Old 12-01-2008, 06:25 PM   #1 (permalink)
matua105
Registered User
 
Join Date: Mar 2007
Posts: 12
OS: Windows XP


Unsolicited New Window pop ups on IE7 and Firefox

For the past four days I have been grappling with a trojan.agent /virtumonde virtumonde.prx that started as follows: I visited a website when Search and Destroy started popping up a lot of changes in my registry with a list of names such as SSOD, liyuwuviho, nesilifo.dll, nahuhiju.dll, zavubeve.dll and a host of other names I did not catch, and each time I clicked do not allow change in the registry. Then I ran Spybot S&D, Malwarebytes and my Norton anti-virus, and found nesilifo.dll, nahuhiju.dll and zazuvebe.dll in Windows\system32 and deleted them, but did not find SSOD in Windows\System32 nor in the registry. I did find liyuwuviho in the registry and deleted it. The next time I booted up, I found liyuwuviho still in the registry. Nothing appeared to be happening to my machine. Then about 3 hours later, I started getting unsolicited pop-up windows in both IE7 and Firefox for a variety of websites, some of them anti-virus software web pages, which I quickly terminated. I ran Malwarebytes, Spybot S&D and Norton Symantec Endpoint Protection anti-virus, and the programs allegedly either quarantined or deleted the DLLs but could not get rid of liyuwuviho. I also noted liyuwuviho was still in the registry.

I then noticed no activity for several hours and then it started all over again, and when I scanned with MBAM, S&D, and Norton I noticed that the DLLs and files had different names. In addition to this, I could not locate any of the file names in the Windows\system32 directory, but they were attached to the registry key entries. This cycle of no activity for several hours and then pop-up windows has happened at least 5 times now.

Here is the DDS log:

DDS (Version 1.0) - NTFSx86
Run by unpingco at 16:57:15.50 on Mon 12/01/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1150.328 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Sun\SDK\lib\appservService.exe
C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Remote tools\msraLinkMonitor.exe
C:\WINDOWS\system32\PSIService.exe
C:\Sun\SDK\jdk\bin\java.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Sun\SDK\jdk\bin\javaw.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\CMMON32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Gmer\gmer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\unpingco\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer provided by Hewlett-Packard
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7c65880c-643b-4724-890f-4d191275a79e} - c:\windows\system32\vupowose.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HP Virtual Rooms] c:\progra~1\hewlet~1\hpvirt~1.0\\HPVIRT~1.EXE
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [COEMsgDisplay] c:\program files\hewlett-packard\pc coe\COEMsgDisplay.exe
mRun: [QuickPassword] c:\program files\activcard\activcard gold\agquickp.exe
mRun: [IDA] c:\program files\hewlett-packard\pc coe\IDA.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [T-Mobile Connection Manager] "c:\program files\t-mobile\connection manager\TMobileCM.exe" -a
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [GetIT] "c:\program files\hewlett-packard\getit\GetIT.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
mRun: [liyuwuviho] Rundll32.exe "c:\windows\system32\nesilifo.dll",s
mRun: [8483d14e] rundll32.exe "c:\windows\system32\napuruya.dll",b
mRun: [CPM87b0e2d2] Rundll32.exe "c:\windows\system32\kalerazo.dll",a
StartupFolder: c:\docume~1\unpingco\startm~1\programs\startup\sdktra~1.lnk - c:\sun\sdk\jdk\bin\javaw.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\WINZIP~1.LNK -
uPolicies-explorer: Btn_Back = 0 (0x0)
uPolicies-explorer: Btn_Forward = 0 (0x0)
uPolicies-explorer: Btn_Stop = 0 (0x0)
uPolicies-explorer: Btn_Refresh = 0 (0x0)
uPolicies-explorer: Btn_Home = 0 (0x0)
uPolicies-explorer: Btn_Search = 0 (0x0)
uPolicies-explorer: Btn_History = 0 (0x0)
uPolicies-explorer: Btn_Favorites = 0 (0x0)
uPolicies-explorer: Btn_Media = 0 (0x0)
uPolicies-explorer: Btn_Folders = 0 (0x0)
uPolicies-explorer: Btn_Fullscreen = 0 (0x0)
uPolicies-explorer: Btn_Tools = 0 (0x0)
uPolicies-explorer: Btn_MailNews = 0 (0x0)
uPolicies-explorer: Btn_Size = 0 (0x0)
uPolicies-explorer: Btn_Print = 0 (0x0)
uPolicies-explorer: Btn_Edit = 0 (0x0)
uPolicies-explorer: Btn_Discussions = 0 (0x0)
uPolicies-explorer: Btn_Cut = 0 (0x0)
uPolicies-explorer: Btn_Copy = 0 (0x0)
uPolicies-explorer: Btn_Paste = 0 (0x0)
uPolicies-explorer: Btn_Encoding = 0 (0x0)
uPolicies-explorer: Btn_PrintPreview = 0 (0x0)
uPolicies-explorer: NoDesktop = 0 (0x0)
uPolicies-explorer: NoFavoritesMenu = 0 (0x0)
uPolicies-explorer: NoTrayContextMenu = 0 (0x0)
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
mPolicies-explorer: NoToolbarCustomize = 0 (0x0)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
mPolicies-system: DisableNT4Policy = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\hewlett-packard\ietoolbar\HP IE Fix.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\npjpi160_03.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\hewlett-packard\ietoolbar\HP IE Fix.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: *.cpqcorp.net
Trusted Zone: *.hp.com
Trusted Zone: *.hpqcorp.net
Trusted Zone: *.hpshopping.com
Trusted Zone: *.real.com
TCP: {AA947764-93F7-46CC-A062-30F0503850C9} = 16.110.135.51 16.110.135.52
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\yifiroso.dll c:\windows\system32\kalerazo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kalerazo.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kalerazo.dll
SEH: {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\yifiroso.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-29 28544]
R2 acautoreg;ActivCard Gold Autoregister;c:\program files\common files\activcard\acautoreg.exe [2007-6-26 53248]
R2 Accoca;ActivCard Gold service;c:\program files\common files\activcard\accoca.exe [2004-5-12 143360]
R2 AppServer9PE;SunJavaSystemAppserver9PE;c:\sun\sdk\lib\appservservice.exe "\"c:\sun\sdk\bin\asadmin.bat\" start-domain --user admin domain1" "\"c:\sun\sdk\bin\asadmin.bat\" stop-domain domain1\" []
R2 AvChgSvc;HP-AV Change Monitor Service;c:\progra~1\hpavad~1\avChgSvc.exe [2008-10-7 238080]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-7-8 108392]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-7-8 108392]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\mcafee\siteadvisor\McSACore.exe" [2008-7-31 203280]
R2 msralinkmonitor;MSRA Link Monitor;"c:\program files\remote tools\msraLinkMonitor.exe" [2007-8-28 147456]
R2 radexecd;HP OVCM Notify Daemon;"c:\program files\hewlett-packard\pc coe 3\ov cms\radexecd.exe" [2007-2-20 270510]
R2 radsched;HP OVCM Scheduler Daemon;"c:\program files\hewlett-packard\pc coe 3\ov cms\radsched.exe" [2007-3-22 172205]
R2 Radstgms;HP OVCM MSI Redirector;"c:\program files\hewlett-packard\pc coe 3\ov cms\Radstgms.exe" [2008-7-3 315570]
R2 Symantec AntiVirus;Symantec Endpoint Protection;"c:\program files\symantec antivirus\Rtvscan.exe" [2008-7-8 2240944]
R2 WGX;Extend WG Protocol Driver;c:\windows\system32\drivers\WGX.SYS [2008-7-8 38632]
R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [2007-1-26 13619]
R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [2007-1-26 9493]
R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [2007-4-6 13647]
R3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [2007-6-28 27008]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [2007-6-28 10161]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-20 99376]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-23 231424]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081201.006\NAVENG.SYS [2008-12-1 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081201.006\NAVEX15.SYS [2008-12-1 876112]
R3 RadiaMsi;RadiaMsi;c:\windows\system32\drivers\radiamsi.sys [2007-8-3 23424]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-1-3 114016]
S2 WinDefend;Windows Defender;"c:\program files\windows defender\MsMpEng.exe" [2006-11-3 13592]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\COH_Mon.sys [2008-7-8 23888]
S3 IPSECSHM;Nortel IPSECSHM Adapter;c:\windows\system32\drivers\ipsecw2k.sys [2008-1-3 114016]
S3 magaService;Lan Discover Agent;c:\program files\sygate\ssa\maga\maga.exe []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe" /service msvsmon80 [2006-12-2 2805000]

=============== Created Last 30 ================

2008-12-01 14:47 <DIR> --d----- c:\windows\pss
2008-12-01 14:44 120 ---sh--- c:\windows\system32\ayurupan.ini
2008-12-01 11:50 <DIR> --d----- c:\documents and settings\unpingco\.SunDownloadManager
2008-12-01 11:22 <DIR> --d----- c:\program files\Gmer
2008-12-01 11:17 250 a------- c:\windows\gmer.ini
2008-11-30 16:50 1,281,506 a------- C:\Sym_LoadPointDiag.zip
2008-11-30 16:43 <DIR> --d----- C:\Sym_LoadPointDiag
2008-11-30 15:11 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2008-11-30 15:04 <DIR> --d----- c:\windows\ERUNT
2008-11-30 14:53 <DIR> --d----- C:\SDFix
2008-11-30 01:26 0 a------- C:\AVScript26.js
2008-11-29 12:06 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2008-11-29 12:06 <DIR> --d----- c:\program files\Panda Security
2008-11-13 17:19 1,138,869 a------- C:\ESUGLPDU_2.01.exe
2008-11-11 20:16 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 20:12 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-08 17:52 <DIR> --d----- c:\docume~1\unpingco\applic~1\LimeWire
2008-11-08 17:51 <DIR> --d----- c:\program files\LimeWire
2008-11-01 20:08 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2008-12-01 16:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-01 16:10 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-01 16:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-01 14:44 93,748 a--sh--- c:\windows\system32\kalerazo.dll
2008-12-01 14:44 86,580 a--sh--- c:\windows\system32\napuruya.dll
2008-12-01 11:42 <DIR> --d----- c:\program files\symantec antivirus
2008-10-30 06:27 <DIR> --d----- c:\program files\McAfee
2008-10-16 06:36 <DIR> --d----- c:\program files\HPAVAdminScan
2008-10-14 07:51 349,880 a------- c:\windows\adminScanInstall.EXE
2008-10-08 12:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-20 10:53 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 17:14 1,307,648 a------- c:\windows\system32\msxml6.dll
2008-09-04 09:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-09-04 07:33 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-08-31 10:35 <DIR> --d----- c:\docume~1\unpingco\applic~1\Malwarebytes
2008-08-31 10:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-08-12 08:44 <DIR> --d----- c:\docume~1\unpingco\applic~1\messages
2008-06-06 07:39 <DIR> --d----- c:\docume~1\unpingco\applic~1\T-Mobile
2008-06-06 07:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\T-Mobile
2008-01-23 08:23 <DIR> --d----- c:\docume~1\unpingco\applic~1\Windows Desktop Search
2008-01-05 11:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg7
2008-01-05 11:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PreEmptive Solutions
2008-01-05 10:00 <DIR> --d----- c:\docume~1\unpingco\applic~1\AVG7
2008-01-03 22:39 <DIR> --d----- c:\docume~1\unpingco\applic~1\Jabber Messenger
2008-01-03 18:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel
2008-02-01 11:05 88 ---shr-- c:\windows\system32\9999CCE4CD.sys
2008-02-01 11:05 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-08-28 12:10 61,952 a--sh--- c:\windows\system32\vupowose.dll
2008-08-28 12:10 61,952 a--sh--- c:\windows\system32\yifiroso.dll

============= FINISH: 16:58:07.89 ===============

By the way, the last 3 files, KGyGaAvL.sys, vupowose.dll, and yifiroso.dll, I cannot locate in windows\system32\ even with viewing system and hidden files.

Thanks in advance for your help. I greatly appreciate it.
Attached Files
File Type: txt Attach.txt (13.2 KB, 1 views)
File Type: txt Gmer.txt (5.5 KB, 1 views)

Last edited by matua105; 12-01-2008 at 06:32 PM. Reason: clarify title
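
An added triage example, not part of the original post: it reads DDS-style log lines and lists the system32 DLLs that are wired into autostart points, which is why deleting a single Run value or file did not stop the cycle described above. The sample lines are copied from the log in this post; the flagging rules (rundll32 Run entry, AppInit_DLLs, LSA notification package, hidden+system attributes, two or more load points) are heuristics assumed for illustration, and `triage` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Subset of lines copied from the DDS log in the post above.
SAMPLE = r"""
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7c65880c-643b-4724-890f-4d191275a79e} - c:\windows\system32\vupowose.dll
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [liyuwuviho] Rundll32.exe "c:\windows\system32\nesilifo.dll",s
mRun: [8483d14e] rundll32.exe "c:\windows\system32\napuruya.dll",b
mRun: [CPM87b0e2d2] Rundll32.exe "c:\windows\system32\kalerazo.dll",a
AppInit_DLLs: c:\windows\system32\yifiroso.dll c:\windows\system32\kalerazo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kalerazo.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kalerazo.dll
LSA: Notification Packages = scecli c:\windows\system32\yifiroso.dll
2008-12-01 14:44 93,748 a--sh--- c:\windows\system32\kalerazo.dll
2008-12-01 14:44 86,580 a--sh--- c:\windows\system32\napuruya.dll
2008-09-04 09:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-28 12:10 61,952 a--sh--- c:\windows\system32\vupowose.dll
2008-08-28 12:10 61,952 a--sh--- c:\windows\system32\yifiroso.dll
"""

DLL = re.compile(r"[a-z]:\\[^\"\n]*?\.dll", re.I)       # one path per match
TAG = re.compile(r"^([A-Za-z_]+):\s")                    # "mRun:", "BHO:", ...
LISTING = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \S+ ([a-z-]{8}) (.+)$")
STRONG = {"AppInit_DLLs": "AppInit_DLLs", "LSA": "LSA notification package"}

def triage(log):
    """Return {dll_path: sorted reasons} for system32 DLLs worth a closer look."""
    points = defaultdict(set)    # dll path -> autostart tags that reference it
    reasons = defaultdict(set)
    for line in (raw.strip() for raw in log.splitlines()):
        listing = LISTING.match(line)
        if listing:              # file listing: attribute column, then path
            attrs, path = listing.group(1), listing.group(2).lower()
            if path.endswith(".dll") and "s" in attrs and "h" in attrs:
                reasons[path].add("hidden+system file")
            continue
        tag = TAG.match(line)
        if not tag:
            continue
        for path in (p.lower() for p in DLL.findall(line)):
            points[path].add(tag.group(1))
            if tag.group(1) in STRONG:
                reasons[path].add(STRONG[tag.group(1)])
            if tag.group(1) in ("mRun", "uRun") and "rundll32" in line.lower():
                reasons[path].add("rundll32 Run entry")
    for path, tags in points.items():
        if len(tags) >= 2:       # same DLL registered in several places
            reasons[path].add(f"{len(tags)} load points")
    return {p: sorted(r) for p, r in reasons.items() if "\\system32\\" in p}

if __name__ == "__main__":
    for path, why in sorted(triage(SAMPLE).items()):
        print(path, "->", ", ".join(why))
```

A DLL reported with several load points has to be unregistered from every one of them before the file is removed, otherwise whichever copy still loads can rewrite the others.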