
TDS 3 Newbie -- ?Mutant trojans


redhawkeagle
September 7th, 2004, 11:50 AM
When I run a deep scan on my system it shows three alarms:
pos id <adv>: Possible webDownloader in C:\documents and settings\all users\documents\ss.exe

pos id; Demo.Leaktest 1.1 (not a trojan): File: C:\documents and settings\monty\my documents\my received files\leaktest.exe

suspicious filename: Dual extensions
File: C:\program files\kazaa\my shared folder\procreate knockout v.2.0.exe


What do I do to run the advanced analysis on the possible webdownloader?
Do I just delete the demo.leaktest? What about the dual extensions?

Most importantly though, the Memory Mutex scan shows no mutex trojans. However, when I use SysInternals Process Explorer it shows several svchost.exe processes that show Mutant entries. Also, when I pull up the properties a few of them show a Logon SID (S-1-5-5-0-616890) under the Group entry, not to mention NT AUTHORITY\Authenticated Users.

I have been working on this for weeks now because originally my system was acting funny and it showed a lot of processes running. However, no amount of scans could find anything. Nor could anyone at the pcpitstop forums.

Can you help me?
Thanks!

redhawkeagle
September 7th, 2004, 12:07 PM
Oops! I forgot to add this....

in my svchost.exe 1540 Properties under Process Explorer

the TCP/IP tab shows these entries:

TCP   carrie:1025     carrie:0   LISTENING
TCP   carrie:3002     carrie:0   LISTENING
TCP   carrie:3003     carrie:0   LISTENING
UDP   carrie:radius   *.*
UDP   carrie:radacct  *.*
UDP   carrie:1645     *.*
UDP   carrie:1646     *.*
UDP   carrie:ntp      *.*
UDP   carrie:3004     *.*
UDP   carrie:3005     *.*
UDP   carrie:ntp      *.*

Are these ports supposed to be open? Should I be concerned?

Thank you

Pilli
September 7th, 2004, 12:10 PM
Hi redhawkeagle, there are a couple of things that you can do.
Firstly, see if you can grab a copy of those files, zip them up and send them to: submit@diamondcs.com.au for analysis.

Secondly, go here: http://www.diamondcs.com.au/index.php?page=products and download Autostart Viewer:

From the menu options select all three items.
Save to a text file and copy and paste here, be careful to edit out any personal information before posting.

Thanks. Pilli

redhawkeagle
September 7th, 2004, 02:55 PM
Okay, silly question here --- how do you grab a copy of the files that you requested?

redhawkeagle
September 7th, 2004, 03:52 PM
:o Wow! Here is the information from the AutoStart that you asked for. Thanks for all your help!


DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Monty@CARRIE, 09-07-2004
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\srmclean
C:\Cpqs\Scom\srmclean.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kaspersky Anti-Virus Lite
C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TuneUp MemOptimizer
C:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\Tasks\1-Click Maintenance.job
C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
C:\WINDOWS\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk.disabled
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
C:\Program Files\WinZip\WZQKPICK.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\System32\dcsws2.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
C:\WINDOWS\INF\unregmp2.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components\>{9A5A76F5-042A-4336-B7C6-E3B729E324A2}\
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}\
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}\
C:\WINDOWS\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
regsvr32.exe /s /n /i:U shell32.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
C:\WINDOWS\system32\ie4uinit.exe
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINDOWS\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\Alerter\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\AppMgmt\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Ati HotKey Poller\
C:\WINDOWS\System32\Ati2evxx.exe
HKLM\System\CurrentControlSet\Services\AudioSrv\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\AvgCore\
\??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys
HKLM\System\CurrentControlSet\Services\AvgFsh\
\??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys
HKLM\System\CurrentControlSet\Services\Browser\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Cnxtdiag\
C:\WINDOWS\System32\DRIVERS\cnxtdiag.sys
HKLM\System\CurrentControlSet\Services\Compaq_RBA\
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
HKLM\System\CurrentControlSet\Services\COMSysApp\
C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
HKLM\System\CurrentControlSet\Services\CryptSvc\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINDOWS\System32\svchost.exe -k NetworkService
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\Fallback\
C:\WINDOWS\System32\DRIVERS\C4C_FALL.sys
HKLM\System\CurrentControlSet\Services\Fsks\
C:\WINDOWS\System32\DRIVERS\C4C_FSKS.sys
HKLM\System\CurrentControlSet\Services\helpsvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ImapiService\
C:\WINDOWS\System32\Imapi.exe
HKLM\System\CurrentControlSet\Services\K56\
C:\WINDOWS\System32\DRIVERS\C4C_K56K.sys
HKLM\System\CurrentControlSet\Services\KAVMonitorService\
C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
HKLM\System\CurrentControlSet\Services\lanmanserver\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\MDM\
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
HKLM\System\CurrentControlSet\Services\mdmxsdk\
C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
HKLM\System\CurrentControlSet\Services\NetDDE\
C:\WINDOWS\system32\netdde.exe
HKLM\System\CurrentControlSet\Services\NetDDEdsdm\
C:\WINDOWS\system32\netdde.exe
HKLM\System\CurrentControlSet\Services\NtLmSsp\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\pavdrv\
C:\WINDOWS\System32\DRIVERS\pavdrv51.sys
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\RDSessMgr\
C:\WINDOWS\system32\sessmgr.exe
HKLM\System\CurrentControlSet\Services\RemoteAccess\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\RpcLocator\
C:\WINDOWS\System32\locator.exe
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINDOWS\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\RSVP\
C:\WINDOWS\System32\rsvp.exe
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SharedAccess\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ShellHWDetection\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SoftFax\
C:\WINDOWS\System32\DRIVERS\C4C_FAXX.sys
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINDOWS\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\srservice\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SSDPSRV\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\stisvc\
C:\WINDOWS\System32\svchost.exe -k imgsvc
HKLM\System\CurrentControlSet\Services\Themes\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Tones\
C:\WINDOWS\System32\DRIVERS\C4C_TONE.sys
HKLM\System\CurrentControlSet\Services\uploadmgr\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\upnphost\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\V124\
C:\WINDOWS\System32\DRIVERS\C4C_V124.sys
HKLM\System\CurrentControlSet\Services\W32Time\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WebClient\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\winmgmt\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WmiApSrv\
C:\WINDOWS\System32\wbem\wmiapsrv.exe
HKLM\System\CurrentControlSet\Services\wuauserv\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WZCSVC\
C:\WINDOWS\System32\svchost.exe -k netsvcs

Tassie_Devils
September 7th, 2004, 10:23 PM
Hello Redhawkeagle :)

First, I will let Pilli deal with AS-Viewer log :)

I can help with couple other things. Shall post in couple posts with screenies to show you. :)

# Leaktest entry: IGNORE. You/someone downloaded that to test your Firewall.

Many people have that file, and even if you try to run it, TDS blocks it, as it does 'act in a trojan-like manner'. For you to get it to run, you would have to shut down TDS to test your firewall.

To be doubly sure of your entry, navigate to that file (just follow the path it gives) and then simply put your cursor over it, or right-click and select Properties, and you should have the same info as in my screenshot. Icon and size! OK :)

Cheers, TAS

Tassie_Devils
September 7th, 2004, 10:41 PM
This one: pos id <adv>: Possible webDownloader in C:\documents and settings\all users\documents\ss.exe

Go here: McAFEE BackDoor-CGT (http://vil.nai.com/vil/content/v_126681.htm)

Read through that; you will note where ss.exe is mentioned, but also the file size.
Once again, navigate to the file, following the path outlined, then right-click on it, select Properties, and see if the file size matches the description, or any other information you can get from it via Properties.

Now, to submit the files [ignore Leaktest], once again navigate through Windows Explorer to each file's location, following the paths given, and do the following.

Right-click on the file.
Select Send To...
Select Compressed (zipped) Folder.
It will zip up the file and put the zipped version usually in the same location you are in... or, if it does ask for a location, select Desktop for ease of use.

In my screenshot, I did that first; do you see the green highlighted zipped file it gave me before I took the screenshot?
[Ignore MY icon, I have zipped files associated with my primary compression format, Aladdin's StuffIt program]. Your icon should be like the selection I have chosen to zip with.

Now.. all you have to do is the same with the other file so you have 2 zipped files.

Open your email program... in the To field: submit(at)diamondcs.com.au [ (at) replaced with @ ]....
subject something like: 'please check redhawkeagle Wilders'
Then simply use the Attach button, attach the files and send with an explanation and a pointer to this thread. :)

You do know of course that Kazaa is probably one of the easiest ways to get crook/trojan/malware files onto your system?

Cheers, TAS

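The packaging step described above, done in code rather than by right-clicking. This is an added example, not anything from the thread or from DiamondCS: it zips the suspect files under their base names and writes a manifest with each file's size and MD5/SHA-1/SHA-256, so the size can be compared against a vendor write-up (as suggested for ss.exe) and the analyst can confirm what arrived. The two "samples" it builds are constructed dummy files in a temp directory, and the expected size of 1024 bytes is a hypothetical placeholder for a number taken from a write-up; on the affected machine you would pass the real paths from the TDS alerts instead.

```python
"""Package suspect files for submission, recording size and hashes (added example)."""
import hashlib
import os
import tempfile
import zipfile


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Stream the file once and return {algorithm: hexdigest} for each algorithm."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def package_samples(paths, zip_path, expected_sizes=None):
    """Zip each file under its base name; return a manifest (list of dicts).

    expected_sizes: optional {basename: bytes} taken from a vendor description.
    A size match is recorded as a hint only; it is not proof either way.
    """
    expected_sizes = {k.lower(): v for k, v in (expected_sizes or {}).items()}
    manifest = []
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in paths:
            name = os.path.basename(path)
            size = os.path.getsize(path)
            entry = {"name": name, "path": path, "size": size}
            entry.update(hash_file(path))
            if name.lower() in expected_sizes:
                entry["size_matches_writeup"] = size == expected_sizes[name.lower()]
            zf.write(path, arcname=name)
            manifest.append(entry)
        # Ship the manifest inside the archive so the analyst sees sizes and
        # hashes before extracting anything.
        columns = ("name", "size", "md5", "sha1", "sha256", "path")
        rows = ["\t".join(str(e[c]) for c in columns) for e in manifest]
        zf.writestr("MANIFEST.txt", "\n".join(["\t".join(columns)] + rows) + "\n")
    return manifest


def demo():
    """Build two constructed dummy samples and package them; returns (manifest, zip names)."""
    workdir = tempfile.mkdtemp(prefix="samples_")
    constructed = (
        ("ss.exe", b"MZ" + b"\x90" * 1022),                      # 1024 bytes, constructed
        ("procreate knockout v.2.0.exe", b"MZ" + b"\x00" * 510),  # 512 bytes, constructed
    )
    paths = []
    for name, payload in constructed:
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(payload)
        paths.append(path)
    zip_path = os.path.join(workdir, "samples_for_analysis.zip")
    # Hypothetical expected size standing in for a figure from a vendor write-up.
    manifest = package_samples(paths, zip_path, expected_sizes={"ss.exe": 1024})
    with zipfile.ZipFile(zip_path) as zf:
        names = sorted(zf.namelist())
    return manifest, names


if __name__ == "__main__":
    manifest, names = demo()
    for entry in manifest:
        print(entry)
    print(names)
```

Hashes go in the manifest because a vendor can match a sample on its hash without opening it, and because the hash proves the file you examined is the one that was submitted.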
Tassie_Devils
September 7th, 2004, 10:49 PM
PS: I forgot also.... Suspicious file name, Dual Extensions reading..

It alerts like that as it reads any extra period [.] like it would an extension, as some files can try to disguise themselves by adding extra spaces and/or an extra extension at the end so you don't realise it.

eg: mypic.jpg [lots spaces here] .exe

so..... seeing the v.1.0.exe it's alerting, etc. on the file name so you can check it out.

Of course, if you know absolutely for sure the file is a program you downloaded and use from a trustworthy place, then you simply ignore the findings.
I have 2 files like that, know them by heart. I always get the Leaktest alert and the 2 other Dual Extensions alerts. :)

TAS

PS: More info on ss.exe HERE (http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=ss.exe&product=0)

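The heuristic described in the post above, written out as an added example (this is not TDS code, and the thresholds and extension lists are assumptions of the example). It reproduces the two ideas in the post, that every extra period is treated as a possible extension and that a run of spaces before the real extension is a disguise, and adds the distinction a practitioner wants: a name whose extra "extensions" are all numeric, like the Kazaa file's v.2.0.exe, is ranked low because that pattern is normally a version number, while a document or image extension sitting directly in front of an executable one is ranked high.

```python
"""Flag file names that a dual-extension heuristic would alert on (added example)."""
import re

# Extension sets are assumptions of this example, not TDS's lists.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf",
              "mp3", "avi", "zip"}
# Two or more spaces immediately before the final extension.
PADDING_RE = re.compile(r" {2,}\.[^.]+$")


def basename(name):
    """Strip any Windows or POSIX directory part."""
    return name.replace("/", "\\").rsplit("\\", 1)[-1]


def analyse_filename(name):
    """Return the list of reasons the name looks suspicious (empty if none)."""
    base = basename(name)
    parts = base.split(".")
    reasons = []
    if len(parts) > 2:
        # Every period after the first is read as another extension.
        reasons.append("dual extensions: " + ".".join(parts[1:]))
    if PADDING_RE.search(base):
        reasons.append("padding spaces before final extension")
    if len(parts) > 2:
        final_ext = parts[-1].strip().lower()
        decoy = parts[-2].strip().lower()
        if final_ext in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
            reasons.append("decoy .%s in front of executable .%s" % (decoy, final_ext))
    return reasons


def classify(name):
    """Rank a name: clean, low (version-number periods), medium, or high."""
    reasons = analyse_filename(name)
    if not reasons:
        return "clean"
    if any(r.startswith(("decoy", "padding")) for r in reasons):
        return "high"
    middle = basename(name).split(".")[1:-1]
    if middle and all(seg.strip().isdigit() for seg in middle):
        return "low"   # e.g. "v.2.0.exe": the extra periods form a version number
    return "medium"


def scan(names):
    """Classify several names at once: {name: (rank, reasons)}."""
    return {n: (classify(n), analyse_filename(n)) for n in names}


if __name__ == "__main__":
    # Constructed inputs: the three paths from the TDS alerts plus two disguised names.
    for name, result in scan([
        r"C:\documents and settings\all users\documents\ss.exe",
        r"C:\documents and settings\monty\my documents\my received files\leaktest.exe",
        r"C:\program files\kazaa\my shared folder\procreate knockout v.2.0.exe",
        "mypic.jpg          .exe",
        "report.doc.exe",
    ]).items():
        print(result[0].ljust(6), name, result[1])
```

The low ranking is what lets the alert on the Kazaa file be read the way the post suggests: something to check, not necessarily something to delete.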
Gavin - DiamondCS
September 7th, 2004, 11:40 PM
Wow nothing for me to do :D thanks Taz !
Yes, ss.exe looks suspicious; ADWARE downloaders are very often caught by the TDS trojan downloader heuristic detection. In cases like this a sample of the file is all we need and we can let you know ASAP.

Andreas1
September 9th, 2004, 05:44 AM
-{ Quote: "Most importantly though, the Memory Mutex scan shows no mutex trojans. However, when I use SysInternals Process Explorer it shows several svchost.exe processes that show Mutant entries. Also, when I pull up the properties a few of them show a Logon SID (S-1-5-5-0-616890) under the Group entry, not to mention NT AUTHORITY\Authenticated Users.
" }-

And to add on this:
Mutexes are objects that processes create to signal a certain usage or even "reservation" of resources. It's a very common thing among all sorts of programs, and need not necessarily indicate malware. TDS now goes ahead and checks the mutexes that are right now in your system to see if any of them have characteristics (i.e. the "name" or the resource in question etc.) that are known from a trojan program (because they do use these, too). If TDS doesn't alert, that just means that all the "mutexes" on your system are "clean". And Sysinternals Procexp just shows you all of them.
So I suppose that there is no mutex issue here. But you should definitely have Gavin check the other mentioned thingies.

HTHH,
Andreas

Jooske
September 9th, 2004, 07:08 AM
I remember the ss.exe as one of the files involved with downloading stuff:
You might get those infected spam mails too; if you look in the source they have a script, these days the new version is an encoded javascript, which leads unpatched systems to a download site which grabs trojan stuff from another place and installs it to the system, turning it into a zombie proxy etc.
But if you were infected, I would expect a few more files like x.exe and the kind, as well as you noticing sudden connections and CPU usage at 100% etc. As Gavin did not react with alarms on your ASViewer log I guess you were indeed saved from possible disaster.
Maybe you got the ss.exe file but it was blocked from running (TDS exec protection?) and doing its further stuff. Looks like it anyway.

redhawkeagle
September 10th, 2004, 11:36 PM
I've emailed Tassie with the info she wanted. Here is my latest Autostart log because I think I now have the Alexa search bar and Advanced Searchbar.
???
You guys are great! Thanks for helping me with this problem.

redhawkeagle
:-*


DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Monty@CARRIE, 10-10-2004
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\srmclean
C:\Cpqs\Scom\srmclean.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kaspersky Anti-Virus Lite
C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
C:\Program Files\QuickTime\qttask.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TuneUp MemOptimizer
C:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\Tasks\1-Click Maintenance.job
C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
C:\WINDOWS\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk.disabled
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
C:\Program Files\WinZip\WZQKPICK.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\System32\dcsws2.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
C:\WINDOWS\INF\unregmp2.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components\>{9A5A76F5-042A-4336-B7C6-E3B729E324A2}\
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}\
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}\
C:\WINDOWS\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
regsvr32.exe /s /n /i:U shell32.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
C:\WINDOWS\system32\ie4uinit.exe
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINDOWS\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\Alerter\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\AppMgmt\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Ati HotKey Poller\
C:\WINDOWS\System32\Ati2evxx.exe
HKLM\System\CurrentControlSet\Services\AudioSrv\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\AvgCore\
\??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys
HKLM\System\CurrentControlSet\Services\AvgFsh\
\??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys
HKLM\System\CurrentControlSet\Services\Browser\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Cnxtdiag\
C:\WINDOWS\System32\DRIVERS\cnxtdiag.sys
HKLM\System\CurrentControlSet\Services\Compaq_RBA\
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
HKLM\System\CurrentControlSet\Services\COMSysApp\
C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
HKLM\System\CurrentControlSet\Services\CryptSvc\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINDOWS\System32\svchost.exe -k NetworkService
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\Fallback\
C:\WINDOWS\System32\DRIVERS\C4C_FALL.sys
HKLM\System\CurrentControlSet\Services\Fsks\
C:\WINDOWS\System32\DRIVERS\C4C_FSKS.sys
HKLM\System\CurrentControlSet\Services\helpsvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ImapiService\
C:\WINDOWS\System32\Imapi.exe
HKLM\System\CurrentControlSet\Services\K56\
C:\WINDOWS\System32\DRIVERS\C4C_K56K.sys
HKLM\System\CurrentControlSet\Services\KAVMonitorService\
C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
HKLM\System\CurrentControlSet\Services\lanmanserver\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\MDM\
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
HKLM\System\CurrentControlSet\Services\mdmxsdk\
C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
HKLM\System\CurrentControlSet\Services\NetDDE\
C:\WINDOWS\system32\netdde.exe
HKLM\System\CurrentControlSet\Services\NetDDEdsdm\
C:\WINDOWS\system32\netdde.exe
HKLM\System\CurrentControlSet\Services\NtLmSsp\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\pavdrv\
C:\WINDOWS\System32\DRIVERS\pavdrv51.sys
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\RDSessMgr\
C:\WINDOWS\system32\sessmgr.exe
HKLM\System\CurrentControlSet\Services\RemoteAccess\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\RpcLocator\
C:\WINDOWS\System32\locator.exe
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINDOWS\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\RSVP\
C:\WINDOWS\System32\rsvp.exe
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SharedAccess\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ShellHWDetection\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SoftFax\
C:\WINDOWS\System32\DRIVERS\C4C_FAXX.sys
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINDOWS\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\srservice\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SSDPSRV\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\stisvc\
C:\WINDOWS\System32\svchost.exe -k imgsvc
HKLM\System\CurrentControlSet\Services\Themes\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Tones\
C:\WINDOWS\System32\DRIVERS\C4C_TONE.sys
HKLM\System\CurrentControlSet\Services\uploadmgr\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\upnphost\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\V124\
C:\WINDOWS\System32\DRIVERS\C4C_V124.sys
HKLM\System\CurrentControlSet\Services\W32Time\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WebClient\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\winmgmt\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WmiApSrv\
C:\WINDOWS\System32\wbem\wmiapsrv.exe
HKLM\System\CurrentControlSet\Services\wuauserv\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WZCSVC\
C:\WINDOWS\System32\svchost.exe -k netsvcs

Tassie_Devils
September 10th, 2004, 11:50 PM
-{ Quote: "I've emailed Tassie with the info she wanted. Here is my latest Autostart log because I think I now have the Alexa search bar and Advanced Searchbar." }-

Hi redhawkeagle...:)

Just to clarify, I belong to the "Grumpy Old Men" gender, not the lovely fair sex. :) LOL..

errrr.. email? How did you email, my addy is not enabled for general use?

Anyhow, the first point would be, did you submit the file outlined above to DCS, oh wait, did you mean by 'emailed Tassie' that was what you did for the submit [at] diamondcs.com.au link?

If that's what you did, fine, just wait until you hear back from DCS. :)

As to the log, I am afraid someone more knowledgeable than I shall have to interpret, though I understand a lot of it, I would not want to give wrong advice. ;)

Cheers, TAS [Grumpy Old Man] ;D

Jooske
September 11th, 2004, 02:22 AM
I'm still overwhelmed with the ASViewer logs, still trying to get a grip on them. I understand the HijackThis logs better, where I know in general terms what to look for, but I'm far from an expert. Could you also post your HJT log please, so we might see something more in places where it doesn't belong?

illukka
September 11th, 2004, 05:36 AM
Not to mention that it's a whole lot easier to fix things in a HijackThis log than in an ASViewer log. In HJT you can fix every item at the same time; in ASViewer you have to right-click them one at a time..

Tassie_Devils
September 11th, 2004, 05:44 AM
-{ Quote: "I'm still overwhelmed with the ASViewer logs, still trying to get a grip on them. I understand the HijackThis logs better, where I know in general terms what to look for, but I'm far from an expert. Could you also post your HJT log please, so we might see something more in places where it doesn't belong?" }-

Redhawkeagle, seeing as Jooske asked, you can post a HJT log in THIS thread here.

Go to
HERE (http://www.wilderssecurity.com/showthread.php?t=15913). Scroll to Step 2 and follow the instructions in Step 2 only. Once you have your log file, cut and paste it in this thread here.
[Make sure HJT.exe is not run from the desktop; it does not need to be installed. Make a folder, say in C:\, call it HiJackThis and put the downloaded file into it, then proceed from there as per the instructions]

[Note: Wilders no longer does HiJackThis logs unless asked for, as you have been :)]

Cheers, TAS