Controller
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{C04E32E0-0416-434D-AFB9-6969D703A9EF}" = MSXML 4.0 SP2 (KB936181)
"{C7EC0699-D82C-4451-B701-C98C330D43AF}" = hp deskjet 3500
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}" = WinZip 11.2
"{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1" = NOD32 FiX 2.3.2
"{E0828692-FD9D-459F-9312-C645C3CA6650}" = HP Photo and Imaging 2.0 - Deskjet Series
"{F1B8DB67-D30E-4FF9-A85F-3CEE51825AA2}" = SMSC IrCC V5.1.3600.3 SP1
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"BT Home Hub" = BT Home Hub
"BT Wireless Connection Manager" = BT Wireless Connection Manager
"BT Yahoo! Applications" = BT Yahoo! Applications
"btbb.MCCInstall" = BT Broadband Desktop Help
"CCleaner" = CCleaner (remove only)
"HijackThis" = HijackThis 2.0.2
"hp print screen utility" = hp print screen utility
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{68D368EE-F5AC-4402-BD45-B454B5453FE1}" = SRS WOW XT Plug-In for Windows Media Player for Toshiba version 1.0.1
"InstallShield_{AE2310DC-B261-4D84-BE03-BD318EB41B78}" = PCI 1620 Cardbus Controller and Software
"KB932823-v3" = Update for Windows XP (KB932823-v3)
"KB938127-IE7" = Security Update for Windows Internet Explorer 7 (KB938127)
"KB941693" = Security Update for Windows XP (KB941693)
"KB942615-IE7" = Security Update for Windows Internet Explorer 7 (KB942615)
"KB944533-IE7" = Security Update for Windows Internet Explorer 7 (KB944533)
"KB945553" = Security Update for Windows XP (KB945553)
"KB946648" = Security Update for Windows XP (KB946648)
"KB947864-IE7" = Hotfix for Windows Internet Explorer 7 (KB947864)
"KB948590" = Security Update for Windows XP (KB948590)
"KB948881" = Security Update for Windows XP (KB948881)
"KB950749" = Security Update for Windows XP (KB950749)
"KB950759-IE7" = Security Update for Windows Internet Explorer 7 (KB950759)
"KB950760" = Security Update for Windows XP (KB950760)
"KB950762" = Security Update for Windows XP (KB950762)
"KB950974" = Security Update for Windows XP (KB950974)
"KB951066" = Security Update for Windows XP (KB951066)
"KB951072-v2" = Update for Windows XP (KB951072-v2)
"KB951376-v2" = Security Update for Windows XP (KB951376-v2)
"KB951698" = Security Update for Windows XP (KB951698)
"KB951748" = Security Update for Windows XP (KB951748)
"KB952287" = Hotfix for Windows XP (KB952287)
"KB952954" = Security Update for Windows XP (KB952954)
"KB953838-IE7" = Security Update for Windows Internet Explorer 7 (KB953838)
"KB953839" = Security Update for Windows XP (KB953839)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PC Diagnostic Tool" = TOSHIBA PC Diagnostic Tool
"Power Saver" = TOSHIBA Power Saver
"PROPLUS" = Microsoft Office Professional Plus 2007
"RegCure" = RegCure 1.5.0.0
"Sierra Utilities" = Sierra Utilities
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"System Mechanic Professional 6_is1" = iolo technologies' System Mechanic Professional 6
"TOSHIBA Hotkey Utility for Display Devices" = TOSHIBA Hotkey Utility for Display Devices
"TOSHIBA Utilities" = TOSHIBA Utilities
"Windows CE Services" = Microsoft ActiveSync 3.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XoftSpySE" = XoftSpySE
"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========


========== Last 10 Event Log Errors ==========


[ Application Events ]
Error - 25/02/2008 18:00:23 - Computer Name = PETE - User Name = NT AUTHORITY\SYSTEM - Source = MsiInstaller
Description = Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source
 could be found for product Microsoft .NET Framework 1.1.  The Windows installer
 cannot continue.

Error - 25/02/2008 18:00:25 - Computer Name = PETE - User Name = NT AUTHORITY\SYSTEM - Source = MsiInstaller
Description = Product: Microsoft .NET Framework 1.1 - Update '{411EDCF7-755D-414E-A74B-3DCD6583F589}'
 could not be installed. Error code 1603. Windows Installer can create logs to help
 troubleshoot issues with installing software packages. Use the following link for
 instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error - 02/03/2008 18:03:16 - Computer Name = PETE - User Name = NT AUTHORITY\SYSTEM - Source = MsiInstaller
Description = Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source
 could be found for product Microsoft .NET Framework 1.1.  The Windows installer
 cannot continue.

Error - 02/03/2008 18:03:18 - Computer Name = PETE - User Name = NT AUTHORITY\SYSTEM - Source = MsiInstaller
Description = Product: Microsoft .NET Framework 1.1 - Update '{411EDCF7-755D-414E-A74B-3DCD6583F589}'
 could not be installed. Error code 1603. Windows Installer can create logs to help
 troubleshoot issues with installing software packages. Use the following link for
 instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error - 02/03/2008 18:39:35 - Computer Name = PETE - User Name = NT AUTHORITY\SYSTEM - Source = MsiInstaller
Description = Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source
 could be found for product Microsoft .NET Framework 1.1.  The Windows installer
 cannot continue.

Error - 02/03/2008 18:39:37 - Computer Name = PETE - User Name = NT AUTHORITY\SYSTEM - Source = MsiInstaller
Description = Product: Microsoft .NET Framework 1.1 - Update '{411EDCF7-755D-414E-A74B-3DCD6583F589}'
 could not be installed. Error code 1603. Windows Installer can create logs to help
 troubleshoot issues with installing software packages. Use the following link for
 instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error - 03/03/2008 21:41:19 - Computer Name = PETE - User Name = NT AUTHORITY\SYSTEM - Source = MsiInstaller
Description = Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source
 could be found for product Microsoft .NET Framework 1.1.  The Windows installer
 cannot continue.

Error - 03/03/2008 21:41:22 - Computer Name = PETE - User Name = NT AUTHORITY\SYSTEM - Source = MsiInstaller
Description = Product: Microsoft .NET Framework 1.1 - Update '{411EDCF7-755D-414E-A74B-3DCD6583F589}'
 could not be installed. Error code 1603. Windows Installer can create logs to help
 troubleshoot issues with installing software packages. Use the following link for
 instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error - 04/03/2008 11:49:00 - Computer Name = PETE - User Name = User SID not found - Source = Application Hang
Description = Hanging application explorer.exe, version 6.0.2900.3156, hang module
 hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 04/03/2008 11:52:35 - Computer Name = PETE - User Name = User SID not found - Source = Microsoft Office 12
Description = EventType offdiag12, P1 5da3919a-c05b-49fe-b8f4-786d3f8121621f4e26f8-669b-48f3-9320-158d69f80839,
 P2 NIL, P3 NIL, P4 NIL, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.


[ Internet Explorer Events ]

[ ODiag Events ]

[ OSession Events ]

[ Security Events ]

[ System Events ]
Error - 30/08/2008 19:50:00 - Computer Name = PETE - User Name = User SID not found - Source = Service Control Manager
Description = The HID Input Service service terminated with the following error:
   %%2

Error - 30/08/2008 20:51:03 - Computer Name = PETE - User Name = User SID not found - Source = Windows Update Agent
Description = Installation Failure: Windows failed to install the following update
 with error 0x80070643: Microsoft .NET Framework 1.1 Service Pack 1.

Error - 31/08/2008 08:28:48 - Computer Name = PETE - User Name = User SID not found - Source = Service Control Manager
Description = The HID Input Service service terminated with the following error:
   %%2

Error - 31/08/2008 12:51:01 - Computer Name = PETE - User Name = User SID not found - Source = Service Control Manager
Description = The HID Input Service service terminated with the following error:
   %%2

Error - 31/08/2008 18:58:25 - Computer Name = PETE - User Name = User SID not found - Source = Windows Update Agent
Description = Installation Failure: Windows failed to install the following update
 with error 0x80070643: Microsoft .NET Framework 1.1 Service Pack 1.

Error - 31/08/2008 19:43:22 - Computer Name = PETE - User Name = User SID not found - Source = Service Control Manager
Description = The HID Input Service service terminated with the following error:
   %%2

Error - 31/08/2008 21:20:26 - Computer Name = PETE - User Name = User SID not found - Source = Windows Update Agent
Description = Installation Failure: Windows failed to install the following update
 with error 0x80070643: Microsoft .NET Framework 1.1 Service Pack 1.

Error - 01/09/2008 17:45:16 - Computer Name = PETE - User Name = User SID not found - Source = Service Control Manager
Description = The HID Input Service service terminated with the following error:
   %%2

Error - 03/09/2008 18:16:32 - Computer Name = PETE - User Name = User SID not found - Source = Service Control Manager
Description = The HID Input Service service terminated with the following error:
   %%2

Error - 04/09/2008 17:04:28 - Computer Name = PETE - User Name = User SID not found - Source = Service Control Manager
Description = The HID Input Service service terminated with the following error:
   %%2


< End of report >


----------



## perfectm

*Scan Results*

[![Speedtest.net result](http://www.speedtest.net/result/318346341.png)](http://www.speedtest.net)


----------



## ceewi1

Those speed test results are reasonably fast, so I don't think that's responsible for your problems.  There's no malware showing in those logs, but it appears that you have only 256MB of RAM, and due to the fact that some of that is shared with the video adaptor, only 191MB is available for Windows.  

With this little available RAM it is not surprising that your system is running slowly; a RAM upgrade would improve your system speed significantly.


----------



## perfectm

Thanks for all your help - computer is running fine now.


----------

