Hijack this LOG: Trojan wrecked registry...
Hi,
My PC is going to be inoperable within a few hours as this attack has rewritten the registry and de-registered XP Pro (initially 3 days, now 1). I have been struggling all weekend trying to get various AV & spyware packages to clean up, but I am not sure where to go. I did have McAfee installed but I suspect it was disabled, and most packages I suspect are being nobbled. The most interesting files I found I am going to attach, as I suspect I have stopped the total takeover by catching this and deleting some suspicious things out of the registry. IE will not load, reporting a problem with GoogleToolbar8.dll, which I found but cannot delete (I uninstalled the toolbar to no effect). I have renamed a stack of these files as they could not be deleted... Probably my changes to the registry will need repair, but as I will not have a system later today that is the least of my worries... Nothing was found by anything I can run. Both directory & logfile names were edited 'just in case' for the two interesting attachments.
Using the tools, I can't even run the first one, the ATF Cleaner, as it just hangs.
Please respond soonest.
thanks,
Richard.
Ad-Aware SE Build 1.06r1
Logfile Created on:18 November 2006 22:35:47
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R133 16.11.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
None
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
18-11-2006 22:35:47 - Scan started. (Full System Scan)
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 304
ThreadCreationTime : 20-11-2006 08:00:44
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINXP\system32\
ProcessID : 356
ThreadCreationTime : 20-11-2006 08:00:51
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINXP\system32\
ProcessID : 380
ThreadCreationTime : 20-11-2006 08:00:53
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINXP\system32\
ProcessID : 424
ThreadCreationTime : 20-11-2006 08:00:56
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINXP\system32\
ProcessID : 436
ThreadCreationTime : 20-11-2006 08:00:57
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINXP\system32\
ProcessID : 592
ThreadCreationTime : 20-11-2006 08:01:00
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [svchost.exe]
FilePath : C:\WINXP\system32\
ProcessID : 856
ThreadCreationTime : 20-11-2006 08:01:06
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [svchost.exe]
FilePath : C:\WINXP\System32\
ProcessID : 1032
ThreadCreationTime : 20-11-2006 08:01:07
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:9 [incdsrv.exe]
FilePath : C:\Program Files\Ahead\InCD\
ProcessID : 1056
ThreadCreationTime : 20-11-2006 08:01:07
BasePriority : Normal
FileVersion : 4, 3, 11, 1
ProductVersion : 4, 3, 11, 1
ProductName : Nero AG incdsrv
CompanyName : Nero AG
FileDescription : incdsrv
InternalName : incdsrv
LegalCopyright : Copyright 1995-2005 Nero AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Nero AG
OriginalFilename : incdsrv.exe
#:10 [svchost.exe]
FilePath : C:\WINXP\System32\
ProcessID : 1204
ThreadCreationTime : 20-11-2006 08:01:11
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:11 [svchost.exe]
FilePath : C:\WINXP\System32\
ProcessID : 1244
ThreadCreationTime : 20-11-2006 08:01:12
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:12 [spoolsv.exe]
FilePath : C:\WINXP\system32\
ProcessID : 1316
ThreadCreationTime : 20-11-2006 08:01:13
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:13 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1448
ThreadCreationTime : 20-11-2006 08:01:19
BasePriority : Normal
FileVersion : 7.5.0.420
ProductVersion : 7.5.0.420
ProductName : AVG 7.5 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE
#:14 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1476
ThreadCreationTime : 20-11-2006 08:01:20
BasePriority : Normal
FileVersion : 7.5.0.420
ProductVersion : 7.5.0.420
ProductName : AVG 7.5 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE
#:15 [avgrssvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1504
ThreadCreationTime : 20-11-2006 08:01:20
BasePriority : Normal
FileVersion : 7.5.0.429
ProductVersion : 7.5.0.429
ProductName : AVG Anti-Virus system
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Resident Shield Service
InternalName : avgrssvc
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgrssvc.exe
#:16 [avgemc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1516
ThreadCreationTime : 20-11-2006 08:01:22
BasePriority : Normal
FileVersion : 7.5.0.429
ProductVersion : 7.5.0.429
ProductName : AVG Anti-Virus system
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgemc.exe
#:17 [ctsvccda.exe]
FilePath : C:\WINXP\System32\
ProcessID : 1608
ThreadCreationTime : 20-11-2006 08:01:25
BasePriority : Normal
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
ProductName : Creative Service for CDROM Access
CompanyName : Creative Technology Ltd
FileDescription : Creative Service for CDROM Access
InternalName : CTsvcCDAEXE
LegalCopyright : Copyright (c) Creative Technology Ltd., 1999. All rights reserved.
OriginalFilename : CTsvcCDA.EXE
#:18 [mcdetect.exe]
FilePath : c:\program files\mcafee.com\agent\
ProcessID : 1716
ThreadCreationTime : 20-11-2006 08:01:29
BasePriority : Normal
FileVersion : 6, 0, 0, 19
ProductVersion : 6, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee WSC Integration Service
InternalName : McDetect
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : McDetect.exe
Comments : McAfee WSC Integration Service
#:19 [mctskshd.exe]
FilePath : c:\PROGRA~1\mcafee.com\agent\
ProcessID : 1760
ThreadCreationTime : 20-11-2006 08:01:33
BasePriority : Normal
FileVersion : 6, 0, 0, 13
ProductVersion : 6, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee Task Scheduler
InternalName : McTskshd
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : McTskshd.exe
#:20 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ProcessID : 1932
ThreadCreationTime : 20-11-2006 08:01:40
BasePriority : Normal
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
ProductName : Microsoft Development Environment
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1997-2000
OriginalFilename : mdm.exe
#:21 [mpfservice.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ProcessID : 1980
ThreadCreationTime : 20-11-2006 08:01:41
BasePriority : Normal
FileVersion : 6.1.0.44
ProductVersion : 6.1.0.44
ProductName : McAfee Personal Firewall
CompanyName : McAfee Corporation
FileDescription : McAfee Personal Firewall Service
InternalName : MPFService
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : MpfService.exe
Comments : McAfee Personal Firewall Service
#:22 [explorer.exe]
FilePath : C:\WINXP\
ProcessID : 2024
ThreadCreationTime : 20-11-2006 08:01:42
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
#:23 [taskmgr.exe]
FilePath : C:\WINXP\system32\
ProcessID : 1092
ThreadCreationTime : 20-11-2006 08:03:38
BasePriority : High
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows TaskManager
InternalName : taskmgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : taskmgr.exe
#:24 [sdhelp.exe]
FilePath : C:\Program Files\Spyware Doctor\
ProcessID : 1900
ThreadCreationTime : 20-11-2006 08:04:25
BasePriority : Normal
FileVersion : 3.6.0.2026
ProductVersion : 3.6
ProductName : Spyware Doctor
CompanyName : PC Tools Research Pty Ltd
#:25 [tcpsvcs.exe]
FilePath : C:\WINXP\System32\
ProcessID : 548
ThreadCreationTime : 20-11-2006 08:04:28
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : TCP/IP Services Application
InternalName : TCPSVCS.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : TCPSVCS.EXE
#:26 [snmp.exe]
FilePath : C:\WINXP\System32\
ProcessID : 156
ThreadCreationTime : 20-11-2006 08:04:30
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : SNMP Service
InternalName : snmp.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : snmp.exe
#:27 [svchost.exe]
FilePath : C:\WINXP\System32\
ProcessID : 1152
ThreadCreationTime : 20-11-2006 08:04:31
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:28 [syslogdm.exe]
FilePath : C:\Program Files\Cisco\PIX Firewall Syslog Server\
ProcessID : 1164
ThreadCreationTime : 20-11-2006 08:04:34
BasePriority : Normal
#:29 [wdfmgr.exe]
FilePath : C:\WINXP\system32\
ProcessID : 1776
ThreadCreationTime : 20-11-2006 08:04:49
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe
#:30 [mspmspsv.exe]
FilePath : C:\WINXP\System32\
ProcessID : 2084
ThreadCreationTime : 20-11-2006 08:04:50
BasePriority : Normal
FileVersion : 7.00.00.1954
ProductVersion : 7.00.00.1954
ProductName : Microsoft (R) DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE
#:31 [svchost.exe]
FilePath : C:\WINXP\system32\
ProcessID : 2096
ThreadCreationTime : 20-11-2006 08:04:50
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:32 [alg.exe]
FilePath : C:\WINXP\System32\
ProcessID : 2780
ThreadCreationTime : 20-11-2006 08:05:18
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe
#:33 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 1684
ThreadCreationTime : 20-11-2006 08:12:32
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE
#:34 [siteadv.exe]
FilePath : C:\Program Files\SiteAdvisor\
ProcessID : 520
ThreadCreationTime : 20-11-2006 08:12:35
BasePriority : Normal
FileVersion : 1.5.0.0
ProductVersion : 1.5.0.0
ProductName : McAfee SiteAdvisor
CompanyName : McAfee
FileDescription : McAfee SiteAdvisor
InternalName : MSA
LegalCopyright : Copyright McAfee, Inc. All rights reserved.
OriginalFilename : SiteAdv
#:35 [swdoctor.exe]
FilePath : C:\PROGRA~1\SPYWAR~1\
ProcessID : 2488
ThreadCreationTime : 20-11-2006 08:12:51
BasePriority : Normal
FileVersion : 4.0.0.2620
ProductVersion : 3.6
ProductName : Spyware Doctor
CompanyName : PC Tools Research Pty Ltd
FileDescription : Spyware Doctor
InternalName : Spyware Doctor
LegalCopyright : Copyright (c) 2005. Distributed by PC Tools Research Pty Ltd
OriginalFilename : swdoctor.exe
#:36 [cmd.exe]
FilePath : C:\WINXP\system32\
ProcessID : 644
ThreadCreationTime : 20-11-2006 08:13:58
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Command Processor
InternalName : cmd
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Cmd.Exe
#:37 [opera.exe]
FilePath : C:\Program Files\Opera\
ProcessID : 1624
ThreadCreationTime : 20-11-2006 08:14:50
BasePriority : Normal
FileVersion : 7700
ProductVersion : 8.50
ProductName : Opera Internet Browser
CompanyName : Opera Software
FileDescription : Opera Internet Browser
InternalName : Opera
LegalCopyright : Copyright © Opera Software 1995-2005
OriginalFilename : Opera.exe
#:38 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 5940
ThreadCreationTime : 18-11-2006 22:34:24
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
#:39 [noadware4.exe]
FilePath : C:\Program Files\NoAdware4\
ProcessID : 256
ThreadCreationTime : 18-11-2006 22:34:52
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Noadware4 Application
FileDescription : Noadware4 Application
InternalName : Noadware4
LegalCopyright : Copyright (C) 2004-2006
OriginalFilename : Noadware4.EXE
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Deep scanning and examining files (F:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for F:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Scanning Hosts file......
Hosts file location:"C:\WINXP\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 0
01:26:13 Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:02:50:26.335
Objects scanned:537207
Objects identified:0
Objects ignored:0
New critical objects:0
/2006 19:07:34 Build type: SHIP UNICODE 3.01.4000.2435 Calling process: C:\WINXP\system32\msiexec.exe ===
MSI (c) (F0:F8) [19:07:34:023]: Resetting cached policy values
MSI (c) (F0:F8) [19:07:34:023]: Machine policy value 'Debug' is 0
MSI (c) (F0:F8) [19:07:34:023]: ******* RunEngine:
******* Product: c:\8a2e36c880be055aa52833\msxml.msi
******* Action:
******* CommandLine: **********
MSI (c) (F0:F8) [19:07:34:033]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (F0:F8) [19:07:34:033]: Grabbed execution mutex.
MSI (c) (F0:F8) [19:07:34:303]: Cloaking enabled.
MSI (c) (F0:F8) [19:07:34:303]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (F0:F8) [19:07:34:343]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (B4:34) [19:07:34:443]: Grabbed execution mutex.
MSI (s) (B4:80) [19:07:34:493]: Resetting cached policy values
MSI (s) (B4:80) [19:07:34:493]: Machine policy value 'Debug' is 0
MSI (s) (B4:80) [19:07:34:493]: ******* RunEngine:
******* Product: c:\8a2e36c880be055aa52833\msxml.msi
******* Action:
******* CommandLine: **********
MSI (s) (B4:80) [19:07:34:503]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (B4:80) [19:07:34:553]: File will have security applied from OpCode.
MSI (s) (B4:80) [19:07:34:714]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'c:\8a2e36c880be055aa52833\msxml.msi' against software restriction policy
MSI (s) (B4:80) [19:07:34:714]: SOFTWARE RESTRICTION POLICY: c:\8a2e36c880be055aa52833\msxml.msi has a digital signature
MSI (s) (B4:80) [19:07:35:545]: SOFTWARE RESTRICTION POLICY: c:\8a2e36c880be055aa52833\msxml.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (B4:80) [19:07:35:545]: End dialog not enabled
MSI (s) (B4:80) [19:07:35:545]: Original package ==> c:\8a2e36c880be055aa52833\msxml.msi
MSI (s) (B4:80) [19:07:35:545]: Package we're running from ==> c:\WINXP\Installer\61709.msi
MSI (s) (B4:80) [19:07:35:595]: APPCOMPAT: looking for appcompat database entry with ProductCode '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'.
MSI (s) (B4:80) [19:07:35:595]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (B4:80) [19:07:35:625]: MSCOREE not loaded loading copy from system32
MSI (s) (B4:80) [19:07:35:815]: Machine policy value 'TransformsSecure' is 0
MSI (s) (B4:80) [19:07:35:815]: User policy value 'TransformsAtSource' is 0
MSI (s) (B4:80) [19:07:35:815]: Machine policy value 'DisablePatch' is 0
MSI (s) (B4:80) [19:07:35:815]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (B4:80) [19:07:35:815]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (B4:80) [19:07:35:815]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (B4:80) [19:07:35:815]: APPCOMPAT: looking for appcompat database entry with ProductCode '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'.
MSI (s) (B4:80) [19:07:35:815]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (B4:80) [19:07:35:815]: Transforms are not secure.
MSI (s) (B4:80) [19:07:35:825]: Command Line: REBOOT=ReallySuppress CURRENTDIRECTORY=c:\8a2e36c880be055aa52833 CLIENTUILEVEL=3 CLIENTPROCESSID=4080
MSI (s) (B4:80) [19:07:35:825]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{2B27DCD9-53FA-4885-B6CD-698623819F4C}'.
MSI (s) (B4:80) [19:07:35:825]: Product Code passed to Engine.Initialize: ''
MSI (s) (B4:80) [19:07:35:825]: Product Code from property table before transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (B4:80) [19:07:35:825]: Product Code from property table after transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (B4:80) [19:07:35:825]: Product not registered: beginning first-time install
MSI (s) (B4:80) [19:07:35:825]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (s) (B4:80) [19:07:35:825]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (B4:80) [19:07:35:825]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (B4:80) [19:07:35:855]: Adding new sources is allowed.
MSI (s) (B4:80) [19:07:35:855]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (s) (B4:80) [19:07:35:855]: Package name extracted from package path: 'msxml.msi'
MSI (s) (B4:80) [19:07:35:865]: Package to be registered: 'msxml.msi'
MSI (s) (B4:80) [19:07:35:865]: Note: 1: 2729
MSI (s) (B4:80) [19:07:35:865]: Note: 1: 2729
MSI (s) (B4:80) [19:07:35:865]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (B4:80) [19:07:35:865]: Machine policy value 'DisableMsi' is 0
MSI (s) (B4:80) [19:07:35:865]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (B4:80) [19:07:35:865]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (B4:80) [19:07:35:865]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (B4:80) [19:07:35:865]: Running product '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}' with elevated privileges: Product is assigned.
MSI (s) (B4:80) [19:07:35:875]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'.
MSI (s) (B4:80) [19:07:35:875]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'c:\8a2e36c880be055aa52833'.
MSI (s) (B4:80) [19:07:35:875]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
MSI (s) (B4:80) [19:07:35:875]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '4080'.
MSI (s) (B4:80) [19:07:35:875]: TRANSFORMS property is now:
MSI (s) (B4:80) [19:07:35:875]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
MSI (s) (B4:80) [19:07:35:875]: SHELL32::SHGetFolderPath returned: C:\WINXP\system32\config\systemprofile\Application Data
MSI (s) (B4:80) [19:07:35:885]: SHELL32::SHGetFolderPath returned: C:\WINXP\system32\config\systemprofile\Favorites
MSI (s) (B4:80) [19:07:35:885]: SHELL32::SHGetFolderPath returned: C:\WINXP\system32\config\systemprofile\NetHood
MSI (s) (B4:80) [19:07:35:895]: SHELL32::SHGetFolderPath returned: C:\WINXP\system32\config\systemprofile\My Documents
MSI (s) (B4:80) [19:07:35:905]: SHELL32::SHGetFolderPath returned: C:\WINXP\system32\config\systemprofile\PrintHood
MSI (s) (B4:80) [19:07:35:905]: SHELL32::SHGetFolderPath returned: C:\WINXP\system32\config\systemprofile\Recent
MSI (s) (B4:80) [19:07:35:915]: SHELL32::SHGetFolderPath returned: C:\WINXP\system32\config\systemprofile\SendTo
MSI (s) (B4:80) [19:07:35:915]: SHELL32::SHGetFolderPath returned: C:\WINXP\system32\config\systemprofile\Templates
MSI (s) (B4:80) [19:07:35:925]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Application Data
MSI (s) (B4:80) [19:07:35:925]: SHELL32::SHGetFolderPath returned: C:\WINXP\system32\config\systemprofile\Local Settings\Application Data
MSI (s) (B4:80) [19:07:35:935]: SHELL32::SHGetFolderPath returned: C:\WINXP\system32\config\systemprofile\My Documents\My Pictures
MSI (s) (B4:80) [19:07:35:955]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
MSI (s) (B4:80) [19:07:36:055]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
MSI (s) (B4:80) [19:07:36:055]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs
MSI (s) (B4:80) [19:07:36:065]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu
MSI (s) (B4:80) [19:07:36:076]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Desktop
MSI (s) (B4:80) [19:07:36:166]: SHELL32::SHGetFolderPath returned: C:\WINXP\system32\config\systemprofile\Start Menu\Programs\Administrative Tools
MSI (s) (B4:80) [19:07:36:246]: SHELL32::SHGetFolderPath returned: C:\WINXP\system32\config\systemprofile\Start Menu\Programs\Startup
MSI (s) (B4:80) [19:07:36:246]: SHELL32::SHGetFolderPath returned: C:\WINXP\system32\config\systemprofile\Start Menu\Programs
MSI (s) (B4:80) [19:07:36:256]: SHELL32::SHGetFolderPath returned: C:\WINXP\system32\config\systemprofile\Start Menu
MSI (s) (B4:80) [19:07:36:256]: SHELL32::SHGetFolderPath returned: C:\WINXP\system32\config\systemprofile\Desktop
MSI (s) (B4:80) [19:07:36:286]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Templates
MSI (s) (B4:80) [19:07:36:286]: SHELL32::SHGetFolderPath returned: C:\WINXP\Fonts
MSI (s) (B4:80) [19:07:36:306]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
MSI (s) (B4:80) [19:07:36:316]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (s) (B4:80) [19:07:36:316]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (B4:80) [19:07:36:316]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Rushour'.
MSI (s) (B4:80) [19:07:36:316]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (B4:80) [19:07:36:316]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'c:\WINXP\Installer\61709.msi'.
MSI (s) (B4:80) [19:07:36:316]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'c:\8a2e36c880be055aa52833\msxml.msi'.
MSI (s) (B4:80) [19:07:36:316]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (B4:80) [19:07:36:316]: Machine policy value 'DisableRollback' is 0
MSI (s) (B4:80) [19:07:36:316]: User policy value 'DisableRollback' is 0
MSI (s) (B4:80) [19:07:36:316]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
=== Logging started: 17/11/2006 19:07:36 ===
MSI (s) (B4:80) [19:07:36:326]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (s) (B4:80) [19:07:36:326]: Doing action: INSTALL
MSI (s) (B4:80) [19:07:36:346]: Running ExecuteSequence
MSI (s) (B4:80) [19:07:36:346]: Doing action: DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901
Action start 19:07:36: INSTALL.
MSI (s) (B4:80) [19:07:36:346]: PROPERTY CHANGE: Adding DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'C:\Documents and Settings\All Users\Desktop\'.
Action start 19:07:36: DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901.
MSI (s) (B4:80) [19:07:36:356]: Doing action: ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901
Action ended 19:07:36: DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901. Return value 1.
MSI (s) (B4:80) [19:07:36:356]: PROPERTY CHANGE: Adding ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'C:\Documents and Settings\All Users\Start Menu\Programs\'.
Action start 19:07:36: ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901.
MSI (s) (B4:80) [19:07:36:356]: Doing action: WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537
Action ended 19:07:36: ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901. Return value 1.
MSI (s) (B4:80) [19:07:36:366]: PROPERTY CHANGE: Adding WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'C:\WINXP\'.
Action start 19:07:36: WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537.
MSI (s) (B4:80) [19:07:36:366]: Doing action: SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537
Action ended 19:07:36: WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537. Return value 1.
MSI (s) (B4:80) [19:07:36:376]: PROPERTY CHANGE: Adding SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'C:\WINXP\system32\'.
Action start 19:07:36: SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537.
MSI (s) (B4:80) [19:07:36:376]: Doing action: WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537
Action ended 19:07:36: SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537. Return value 1.
MSI (s) (B4:80) [19:07:36:376]: PROPERTY CHANGE: Adding WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'C:\WINXP\'.
Action start 19:07:36: WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537.
MSI (s) (B4:80) [19:07:36:386]: Doing action: SystemFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537
Action ended 19:07:36: WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537. Return value 1.
MSI (s) (B4:80) [19:07:36:386]: PROPERTY CHANGE: Adding SystemFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'C:\WINXP\system32\'.
Action start 19:07:36: SystemFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537.
MSI (s) (B4:80) [19:07:36:396]: Doing action: WindowsFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537
Action ended 19:07:36: SystemFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537. Return value 1.
MSI (s) (B4:80) [19:07:36:396]: PROPERTY CHANGE: Adding WindowsFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'C:\WINXP\'.
Action start 19:07:36: WindowsFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537.
MSI (s) (B4:80) [19:07:36:396]: Doing action: SystemFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537
Action ended 19:07:36: WindowsFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537. Return value 1.
MSI (s) (B4:80) [19:07:36:406]: PROPERTY CHANGE: Adding SystemFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'C:\WINXP\system32\'.
Action start 19:07:36: SystemFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537.
MSI (s) (B4:80) [19:07:36:406]: Doing action: SystemFolder.FA0F135B_0C6B_485B_9A27_5A4A5044D5AB
Action ended 19:07:36: SystemFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537. Return value 1.
MSI (s) (B4:80) [19:07:36:406]: PROPERTY CHANGE: Adding SystemFolder.FA0F135B_0C6B_485B_9A27_5A4A5044D5AB property. Its value is 'C:\WINXP\system32\'.
Action start 19:07:36: SystemFolder.FA0F135B_0C6B_485B_9A27_5A4A5044D5AB.
MSI (s) (B4:80) [19:07:36:416]: Doing action: SystemFolder.781A0624_31FF_4712_BFFD_31C829FFDBF1
Action ended 19:07:36: SystemFolder.FA0F135B_0C6B_485B_9A27_5A4A5044D5AB. Return value 1.
MSI (s) (B4:80) [19:07:36:416]: PROPERTY CHANGE: Adding SystemFolder.781A0624_31FF_4712_BFFD_31C829FFDBF1 property. Its value is 'C:\WINXP\system32\'.
Action start 19:07:36: SystemFolder.781A0624_31FF_4712_BFFD_31C829FFDBF1.
MSI (s) (B4:80) [19:07:36:416]: Doing action: SystemFolder.246EB7AD_459A_4FA8_83D1_41A46D7634B7
Action ended 19:07:36: SystemFolder.781A0624_31FF_4712_BFFD_31C829FFDBF1. Return value 1.
MSI (s) (B4:80) [19:07:36:426]: PROPERTY CHANGE: Adding SystemFolder.246EB7AD_459A_4FA8_83D1_41A46D7634B7 property. Its value is 'C:\WINXP\system32\'.
Action start 19:07:36: SystemFolder.246EB7AD_459A_4FA8_83D1_41A46D7634B7.
MSI (s) (B4:80) [19:07:36:426]: Doing action: LaunchConditions
Action ended 19:07:36: SystemFolder.246EB7AD_459A_4FA8_83D1_41A46D7634B7. Return value 1.
Action start 19:07:36: LaunchConditions.
MSI (s) (B4:80) [19:07:36:426]: Doing action: FindRelatedProducts
Action ended 19:07:36: LaunchConditions. Return value 1.
Action start 19:07:36: FindRelatedProducts.
MSI (s) (B4:80) [19:07:36:436]: Doing action: AppSearch
Action ended 19:07:36: FindRelatedProducts. Return value 1.
Action start 19:07:36: AppSearch.
MSI (s) (B4:80) [19:07:36:446]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (s) (B4:80) [19:07:36:446]: PROPERTY CHANGE: Adding WINHTTP_51 property. Its value is 'WinHttpRequest Component version 5.1'.
MSI (s) (B4:80) [19:07:36:446]: Skipping action: CCPSearch (condition is false)
MSI (s) (B4:80) [19:07:36:446]: Skipping action: RMCCPSearch (condition is false)
MSI (s) (B4:80) [19:07:36:446]: Doing action: ValidateProductID
Action ended 19:07:36: AppSearch. Return value 1.
Action start 19:07:36: ValidateProductID.
MSI (s) (B4:80) [19:07:36:456]: Doing action: CostInitialize
Action ended 19:07:36: ValidateProductID. Return value 1.
MSI (s) (B4:80) [19:07:36:456]: Machine policy value 'MaxPatchCacheSize' is 10
Action start 19:07:36: CostInitialize.
MSI (s) (B4:80) [19:07:36:546]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'c:\'.
MSI (s) (B4:80) [19:07:36:546]: PROPERTY CHANGE: Adding CostingComplete property. Its value is '0'.
MSI (s) (B4:80) [19:07:36:546]: Note: 1: 2205 2: 3: Patch
MSI (s) (B4:80) [19:07:36:546]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (B4:80) [19:07:36:546]: Note: 1: 2205 2: 3: MsiPatchHeaders
MSI (s) (B4:80) [19:07:36:546]: Note: 1: 2205 2: 3: __MsiPatchFileList
MSI (s) (B4:80) [19:07:36:546]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (B4:80) [19:07:36:546]: Note: 1: 2228 2: 3: PatchPackage 4: SELECT `DiskId`, `PatchId`, `LastSequence` FROM `Media`, `PatchPackage` WHERE `Media`.`DiskId`=`PatchPackage`.`Media_` ORDER BY `DiskId`
MSI (s) (B4:80) [19:07:36:556]: Doing action: FileCost
Action ended 19:07:36: CostInitialize. Return value 1.
MSI (s) (B4:80) [19:07:36:576]: Note: 1: 2262 2: Extension 3: -2147287038
Action start 19:07:36: FileCost.
MSI (s) (B4:80) [19:07:36:586]: Doing action: CostFinalize
Action ended 19:07:36: FileCost. Return value 1.
MSI (s) (B4:80) [19:07:36:606]: PROPERTY CHANGE: Adding OutOfDiskSpace property. Its value is '0'.
MSI (s) (B4:80) [19:07:36:606]: PROPERTY CHANGE: Adding OutOfNoRbDiskSpace property. Its value is '0'.
MSI (s) (B4:80) [19:07:36:606]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceAvailable property. Its value is '0'.
MSI (s) (B4:80) [19:07:36:606]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRequired property. Its value is '0'.
MSI (s) (B4:80) [19:07:36:606]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRemaining property. Its value is '0'.
MSI (s) (B4:80) [19:07:36:606]: Note: 1: 2205 2: 3: Patch
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'c:\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Modifying WindowsFolder property. Its current value is 'C:\WINXP\'. Its new value: 'c:\WINXP\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Modifying CommonFilesFolder property. Its current value is 'C:\Program Files\Common Files\'. Its new value: 'c:\Program Files\Common Files\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding MicrosoftShared.3FB7DAB3_19E7_40A0_8730_4482CE77AC59 property. Its value is 'c:\Program Files\Common Files\Microsoft Shared\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding MSDN.3FB7DAB3_19E7_40A0_8730_4482CE77AC59 property. Its value is 'c:\Program Files\Common Files\Microsoft Shared\MSDN\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Modifying WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its current value is 'C:\WINXP\'. Its new value: 'c:\WINXP\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Modifying SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its current value is 'C:\WINXP\system32\'. Its new value: 'c:\WINXP\system32\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding WinSxsDirectory.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding policydir_ul.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_ff05e224\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding payload.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_ff05e224\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding WinSxsManifests.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\Manifests\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding WinSxsPolicies.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\Policies\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding policydir.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding payload_ul.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_a6dfa6920e9f98fc\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Modifying WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its current value is 'C:\WINXP\'. Its new value: 'c:\WINXP\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Modifying SystemFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its current value is 'C:\WINXP\system32\'. Its new value: 'c:\WINXP\system32\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding WinSxsDirectory.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding policydir_ul.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding WinSxsPolicies.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\Policies\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding policydir.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\Policies\x86_Microsoft.MSXML2R_6bd6b9abf345378f_x-ww_f529d679\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding WinSxsManifests.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\Manifests\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding payload.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding payload_ul.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Modifying WindowsFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its current value is 'C:\WINXP\'. Its new value: 'c:\WINXP\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Modifying SystemFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its current value is 'C:\WINXP\system32\'. Its new value: 'c:\WINXP\system32\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding WinSxsDirectory.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding policydir_ul.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding WinSxsPolicies.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\Policies\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding policydir.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\Policies\x86_Microsoft.MSXML2_6bd6b9abf345378f_x-ww_b261cf09\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding WinSxsManifests.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\Manifests\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding payload.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Adding payload_ul.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINXP\winsxs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_b7e10f227b2fceff\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Modifying SystemFolder.FA0F135B_0C6B_485B_9A27_5A4A5044D5AB property. Its current value is 'C:\WINXP\system32\'. Its new value: 'c:\WINXP\system32\'.
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Modifying SystemFolder.781A0624_31FF_4712_BFFD_31C829FFDBF1 property. Its current value is 'C:\WINXP\system32\'. Its new value: 'c:\WINXP\system32\'.
MSI (s) (B4:80) [19:07:36:626]: PROPERTY CHANGE: Modifying SystemFolder.246EB7AD_459A_4FA8_83D1_41A46D7634B7 property. Its current value is 'C:\WINXP\system32\'. Its new value: 'c:\WINXP\system32\'.
MSI (s) (B4:80) [19:07:36:626]: PROPERTY CHANGE: Modifying DesktopFolder property. Its current value is 'C:\Documents and Settings\All Users\Desktop\'. Its new value: 'c:\Documents and Settings\All Users\Desktop\'.
MSI (s) (B4:80) [19:07:36:626]: PROPERTY CHANGE: Modifying ProgramFilesFolder property. Its current value is 'C:\Program Files\'. Its new value: 'c:\Program Files\'.
MSI (s) (B4:80) [19:07:36:626]: PROPERTY CHANGE: Adding MSXML property. Its value is 'c:\Program Files\MSXML 4.0\'.
MSI (s) (B4:80) [19:07:36:626]: PROPERTY CHANGE: Adding INC.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'c:\Program Files\MSXML 4.0\inc\'.
MSI (s) (B4:80) [19:07:36:626]: PROPERTY CHANGE: Adding LIB.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'c:\Program Files\MSXML 4.0\lib\'.
MSI (s) (B4:80) [19:07:36:626]: PROPERTY CHANGE: Adding DOC.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'c:\Program Files\MSXML 4.0\doc\'.
MSI (s) (B4:80) [19:07:36:636]: PROPERTY CHANGE: Modifying ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901 property. Its current value is 'C:\Documents and Settings\All Users\Start Menu\Programs\'. Its new value: 'c:\Documents and Settings\All Users\Start Menu\Programs\'.
MSI (s) (B4:80) [19:07:36:636]: PROPERTY CHANGE: Adding MenuMSXML.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'c:\Documents and Settings\All Users\Start Menu\Programs\MSXML 4.0\'.
MSI (s) (B4:80) [19:07:36:636]: PROPERTY CHANGE: Modifying DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901 property. Its current value is 'C:\Documents and Settings\All Users\Desktop\'. Its new value: 'c:\Documents and Settings\All Users\Desktop\'.
MSI (s) (B4:80) [19:07:36:656]: Target path resolution complete. Dumping Directory table...
MSI (s) (B4:80) [19:07:36:656]: Note: target paths subject to change (via custom actions or browsing)
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: TARGETDIR , Object: c:\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: WindowsFolder , Object: c:\WINXP\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: CommonFilesFolder , Object: c:\Program Files\Common Files\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: MicrosoftShared.3FB7DAB3_19E7_40A0_8730_4482CE77AC59 , Object: c:\Program Files\Common Files\Microsoft Shared\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: MSDN.3FB7DAB3_19E7_40A0_8730_4482CE77AC59 , Object: c:\Program Files\Common Files\Microsoft Shared\MSDN\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINXP\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINXP\system32\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: WinSxsDirectory.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: policydir_ul.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_ff05e224\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: payload.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_ff05e224\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: WinSxsManifests.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\Manifests\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: WinSxsPolicies.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\Policies\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: policydir.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: payload_ul.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_a6dfa6920e9f98fc\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINXP\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: SystemFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINXP\system32\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: WinSxsDirectory.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: policydir_ul.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: WinSxsPolicies.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\Policies\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: policydir.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\Policies\x86_Microsoft.MSXML2R_6bd6b9abf345378f_x-ww_f529d679\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: WinSxsManifests.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\Manifests\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: payload.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: payload_ul.DA6654F6_456F_3658_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: WindowsFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINXP\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: SystemFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINXP\system32\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: WinSxsDirectory.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: policydir_ul.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: WinSxsPolicies.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\Policies\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: policydir.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\Policies\x86_Microsoft.MSXML2_6bd6b9abf345378f_x-ww_b261cf09\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: WinSxsManifests.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\Manifests\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: payload.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: payload_ul.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 , Object: c:\WINXP\winsxs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_b7e10f227b2fceff\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: SystemFolder.FA0F135B_0C6B_485B_9A27_5A4A5044D5AB , Object: c:\WINXP\system32\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: SystemFolder.781A0624_31FF_4712_BFFD_31C829FFDBF1 , Object: c:\WINXP\system32\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: SystemFolder.246EB7AD_459A_4FA8_83D1_41A46D7634B7 , Object: c:\WINXP\system32\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: DesktopFolder , Object: c:\Documents and Settings\All Users\Desktop\
Perhaps you can see some of what went on now?
The log files are too big to add in full and attachment fails.
thanks,
Richard.
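The trace above is a Windows Installer verbose log of an msxml.msi package being installed; the directories it resolves are the standard WinSxS and Program Files\MSXML 4.0 locations. When reading one of these, the things worth checking are which package actually ran, whether any action returned something other than 1 (success), and whether any target directory lies outside the usual Windows and Program Files roots. The following summariser is an added example written for this page, not a tool from the thread or from Microsoft. The sample lines are copied from the log above, except the `TOOLS` directory line, which is constructed to show how an unusual target is reported.

```python
"""Summarise a Windows Installer verbose log: package, action results,
target directories. Added example, not part of the thread."""
import re
from collections import Counter

# Constructed sample: real lines from the msxml.msi log above plus one
# made-up Dir (target) line (key TOOLS) so the unexpected-directory check fires.
SAMPLE_MSI_LOG = r"""
MSI (s) (B4:80) [19:07:36:316]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'c:\WINXP\Installer\61709.msi'.
MSI (s) (B4:80) [19:07:36:316]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'c:\8a2e36c880be055aa52833\msxml.msi'.
MSI (s) (B4:80) [19:07:36:316]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (B4:80) [19:07:36:326]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
Action start 19:07:36: INSTALL.
Action start 19:07:36: DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901.
Action ended 19:07:36: DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901. Return value 1.
MSI (s) (B4:80) [19:07:36:446]: Skipping action: CCPSearch (condition is false)
MSI (s) (B4:80) [19:07:36:616]: PROPERTY CHANGE: Modifying WindowsFolder property. Its current value is 'C:\WINXP\'. Its new value: 'c:\WINXP\'.
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: TARGETDIR , Object: c:\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: SystemFolder.FA0F135B_0C6B_485B_9A27_5A4A5044D5AB , Object: c:\WINXP\system32\
MSI (s) (B4:80) [19:07:36:656]: Dir (target): Key: TOOLS , Object: c:\temp\tools\
Action ended 19:07:36: LaunchConditions. Return value 1.
"""

ADD_RE = re.compile(r"PROPERTY CHANGE: Adding (\S+) property\. Its value is '([^']*)'")
MOD_RE = re.compile(r"PROPERTY CHANGE: Modifying (\S+) property\. .*Its new value: '([^']*)'")
END_RE = re.compile(r"^Action ended \d\d:\d\d:\d\d: (\S+)\. Return value (\d+)\.")
SKIP_RE = re.compile(r"Skipping action: (\S+) \(")
DIR_RE = re.compile(r"Dir \(target\): Key: (\S+) , Object: (.*)$")
NOTE_RE = re.compile(r"Note: 1: (\d+)")

# Windows Installer action return values (1 is the only clean result).
RETURN_MEANINGS = {0: "not executed", 1: "success", 2: "user exit", 3: "fatal error", 4: "suspended"}
# Roots a normal application package writes under; anything else is reported.
EXPECTED_ROOTS = ("c:\\winxp\\", "c:\\windows\\", "c:\\program files\\",
                  "c:\\documents and settings\\all users\\")


def _is_expected_dir(path):
    p = path.lower()
    if re.fullmatch(r"[a-z]:\\", p):      # bare drive root (TARGETDIR / ROOTDRIVE)
        return True
    return p.startswith(EXPECTED_ROOTS)


def summarize_msi_log(text):
    props, actions, skipped, dirs, notes = {}, {}, [], {}, Counter()
    for line in text.splitlines():
        if (m := ADD_RE.search(line)) or (m := MOD_RE.search(line)):
            props[m.group(1)] = m.group(2)          # last value wins, as in the engine
        elif m := END_RE.match(line):
            actions[m.group(1)] = int(m.group(2))
        elif m := SKIP_RE.search(line):
            skipped.append(m.group(1))
        elif m := DIR_RE.search(line):
            dirs[m.group(1)] = m.group(2).strip()
        elif m := NOTE_RE.search(line):
            notes[int(m.group(1))] += 1             # e.g. 2205 = table absent; routine for unpatched packages
    return {
        "package": props.get("DATABASE"),
        "original_package": props.get("OriginalDatabase"),
        "top_level_action": props.get("ACTION"),
        "actions": actions,
        "failed_actions": [(n, RETURN_MEANINGS.get(rc, "unknown")) for n, rc in actions.items() if rc != 1],
        "skipped_actions": skipped,
        "note_codes": dict(notes),
        "target_dirs": dirs,
        "unexpected_dirs": [(k, v) for k, v in dirs.items() if not _is_expected_dir(v)],
    }


if __name__ == "__main__":
    summary = summarize_msi_log(SAMPLE_MSI_LOG)
    for key in ("package", "original_package", "top_level_action", "failed_actions", "unexpected_dirs"):
        print(f"{key}: {summary[key]}")
```

Run it over a full `msiexec /l*v` log and look first at `failed_actions` and `unexpected_dirs`; the `Note: 1: 2205` lines that worried the poster are the engine reporting that optional patch tables are absent from the package, which every unpatched MSI produces.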
HKEY_CLASSES_ROOT is full of shortcuts, plugins, SQL Server (which I didn't think I'd installed) and engines... Please do not tell me again that this has not been hacked.
Save HJTsetup.exe to your desktop.
- Double click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
- Name the log "HJTLog" (or something similar) and save it on your desktop & post that log here
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Many thanks, this now runs but I couldn't even get it downloaded before... I tried. Note that the date has been wound back and is today.
Logfile of HijackThis v1.99.1
Scan saved at 08:28:38, on 17/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\csrss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINXP\System32\CTsvcCDA.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINXP\system32\taskmgr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINXP\System32\tcpsvcs.exe
C:\WINXP\System32\snmp.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Cisco\PIX Firewall Syslog Server\syslogdm.exe
C:\WINXP\system32\wdfmgr.exe
C:\WINXP\System32\MsPMSPSv.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\alg.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\WINXP\system32\cmd.exe
C:\Program Files\Opera\Opera.exe
C:\WINXP\explorer.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\NoAdware4\NoAdware4.exe
C:\WINXP\system32\wpabaln.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINXP\system32\msiexec.exe
C:\WINXP\system32\verclsid.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\saIE.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\saIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINXP\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAgentExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {066040F0-5018-4E15-8AA0-81D36136D989} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120732936726
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://www.anonymizer.com/anti-spyware/2.6/freescanner/WebAAS.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2881969-C95A-4C7E-AE5C-984BC53D5A4B}: NameServer = 212.67.120.148,212.67.96.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{A2881969-C95A-4C7E-AE5C-984BC53D5A4B}: NameServer = 212.67.120.148,212.67.96.129
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINXP\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINXP\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: PIX Firewall Syslog Server (syslogd) - Unknown owner - C:\Program Files\Cisco\PIX Firewall Syslog Server\syslogdm.exe
thanks again,
Richard.
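Reading a HijackThis log by hand means scanning for a handful of patterns: entries whose target file is gone (`(no file)`, `(file missing)`), O15 protocol defaults moved into the My Computer zone, O17 DNS overrides, O23 services with no publisher, and O4 autoruns that name a bare file rather than a full path and so get resolved through the search order. The triage script below is an added example written for this page, not a HijackThis feature or anything the helper posted. Its sample input is a constructed subset of the entry types in the log above; the severity labels are this example's own judgement, not a verdict on the poster's machine.

```python
"""Triage a HijackThis 1.99.x log: flag entries worth a second look.
Added example, not part of the thread or of HijackThis itself."""
import re

# Constructed sample: a subset of the entry types seen in the log posted above.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2881969-C95A-4C7E-AE5C-984BC53D5A4B}: NameServer = 212.67.120.148,212.67.96.129
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
"""

# HJT entries are "<section> - <body>", sections R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


def _autorun_command(body):
    """Command part of an O4 entry ('[Name] cmd' or 'X.lnk = path'), or None."""
    m = re.search(r"\] (.+)$", body) or re.search(r"\.lnk = (.+)$", body)
    return m.group(1).strip() if m else None


def _has_absolute_path(cmd):
    return re.match(r'^"?[A-Za-z]:\\', cmd) is not None


def _assess(section, body):
    """Return (severity, reason) pairs for one entry; empty list means nothing to say."""
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append(("medium", "registration points at a file that no longer exists (orphaned, renamed or deleted)"))
    if section == "O15" and "should be" in body:
        reasons.append(("high", "protocol mapped into the My Computer zone, which lifts IE's Internet-zone restrictions"))
    if section == "O17":
        reasons.append(("info", "explicit DNS servers set; confirm they belong to the ISP before keeping them"))
    if section == "O23" and "Unknown owner" in body:
        reasons.append(("low", "service binary carries no publisher information"))
    if section == "O4":
        cmd = _autorun_command(body)
        if cmd and not _has_absolute_path(cmd):
            reasons.append(("medium", "autorun command has no absolute path; resolved via the search order (file-planting risk)"))
    if section == "R3" and "missing" in body:
        reasons.append(("info", "default URLSearchHook absent; usually left behind by earlier cleanup, harmless alone"))
    return reasons


def triage(log_text):
    """Parse a HijackThis log and return findings sorted by severity."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        for severity, reason in _assess(m.group("section"), m.group("body")):
            findings.append({"severity": severity, "section": m.group("section"),
                             "reason": reason, "entry": raw.strip()})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


def summarize(findings):
    """Count findings per severity level."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LOG)
    for f in results:
        print(f"[{f['severity']:6}] {f['section']:4} {f['reason']}\n         {f['entry']}")
    print(summarize(results))
```

The script deliberately does not decide that anything is malicious: a `(no file)` BHO is exactly what an uninstalled Google Toolbar leaves behind, and an `Unknown owner` service is what HJT prints when a binary has no version resource. Its job is to shorten the list a human has to read, in the same way the helper's "DO NOT have Hijack This fix anything yet" warning keeps the decision with the person looking at the log.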
http://www.atribune.org/ccount/click.php?id=1
It is a stand-alone program that does not need to be "installed". Save it to a convenient location and make a shortcut on your desktop.
Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.
Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu then
You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
- Install AVG Anti-Spyware by double clicking the installer.
- Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
- On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update successful message.
- Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido: AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
Once in Safe Mode: Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
- Click on Scanner on the toolbar.
- Click on the Settings tab.
- Under How to act?
- Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
- All checkboxes should be ticked.
- Under Possibly unwanted software:
- All checkboxes should be ticked.
- Under Reports:
- Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
- Select Scan every file.
- Click on the Scan tab.
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
- When the scan has finished, follow the instructions below.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)

- When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode, then please post back the AVG log and a new HJT log.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Spyware & Virus Removal Forum
If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.
Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
If you are not the user who started this thread, you must start a new Thread instead