Avast stopped working, virus?

Hello,
I have been using the latest updates of Avast for a year now with no problems. Yesterday I was downloading some files and had several virus alerts which I moved to the chest. All of a sudden, the avast icon in my taskbar disappeared. I tried to turn it back on but it said the shortcut had been moved or changed. I tried to download Avast again and it did not work. I also tried several other free antivirus programs and they also would not work. I also had a message stating something about “Dr Watson postmortem debugger”. I am 99% sure I have a virus. Can anyone tell me what to do? All of my word documents won’t work either.

Any info would help…

Here is the log…

Logfile of HijackThis v1.99.1
Scan saved at 10:45:39 PM, on 12/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\System32\khooker.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\015DWVTF\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://ca.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://ca.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://ca.search.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://ca.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ratmn] C:\WINDOWS\ratmn.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.mysask.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


Welcome to the forums, BJS. :slight_smile:

Do you have or have you had McAfee anti-virus on this computer?

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab

Having 2 active av services can cause the problem you are experiencing. The above entries indicate that some McAfee service has been on your computer at some time in the past or is present now. These could also be remnants of a past McAfee program which could be causing interference with avast or any other av service.


Thank you,

McAfee might have been installed at one point (it is my wife’s PC) but to my knowledge, Avast was the only active antivirus program working. Whenever there was a virus alert in the last year, Avast was the only one to pick it up. What worried me the most is that it said some files had been moved. Moved where?

There are removal tools for McAfee available, if you can find out if and what version was installed.

Moved is either to the chest or the moved folder. Moved folder can be found in program files\alwil software\avast4\data.

I opened the “moved” folder under data but it was empty. I am just trying to get Avast active again. It is still under alwilsoftware but when I try to activate from startup, it says that the shortcut has been changed or moved.

Also, I did a search and there are no remnants of McAfee that I can see. No files anyway.

What happens when you open ashsimp.exe or ashsimp2.exe from the avast4 folder?


Those 2 entries I mentioned above should be fixed with HijackThis so that these will no longer be a problem.

You might also try a repair of avast through Add/Remove programs. You need to be on-line to do this.

MyComputer > Control Panel > Add/Remove programs > scroll down to avast! antivirus & click to select > Change/Remove button > Scroll down to Repair & click Repair > click Next button and follow instructions


A good way is to run ProcessExplorer and look for the two processes running under drwatson… I don’t like this “debugger”, but the information about the two crashing processes is useful to decide what to do :slight_smile:

Hello,
I ran ProcessExplorer and these are the results… I also tried to repair Avast and I followed CharleyO’s directions but I could only get to “change and remove”; it did not give me the “repair option”.

Process PID CPU Description Company Name
System Idle Process 0 98.46
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 292 Windows NT Session Manager Microsoft Corporation
csrss.exe 340 Client Server Runtime Process Microsoft Corporation
winlogon.exe 364 Windows NT Logon Application Microsoft Corporation
services.exe 408 Services and Controller app Microsoft Corporation
svchost.exe 572 Generic Host Process for Win32 Services Microsoft Corporation
iexplore.exe 180 Internet Explorer Microsoft Corporation
ctfmon.exe 3544 CTF Loader Microsoft Corporation
svchost.exe 620 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 656 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 704 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 724 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 792 Spooler SubSystem App Microsoft Corporation
svchost.exe 1052 Generic Host Process for Win32 Services Microsoft Corporation
iPodService.exe 152 iPodService Module Apple Computer, Inc.
svchost.exe 1500 Generic Host Process for Win32 Services Microsoft Corporation
HPZipm12.exe 920 PML Driver HP
lsass.exe 420 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 3868 Windows Explorer Microsoft Corporation
jusched.exe 1236 Java™ Platform SE binary Sun Microsystems, Inc.
vsnpstd2.exe 3032 CameraMonitor MFC Application
khooker.exe 2320 SiS Compatible Super VGA Keyboard Daemon Silicon Integrated Systems Corporation
hpwuSchd2.exe 2656 Hewlett-Packard Product Assistant Hewlett-Packard Development Company, L.P.
rundll32.exe 2700 Run a DLL as an App Microsoft Corporation
iTunesHelper.exe 320 iTunesHelper Module Apple Computer, Inc.
GoogleToolbarNotifier.exe 3220 GoogleToolbarNotifier Google Inc.
msmsgs.exe 2844 Windows Messenger Microsoft Corporation
hpqtra08.exe 1444 HP Digital Imaging Monitor Hewlett-Packard Development Company, L.P.
hpqste08.exe 200 HP CUE Status Hewlett-Packard Development Company, L.P.
LastFMHelper.exe 1012
iexplore.exe 1296 Internet Explorer Microsoft Corporation
procexp.exe 2092 1.54 Sysinternals Process Explorer Sysinternals


BJS,

What OS is on this computer?


I can’t see the drwatson instances in your ProcessExplorer log… are you still getting some errors?

Those McAfee O16’s are ActiveX controls - more like an online scan than anything that would interfere with a resident scanner.

Under the circumstances described in the initial post I would run F-Secure Blacklight to check the possibility of a rootkit

http://www.f-secure.com/blacklight/try_blacklight.html

and also scan this file at Virus Total

C:\WINDOWS\ratmn.exe

EDIT: BTW, you are running HJT from a temporary file. This should be moved to its own folder as backups will be made of anything you fix with this program. Running from a temp folder risks losing the backups.
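Added example, not part of the original thread and not HijackThis's own code: a small Python triage pass that pulls out the kinds of log lines discussed above (missing targets, Run entries sitting directly in the Windows folder that are candidates for a VirusTotal hash lookup, O16 ActiveX origins, and HijackThis itself running from a temp folder). The function name `triage` and the reason labels are assumptions; the sample lines are copied from the log in the first post.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\015DWVTF\hijackthis[1]\HijackThis.exe
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [ratmn] C:\WINDOWS\ratmn.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""

# "R1 - ..." / "O4 - ..." style entries: section code, then the entry body.
ENTRY = re.compile(r"^([RO]\d+) - (.+)$")
# Run-key autoruns; also accepts "HKLM..\Run", the form forums often mangle it into.
RUN_KEY = re.compile(r"^HK(?:LM|CU)\\?\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Executable located directly in C:\WINDOWS or C:\WINDOWS\system32.
WINDIR_EXE = re.compile(r'^["“]?(C:\\WINDOWS\\(?:system32\\)?[^\\"”]+\.exe)', re.I)
TEMP_DIRS = ("\\temporary internet files\\", "\\temp\\")


def triage(log_text):
    """Return (reason, detail) pairs for lines worth a manual look.

    These are review candidates, not verdicts: each one still needs a
    hash lookup or a check against what is actually installed.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m is None:
            # Not a loading-point entry: treat it as a running-process path.
            low = line.lower()
            if low.endswith("hijackthis.exe") and any(d in low for d in TEMP_DIRS):
                findings.append(("tool-run-from-temp", line))
            continue
        code, body = m.groups()
        if body.endswith(("(file missing)", "(no file)")):
            findings.append(("missing-target", f"{code}: {body}"))
        if code == "O4":
            run = RUN_KEY.match(body)
            exe = WINDIR_EXE.match(run.group("cmd")) if run else None
            if exe:
                findings.append(("autorun-in-windows-dir", exe.group(1)))
        elif code == "O16":
            url = re.search(r"https?://([^/\s]+)", body)
            if url:
                findings.append(("activex-from-web", url.group(1)))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason:24} {detail}")
```
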

CharleyO,
I am running in Windows XP. I am going to run the programs that mauserme suggested.

Thanks…

Mauserme,
I ran F-Secure Blacklight. It showed about 250 hidden files.
I could not find the file you wanted me to check at Virus Total. It was not under c:\windows. Could it be under a subfolder?

According to the HJT log it is in the c:\windows folder. It’s the 6th O4 entry. Do you have show all files turned on in folder options?

In addition to what Oldman suggested about showing hidden files and folders you could un-hide Protected Operating System Files as well. Both options are in Start>Control Panel>Folder Options>View.

Then see if you can post the Blacklight log.


No problem, BJS … mauserme certainly knows more about this than I do. :slight_smile:

I asked about the OS because with XP, you should have that repair option of avast available. :frowning:


Yes, I have show hidden files under folder options but I still can’t view c-windows-ratmn.exe; the closest is the registry editor file.

I also checked to see if I could manually open the ashsimp.exe or ashsimp2.exe but they were not listed under the alwil folder.

The funny thing is when I tried to reinstall Avast, the ashsimp.exe and the ashsimp2.exe showed up for about 4 seconds but disappeared while I was looking at it. It looks as though they were renamed. I could see that at first they were exe files.

Please download OTMoveIt by OldTimer. Save it to your desktop but don’t use it yet.

Now download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished post the log it produces.
Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.

Next, move HijackThis to its own folder (c:\hjt\ would be fine), scan and save a log, and post the new log after running the ComboFix scan.

Also attach (or post) the BlackLight log that should be saved in the same folder with the blacklight executable as fslb<date&time>.log.

When you ran BlackLight did you possibly use the expert parameter from the command line version or click “Show All Processes” in the Graphical Interface version? Or was it a standard scan?

Here are the ComboFix results. I need to split it because the post is too long. I will put HijackThis in a new folder now and run it and post the results.

ComboFix 07-08-14.4 - “Ben” 2007-08-14 12:04:49.1 - NTFS x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.68 [GMT -6:00]
C:\WINDOWS\system32\chkdsk.exe not present

ADS removed - C:\WINDOWS\system32\ntoskrnl.exe: The system cannot find the file specified.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Ben\APPLIC~1.\hidires\rosa.sys
C:\DOCUME~1\Ben\Desktop.\internet explorer.lnk
C:\Program Files\ql
C:\Program Files\ql~ql_log.txt
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\wintems.exe

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_ROSA
-------\rosa

((((((((((((((((((((((((( Files Created from 2007-07-14 to 2007-08-14 )))))))))))))))))))))))))))))))

2007-08-14 12:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-13 20:13 54,452 --a------ C:\WINDOWS\system32\drivers\pci32.sys
2007-08-11 20:59 d--h----- C:\WINDOWS\PIF
2007-08-11 20:33 99,713 --a------ C:\WINDOWS\system32\trusted.exe
2007-08-11 20:33 d-------- C:\WINDOWS\exefnd
2007-08-11 20:12 d-------- C:\Program Files\SCRABBLE
2007-08-11 13:54 d-------- C:\Program Files\Kyodai
2007-08-11 13:02 d-------- C:\DOCUME~1\Ben\APPLIC~1\GameHouse
2007-08-11 13:02 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9
2007-08-10 22:15 d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-10 22:15 d-------- C:\DOCUME~1\Ben\APPLIC~1\SpinTop
2007-08-08 15:01 d-------- C:\DOCUME~1\Ben\APPLIC~1\OpenOffice.org2
2007-08-08 14:57 d-------- C:\Program Files\OpenOffice.org 2.2
2007-07-14 12:29 d-------- C:\hindsight
2007-07-14 12:26 d-------- C:\DOCUME~1\Ben.SunDownloadManager
2007-07-14 11:26 d-------- C:\dmbenc9
2007-07-14 11:25 450,560 --a------ C:\WINDOWS\system32\HHActiveX.dll
2007-07-14 11:25 32,768 --a------ C:\WINDOWS\system32\DZPROG32.exe
2007-07-14 11:25 131,072 --a------ C:\WINDOWS\system32\DZIP32.dll
2007-07-14 11:25 110,592 --a------ C:\WINDOWS\system32\DUNZIP32.dll
2007-07-14 11:25 d-------- C:\dmb9

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-11 21:32 --------- d-------- C:\Program Files\eMule
2007-08-10 11:03 --------- d-------- C:\Program Files\SP2 Connection Patcher
2007-07-27 16:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 16:02 94416 --a--c--- C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 16:02 92848 --a--c--- C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 16:00 23152 --a--c--- C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 15:59 42912 --a--c--- C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 15:58 26624 --a--c--- C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 15:57 95608 --a--c--- C:\WINDOWS\system32\AVASTSS.scr
2007-07-24 19:51 --------- d-------- C:\DOCUME~1\Ben\APPLIC~1\Image Zone Express
2007-07-17 07:30 --------- d-------- C:\Program Files\Picasa2
2007-07-15 23:41 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-07-15 23:41 249856 --------- C:\WINDOWS\Setup1.exe
2007-07-14 08:53 --------- d-------- C:\Program Files\Last.fm
2007-06-24 16:35 --------- d-------- C:\Program Files\RL-Software
2007-05-16 09:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 09:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 09:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 09:12 683520 -----c--- C:\WINDOWS\system32\inetcomm.dll
2007-05-16 09:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 09:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2006-12-02 12:05 774144 --a--c--- C:\Program Files\RngInterstitial.dll
2001-11-23 06:08 712704 --a--c--- C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2005-05-13 23:12:00 217,073 -csha-r C:\WINDOWS\meta4.exe
2005-10-24 17:13:58 66,560 -csha-r C:\WINDOWS\MOTA113.exe
2005-07-14 18:31:20 27,648 -csha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 21:32:28 616,448 -csha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 04:37:42 45,568 -csha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 09:06:54 163,328 -csh--r C:\WINDOWS\system32\flvDX.dll
2004-01-25 06:00:00 70,656 -csha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 10:47:16 31,232 -csh--r C:\WINDOWS\system32\msfDX.dll
2005-02-28 19:16:22 240,128 -csha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 06:00:00 70,656 -csha-r C:\WINDOWS\system32\yv12vfw.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))