Old 07-12-2006, 03:11 PM   #1 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 20
OS: Windows XP Professional SP2


Virtumonde

I recently finished formatting my computer. My aim in this was to fix all the various problems I had before. Ironically, I let my guard down while redownloading all my various apps and installed a trick root package. Since yesterday, I have been expending my main efforts in ridding myself of all these different variants of Smitfraud / Yazzle / OIN. Now it seems there is but one .dll that is causing me trouble. This opnommj.dll is recognized as Adware.Virtumonde by AVG, Spybot, and Ewido. This opnommj.dll recovers immediately after being deleted or quarantined, whether it be in normal or safe mode. It has a few commands in HijackThis! that cannot be removed as well. If I try to unlock it with Unlocker in safe mode, my computer crashes. It also seems as though this is a randomly generated name, as a Google search for opnommj.dll turns up nothing.

The log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 2:08:14 PM, on 7/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Razer\razerhid.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\{C891986A-07D0-1033-0406-060715050001}\Update.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Common Files\AOL\Triton\ee\aolsoftware.exe
C:\Program Files\Xfire\Xfire.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
c:\program files\common files\aol\triton\ee\aim6.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Joseph\Desktop\Joey's Files\Cleaning\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\opnommj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O20 - Winlogon Notify: opnommj - C:\WINDOWS\SYSTEM32\opnommj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-------------------------------------------------------------------------

I'd also like to remove IDriverT.exe, as I do not need this :D
D3DAiM is offline  
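
Added example, not part of the original thread and not written by any poster: a small parser for the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log that groups registrations by DLL path, ignoring case, and reports DLLs worth a closer look. The three triage rules are assumptions chosen for this illustration, not HijackThis behaviour, and the sample lines are copied from the log in the first post.

```python
import ntpath
import re
from collections import defaultdict

# Sample input: O-section lines taken from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\opnommj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O20 - Winlogon Notify: opnommj - C:\WINDOWS\SYSTEM32\opnommj.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# O2 lines carry: name, CLSID, path. O20 lines carry: name, path.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>[A-Za-z]:\\.+)$"
)
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>[A-Za-z]:\\.+)$"
)


def parse_entries(log_text):
    """Yield (section, name, normalised_path) for every O2 and O20 line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, pattern in (("O2", BHO_RE), ("O20", NOTIFY_RE)):
            match = pattern.match(line)
            if match:
                # Windows paths are case-insensitive: the log above writes
                # system32 in one entry and SYSTEM32 in the other.
                path = ntpath.normcase(match.group("path").strip())
                yield section, match.group("name"), path


def triage(log_text):
    """Return DLLs that match at least one triage rule, most reasons first."""
    by_path = defaultdict(list)
    for section, name, path in parse_entries(log_text):
        by_path[path].append((section, name))

    findings = []
    for path, registrations in by_path.items():
        sections = {section for section, _ in registrations}
        reasons = []
        # Rule 1 (assumption): a BHO that registers no display name.
        if any(s == "O2" and n == "(no name)" for s, n in registrations):
            reasons.append("BHO registered without a name")
        # Rule 2: Winlogon Notify DLLs are loaded into winlogon.exe.
        if "O20" in sections:
            reasons.append("loaded by winlogon.exe via Winlogon Notify")
        # Rule 3 (assumption): one DLL using both load points at once.
        if {"O2", "O20"} <= sections:
            reasons.append("same DLL registered as both BHO and Winlogon Notify")
        if reasons:
            findings.append(
                {"path": path, "sections": sorted(sections), "reasons": reasons}
            )

    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["path"], finding["sections"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

A single O20 entry on its own is not proof of infection, since legitimate software also registers Winlogon Notify packages; the combination of rules is what narrows the list.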

Old 07-12-2006, 03:27 PM   #2 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 20
OS: Windows XP Professional SP2


This is a http://virusscan.jotti.org/ scan on the opnommj.dll:

=========================================================

AntiVir
Found Adware-Spyware/Virtumonde.B adware
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Generic.OWI
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found Trojan.Virtumod
F-Prot Antivirus
Found nothing
Fortinet
Found Adware/Virtumonde
Kaspersky Anti-Virus
Found not-a-virus:AdWare.Win32.Virtumonde.cd
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VirusBuster
Found nothing
VBA32
Found AdWare.Win32.Virtumonde.cd
D3DAiM is offline  
Old 07-12-2006, 04:08 PM   #3 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 07-12-2006, 04:20 PM   #4 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 20
OS: Windows XP Professional SP2


Quote:
Originally Posted by tetonbob
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Man, and I was really becoming hopeful.. Vundofix did not detect anything.. Looks like I have to get my hands dirty :P

Last edited by D3DAiM; 07-12-2006 at 04:25 PM.
D3DAiM is offline  
Old 07-12-2006, 04:32 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, right-click inside the listbox (white box) and click add more files
  • Copy&Paste the 2 entries below into the top 2 boxes
    • C:\WINDOWS\system32\opnommj.dll
    • C:\WINDOWS\system32\jmmompo*
  • Click Add Files and Click Close Window
  • Click Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt log.
tetonbob is offline  
Old 07-12-2006, 04:42 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Just so you know...I have several more tools up the sleeve yet....so fear not.
tetonbob is offline  
Old 07-12-2006, 05:01 PM   #7 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 20
OS: Windows XP Professional SP2



Well, I'm cured! Somehow...lol

I was doing just as you said. I pasted those two entries in the add more files boxes and then hit "add". Nothing seemed to happen. I tried it again. Still nothing. I figured it added anyway so I hit "close", and I scanned and it didn't find anything (of course). Then I hit "remove" and it said that it removed nothing.

Bummed, I tried this again, hoping I did something wrong. In the middle of adding the files again, I got an AVG Real-Time Protection Scan warning thingy, and it had said that it found a Yazzle11220inAdmin.exe in my common files. At this point I wondered, "Why the f*** wasn't this picked up in the 20 scans I did before?!" Nonetheless I sent it to my quarantined objects. I didn't think much of it, as I was focused on getting Vundofix to work. This time I thought I might try going to my system32 folder to drag the opnommj.dll onto the add box.

In the system32 folder I scrolled down to the o's. I couldn't find it. I sorted by names and I STILL couldn't find it. Excited, I did an AVG test! YES! A pass!

I guess the .dll was being controlled by that weird executable.. If I find any more bugging remnants I will be sure to reply to this thread.

=========================================================

And my VundoFix.txt, to support my claims :


VundoFix V5.1.2

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.7

Scan started at 3:39:19 PM 7/12/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V5.1.2

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.7

Scan started at 3:41:03 PM 7/12/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

Last edited by D3DAiM; 07-12-2006 at 05:03 PM.
D3DAiM is offline  
Old 07-12-2006, 07:30 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Those yazzle downloaders usually come in groups.

Let's have a look with another tool, please:
  1. Download combofix from one of these locations:
  2. Double click on combofix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


---------------------------------------------------------------------------------------------

Also post a new HJT log.
tetonbob is offline  
Old 07-12-2006, 09:42 PM   #9 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 20
OS: Windows XP Professional SP2


I'm good :D

=========================================================

Combofix.txt:

Start Time= Wed 07/12/2006 20:39:03.68
Running from: C:\Documents and Settings\Joseph\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-12 16:48:24 ( .D... ) "C:\Program Files\SiSoftware"
2006-07-12 15:13:22 ( .D... ) "C:\Program Files\Real Alternative"
2006-07-12 15:13:22 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Real"
2006-07-12 15:12:22 ( .D... ) "C:\Program Files\QuickTime Alternative"
2006-07-12 14:11:56 573492 ( ..SH. ) "C:\WINDOWS\system32\sstqo.dll"
2006-07-12 12:34:34 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-12 12:16:30 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Help"
2006-07-12 03:12:02 ( .D... ) "C:\Program Files\Common Files\{C891986A-07D0-1033-0406-060715050001}"
2006-07-12 03:12:02 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\?ssembly"
2006-07-12 02:37:24 ( .D... ) "C:\Program Files\AC3Filter"
2006-07-12 02:24:42 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\AVG7"
2006-07-12 02:24:22 ( .D... ) "C:\Program Files\Grisoft"
2006-07-12 02:09:54 2 ( A.... ) "C:\WINDOWS\system32\wnststr.exe"
2006-07-12 02:09:44 ( .D... ) "C:\Program Files\Common Files\??mbols"
2006-07-12 01:53:06 ( .D... ) "C:\Program Files\Microsoft Works"
2006-07-12 01:53:06 ( .D... ) "C:\Program Files\Microsoft ActiveSync"
2006-07-12 0100 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\JAMS"
2006-07-12 01:05:56 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\acccore"
2006-07-12 01:05:32 ( .D... ) "C:\Program Files\Jams"
2006-07-12 01:02:54 ( .D... ) "C:\Program Files\Common Files\aolshare"
2006-07-12 01:02:54 ( .D... ) "C:\Program Files\Common Files\AOL"
2006-07-12 01:02:54 ( .D... ) "C:\Program Files\AOL"
2006-07-12 00:27:16 ( .D... ) "C:\Program Files\Winamp"
2006-07-11 21:57:34 ( .D... ) "C:\Program Files\ffdshow"
2006-07-11 21:55:06 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Media Player Classic"
2006-07-11 16:40:50 1082880 ( A.... ) "C:\WINDOWS\system32\AutoPartNt.exe"
2006-07-11 16:25:12 ( .D... ) "C:\Program Files\xerox"
2006-07-11 16:25:12 ( .D... ) "C:\Program Files\netmeeting"
2006-07-11 16:25:12 ( .D... ) "C:\Program Files\microsoft frontpage"
2006-07-11 16:10:38 ( .D... ) "C:\Program Files\Unlocker"
2006-07-11 13:59:28 ( .D... ) "C:\Program Files\Smart Projects"
2006-07-11 13:22:24 ( .D... ) "C:\Program Files\Diskeeper Corporation"
2006-07-11 13:13:50 ( .D... ) "C:\Program Files\Registry Mechanic"
2006-07-11 13:10:54 ( .D... ) "C:\Program Files\Driver Cleaner Pro"
2006-07-11 1320 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Lavasoft"
2006-07-11 1314 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-11 13:01:22 ( .D... ) "C:\Program Files\Common Files\Acronis"
2006-07-11 13:01:20 ( .D... ) "C:\Program Files\Acronis"
2006-07-11 12:54:30 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Webroot"
2006-07-11 12:54:28 ( .D... ) "C:\Program Files\Webroot"
2006-07-11 12:54:28 ( .D... ) "C:\Program Files\Common Files\Webroot Shared"
2006-07-11 12:49:08 ( .D... ) "C:\Program Files\mIRC"
2006-07-11 12:46:18 ( .D... ) "C:\Program Files\CCleaner"
2006-07-11 12:32:38 ( .D... ) "C:\Program Files\OfficeUpdate11"
2006-07-11 12:07:26 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Azureus"
2006-07-11 11:54:26 ( .D... ) "C:\Program Files\Azureus"
2006-07-11 11:51:54 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\AdobeUM"
2006-07-11 11:51:34 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Adobe"
2006-07-11 11:47:46 ( .D... ) "C:\Program Files\Common Files\Adobe Systems Shared"
2006-07-11 11:47:28 ( .D... ) "C:\Program Files\Common Files\Adobe"
2006-07-11 11:47:20 ( .D... ) "C:\Program Files\Adobe"
2006-07-11 11:42:52 ( .D... ) "C:\Program Files\Windows Media Connect 2"
2006-07-11 09:59:52 34308 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2006-07-11 09:55:10 ( .D... ) "C:\Program Files\DAMN NFO Viewer"
2006-07-11 09:44:44 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Macromedia"
2006-07-11 02:28:04 ( .D... ) "C:\Program Files\Common Files\DESIGNER"
2006-07-11 02:28:02 ( .D... ) "C:\Program Files\Microsoft Visual Studio"
2006-07-11 02:27:04 ( .D... ) "C:\Program Files\Microsoft Office"
2006-07-11 02:14:42 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-11 02:13:42 ( .D... ) "C:\Program Files\RivaTuner v2.0 RC 16"
2006-07-11 02:11:44 ( .D... ) "C:\Program Files\PeerGuardian2"
2006-07-11 02:10:58 ( .D... ) "C:\Program Files\SpywareBlaster"
2006-07-11 02:10:34 ( .D... ) "C:\Program Files\Creative"
2006-07-11 02:10:02 409600 ( A.... ) "C:\WINDOWS\system32\wrap_oal.dll"
2006-07-11 02:10:02 86016 ( A.... ) "C:\WINDOWS\system32\OpenAL32.dll"
2006-07-11 02:10:00 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Creative"
2006-07-11 02:09:04 ( .DS.. ) "C:\Program Files\Xfire"
2006-07-11 02:09:04 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Xfire"
2006-07-11 02:08:20 ( .D... ) "C:\Program Files\WinRAR"
2006-07-11 02:01:06 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2006-07-11 02:00:26 ( .D... ) "C:\Program Files\Java"
2006-07-11 02:00:26 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-11 01:57:24 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Mozilla"
2006-07-11 01:57:10 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-07-11 01:53:24 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2006-07-11 01:35:40 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Identities"
2006-07-11 01:35:36 ( .DS.. ) "C:\Documents and Settings\Joseph\Application Data\Microsoft"
2006-07-11 01:32:08 0 ( A.... ) "C:\WINDOWS\AUTOEXEC.BAT"
2006-07-11 01:31:18 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2006-07-11 01:30:34 ( .D... ) "C:\Program Files\Common Files\Services"
2006-07-11 01:30:30 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2006-07-11 01:30:18 ( .D... ) "C:\Program Files\Movie Maker"
2006-07-11 01:30:04 ( .D... ) "C:\Program Files\Outlook Express"
2006-07-11 01:29:58 ( .D... ) "C:\Program Files\Common Files\System"
2006-07-11 01:29:56 ( .D... ) "C:\Program Files\Internet Explorer"
2006-07-11 01:29:40 ( .D... ) "C:\Program Files\Windows Media Player"
2006-07-11 01:29:34 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2006-07-11 01:28:58 ( .D... ) "C:\Program Files\Windows NT"
2006-07-10 17:57:02 ( .D... ) "C:\Program Files\Common Files\ODBC"
2006-07-10 17:57:00 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2006-07-10 17:57:00 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2006-07-10 17:57:00 ( .D... ) "C:\Program Files\Common Files"
2006-07-10 17:56:38 62 ( A.SH. ) "C:\Documents and Settings\Joseph\Application Data\desktop.ini"
2006-06-23 07:49:00 7626752 ( A.... ) "C:\WINDOWS\system32\nvcpl.dll"
2006-06-23 07:49:00 5652480 ( A.... ) "C:\WINDOWS\system32\nvdisps.dll"
2006-06-23 07:49:00 5632000 ( A.... ) "C:\WINDOWS\system32\nvoglnt.dll"
2006-06-23 07:49:00 4492160 ( A.... ) "C:\WINDOWS\system32\nv4_disp.dll"
2006-06-23 07:49:00 3026944 ( A.... ) "C:\WINDOWS\system32\nvgames.dll"
2006-06-23 07:49:00 2924544 ( A.... ) "C:\WINDOWS\system32\nvvitvs.dll"
2006-06-23 07:49:00 1662976 ( A.... ) "C:\WINDOWS\system32\nvwdmcpl.dll"
2006-06-23 07:49:00 1519616 ( A.... ) "C:\WINDOWS\system32\nwiz.exe"
2006-06-23 07:49:00 1466368 ( A.... ) "C:\WINDOWS\system32\nview.dll"
2006-06-23 07:49:00 1339392 ( A.... ) "C:\WINDOWS\system32\nvdspsch.exe"
2006-06-23 07:49:00 1257472 ( A.... ) "C:\WINDOWS\system32\nvwss.dll"
2006-06-23 07:49:00 1019904 ( A.... ) "C:\WINDOWS\system32\nvwimg.dll"
2006-06-23 07:49:00 888832 ( A.... ) "C:\WINDOWS\system32\nvmobls.dll"
2006-06-23 07:49:00 794624 ( A.... ) "C:\WINDOWS\system32\nvcplui.exe"
2006-06-23 07:49:00 581632 ( A.... ) "C:\WINDOWS\system32\nvhwvid.dll"
2006-06-23 07:49:00 466944 ( A.... ) "C:\WINDOWS\system32\nvshell.dll"
2006-06-23 07:49:00 442368 ( A.... ) "C:\WINDOWS\system32\nvappbar.exe"
2006-06-23 07:49:00 425984 ( A.... ) "C:\WINDOWS\system32\keystone.exe"
2006-06-23 07:49:00 311296 ( A.... ) "C:\WINDOWS\system32\nvexpbar.dll"
2006-06-23 07:49:00 286720 ( A.... ) "C:\WINDOWS\system32\nvnt4cpl.dll"
2006-06-23 07:49:00 229376 ( A.... ) "C:\WINDOWS\system32\nvmccs.dll"
2006-06-23 07:49:00 208896 ( A.... ) "C:\WINDOWS\system32\nvudisp.exe"
2006-06-23 07:49:00 196608 ( A.... ) "C:\WINDOWS\system32\nvapi.dll"
2006-06-23 07:49:00 188416 ( A.... ) "C:\WINDOWS\system32\nvmccss.dll"
2006-06-23 07:49:00 155715 ( A.... ) "C:\WINDOWS\system32\nvsvc32.exe"
2006-06-23 07:49:00 147456 ( A.... ) "C:\WINDOWS\system32\nvcolor.exe"
2006-06-23 07:49:00 86016 ( A.... ) "C:\WINDOWS\system32\nvmctray.dll"
2006-06-23 07:49:00 81920 ( A.... ) "C:\WINDOWS\system32\nvwddi.dll"
2006-06-23 07:49:00 45056 ( A.... ) "C:\WINDOWS\system32\nvmccsrs.dll"
2006-06-23 07:49:00 35840 ( A.... ) "C:\WINDOWS\system32\nvcodins.dll"
2006-06-23 07:49:00 35840 ( A.... ) "C:\WINDOWS\system32\nvcod.dll"
2006-06-01 15:39:12 442368 ( A.... ) "C:\WINDOWS\system32\CapabilityTable.exe"
2006-06-01 15:36:28 208896 ( A.... ) "C:\WINDOWS\system32\nvunrm.exe"
2006-06-01 15:36:28 208896 ( A.... ) "C:\WINDOWS\system32\NVUNINST.EXE"
2006-06-01 11:43:48 37888 ( A.... ) "C:\WINDOWS\system32\CTBURST.DLL"
2006-06-01 11:42:34 11776 ( A.... ) "C:\WINDOWS\INRES.DLL"
2006-06-01 11:42:32 146432 ( A.... ) "C:\WINDOWS\system32\ctdvinst.dll"
2006-06-01 11:42:30 81920 ( A.... ) "C:\WINDOWS\system32\ctcoinst.dll"
2006-06-01 11:38:44 33792 ( A.... ) "C:\WINDOWS\system32\a3d.dll"
2006-06-01 11:36:58 26624 ( A.... ) "C:\WINDOWS\system32\AC3API.DLL"
2006-06-01 11:35:00 35840 ( A.... ) "C:\WINDOWS\READREG.EXE"
2006-06-01 11:35:00 3072 ( A.... ) "C:\WINDOWS\CTXFIRES.DLL"
2006-06-01 11:34:58 26112 ( A.... ) "C:\WINDOWS\system32\CTXFIBTN.DLL"
2006-06-01 11:34:58 25088 ( A.... ) "C:\WINDOWS\system32\CTXFISPK.DLL"
2006-06-01 11:34:58 18944 ( A.... ) "C:\WINDOWS\system32\CTXFIHLP.EXE"
2006-06-01 11:34:56 34304 ( A.... ) "C:\WINDOWS\PSCONV.EXE"
2006-06-01 11:34:56 17920 ( A.... ) "C:\WINDOWS\CTHELPER.EXE"
2006-06-01 11:34:56 7168 ( A.... ) "C:\WINDOWS\system32\CTAGENT.DLL"
2006-06-01 11:34:54 30208 ( A.... ) "C:\WINDOWS\system32\CTPCMCIA.DLL"
2006-06-01 11:34:54 23040 ( A.... ) "C:\WINDOWS\system32\CTSPKHLP.DLL"
2006-06-01 11:34:54 11776 ( A.... ) "C:\WINDOWS\system32\CTMMEP.DLL"
2006-06-01 11:34:50 75264 ( A.... ) "C:\WINDOWS\system32\CTSCAL.DLL"
2006-06-01 11:34:50 64000 ( A.... ) "C:\WINDOWS\system32\CTTHXCAL.DLL"
2006-06-01 11:34:50 9216 ( A.... ) "C:\WINDOWS\system32\CTPRES.DLL"
2006-06-01 11:34:48 286208 ( A.... ) "C:\WINDOWS\system32\CTDC0001.DLL"
2006-06-01 11:34:48 129536 ( A.... ) "C:\WINDOWS\system32\CTDCIFCE.DLL"
2006-06-01 11:34:46 190976 ( A.... ) "C:\WINDOWS\system32\CTDC0000.DLL"
2006-06-01 11:34:46 10240 ( A.... ) "C:\WINDOWS\CTDCRES.DLL"
2006-06-01 11:29:40 52224 ( A.... ) "C:\WINDOWS\system32\CTXFISPI.DLL"
2006-06-01 11:29:40 41984 ( A.... ) "C:\WINDOWS\system32\CTXFIREG.EXE"
2006-06-01 11:29:38 729600 ( A.... ) "C:\WINDOWS\system32\CTXFISPI.EXE"
2006-06-01 11:22:34 108032 ( A.... ) "C:\WINDOWS\system32\ctemupia.dll"
2006-06-01 11:22:32 158720 ( A.... ) "C:\WINDOWS\system32\CT20XUT.DLL"
2006-06-01 11:22:32 61952 ( A.... ) "C:\WINDOWS\system32\CTHWIUT.DLL"
2006-06-01 11:22:22 1170432 ( A.... ) "C:\WINDOWS\system32\CTEXFIFX.dll"
2006-06-01 11:22:08 548352 ( A.... ) "C:\WINDOWS\system32\ctsblfx.dll"
2006-06-01 11:22:00 160768 ( A.... ) "C:\WINDOWS\system32\cteapsfx.dll"
2006-06-01 11:21:44 536576 ( A.... ) "C:\WINDOWS\system32\ctaudfx.dll"
2006-06-01 11:21:38 87552 ( A.... ) "C:\WINDOWS\system32\commonfx.dll"
2006-06-01 11:21:36 317952 ( A.... ) "C:\WINDOWS\system32\CTEDSPSY.DLL"
2006-06-01 11:19:12 115200 ( A.... ) "C:\WINDOWS\system32\CTEDSPIO.DLL"
2006-06-01 11:19:02 269824 ( A.... ) "C:\WINDOWS\system32\CTEDSPFX.DLL"
2006-06-01 11:18:54 47616 ( A.... ) "C:\WINDOWS\system32\CTEDASIO.DLL"
2006-06-01 11:18:52 200192 ( A.... ) "C:\WINDOWS\system32\CT_OAL.DLL"
2006-06-01 11:18:50 74752 ( A.... ) "C:\WINDOWS\system32\CTASIO.DLL"
2006-06-01 11:18:48 71680 ( A.... ) "C:\WINDOWS\system32\ctdproxy.dll"
2006-06-01 11:18:18 132096 ( A.... ) "C:\WINDOWS\system32\CTOSUSER.DLL"
2006-06-01 11:18:16 120832 ( A.... ) "C:\WINDOWS\system32\SFMS32.DLL"
2006-06-01 11:18:16 21504 ( A.... ) "C:\WINDOWS\system32\sfman32.dll"
2006-06-01 11:18:10 73728 ( A.... ) "C:\WINDOWS\system32\piaproxy.dll"
2006-06-01 11:18:10 33792 ( A.... ) "C:\WINDOWS\system32\REGPLIB.EXE"
2006-06-01 11:15:54 4096 ( A.... ) "C:\WINDOWS\system32\ENLOCSTR.EXE"
2006-06-01 11:15:52 9216 ( A.... ) "C:\WINDOWS\system32\KILLAPPS.EXE"
2006-06-01 11:15:40 47104 ( A.... ) "C:\WINDOWS\system32\DEVREG.DLL"
2006-06-01 11:15:40 25600 ( A.... ) "C:\WINDOWS\MIDIDEF.EXE"
2006-05-26 06:29:14 5120 ( A.... ) "C:\WINDOWS\system32\ff_vfw.dll"
2006-05-19 05:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 05:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 05:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-05-16 19:23:20 159232 ( A.... ) "C:\WINDOWS\system32\fdco_l1034.dll"
2006-05-16 19:23:18 158720 ( A.... ) "C:\WINDOWS\system32\fdco_l1046.dll"
2006-05-16 19:23:18 156672 ( A.... ) "C:\WINDOWS\system32\fdco_l1042.dll"
2006-05-16 19:23:16 156672 ( A.... ) "C:\WINDOWS\system32\fdco_l1041.dll"
2006-05-16 19:23:14 158720 ( A.... ) "C:\WINDOWS\system32\fdco_l1040.dll"
2006-05-16 19:23:12 159232 ( A.... ) "C:\WINDOWS\system32\fdco_l1031.dll"
2006-05-16 19:23:10 159232 ( A.... ) "C:\WINDOWS\system32\fdco_l1036.dll"
2006-05-16 19:23:08 155648 ( A.... ) "C:\WINDOWS\system32\fdco_l1028.dll"
2006-05-16 19:23:08 155136 ( A.... ) "C:\WINDOWS\system32\fdco_l2052.dll"
2006-05-16 19:23:02 205312 ( A.... ) "C:\WINDOWS\system32\fdco1.dll"
2006-05-16 19:22:46 10240 ( A.... ) "C:\WINDOWS\system32\bdco1ins.dll"
2006-05-16 19:22:46 10240 ( A.... ) "C:\WINDOWS\system32\bdco1.dll"
2006-05-12 15:26:52 208896 ( A.... ) "C:\WINDOWS\system32\nvusmb.exe"
2006-05-09 22:36:46 6656 ( ..... ) "C:\WINDOWS\system32\WdfMgr.exe"
2006-05-09 22:36:46 6656 ( ..... ) "C:\WINDOWS\system32\uWDF.exe"
2006-05-09 22:26:34 7706112 ( A.... ) "C:\WINDOWS\system32\wmploc.dll"
2006-05-09 22:26:34 1641472 ( ..... ) "C:\WINDOWS\system32\wmpencen.dll"
2006-05-09 22:26:34 1280000 ( A.... ) "C:\WINDOWS\system32\WMSPDMOE.dll"
2006-05-09 22:26:34 1063424 ( A.... ) "C:\WINDOWS\system32\WMADMOE.dll"
2006-05-09 22:26:34 992256 ( A.... ) "C:\WINDOWS\system32\WMNetMgr.dll"
2006-05-09 22:26:34 705024 ( A.... ) "C:\WINDOWS\system32\WMADMOD.dll"
2006-05-09 22:26:34 564736 ( A.... ) "C:\WINDOWS\system32\WMSPDMOD.dll"
2006-05-09 22:26:34 433152 ( ..... ) "C:\WINDOWS\system32\wmpeffects.dll"
2006-05-09 22:26:34 417280 ( ..... ) "C:\WINDOWS\system32\wmdrmdev.dll"
2006-05-09 22:26:34 337408 ( ..... ) "C:\WINDOWS\system32\wmdrmnet.dll"
2006-05-09 22:26:34 306688 ( A.... ) "C:\WINDOWS\system32\MSWMDM.dll"
2006-05-09 22:26:34 301056 ( A.... ) "C:\WINDOWS\system32\wmpdxm.dll"
2006-05-09 22:26:34 267776 ( ..... ) "C:\WINDOWS\system32\Audiodev.dll"
2006-05-09 22:26:34 237056 ( A.... ) "C:\WINDOWS\system32\wmpasf.dll"
2006-05-09 22:26:34 221696 ( A.... ) "C:\WINDOWS\system32\WMASF.dll"
2006-05-09 22:26:34 219648 ( A.... ) "C:\WINDOWS\system32\CEWMDM.dll"
2006-05-09 22:26:34 212480 ( A.... ) "C:\WINDOWS\system32\msnetobj.dll"
2006-05-09 22:26:34 203776 ( ..... ) "C:\WINDOWS\system32\wmpsrcwp.dll"
2006-05-09 22:26:34 201728 ( A.... ) "C:\WINDOWS\system32\qasf.dll"
2006-05-09 22:26:34 165376 ( A.... ) "C:\WINDOWS\system32\MsPMSP.dll"
2006-05-09 22:26:34 155136 ( A.... ) "C:\WINDOWS\system32\wmidx.dll"
2006-05-09 22:26:34 135680 ( ..... ) "C:\WINDOWS\system32\wmpps.dll"
2006-05-09 22:26:34 97792 ( A.... ) "C:\WINDOWS\system32\wmpshell.dll"
2006-05-09 22:26:34 36864 ( A.... ) "C:\WINDOWS\system32\WMDMPS.dll"
2006-05-09 22:26:34 31744 ( A.... ) "C:\WINDOWS\system32\WMDMLOG.dll"
2006-05-09 22:26:34 26112 ( A.... ) "C:\WINDOWS\system32\MsPMSNSv.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmoe2.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmod.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmoe2.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmod.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\MPG4DMOD.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\MP4SDMOD.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\MP43DMOD.dll"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\WMVADVE.DLL"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\WMVADVD.dll"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\wdfApi.dll"
2006-05-09 22:26:32 218112 ( A.... ) "C:\WINDOWS\system32\wmerror.dll"
2006-05-09 22:26:32 9728 ( A.... ) "C:\WINDOWS\system32\LAPRXY.dll"
2006-05-09 22:26:32 7168 ( A.... ) "C:\WINDOWS\system32\asferror.dll"
2006-05-09 22:22:32 2463744 ( A.... ) "C:\WINDOWS\system32\wmvcore.dll"
2006-05-09 21:02:02 84480 ( A.... ) "C:\WINDOWS\system32\logagent.exe"
2006-05-09 21:01:06 1463808 ( ..... ) "C:\WINDOWS\system32\WMVDECOD.dll"
2006-05-09 21:01:06 1359360 ( ..... ) "C:\WINDOWS\system32\WMVSDECD.dll"
2006-05-09 21:00:58 1455616 ( ..... ) "C:\WINDOWS\system32\WMVENCOD.dll"
2006-05-09 21:00:58 770560 ( ..... ) "C:\WINDOWS\system32\WMVSENCD.dll"
2006-05-09 21:00:58 299520 ( ..... ) "C:\WINDOWS\system32\MP4SDECD.dll"
2006-05-09 21:00:58 241152 ( ..... ) "C:\WINDOWS\system32\MPG4DECD.dll"
2006-05-09 21:00:56 636928 ( ..... ) "C:\WINDOWS\system32\WMVXENCD.dll"
2006-05-09 21:00:56 241152 ( ..... ) "C:\WINDOWS\system32\MP43DECD.dll"
2006-05-09 21:00:22 546816 ( ..... ) "C:\WINDOWS\system32\wmpmde.dll"
2006-05-09 21:00:08 382976 ( ..... ) "C:\WINDOWS\system32\MFPLAT.dll"
2006-05-09 21:00:02 1350656 ( A.... ) "C:\WINDOWS\system32\drmv2clt.dll"
2006-05-09 20:59:34 513536 ( ..... ) "C:\WINDOWS\system32\wmdrmsdk.dll"
2006-05-09 20:59:20 417280 ( A.... ) "C:\WINDOWS\system32\MSSCP.dll"
2006-05-09 20:59:18 229376 ( ..... ) "C:\WINDOWS\system32\drmupgds.exe"
2006-05-09 20:59:14 585216 ( A.... ) "C:\WINDOWS\system32\blackbox.dll"
2006-05-09 20:58:54 3745280 ( ..... ) "C:\WINDOWS\system32\WpdShext.dll"
2006-05-09 20:58:54 52224 ( ..... ) "C:\WINDOWS\system32\WPDShServiceObj.dll"
2006-05-09 20:58:54 13824 ( ..... ) "C:\WINDOWS\system32\wpdshextautoplay.exe"
2006-05-09 20:58:50 670208 ( ..... ) "C:\WINDOWS\system32\wpd_ci.dll"
2006-05-09 20:58:50 103424 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWiaCompat.dll"
2006-05-09 20:58:48 345600 ( ..... ) "C:\WINDOWS\system32\PortableDeviceApi.dll"
2006-05-09 20:58:48 188928 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWMDRM.dll"
2006-05-09 20:58:48 101376 ( ..... ) "C:\WINDOWS\system32\PortableDeviceClassExtension.dll"
2006-05-09 20:58:46 343552 ( ..... ) "C:\WINDOWS\system32\WPDSp.dll"
2006-05-09 20:58:40 144896 ( ..... ) "C:\WINDOWS\system32\wpdmtp.dll"
2006-05-09 20:58:40 55808 ( ..... ) "C:\WINDOWS\system32\wpdmtpus.dll"
2006-05-09 20:58:40 35840 ( ..... ) "C:\WINDOWS\system32\wpdconns.dll"
2006-05-09 20:58:38 168960 ( ..... ) "C:\WINDOWS\system32\PortableDeviceTypes.dll"
2006-05-09 20:58:38 13312 ( ..... ) "C:\WINDOWS\system32\wpdtrace.dll"
2006-05-09 20:57:06 11264 ( ..... ) "C:\WINDOWS\system32\ehETW.dll"
2006-05-09 20:45:20 304640 ( ..... ) "C:\WINDOWS\system32\MSDelta.dll"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"
2006-05-01 17:27:02 289792 ( A.... ) "C:\WINDOWS\system32\idecoiins.dll"
2006-05-01 17:27:02 289792 ( A.... ) "C:\WINDOWS\system32\idecoi.dll"
2006-04-27 17:49:30 288417 ( A.... ) "C:\WINDOWS\system32\SrchSTS.exe"
2006-04-14 14:01:20 35840 ( A.... ) "C:\WINDOWS\system32\NVCOI.DLL"
2006-04-14 14:00:54 208896 ( ..... ) "C:\WINDOWS\system32\nvuide.exe"
2006-04-12 14:36:54 200704 ( A.... ) "C:\WINDOWS\system32\snapapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-12 16:20 266,360 C:\WINDOWS\system32\TweakUI.exe
2006-07-12 15:13 6,656 C:\WINDOWS\system32\pndx5016.dll
2006-07-12 15:13 5,632 C:\WINDOWS\system32\pndx5032.dll
2006-07-12 15:13 278,528 C:\WINDOWS\system32\pncrt.dll
2006-07-12 15:13 176,167 C:\WINDOWS\system32\rmoc3260.dll
2006-07-12 14:11 573,492 C:\WINDOWS\system32\sstqo.dll
2006-07-12 11:45 53,248 C:\WINDOWS\system32\Process.exe
2006-07-12 11:45 42,496 C:\WINDOWS\system32\swreg.exe
2006-07-12 11:45 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-12 11:45 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-12 02:18 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-07-12 02:18 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-07-12 02:09 2 C:\WINDOWS\system32\wnststr.exe
2006-07-12 01:42 888,832 C:\WINDOWS\system32\nvmobls.dll
2006-07-12 01:42 86,016 C:\WINDOWS\system32\nvmctray.dll
2006-07-12 01:42 81,920 C:\WINDOWS\system32\nvwddi.dll
2006-07-12 01:42 794,624 C:\WINDOWS\system32\nvcplui.exe
2006-07-12 01:42 7,626,752 C:\WINDOWS\system32\nvcpl.dll
2006-07-12 01:42 581,632 C:\WINDOWS\system32\nvhwvid.dll
2006-07-12 01:42 5,652,480 C:\WINDOWS\system32\nvdisps.dll
2006-07-12 01:42 5,632,000 C:\WINDOWS\system32\nvoglnt.dll
2006-07-12 01:42 466,944 C:\WINDOWS\system32\nvshell.dll
2006-07-12 01:42 45,056 C:\WINDOWS\system32\nvmccsrs.dll
2006-07-12 01:42 442,368 C:\WINDOWS\system32\nvappbar.exe
2006-07-12 01:42 425,984 C:\WINDOWS\system32\keystone.exe
2006-07-12 01:42 35,840 C:\WINDOWS\system32\nvcodins.dll
2006-07-12 01:42 35,840 C:\WINDOWS\system32\nvcod.dll
2006-07-12 01:42 311,296 C:\WINDOWS\system32\nvexpbar.dll
2006-07-12 01:42 3,026,944 C:\WINDOWS\system32\nvgames.dll
2006-07-12 01:42 286,720 C:\WINDOWS\system32\nvnt4cpl.dll
2006-07-12 01:42 229,376 C:\WINDOWS\system32\nvmccs.dll
2006-07-12 01:42 208,896 C:\WINDOWS\system32\nvudisp.exe
2006-07-12 01:42 2,924,544 C:\WINDOWS\system32\nvvitvs.dll
2006-07-12 01:42 196,608 C:\WINDOWS\system32\nvapi.dll
2006-07-12 01:42 188,416 C:\WINDOWS\system32\nvmccss.dll
2006-07-12 01:42 155,715 C:\WINDOWS\system32\nvsvc32.exe
2006-07-12 01:42 147,456 C:\WINDOWS\system32\nvcolor.exe
2006-07-12 01:42 1,662,976 C:\WINDOWS\system32\nvwdmcpl.dll
2006-07-12 01:42 1,519,616 C:\WINDOWS\system32\nwiz.exe
2006-07-12 01:42 1,466,368 C:\WINDOWS\system32\nview.dll
2006-07-12 01:42 1,339,392 C:\WINDOWS\system32\nvdspsch.exe
2006-07-12 01:42 1,257,472 C:\WINDOWS\system32\nvwss.dll
2006-07-12 01:42 1,019,904 C:\WINDOWS\system32\nvwimg.dll
2006-07-12 01:17 306,688 C:\WINDOWS\IsUninst.exe
2006-07-11 14:24 1,082,880 C:\WINDOWS\system32\AutoPartNt.exe
2006-07-11 13:13 24,576 C:\WINDOWS\system32\STKIT432.DLL
2006-07-11 12:54 57,344 C:\WINDOWS\Unwash6.exe
2006-07-11 12:54 487,936 C:\WINDOWS\system32\wwSecure.exe
2006-07-11 10:28 221,184 C:\WINDOWS\system32\wmpns.dll
2006-07-11 09:59 34,308 C:\WINDOWS\system32\BASSMOD.dll
2006-07-11 09:59 113,118 C:\WINDOWS\system32\twk-winupdatepatch.exe
2006-07-11 02:28 24,816 C:\WINDOWS\system32\mdimon.dll
2006-07-11 02:27 22,752 C:\WINDOWS\system32\spupdsvc.exe
2006-07-11 02:24 18,200 C:\WINDOWS\system32\wups2.dll
2006-07-11 02:10 86,016 C:\WINDOWS\system32\OpenAL32.dll
2006-07-11 02:10 409,600 C:\WINDOWS\system32\wrap_oal.dll
2006-07-11 02:10 4,096 C:\WINDOWS\system32\ksuser.dll
2006-07-11 02:10 118,784 C:\WINDOWS\system32\MSSTDFMT.DLL
2006-07-11 02:09 3,072 C:\WINDOWS\CTXFIRES.DLL
2006-07-11 02:09 11,776 C:\WINDOWS\INRES.DLL
2006-07-11 02:09 10,240 C:\WINDOWS\CTDCRES.DLL
2006-07-11 02:00 53,346 C:\WINDOWS\system32\javaw.exe
2006-07-11 02:00 49,248 C:\WINDOWS\system32\java.exe
2006-07-11 02:00 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-11 01:54 442,368 C:\WINDOWS\system32\CapabilityTable.exe
2006-07-11 01:53 35,840 C:\WINDOWS\system32\nvconrm.dll
2006-07-11 01:53 35,840 C:\WINDOWS\system32\NVCOI.DLL
2006-07-11 01:53 289,792 C:\WINDOWS\system32\idecoiins.dll
2006-07-11 01:53 208,896 C:\WINDOWS\system32\nvusmb.exe
2006-07-11 01:53 208,896 C:\WINDOWS\system32\nvunrm.exe
2006-07-11 01:53 208,896 C:\WINDOWS\system32\NVUNINST.EXE
2006-07-11 01:53 208,896 C:\WINDOWS\system32\nvuide.exe
2006-07-11 01:53 205,312 C:\WINDOWS\system32\fdco1.dll
2006-07-11 01:53 159,232 C:\WINDOWS\system32\fdco_l1036.dll
2006-07-11 01:53 159,232 C:\WINDOWS\system32\fdco_l1034.dll
2006-07-11 01:53 159,232 C:\WINDOWS\system32\fdco_l1031.dll
2006-07-11 01:53 158,720 C:\WINDOWS\system32\fdco_l1046.dll
2006-07-11 01:53 158,720 C:\WINDOWS\system32\fdco_l1040.dll
2006-07-11 01:53 156,672 C:\WINDOWS\system32\fdco_l1042.dll
2006-07-11 01:53 156,672 C:\WINDOWS\system32\fdco_l1041.dll
2006-07-11 01:53 155,648 C:\WINDOWS\system32\fdco_l1028.dll
2006-07-11 01:53 155,136 C:\WINDOWS\system32\fdco_l2052.dll
2006-07-11 01:53 10,240 C:\WINDOWS\system32\bdco1ins.dll
2006-07-11 01:53 10,240 C:\WINDOWS\system32\bdco1.dll
2006-07-11 01:40 35,328 C:\WINDOWS\system32\iprip.dll
2006-07-11 01:40 18,944 C:\WINDOWS\system32\simptcp.dll
2006-07-11 01:32 0 C:\WINDOWS\AUTOEXEC.BAT
2006-07-11 01:32 0 C:\MSDOS.SYS
2006-07-11 01:32 0 C:\IO.SYS
2006-07-11 01:32 0 C:\CONFIG.SYS
2006-07-11 01:31 112,128 C:\WINDOWS\system32\mapi32.dll
2006-07-11 01:30 81,920 C:\WINDOWS\system32\isign32.dll
2006-07-11 01:30 81,920 C:\WINDOWS\system32\ils.dll
2006-07-11 01:30 8,192 C:\WINDOWS\system32\bitsprx2.dll
2006-07-11 01:30 73,728 C:\WINDOWS\system32\icwdial.dll
2006-07-11 01:30 7,168 C:\WINDOWS\system32\bitsprx3.dll
2006-07-11 01:30 69,632 C:\WINDOWS\system32\msconf.dll
2006-07-11 01:30 679,424 C:\WINDOWS\system32\inetcomm.dll
2006-07-11 01:30 67,584 C:\WINDOWS\system32\srclient.dll
2006-07-11 01:30 65,536 C:\WINDOWS\system32\icwphbk.dll
2006-07-11 01:30 64,512 C:\WINDOWS\system32\acctres.dll
2006-07-11 01:30 6,656 C:\WINDOWS\system32\wuauserv.dll
2006-07-11 01:30 48,128 C:\WINDOWS\system32\inetres.dll
2006-07-11 01:30 465,176 C:\WINDOWS\system32\wuapi.dll
2006-07-11 01:30 45,568 C:\WINDOWS\system32\safrslv.dll
2006-07-11 01:30 43,520 C:\WINDOWS\system32\safrcdlg.dll
2006-07-11 01:30 43,520 C:\WINDOWS\system32\racpldlg.dll
2006-07-11 01:30 41,240 C:\WINDOWS\system32\wups.dll
2006-07-11 01:30 382,464 C:\WINDOWS\system32\qmgr.dll
2006-07-11 01:30 34,560 C:\WINDOWS\system32\mnmdd.dll
2006-07-11 01:30 32,768 C:\WINDOWS\system32\mnmsrvc.exe
2006-07-11 01:30 32,768 C:\WINDOWS\system32\isrdbg32.dll
2006-07-11 01:30 29,696 C:\WINDOWS\system32\safrdm.dll
2006-07-11 01:30 28,672 C:\WINDOWS\system32\nmmkcert.dll
2006-07-11 01:30 274,944 C:\WINDOWS\system32\mstask.dll
2006-07-11 01:30 274,432 C:\WINDOWS\system32\inetcfg.dll
2006-07-11 01:30 252,928 C:\WINDOWS\system32\msoeacct.dll
2006-07-11 01:30 239,104 C:\WINDOWS\system32\srrstr.dll
2006-07-11 01:30 22,528 C:\WINDOWS\system32\fltMc.exe
2006-07-11 01:30 194,328 C:\WINDOWS\system32\wuaueng1.dll
2006-07-11 01:30 190,976 C:\WINDOWS\system32\schedsvc.dll
2006-07-11 01:30 18,944 C:\WINDOWS\system32\qmgrprxy.dll
2006-07-11 01:30 173,536 C:\WINDOWS\system32\wuweb.dll
2006-07-11 01:30 172,312 C:\WINDOWS\system32\wuauclt1.exe
2006-07-11 01:30 170,496 C:\WINDOWS\system32\srsvc.dll
2006-07-11 01:30 16,896 C:\WINDOWS\system32\fltlib.dll
2006-07-11 01:30 16,384 C:\WINDOWS\system32\icfgnt5.dll
2006-07-11 01:30 127,256 C:\WINDOWS\system32\wucltui.dll
2006-07-11 01:30 124,184 C:\WINDOWS\system32\wuauclt.exe
2006-07-11 01:30 12,288 C:\WINDOWS\system32\nmevtmsg.dll
2006-07-11 01:30 12,288 C:\WINDOWS\system32\mstinit.exe
2006-07-11 01:30 11,264 C:\WINDOWS\system32\atrace.dll
2006-07-11 01:30 105,984 C:\WINDOWS\system32\msoert2.dll
2006-07-11 01:30 1,343,768 C:\WINDOWS\system32\wuaueng.dll
2006-07-11 01:29 97,792 C:\WINDOWS\system32\comrepl.dll
2006-07-11 01:29 9,728 C:\WINDOWS\system32\reset.exe
2006-07-11 01:29 80,384 C:\WINDOWS\system32\charmap.exe
2006-07-11 01:29 73,216 C:\WINDOWS\system32\avwav.dll
2006-07-11 01:29 605,696 C:\WINDOWS\system32\getuname.dll
2006-07-11 01:29 56,832 C:\WINDOWS\system32\sol.exe
2006-07-11 01:29 55,296 C:\WINDOWS\system32\freecell.exe
2006-07-11 01:29 54,272 C:\WINDOWS\system32\stclient.dll
2006-07-11 01:29 5,632 C:\WINDOWS\system32\write.exe
2006-07-11 01:29 5,120 C:\WINDOWS\system32\dcomcnfg.exe
2006-07-11 01:29 44,544 C:\WINDOWS\system32\hticons.dll
2006-07-11 01:29 4,096 C:\WINDOWS\system32\rdpcfgex.dll
2006-07-11 01:29 4,096 C:\WINDOWS\system32\mtxex.dll
2006-07-11 01:29 35,328 C:\WINDOWS\system32\winchat.exe
2006-07-11 01:29 33,792 C:\WINDOWS\system32\regini.exe
2006-07-11 01:29 25,600 C:\WINDOWS\system32\comaddin.dll
2006-07-11 01:29 25,088 C:\WINDOWS\system32\mtxlegih.dll
2006-07-11 01:29 227,840 C:\WINDOWS\system32\avtapi.dll
2006-07-11 01:29 22,016 C:\WINDOWS\system32\qwinsta.exe
2006-07-11 01:29 20,992 C:\WINDOWS\system32\msg.exe
2006-07-11 01:29 20,480 C:\WINDOWS\system32\mtxdm.dll
2006-07-11 01:29 16,896 C:\WINDOWS\system32\tsshutdn.exe
2006-07-11 01:29 16,896 C:\WINDOWS\system32\qappsrv.exe
2006-07-11 01:29 16,384 C:\WINDOWS\system32\tskill.exe
2006-07-11 01:29 16,384 C:\WINDOWS\system32\avmeter.dll
2006-07-11 01:29 15,872 C:\WINDOWS\system32\rwinsta.exe
2006-07-11 01:29 15,872 C:\WINDOWS\system32\cdmodem.dll
2006-07-11 01:29 15,360 C:\WINDOWS\system32\logoff.exe
2006-07-11 01:29 147,456 C:\WINDOWS\system32\comsnap.dll
2006-07-11 01:29 14,848 C:\WINDOWS\system32\tsdiscon.exe
2006-07-11 01:29 14,848 C:\WINDOWS\system32\tscon.exe
2006-07-11 01:29 14,848 C:\WINDOWS\system32\shadow.exe
2006-07-11 01:29 138,752 C:\WINDOWS\system32\sndvol32.exe
2006-07-11 01:29 126,976 C:\WINDOWS\system32\mshearts.exe
2006-07-11 01:29 119,808 C:\WINDOWS\system32\winmine.exe
2006-07-11 01:29 114,688 C:\WINDOWS\system32\calc.exe
2006-07-11 01:29 1,161 C:\WINDOWS\system32\usrlogon.cmd
2006-07-11 01:28 956,416 C:\WINDOWS\system32\msdtctm.dll
2006-07-11 01:28 93,696 C:\WINDOWS\system32\tscfgwmi.dll
2006-07-11 01:28 91,136 C:\WINDOWS\system32\mtxoci.dll
2006-07-11 01:28 87,176 C:\WINDOWS\system32\rdpwsx.dll
2006-07-11 01:28 85,504 C:\WINDOWS\system32\catsrvps.dll
2006-07-11 01:28 67,072 C:\WINDOWS\system32\rdshost.exe
2006-07-11 01:28 655,360 C:\WINDOWS\system32\mstscax.dll
2006-07-11 01:28 625,152 C:\WINDOWS\system32\catsrvut.dll
2006-07-11 01:28 62,464 C:\WINDOWS\system32\rdpclip.exe
2006-07-11 01:28 60,416 C:\WINDOWS\system32\remotepg.dll
2006-07-11 01:28 60,416 C:\WINDOWS\system32\colbact.dll
2006-07-11 01:28 6,144 C:\WINDOWS\system32\msdtc.exe
2006-07-11 01:28 58,880 C:\WINDOWS\system32\msdtclog.dll
2006-07-11 01:28 58,880 C:\WINDOWS\system32\licwmi.dll
2006-07-11 01:28 56,320 C:\WINDOWS\system32\servdeps.dll
2006-07-11 01:28 540,160 C:\WINDOWS\system32\comuid.dll
2006-07-11 01:28 538,624 C:\WINDOWS\system32\spider.exe
2006-07-11 01:28 498,688 C:\WINDOWS\system32\clbcatq.dll
2006-07-11 01:28 44,544 C:\WINDOWS\system32\tscupgrd.exe
2006-07-11 01:28 426,496 C:\WINDOWS\system32\msdtcprx.dll
2006-07-11 01:28 407,552 C:\WINDOWS\system32\mstsc.exe
2006-07-11 01:28 38,912 C:\WINDOWS\system32\cfgbkend.dll
2006-07-11 01:28 347,136 C:\WINDOWS\system32\hypertrm.dll
2006-07-11 01:28 343,040 C:\WINDOWS\system32\mspaint.exe
2006-07-11 01:28 295,424 C:\WINDOWS\system32\termsrv.dll
2006-07-11 01:28 225,792 C:\WINDOWS\system32\catsrv.dll
2006-07-11 01:28 20,480 C:\WINDOWS\system32\qprocess.exe
2006-07-11 01:28 19,968 C:\WINDOWS\system32\rdpsnd.dll
2006-07-11 01:28 185,344 C:\WINDOWS\system32\cmprops.dll
2006-07-11 01:28 183,808 C:\WINDOWS\system32\accwiz.exe
2006-07-11 01:28 17,408 C:\WINDOWS\system32\mmfutil.dll
2006-07-11 01:28 161,280 C:\WINDOWS\system32\msdtcuiu.dll
2006-07-11 01:28 147,968 C:\WINDOWS\system32\rdchost.dll
2006-07-11 01:28 140,800 C:\WINDOWS\system32\sessmgr.exe
2006-07-11 01:28 131,584 C:\WINDOWS\system32\sndrec32.exe
2006-07-11 01:28 13,824 C:\WINDOWS\system32\rdsaddin.exe
2006-07-11 01:28 123,392 C:\WINDOWS\system32\mplay32.exe
2006-07-11 01:28 110,080 C:\WINDOWS\system32\clbcatex.dll
2006-07-11 01:28 11,776 C:\WINDOWS\system32\xolehlp.dll
2006-07-11 01:28 11,264 C:\WINDOWS\system32\icaapi.dll
2006-07-11 01:28 102,912 C:\WINDOWS\system32\clipbrd.exe
2006-07-11 01:28 1,267,200 C:\WINDOWS\system32\comsvcs.dll
2006-07-10 17:58 21,504 C:\WINDOWS\system32\hidserv.dll
2006-07-10 17:57 8,192 C:\WINDOWS\system32\wshirda.dll
2006-07-10 17:57 74,240 C:\WINDOWS\system32\usbui.dll
2006-07-10 17:57 27,136 C:\WINDOWS\system32\irmon.dll
2006-07-10 17:57 152,576 C:\WINDOWS\system32\irftp.exe
2006-07-10 17:56 85,020 C:\WINDOWS\system32\dgsetup.dll
2006-07-10 17:56 8,704 C:\WINDOWS\system32\batt.dll
2006-07-10 17:56 8,192 C:\WINDOWS\system32\kbdhept.dll
2006-07-10 17:56 74,752 C:\WINDOWS\system32\storprop.dll
2006-07-10 17:56 7,168 C:\WINDOWS\system32\kbdcz.dll
2006-07-10 17:56 69,120 C:\WINDOWS\NOTEPAD.EXE
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdycl.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdsl1.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdsl.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdpl.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdhu.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdhela3.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdcz2.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdcz1.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdcr.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\KBDAL.DLL
2006-07-10 17:56 6,144 C:\WINDOWS\system32\kbdtuq.dll
2006-07-10 17:56 6,144 C:\WINDOWS\system32\kbdtuf.dll
2006-07-10 17:56 6,144 C:\WINDOWS\system32\kbdlv1.dll
2006-07-10 17:56 6,144 C:\WINDOWS\system32\kbdlv.dll
2006-07-10 17:56 6,144 C:\WINDOWS\system32\kbdhela2.dll
2006-07-10 17:56 6,144 C:\WINDOWS\system32\kbdgkl.dll
2006-07-10 17:56 6,144 C:\WINDOWS\system32\kbdest.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdycc.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbduzb.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdur.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdtat.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdru1.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdru.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdro.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdpl1.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdmon.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdlt1.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdlt.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdkyr.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdkaz.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdhu1.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdhe319.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdhe220.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdhe.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdbu.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdblr.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdazel.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdaze.dll
2006-07-10 17:56 24,661 C:\WINDOWS\system32\spxcoins.dll
2006-07-10 17:56 176,157 C:\WINDOWS\system32\dgrpsetu.dll
2006-07-10 17:56 15,360 C:\WINDOWS\TASKMAN.EXE
2006-07-10 17:56 13,312 C:\WINDOWS\system32\irclass.dll
2006-07-10 17:56 103,424 C:\WINDOWS\system32\EqnClass.Dll
2006-07-10 17:51 2,145,386,496 C:\pagefile.sys
2006-06-01 11:43 37,888 C:\WINDOWS\system32\CTBURST.DLL
2006-06-01 11:42 81,920 C:\WINDOWS\system32\ctcoinst.dll
2006-06-01 11:42 146,432 C:\WINDOWS\system32\ctdvinst.dll
2006-06-01 11:38 33,792 C:\WINDOWS\system32\a3d.dll
2006-06-01 11:36 26,624 C:\WINDOWS\system32\AC3API.DLL
2006-06-01 11:35 35,840 C:\WINDOWS\READREG.EXE
2006-06-01 11:34 9,216 C:\WINDOWS\system32\CTPRES.DLL
2006-06-01 11:34 75,264 C:\WINDOWS\system32\CTSCAL.DLL
2006-06-01 11:34 7,168 C:\WINDOWS\system32\CTAGENT.DLL
2006-06-01 11:34 64,000 C:\WINDOWS\system32\CTTHXCAL.DLL
2006-06-01 11:34 34,304 C:\WINDOWS\PSCONV.EXE
2006-06-01 11:34 30,208 C:\WINDOWS\system32\CTPCMCIA.DLL
2006-06-01 11:34 286,208 C:\WINDOWS\system32\CTDC0001.DLL
2006-06-01 11:34 26,112 C:\WINDOWS\system32\CTXFIBTN.DLL
2006-06-01 11:34 25,088 C:\WINDOWS\system32\CTXFISPK.DLL
2006-06-01 11:34 23,040 C:\WINDOWS\system32\CTSPKHLP.DLL
2006-06-01 11:34 190,976 C:\WINDOWS\system32\CTDC0000.DLL
2006-06-01 11:34 18,944 C:\WINDOWS\system32\CTXFIHLP.EXE
2006-06-01 11:34 17,920 C:\WINDOWS\CTHELPER.EXE
2006-06-01 11:34 129,536 C:\WINDOWS\system32\CTDCIFCE.DLL
2006-06-01 11:34 11,776 C:\WINDOWS\system32\CTMMEP.DLL
2006-06-01 11:29 729,600 C:\WINDOWS\system32\CTXFISPI.EXE
2006-06-01 11:29 52,224 C:\WINDOWS\system32\CTXFISPI.DLL
2006-06-01 11:29 41,984 C:\WINDOWS\system32\CTXFIREG.EXE
2006-06-01 11:22 61,952 C:\WINDOWS\system32\CTHWIUT.DLL
2006-06-01 11:22 548,352 C:\WINDOWS\system32\ctsblfx.dll
2006-06-01 11:22 160,768 C:\WINDOWS\system32\cteapsfx.dll
2006-06-01 11:22 158,720 C:\WINDOWS\system32\CT20XUT.DLL
2006-06-01 11:22 108,032 C:\WINDOWS\system32\ctemupia.dll
2006-06-01 11:22 1,170,432 C:\WINDOWS\system32\CTEXFIFX.dll
2006-06-01 11:21 87,552 C:\WINDOWS\system32\commonfx.dll
2006-06-01 11:21 536,576 C:\WINDOWS\system32\ctaudfx.dll
2006-06-01 11:21 317,952 C:\WINDOWS\system32\CTEDSPSY.DLL
2006-06-01 11:19 269,824 C:\WINDOWS\system32\CTEDSPFX.DLL
2006-06-01 11:19 115,200 C:\WINDOWS\system32\CTEDSPIO.DLL
2006-06-01 11:18 74,752 C:\WINDOWS\system32\CTASIO.DLL
2006-06-01 11:18 73,728 C:\WINDOWS\system32\piaproxy.dll
2006-06-01 11:18 71,680 C:\WINDOWS\system32\ctdproxy.dll
2006-06-01 11:18 47,616 C:\WINDOWS\system32\CTEDASIO.DLL
2006-06-01 11:18 33,792 C:\WINDOWS\system32\REGPLIB.EXE
2006-06-01 11:18 21,504 C:\WINDOWS\system32\sfman32.dll
2006-06-01 11:18 200,192 C:\WINDOWS\system32\CT_OAL.DLL
2006-06-01 11:18 132,096 C:\WINDOWS\system32\CTOSUSER.DLL
2006-06-01 11:18 120,832 C:\WINDOWS\system32\SFMS32.DLL
2006-06-01 11:15 9,216 C:\WINDOWS\system32\KILLAPPS.EXE
2006-06-01 11:15 47,104 C:\WINDOWS\system32\DEVREG.DLL
2006-06-01 11:15 4,096 C:\WINDOWS\system32\ENLOCSTR.EXE
2006-06-01 11:15 25,600 C:\WINDOWS\MIDIDEF.EXE


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"DiskeeperSystray"="\"C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PeerGuardian"="C:\\Program Files\\PeerGuardian2\\pg2.exe"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{C891986A-07D0-1033-0406-060715050001}"="\"C:\\Program Files\\Common Files\\{C891986A-07D0-1033-0406-060715050001}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Contents of the 'Scheduled Tasks' folder

Completion time: Wed 07/12/2006 20:39:11.37
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

========================================================

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:41:48 PM, on 7/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\{C891986A-07D0-1033-0406-060715050001}\Update.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Common Files\AOL\Triton\ee\aolsoftware.exe
C:\Program Files\Xfire\Xfire.exe
c:\program files\common files\aol\triton\ee\aim6.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\Joseph\Desktop\Joey's Files\Cleaning\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007\RpcSandraSrv.exe
D3DAiM is offline  
Old 07-12-2006, 09:45 PM   #10 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 20
OS: Windows XP Professional SP2


I want rid of the Sandra items and the IDriverT.exe. I cannot remove this through HJT. These programs don't start up, but I'd rather not have the clutter. Possible?
D3DAiM is offline  
Old 07-12-2006, 10:32 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Well, you may think you are, but there are still signs of infection. Let's go after them. I only want to deal with your malware issues for now. Remind me of the others later.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:
Code:
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

"{C891986A-07D0-1033-0406-060715050001}"=-
Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------
  • Next, click Start > Control Panel > Add/Remove Programs
  • In the list of installed software, look for PuritySCAN By OIN, OuterInfo, OIN Snowballwars By OIN Cowabanga By OIN or similar
  • If you find it:
  • Click on it and click Remove.
  • Reboot and delete the folder C:\Program Files\PurityScan (if it's still there)
  • if not:
  • Download and run the Oiuninstaller
    There is a tutorial for the uninstaller available
  • When the uninstaller is done, reboot and delete the folder C:\Program Files\PurityScan (if it's still there)
---------------------------------------------------------------------------------------------


Download Ewido Anti-Malware
  • Install Ewido Anti-Malware
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet, we will shortly.


Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure: http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

---------------------------------------------------------------------------------------------


Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Run Cleanup! using the following configuration:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following if they exist:

C:\WINDOWS\system32\sstqo.dll
C:\Program Files\Common Files\{C891986A-07D0-1033-0406-060715050001}
C:\Documents and Settings\Joseph\Application Data\?ssembly <<< May appear as Assembly, created on 2006-07-12 03:12:02. Right click on the folder and select properties to check.
C:\Program Files\Common Files\??mbols <<< May appear as Symbols, created on 2006-07-12 02:09:44. Right click on the folder and select properties to check.



---------------------------------------------------------------------------------------------

Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

Ewido
Panda
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 07-12-2006 at 10:34 PM.
tetonbob is offline  
Old 07-13-2006, 02:05 AM   #12 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 20
OS: Windows XP Professional SP2


Weird. I got rid of opnommj.dll and it seems sstqo.dll has taken its place.

I ran the .reg. Worked. Ran oin uninstaller. Seemed to have worked if there were still traces of OIN. Ewido, ad-aware, spybot didn't pick anything up in a scan.

Rebooted in safe mode and ran CCleaner instead. I then manually deleted the prefetch.

There wasn't any more malware uninstaller on the list of add/remove. I deleted a {C891986A-07D0-1033-0406-060715050001} and assembly folder. There wasn't a ??mbols or anything.

I couldn't delete sstqo.dll in the System32. Unlocker couldn't handle it either. It was hidden, so I unticked that.

The panda scan detected two (possibly irrelevant) files. One was a plain cookie, ironically placed in the Firefox folder. Another was a hacktool (process.exe) located in my system32 folder! I then immediately went ahead and deleted both.

==========================================================

Activescan.txt


Incident Status Location

Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Joseph\Application Data\Mozilla\Firefox\Profiles\i7vmww89.default\cookies.txt[.apmebf.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

================================================================

Hijackthis.log

Logfile of HijackThis v1.99.1
Scan saved at 12:59:16 AM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Common Files\AOL\Triton\ee\aolsoftware.exe
C:\Program Files\Xfire\Xfire.exe
c:\program files\common files\aol\triton\ee\aim6.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Joseph\Desktop\Joey's Files\Cleaning\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007\RpcSandraSrv.exe

===========================================================

While running HJT in safe mode I noticed that, somehow, sstqo.dll managed to sneak past me and did the same thing as opnommj.dll and placed itself in a BHO and Winlogon Notify. I was able to remove these with ease and they do not appear again.

I also can verify that I do have some remnants of ACTIVE adware left on my machine as I very infrequently, but occasionally, get a "Fix Spyware!" ad clone while on my desktop.
D3DAiM is offline  
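The pattern reported in the post above, one DLL registered as both a BHO (O2) and a Winlogon Notify entry (O20), can be checked mechanically in a HijackThis log. This is an added example, not part of the original thread: the sstqo.dll and examplenotify lines and the all-zero CLSID in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log. The SDHelper.dll, ssv.dll and razer lines are copied
# from the log posted in this thread; the sstqo.dll and examplenotify lines
# (and the all-zero CLSID) are constructed for illustration.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\sstqo.dll
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O20 - Winlogon Notify: examplenotify - C:\WINDOWS\system32\examplenotify.dll
O20 - Winlogon Notify: sstqo - C:\WINDOWS\SYSTEM32\sstqo.dll
"""

# O2  - BHO: <name> - {CLSID} - <dll path>
# O20 - Winlogon Notify: <key name> - <dll path>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
MISSING_SUFFIX = "(file missing)"


def normalize_path(path):
    """Lower-case the path and drop HijackThis's '(file missing)' marker.

    Limitation: 8.3 short names (PROGRA~1) are not expanded, so a DLL listed
    once by short name and once by long name will not be matched up.
    """
    path = path.strip()
    if path.lower().endswith(MISSING_SUFFIX):
        path = path[: -len(MISSING_SUFFIX)].rstrip()
    return path.lower()


def parse_entries(log_text):
    """Return (section, name, normalized_path) for every O2 and O20 line."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        match = O2_RE.match(line)
        if match:
            entries.append(("O2", match.group("name"),
                            normalize_path(match.group("path"))))
            continue
        match = O20_RE.match(line)
        if match:
            entries.append(("O20", match.group("name"),
                            normalize_path(match.group("path"))))
    return entries


def find_double_registered(log_text):
    """Return DLL paths that appear in both an O2 and an O20 entry.

    A file loaded by Internet Explorer (BHO) and by winlogon.exe (Notify) is
    held open by two long-lived processes, which fits the thread's report of
    a DLL that could not be deleted while both entries were present.
    """
    sections_by_path = defaultdict(set)
    for section, _name, path in parse_entries(log_text):
        sections_by_path[path].add(section)
    return sorted(
        path for path, sections in sections_by_path.items()
        if {"O2", "O20"} <= sections
    )


if __name__ == "__main__":
    for dll in find_double_registered(SAMPLE_LOG):
        print("registered as BHO and Winlogon Notify:", dll)
```

A hit is a lead for manual review, not a verdict; a log with no O20 lines at all, like the one posted above, returns an empty list.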
Old 07-13-2006, 03:55 AM   #13 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 20
OS: Windows XP Professional SP2


Back in normal windows, I decided to give it another shot at deleting sstqo.dll

Sure enough, as all the magical occurrences that have been happening, it deleted. Yippee.

Now I let you pros be the judge if I am really clean. :D
D3DAiM is offline  
Old 07-13-2006, 04:03 AM   #14 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 20
OS: Windows XP Professional SP2


Quote:
Originally Posted by D3DAiM
Back in normal windows, I decided to give it another shot at deleting sstqo.dll

Sure enough, as all the magical occurrences that have been happening, it deleted. Yippee. Weird though, http://virusscan.jotti.org/ doesn't detect anything on sstqo.dll

Now I let you pros be the judge if I am really clean. :D
D3DAiM is offline  
Old 07-13-2006, 09:54 AM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Also run combofix again and post its log.
tetonbob is offline  
Old 07-13-2006, 12:35 PM   #16 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 20
OS: Windows XP Professional SP2


I remember running these fixes before. The smitfraud fix was important in my smitfraud recovery.

=============================================================

DrWeb.csv

backup-20060713-003201-946.dll;C:\Documents and Settings\Joseph\Desktop\Joey's Files\Cleaning\hijackthis\backups;Trojan.Virtumod;Deleted.;
A0004163.exe;C:\System Volume Information\_restore{102708DF-3400-4CB5-B983-C4D31F5703FC}\RP11;Trojan.Starter.65;Deleted.;
A0004572.dll;C:\System Volume Information\_restore{102708DF-3400-4CB5-B983-C4D31F5703FC}\RP22;Trojan.Virtumod;Deleted.;

================================================================

SmitFraudFix v2.70

Scan done at 11:11:42.25, Thu 07/13/2006
Run from C:\Documents and Settings\Joseph\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Joseph\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Joseph\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

==========================================================

Combofix.txt

Start Time= Thu 07/13/2006 11:14:15.75
Running from: C:\Documents and Settings\Joseph\Desktop

QuickScan did not find any signs of infected files

==========================================================

Looks like all that was picked up was a few backups of prior malware. I'll flush my system restore right now.
D3DAiM is offline  
Old 07-13-2006, 12:52 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Not sure what it is that's given you those infection warnings.

Right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As...Save it to your Desktop. Double click on 'Silent Runners' to run it. Choose 'No' at the prompt. It will create a file called 'Startup Programs' (followed by your computer name and current date) on your desktop. Do NOT open it yet. Wait until you get the prompt 'All Done'. Then open up that file and post all the contents here in your next post. If you receive a warning message about scripts, choose to allow it to run.

Quote:
Combofix.txt

Start Time= Thu 07/13/2006 11:14:15.75
Running from: C:\Documents and Settings\Joseph\Desktop

QuickScan did not find any signs of infected files

==========================================================

This log appears incomplete...if combofix was allowed to run its course, it would produce at least a Find3M and Last 30 days files section. Run it again.

Ewido found nothing? Did you save the log? There should be a report at C:\Program Files\ewido anti-spyware 4.0\Reports.

Also post a new HJT log.
tetonbob is offline  
Old 07-13-2006, 01:02 PM   #18 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 20
OS: Windows XP Professional SP2


Quote:
Originally Posted by tetonbob
Not sure what it is that's given you those infection warnings.

Right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As...Save it to your Desktop. Double click on 'Silent Runners' to run it. Choose 'No' at the prompt. It will create a file called 'Startup Programs' (followed by your computer name and current date) on your desktop. Do NOT open it yet. Wait until you get the prompt 'All Done'. Then open up that file and post all the contents here in your next post. If you receive a warning message about scripts, choose to allow it to run.



This log appears incomplete...if combofix was allowed to run its course, it would produce at least a Find3M and Last 30 days files section. Run it again.

Ewido found nothing? Did you save the log? There should be a report at C:\Program Files\ewido anti-spyware 4.0\Reports.

Also post a new HJT log.

I shortened the combofix.txt in order to save space..I suppose I'll post it again if you really want it.

=================================================================

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PeerGuardian" = "C:\Program Files\PeerGuardian2\pg2.exe" ["Phoenix Labs"]
"Aim6" = ""C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" ["Sun Microsystems, Inc."]
"DiskeeperSystray" = ""C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"" ["Diskeeper Corporation"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"razer" = "C:\Program Files\Razer\razerhid.exe" [empty string]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Joseph\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\sspipes.scr" [MS]


Startup items in "Joseph" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\Joseph\Start Menu\Programs\Startup
"Xfire" -> shortcut to: "C:\Program Files\Xfire\Xfire.exe" ["Xfire Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_07"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll" ["Sun Microsystems, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Diskeeper, Diskeeper, ""C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe"" ["Diskeeper Corporation"]
IPv6 Helper Service, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
RIP Listener, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
hpzsnt10\Driver = "hpzsnt10.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 20 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 6 seconds.
---------- (total run time: 37 seconds)

=================================================================

Combofix.txt

Start Time= Thu 07/13/2006 11:14:15.75
Running from: C:\Documents and Settings\Joseph\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-13 00:07:20 ( .D... ) "C:\Program Files\Agent"
2006-07-12 22:52:02 ( .D... ) "C:\Program Files\Common Files\Hewlett-Packard"
2006-07-12 22:51:14 ( .D... ) "C:\Program Files\HP"
2006-07-12 21:00:38 98324 ( A.... ) "C:\WINDOWS\system32\pgwjywnn.dll"
2006-07-12 20:47:46 ( .D... ) "C:\Program Files\Razer"
2006-07-12 16:48:24 ( .D... ) "C:\Program Files\SiSoftware"
2006-07-12 15:13:22 ( .D... ) "C:\Program Files\Real Alternative"
2006-07-12 15:13:22 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Real"
2006-07-12 15:12:22 ( .D... ) "C:\Program Files\QuickTime Alternative"
2006-07-12 12:34:34 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-12 12:16:30 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Help"
2006-07-12 02:37:24 ( .D... ) "C:\Program Files\AC3Filter"
2006-07-12 02:24:42 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\AVG7"
2006-07-12 02:24:22 ( .D... ) "C:\Program Files\Grisoft"
2006-07-12 01:53:06 ( .D... ) "C:\Program Files\Microsoft Works"
2006-07-12 01:53:06 ( .D... ) "C:\Program Files\Microsoft ActiveSync"
2006-07-12 0100 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\JAMS"
2006-07-12 01:05:56 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\acccore"
2006-07-12 01:05:32 ( .D... ) "C:\Program Files\Jams"
2006-07-12 01:02:54 ( .D... ) "C:\Program Files\Common Files\AOL"
2006-07-12 01:02:54 ( .D... ) "C:\Program Files\AOL"
2006-07-12 00:27:16 ( .D... ) "C:\Program Files\Winamp"
2006-07-11 21:57:34 ( .D... ) "C:\Program Files\ffdshow"
2006-07-11 21:55:06 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Media Player Classic"
2006-07-11 16:40:50 1082880 ( A.... ) "C:\WINDOWS\system32\AutoPartNt.exe"
2006-07-11 16:25:12 ( .D... ) "C:\Program Files\xerox"
2006-07-11 16:25:12 ( .D... ) "C:\Program Files\netmeeting"
2006-07-11 16:25:12 ( .D... ) "C:\Program Files\microsoft frontpage"
2006-07-11 16:10:38 ( .D... ) "C:\Program Files\Unlocker"
2006-07-11 13:59:28 ( .D... ) "C:\Program Files\Smart Projects"
2006-07-11 13:22:24 ( .D... ) "C:\Program Files\Diskeeper Corporation"
2006-07-11 13:13:50 ( .D... ) "C:\Program Files\Registry Mechanic"
2006-07-11 13:10:54 ( .D... ) "C:\Program Files\Driver Cleaner Pro"
2006-07-11 1320 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Lavasoft"
2006-07-11 1314 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-11 13:01:22 ( .D... ) "C:\Program Files\Common Files\Acronis"
2006-07-11 13:01:20 ( .D... ) "C:\Program Files\Acronis"
2006-07-11 12:54:30 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Webroot"
2006-07-11 12:54:28 ( .D... ) "C:\Program Files\Webroot"
2006-07-11 12:54:28 ( .D... ) "C:\Program Files\Common Files\Webroot Shared"
2006-07-11 12:49:08 ( .D... ) "C:\Program Files\mIRC"
2006-07-11 12:46:18 ( .D... ) "C:\Program Files\CCleaner"
2006-07-11 12:32:38 ( .D... ) "C:\Program Files\OfficeUpdate11"
2006-07-11 12:07:26 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Azureus"
2006-07-11 11:54:26 ( .D... ) "C:\Program Files\Azureus"
2006-07-11 11:51:54 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\AdobeUM"
2006-07-11 11:51:34 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Adobe"
2006-07-11 11:47:46 ( .D... ) "C:\Program Files\Common Files\Adobe Systems Shared"
2006-07-11 11:47:28 ( .D... ) "C:\Program Files\Common Files\Adobe"
2006-07-11 11:47:20 ( .D... ) "C:\Program Files\Adobe"
2006-07-11 11:42:52 ( .D... ) "C:\Program Files\Windows Media Connect 2"
2006-07-11 09:59:52 34308 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2006-07-11 09:55:10 ( .D... ) "C:\Program Files\DAMN NFO Viewer"
2006-07-11 09:44:44 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Macromedia"
2006-07-11 02:28:04 ( .D... ) "C:\Program Files\Common Files\DESIGNER"
2006-07-11 02:28:02 ( .D... ) "C:\Program Files\Microsoft Visual Studio"
2006-07-11 02:27:04 ( .D... ) "C:\Program Files\Microsoft Office"
2006-07-11 02:14:42 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-11 02:13:42 ( .D... ) "C:\Program Files\RivaTuner v2.0 RC 16"
2006-07-11 02:11:44 ( .D... ) "C:\Program Files\PeerGuardian2"
2006-07-11 02:10:58 ( .D... ) "C:\Program Files\SpywareBlaster"
2006-07-11 02:10:34 ( .D... ) "C:\Program Files\Creative"
2006-07-11 02:10:02 409600 ( A.... ) "C:\WINDOWS\system32\wrap_oal.dll"
2006-07-11 02:10:02 86016 ( A.... ) "C:\WINDOWS\system32\OpenAL32.dll"
2006-07-11 02:10:00 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Creative"
2006-07-11 02:09:04 ( .DS.. ) "C:\Program Files\Xfire"
2006-07-11 02:09:04 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Xfire"
2006-07-11 02:08:20 ( .D... ) "C:\Program Files\WinRAR"
2006-07-11 02:01:06 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2006-07-11 02:00:26 ( .D... ) "C:\Program Files\Java"
2006-07-11 02:00:26 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-11 01:57:24 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Mozilla"
2006-07-11 01:57:10 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-07-11 01:53:24 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2006-07-11 01:35:40 ( .D... ) "C:\Documents and Settings\Joseph\Application Data\Identities"
2006-07-11 01:35:36 ( .DS.. ) "C:\Documents and Settings\Joseph\Application Data\Microsoft"
2006-07-11 01:32:08 0 ( A.... ) "C:\WINDOWS\AUTOEXEC.BAT"
2006-07-11 01:31:18 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2006-07-11 01:30:30 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2006-07-11 01:30:18 ( .D... ) "C:\Program Files\Movie Maker"
2006-07-11 01:30:04 ( .D... ) "C:\Program Files\Outlook Express"
2006-07-11 01:29:58 ( .D... ) "C:\Program Files\Common Files\System"
2006-07-11 01:29:56 ( .D... ) "C:\Program Files\Internet Explorer"
2006-07-11 01:29:40 ( .D... ) "C:\Program Files\Windows Media Player"
2006-07-11 01:29:34 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2006-07-11 01:28:58 ( .D... ) "C:\Program Files\Windows NT"
2006-07-10 17:57:00 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2006-07-10 17:57:00 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2006-07-10 17:57:00 ( .D... ) "C:\Program Files\Common Files"
2006-07-10 17:56:38 62 ( A.SH. ) "C:\Documents and Settings\Joseph\Application Data\desktop.ini"
2006-06-23 07:49:00 7626752 ( A.... ) "C:\WINDOWS\system32\nvcpl.dll"
2006-06-23 07:49:00 5652480 ( A.... ) "C:\WINDOWS\system32\nvdisps.dll"
2006-06-23 07:49:00 5632000 ( A.... ) "C:\WINDOWS\system32\nvoglnt.dll"
2006-06-23 07:49:00 4492160 ( A.... ) "C:\WINDOWS\system32\nv4_disp.dll"
2006-06-23 07:49:00 3026944 ( A.... ) "C:\WINDOWS\system32\nvgames.dll"
2006-06-23 07:49:00 2924544 ( A.... ) "C:\WINDOWS\system32\nvvitvs.dll"
2006-06-23 07:49:00 1662976 ( A.... ) "C:\WINDOWS\system32\nvwdmcpl.dll"
2006-06-23 07:49:00 1519616 ( A.... ) "C:\WINDOWS\system32\nwiz.exe"
2006-06-23 07:49:00 1466368 ( A.... ) "C:\WINDOWS\system32\nview.dll"
2006-06-23 07:49:00 1339392 ( A.... ) "C:\WINDOWS\system32\nvdspsch.exe"
2006-06-23 07:49:00 1257472 ( A.... ) "C:\WINDOWS\system32\nvwss.dll"
2006-06-23 07:49:00 1019904 ( A.... ) "C:\WINDOWS\system32\nvwimg.dll"
2006-06-23 07:49:00 888832 ( A.... ) "C:\WINDOWS\system32\nvmobls.dll"
2006-06-23 07:49:00 794624 ( A.... ) "C:\WINDOWS\system32\nvcplui.exe"
2006-06-23 07:49:00 581632 ( A.... ) "C:\WINDOWS\system32\nvhwvid.dll"
2006-06-23 07:49:00 466944 ( A.... ) "C:\WINDOWS\system32\nvshell.dll"
2006-06-23 07:49:00 442368 ( A.... ) "C:\WINDOWS\system32\nvappbar.exe"
2006-06-23 07:49:00 425984 ( A.... ) "C:\WINDOWS\system32\keystone.exe"
2006-06-23 07:49:00 311296 ( A.... ) "C:\WINDOWS\system32\nvexpbar.dll"
2006-06-23 07:49:00 286720 ( A.... ) "C:\WINDOWS\system32\nvnt4cpl.dll"
2006-06-23 07:49:00 229376 ( A.... ) "C:\WINDOWS\system32\nvmccs.dll"
2006-06-23 07:49:00 208896 ( A.... ) "C:\WINDOWS\system32\nvudisp.exe"
2006-06-23 07:49:00 196608 ( A.... ) "C:\WINDOWS\system32\nvapi.dll"
2006-06-23 07:49:00 188416 ( A.... ) "C:\WINDOWS\system32\nvmccss.dll"
2006-06-23 07:49:00 155715 ( A.... ) "C:\WINDOWS\system32\nvsvc32.exe"
2006-06-23 07:49:00 147456 ( A.... ) "C:\WINDOWS\system32\nvcolor.exe"
2006-06-23 07:49:00 86016 ( A.... ) "C:\WINDOWS\system32\nvmctray.dll"
2006-06-23 07:49:00 81920 ( A.... ) "C:\WINDOWS\system32\nvwddi.dll"
2006-06-23 07:49:00 45056 ( A.... ) "C:\WINDOWS\system32\nvmccsrs.dll"
2006-06-23 07:49:00 35840 ( A.... ) "C:\WINDOWS\system32\nvcodins.dll"
2006-06-23 07:49:00 35840 ( A.... ) "C:\WINDOWS\system32\nvcod.dll"
2006-06-01 15:39:12 442368 ( A.... ) "C:\WINDOWS\system32\CapabilityTable.exe"
2006-06-01 15:36:28 208896 ( A.... ) "C:\WINDOWS\system32\nvunrm.exe"
2006-06-01 15:36:28 208896 ( A.... ) "C:\WINDOWS\system32\NVUNINST.EXE"
2006-06-01 11:43:48 37888 ( A.... ) "C:\WINDOWS\system32\CTBURST.DLL"
2006-06-01 11:42:34 11776 ( A.... ) "C:\WINDOWS\INRES.DLL"
2006-06-01 11:42:32 146432 ( A.... ) "C:\WINDOWS\system32\ctdvinst.dll"
2006-06-01 11:42:30 81920 ( A.... ) "C:\WINDOWS\system32\ctcoinst.dll"
2006-06-01 11:38:44 33792 ( A.... ) "C:\WINDOWS\system32\a3d.dll"
2006-06-01 11:36:58 26624 ( A.... ) "C:\WINDOWS\system32\AC3API.DLL"
2006-06-01 11:35:00 35840 ( A.... ) "C:\WINDOWS\READREG.EXE"
2006-06-01 11:35:00 3072 ( A.... ) "C:\WINDOWS\CTXFIRES.DLL"
2006-06-01 11:34:58 26112 ( A.... ) "C:\WINDOWS\system32\CTXFIBTN.DLL"
2006-06-01 11:34:58 25088 ( A.... ) "C:\WINDOWS\system32\CTXFISPK.DLL"
2006-06-01 11:34:58 18944 ( A.... ) "C:\WINDOWS\system32\CTXFIHLP.EXE"
2006-06-01 11:34:56 34304 ( A.... ) "C:\WINDOWS\PSCONV.EXE"
2006-06-01 11:34:56 17920 ( A.... ) "C:\WINDOWS\CTHELPER.EXE"
2006-06-01 11:34:56 7168 ( A.... ) "C:\WINDOWS\system32\CTAGENT.DLL"
2006-06-01 11:34:54 30208 ( A.... ) "C:\WINDOWS\system32\CTPCMCIA.DLL"
2006-06-01 11:34:54 23040 ( A.... ) "C:\WINDOWS\system32\CTSPKHLP.DLL"
2006-06-01 11:34:54 11776 ( A.... ) "C:\WINDOWS\system32\CTMMEP.DLL"
2006-06-01 11:34:50 75264 ( A.... ) "C:\WINDOWS\system32\CTSCAL.DLL"
2006-06-01 11:34:50 64000 ( A.... ) "C:\WINDOWS\system32\CTTHXCAL.DLL"
2006-06-01 11:34:50 9216 ( A.... ) "C:\WINDOWS\system32\CTPRES.DLL"
2006-06-01 11:34:48 286208 ( A.... ) "C:\WINDOWS\system32\CTDC0001.DLL"
2006-06-01 11:34:48 129536 ( A.... ) "C:\WINDOWS\system32\CTDCIFCE.DLL"
2006-06-01 11:34:46 190976 ( A.... ) "C:\WINDOWS\system32\CTDC0000.DLL"
2006-06-01 11:34:46 10240 ( A.... ) "C:\WINDOWS\CTDCRES.DLL"
2006-06-01 11:29:40 52224 ( A.... ) "C:\WINDOWS\system32\CTXFISPI.DLL"
2006-06-01 11:29:40 41984 ( A.... ) "C:\WINDOWS\system32\CTXFIREG.EXE"
2006-06-01 11:29:38 729600 ( A.... ) "C:\WINDOWS\system32\CTXFISPI.EXE"
2006-06-01 11:22:34 108032 ( A.... ) "C:\WINDOWS\system32\ctemupia.dll"
2006-06-01 11:22:32 158720 ( A.... ) "C:\WINDOWS\system32\CT20XUT.DLL"
2006-06-01 11:22:32 61952 ( A.... ) "C:\WINDOWS\system32\CTHWIUT.DLL"
2006-06-01 11:22:22 1170432 ( A.... ) "C:\WINDOWS\system32\CTEXFIFX.dll"
2006-06-01 11:22:08 548352 ( A.... ) "C:\WINDOWS\system32\ctsblfx.dll"
2006-06-01 11:22:00 160768 ( A.... ) "C:\WINDOWS\system32\cteapsfx.dll"
2006-06-01 11:21:44 536576 ( A.... ) "C:\WINDOWS\system32\ctaudfx.dll"
2006-06-01 11:21:38 87552 ( A.... ) "C:\WINDOWS\system32\commonfx.dll"
2006-06-01 11:21:36 317952 ( A.... ) "C:\WINDOWS\system32\CTEDSPSY.DLL"
2006-06-01 11:19:12 115200 ( A.... ) "C:\WINDOWS\system32\CTEDSPIO.DLL"
2006-06-01 11:19:02 269824 ( A.... ) "C:\WINDOWS\system32\CTEDSPFX.DLL"
2006-06-01 11:18:54 47616 ( A.... ) "C:\WINDOWS\system32\CTEDASIO.DLL"
2006-06-01 11:18:52 200192 ( A.... ) "C:\WINDOWS\system32\CT_OAL.DLL"
2006-06-01 11:18:50 74752 ( A.... ) "C:\WINDOWS\system32\CTASIO.DLL"
2006-06-01 11:18:48 71680 ( A.... ) "C:\WINDOWS\system32\ctdproxy.dll"
2006-06-01 11:18:18 132096 ( A.... ) "C:\WINDOWS\system32\CTOSUSER.DLL"
2006-06-01 11:18:16 120832 ( A.... ) "C:\WINDOWS\system32\SFMS32.DLL"
2006-06-01 11:18:16 21504 ( A.... ) "C:\WINDOWS\system32\sfman32.dll"
2006-06-01 11:18:10 73728 ( A.... ) "C:\WINDOWS\system32\piaproxy.dll"
2006-06-01 11:18:10 33792 ( A.... ) "C:\WINDOWS\system32\REGPLIB.EXE"
2006-06-01 11:15:54 4096 ( A.... ) "C:\WINDOWS\system32\ENLOCSTR.EXE"
2006-06-01 11:15:52 9216 ( A.... ) "C:\WINDOWS\system32\KILLAPPS.EXE"
2006-06-01 11:15:40 47104 ( A.... ) "C:\WINDOWS\system32\DEVREG.DLL"
2006-06-01 11:15:40 25600 ( A.... ) "C:\WINDOWS\MIDIDEF.EXE"
2006-05-26 06:29:14 5120 ( A.... ) "C:\WINDOWS\system32\ff_vfw.dll"
2006-05-19 05:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 05:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 05:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-05-16 19:23:20 159232 ( A.... ) "C:\WINDOWS\system32\fdco_l1034.dll"
2006-05-16 19:23:18 158720 ( A.... ) "C:\WINDOWS\system32\fdco_l1046.dll"
2006-05-16 19:23:18 156672 ( A.... ) "C:\WINDOWS\system32\fdco_l1042.dll"
2006-05-16 19:23:16 156672 ( A.... ) "C:\WINDOWS\system32\fdco_l1041.dll"
2006-05-16 19:23:14 158720 ( A.... ) "C:\WINDOWS\system32\fdco_l1040.dll"
2006-05-16 19:23:12 159232 ( A.... ) "C:\WINDOWS\system32\fdco_l1031.dll"
2006-05-16 19:23:10 159232 ( A.... ) "C:\WINDOWS\system32\fdco_l1036.dll"
2006-05-16 19:23:08 155648 ( A.... ) "C:\WINDOWS\system32\fdco_l1028.dll"
2006-05-16 19:23:08 155136 ( A.... ) "C:\WINDOWS\system32\fdco_l2052.dll"
2006-05-16 19:23:02 205312 ( A.... ) "C:\WINDOWS\system32\fdco1.dll"
2006-05-16 19:22:46 10240 ( A.... ) "C:\WINDOWS\system32\bdco1ins.dll"
2006-05-16 19:22:46 10240 ( A.... ) "C:\WINDOWS\system32\bdco1.dll"
2006-05-12 15:26:52 208896 ( A.... ) "C:\WINDOWS\system32\nvusmb.exe"
2006-05-09 22:36:46 6656 ( ..... ) "C:\WINDOWS\system32\WdfMgr.exe"
2006-05-09 22:36:46 6656 ( ..... ) "C:\WINDOWS\system32\uWDF.exe"
2006-05-09 22:26:34 7706112 ( A.... ) "C:\WINDOWS\system32\wmploc.dll"
2006-05-09 22:26:34 1641472 ( ..... ) "C:\WINDOWS\system32\wmpencen.dll"
2006-05-09 22:26:34 1280000 ( A.... ) "C:\WINDOWS\system32\WMSPDMOE.dll"
2006-05-09 22:26:34 1063424 ( A.... ) "C:\WINDOWS\system32\WMADMOE.dll"
2006-05-09 22:26:34 992256 ( A.... ) "C:\WINDOWS\system32\WMNetMgr.dll"
2006-05-09 22:26:34 705024 ( A.... ) "C:\WINDOWS\system32\WMADMOD.dll"
2006-05-09 22:26:34 564736 ( A.... ) "C:\WINDOWS\system32\WMSPDMOD.dll"
2006-05-09 22:26:34 433152 ( ..... ) "C:\WINDOWS\system32\wmpeffects.dll"
2006-05-09 22:26:34 417280 ( ..... ) "C:\WINDOWS\system32\wmdrmdev.dll"
2006-05-09 22:26:34 337408 ( ..... ) "C:\WINDOWS\system32\wmdrmnet.dll"
2006-05-09 22:26:34 306688 ( A.... ) "C:\WINDOWS\system32\MSWMDM.dll"
2006-05-09 22:26:34 301056 ( A.... ) "C:\WINDOWS\system32\wmpdxm.dll"
2006-05-09 22:26:34 267776 ( ..... ) "C:\WINDOWS\system32\Audiodev.dll"
2006-05-09 22:26:34 237056 ( A.... ) "C:\WINDOWS\system32\wmpasf.dll"
2006-05-09 22:26:34 221696 ( A.... ) "C:\WINDOWS\system32\WMASF.dll"
2006-05-09 22:26:34 219648 ( A.... ) "C:\WINDOWS\system32\CEWMDM.dll"
2006-05-09 22:26:34 212480 ( A.... ) "C:\WINDOWS\system32\msnetobj.dll"
2006-05-09 22:26:34 203776 ( ..... ) "C:\WINDOWS\system32\wmpsrcwp.dll"
2006-05-09 22:26:34 201728 ( A.... ) "C:\WINDOWS\system32\qasf.dll"
2006-05-09 22:26:34 165376 ( A.... ) "C:\WINDOWS\system32\MsPMSP.dll"
2006-05-09 22:26:34 155136 ( A.... ) "C:\WINDOWS\system32\wmidx.dll"
2006-05-09 22:26:34 135680 ( ..... ) "C:\WINDOWS\system32\wmpps.dll"
2006-05-09 22:26:34 97792 ( A.... ) "C:\WINDOWS\system32\wmpshell.dll"
2006-05-09 22:26:34 36864 ( A.... ) "C:\WINDOWS\system32\WMDMPS.dll"
2006-05-09 22:26:34 31744 ( A.... ) "C:\WINDOWS\system32\WMDMLOG.dll"
2006-05-09 22:26:34 26112 ( A.... ) "C:\WINDOWS\system32\MsPMSNSv.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmoe2.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmvdmod.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmoe2.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\wmsdmod.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\MPG4DMOD.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\MP4SDMOD.dll"
2006-05-09 22:26:34 4096 ( A.... ) "C:\WINDOWS\system32\MP43DMOD.dll"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\WMVADVE.DLL"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\WMVADVD.dll"
2006-05-09 22:26:34 4096 ( ..... ) "C:\WINDOWS\system32\wdfApi.dll"
2006-05-09 22:26:32 218112 ( A.... ) "C:\WINDOWS\system32\wmerror.dll"
2006-05-09 22:26:32 9728 ( A.... ) "C:\WINDOWS\system32\LAPRXY.dll"
2006-05-09 22:26:32 7168 ( A.... ) "C:\WINDOWS\system32\asferror.dll"
2006-05-09 22:22:32 2463744 ( A.... ) "C:\WINDOWS\system32\wmvcore.dll"
2006-05-09 21:02:02 84480 ( A.... ) "C:\WINDOWS\system32\logagent.exe"
2006-05-09 21:01:06 1463808 ( ..... ) "C:\WINDOWS\system32\WMVDECOD.dll"
2006-05-09 21:01:06 1359360 ( ..... ) "C:\WINDOWS\system32\WMVSDECD.dll"
2006-05-09 21:00:58 1455616 ( ..... ) "C:\WINDOWS\system32\WMVENCOD.dll"
2006-05-09 21:00:58 770560 ( ..... ) "C:\WINDOWS\system32\WMVSENCD.dll"
2006-05-09 21:00:58 299520 ( ..... ) "C:\WINDOWS\system32\MP4SDECD.dll"
2006-05-09 21:00:58 241152 ( ..... ) "C:\WINDOWS\system32\MPG4DECD.dll"
2006-05-09 21:00:56 636928 ( ..... ) "C:\WINDOWS\system32\WMVXENCD.dll"
2006-05-09 21:00:56 241152 ( ..... ) "C:\WINDOWS\system32\MP43DECD.dll"
2006-05-09 21:00:22 546816 ( ..... ) "C:\WINDOWS\system32\wmpmde.dll"
2006-05-09 21:00:08 382976 ( ..... ) "C:\WINDOWS\system32\MFPLAT.dll"
2006-05-09 21:00:02 1350656 ( A.... ) "C:\WINDOWS\system32\drmv2clt.dll"
2006-05-09 20:59:34 513536 ( ..... ) "C:\WINDOWS\system32\wmdrmsdk.dll"
2006-05-09 20:59:20 417280 ( A.... ) "C:\WINDOWS\system32\MSSCP.dll"
2006-05-09 20:59:18 229376 ( ..... ) "C:\WINDOWS\system32\drmupgds.exe"
2006-05-09 20:59:14 585216 ( A.... ) "C:\WINDOWS\system32\blackbox.dll"
2006-05-09 20:58:54 3745280 ( ..... ) "C:\WINDOWS\system32\WpdShext.dll"
2006-05-09 20:58:54 52224 ( ..... ) "C:\WINDOWS\system32\WPDShServiceObj.dll"
2006-05-09 20:58:54 13824 ( ..... ) "C:\WINDOWS\system32\wpdshextautoplay.exe"
2006-05-09 20:58:50 670208 ( ..... ) "C:\WINDOWS\system32\wpd_ci.dll"
2006-05-09 20:58:50 103424 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWiaCompat.dll"
2006-05-09 20:58:48 345600 ( ..... ) "C:\WINDOWS\system32\PortableDeviceApi.dll"
2006-05-09 20:58:48 188928 ( ..... ) "C:\WINDOWS\system32\PortableDeviceWMDRM.dll"
2006-05-09 20:58:48 101376 ( ..... ) "C:\WINDOWS\system32\PortableDeviceClassExtension.dll"
2006-05-09 20:58:46 343552 ( ..... ) "C:\WINDOWS\system32\WPDSp.dll"
2006-05-09 20:58:40 144896 ( ..... ) "C:\WINDOWS\system32\wpdmtp.dll"
2006-05-09 20:58:40 55808 ( ..... ) "C:\WINDOWS\system32\wpdmtpus.dll"
2006-05-09 20:58:40 35840 ( ..... ) "C:\WINDOWS\system32\wpdconns.dll"
2006-05-09 20:58:38 168960 ( ..... ) "C:\WINDOWS\system32\PortableDeviceTypes.dll"
2006-05-09 20:58:38 13312 ( ..... ) "C:\WINDOWS\system32\wpdtrace.dll"
2006-05-09 20:57:06 11264 ( ..... ) "C:\WINDOWS\system32\ehETW.dll"
2006-05-09 20:45:20 304640 ( ..... ) "C:\WINDOWS\system32\MSDelta.dll"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"
2006-05-01 17:27:02 289792 ( A.... ) "C:\WINDOWS\system32\idecoiins.dll"
2006-05-01 17:27:02 289792 ( A.... ) "C:\WINDOWS\system32\idecoi.dll"
2006-04-27 17:49:30 288417 ( A.... ) "C:\WINDOWS\system32\SrchSTS.exe"
2006-04-14 14:01:20 35840 ( A.... ) "C:\WINDOWS\system32\NVCOI.DLL"
2006-04-14 14:00:54 208896 ( ..... ) "C:\WINDOWS\system32\nvuide.exe"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-13 11:11 53,248 C:\WINDOWS\system32\Process.exe
2006-07-13 02:18 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-07-13 00:39 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-13 00:39 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-12 21:00 98,324 C:\WINDOWS\system32\pgwjywnn.dll
2006-07-12 16:20 266,360 C:\WINDOWS\system32\TweakUI.exe
2006-07-12 15:13 6,656 C:\WINDOWS\system32\pndx5016.dll
2006-07-12 15:13 5,632 C:\WINDOWS\system32\pndx5032.dll
2006-07-12 15:13 278,528 C:\WINDOWS\system32\pncrt.dll
2006-07-12 15:13 176,167 C:\WINDOWS\system32\rmoc3260.dll
2006-07-12 11:45 42,496 C:\WINDOWS\system32\swreg.exe
2006-07-12 11:45 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-12 11:45 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-12 02:18 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-07-12 02:18 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-07-12 01:42 888,832 C:\WINDOWS\system32\nvmobls.dll
2006-07-12 01:42 86,016 C:\WINDOWS\system32\nvmctray.dll
2006-07-12 01:42 81,920 C:\WINDOWS\system32\nvwddi.dll
2006-07-12 01:42 794,624 C:\WINDOWS\system32\nvcplui.exe
2006-07-12 01:42 7,626,752 C:\WINDOWS\system32\nvcpl.dll
2006-07-12 01:42 581,632 C:\WINDOWS\system32\nvhwvid.dll
2006-07-12 01:42 5,652,480 C:\WINDOWS\system32\nvdisps.dll
2006-07-12 01:42 5,632,000 C:\WINDOWS\system32\nvoglnt.dll
2006-07-12 01:42 466,944 C:\WINDOWS\system32\nvshell.dll
2006-07-12 01:42 45,056 C:\WINDOWS\system32\nvmccsrs.dll
2006-07-12 01:42 442,368 C:\WINDOWS\system32\nvappbar.exe
2006-07-12 01:42 425,984 C:\WINDOWS\system32\keystone.exe
2006-07-12 01:42 35,840 C:\WINDOWS\system32\nvcodins.dll
2006-07-12 01:42 35,840 C:\WINDOWS\system32\nvcod.dll
2006-07-12 01:42 311,296 C:\WINDOWS\system32\nvexpbar.dll
2006-07-12 01:42 3,026,944 C:\WINDOWS\system32\nvgames.dll
2006-07-12 01:42 286,720 C:\WINDOWS\system32\nvnt4cpl.dll
2006-07-12 01:42 229,376 C:\WINDOWS\system32\nvmccs.dll
2006-07-12 01:42 208,896 C:\WINDOWS\system32\nvudisp.exe
2006-07-12 01:42 2,924,544 C:\WINDOWS\system32\nvvitvs.dll
2006-07-12 01:42 196,608 C:\WINDOWS\system32\nvapi.dll
2006-07-12 01:42 188,416 C:\WINDOWS\system32\nvmccss.dll
2006-07-12 01:42 155,715 C:\WINDOWS\system32\nvsvc32.exe
2006-07-12 01:42 147,456 C:\WINDOWS\system32\nvcolor.exe
2006-07-12 01:42 1,662,976 C:\WINDOWS\system32\nvwdmcpl.dll
2006-07-12 01:42 1,519,616 C:\WINDOWS\system32\nwiz.exe
2006-07-12 01:42 1,466,368 C:\WINDOWS\system32\nview.dll
2006-07-12 01:42 1,339,392 C:\WINDOWS\system32\nvdspsch.exe
2006-07-12 01:42 1,257,472 C:\WINDOWS\system32\nvwss.dll
2006-07-12 01:42 1,019,904 C:\WINDOWS\system32\nvwimg.dll
2006-07-12 01:17 306,688 C:\WINDOWS\IsUninst.exe
2006-07-11 14:24 1,082,880 C:\WINDOWS\system32\AutoPartNt.exe
2006-07-11 13:13 24,576 C:\WINDOWS\system32\STKIT432.DLL
2006-07-11 12:54 57,344 C:\WINDOWS\Unwash6.exe
2006-07-11 12:54 487,936 C:\WINDOWS\system32\wwSecure.exe
2006-07-11 10:28 221,184 C:\WINDOWS\system32\wmpns.dll
2006-07-11 09:59 34,308 C:\WINDOWS\system32\BASSMOD.dll
2006-07-11 09:59 113,118 C:\WINDOWS\system32\twk-winupdatepatch.exe
2006-07-11 02:28 24,816 C:\WINDOWS\system32\mdimon.dll
2006-07-11 02:27 22,752 C:\WINDOWS\system32\spupdsvc.exe
2006-07-11 02:24 18,200 C:\WINDOWS\system32\wups2.dll
2006-07-11 02:10 86,016 C:\WINDOWS\system32\OpenAL32.dll
2006-07-11 02:10 409,600 C:\WINDOWS\system32\wrap_oal.dll
2006-07-11 02:10 4,096 C:\WINDOWS\system32\ksuser.dll
2006-07-11 02:10 118,784 C:\WINDOWS\system32\MSSTDFMT.DLL
2006-07-11 02:09 3,072 C:\WINDOWS\CTXFIRES.DLL
2006-07-11 02:09 11,776 C:\WINDOWS\INRES.DLL
2006-07-11 02:09 10,240 C:\WINDOWS\CTDCRES.DLL
2006-07-11 02:00 53,346 C:\WINDOWS\system32\javaw.exe
2006-07-11 02:00 49,248 C:\WINDOWS\system32\java.exe
2006-07-11 02:00 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-11 01:54 442,368 C:\WINDOWS\system32\CapabilityTable.exe
2006-07-11 01:53 35,840 C:\WINDOWS\system32\nvconrm.dll
2006-07-11 01:53 35,840 C:\WINDOWS\system32\NVCOI.DLL
2006-07-11 01:53 289,792 C:\WINDOWS\system32\idecoiins.dll
2006-07-11 01:53 208,896 C:\WINDOWS\system32\nvusmb.exe
2006-07-11 01:53 208,896 C:\WINDOWS\system32\nvunrm.exe
2006-07-11 01:53 208,896 C:\WINDOWS\system32\NVUNINST.EXE
2006-07-11 01:53 208,896 C:\WINDOWS\system32\nvuide.exe
2006-07-11 01:53 205,312 C:\WINDOWS\system32\fdco1.dll
2006-07-11 01:53 159,232 C:\WINDOWS\system32\fdco_l1036.dll
2006-07-11 01:53 159,232 C:\WINDOWS\system32\fdco_l1034.dll
2006-07-11 01:53 159,232 C:\WINDOWS\system32\fdco_l1031.dll
2006-07-11 01:53 158,720 C:\WINDOWS\system32\fdco_l1046.dll
2006-07-11 01:53 158,720 C:\WINDOWS\system32\fdco_l1040.dll
2006-07-11 01:53 156,672 C:\WINDOWS\system32\fdco_l1042.dll
2006-07-11 01:53 156,672 C:\WINDOWS\system32\fdco_l1041.dll
2006-07-11 01:53 155,648 C:\WINDOWS\system32\fdco_l1028.dll
2006-07-11 01:53 155,136 C:\WINDOWS\system32\fdco_l2052.dll
2006-07-11 01:53 10,240 C:\WINDOWS\system32\bdco1ins.dll
2006-07-11 01:53 10,240 C:\WINDOWS\system32\bdco1.dll
2006-07-11 01:40 35,328 C:\WINDOWS\system32\iprip.dll
2006-07-11 01:40 18,944 C:\WINDOWS\system32\simptcp.dll
2006-07-11 01:32 0 C:\WINDOWS\AUTOEXEC.BAT
2006-07-11 01:32 0 C:\MSDOS.SYS
2006-07-11 01:32 0 C:\IO.SYS
2006-07-11 01:32 0 C:\CONFIG.SYS
2006-07-11 01:31 112,128 C:\WINDOWS\system32\mapi32.dll
2006-07-11 01:30 81,920 C:\WINDOWS\system32\isign32.dll
2006-07-11 01:30 81,920 C:\WINDOWS\system32\ils.dll
2006-07-11 01:30 8,192 C:\WINDOWS\system32\bitsprx2.dll
2006-07-11 01:30 73,728 C:\WINDOWS\system32\icwdial.dll
2006-07-11 01:30 7,168 C:\WINDOWS\system32\bitsprx3.dll
2006-07-11 01:30 69,632 C:\WINDOWS\system32\msconf.dll
2006-07-11 01:30 679,424 C:\WINDOWS\system32\inetcomm.dll
2006-07-11 01:30 67,584 C:\WINDOWS\system32\srclient.dll
2006-07-11 01:30 65,536 C:\WINDOWS\system32\icwphbk.dll
2006-07-11 01:30 64,512 C:\WINDOWS\system32\acctres.dll
2006-07-11 01:30 6,656 C:\WINDOWS\system32\wuauserv.dll
2006-07-11 01:30 48,128 C:\WINDOWS\system32\inetres.dll
2006-07-11 01:30 465,176 C:\WINDOWS\system32\wuapi.dll
2006-07-11 01:30 45,568 C:\WINDOWS\system32\safrslv.dll
2006-07-11 01:30 43,520 C:\WINDOWS\system32\safrcdlg.dll
2006-07-11 01:30 43,520 C:\WINDOWS\system32\racpldlg.dll
2006-07-11 01:30 41,240 C:\WINDOWS\system32\wups.dll
2006-07-11 01:30 382,464 C:\WINDOWS\system32\qmgr.dll
2006-07-11 01:30 34,560 C:\WINDOWS\system32\mnmdd.dll
2006-07-11 01:30 32,768 C:\WINDOWS\system32\mnmsrvc.exe
2006-07-11 01:30 32,768 C:\WINDOWS\system32\isrdbg32.dll
2006-07-11 01:30 29,696 C:\WINDOWS\system32\safrdm.dll
2006-07-11 01:30 28,672 C:\WINDOWS\system32\nmmkcert.dll
2006-07-11 01:30 274,944 C:\WINDOWS\system32\mstask.dll
2006-07-11 01:30 274,432 C:\WINDOWS\system32\inetcfg.dll
2006-07-11 01:30 252,928 C:\WINDOWS\system32\msoeacct.dll
2006-07-11 01:30 239,104 C:\WINDOWS\system32\srrstr.dll
2006-07-11 01:30 22,528 C:\WINDOWS\system32\fltMc.exe
2006-07-11 01:30 194,328 C:\WINDOWS\system32\wuaueng1.dll
2006-07-11 01:30 190,976 C:\WINDOWS\system32\schedsvc.dll
2006-07-11 01:30 18,944 C:\WINDOWS\system32\qmgrprxy.dll
2006-07-11 01:30 173,536 C:\WINDOWS\system32\wuweb.dll
2006-07-11 01:30 172,312 C:\WINDOWS\system32\wuauclt1.exe
2006-07-11 01:30 170,496 C:\WINDOWS\system32\srsvc.dll
2006-07-11 01:30 16,896 C:\WINDOWS\system32\fltlib.dll
2006-07-11 01:30 16,384 C:\WINDOWS\system32\icfgnt5.dll
2006-07-11 01:30 127,256 C:\WINDOWS\system32\wucltui.dll
2006-07-11 01:30 124,184 C:\WINDOWS\system32\wuauclt.exe
2006-07-11 01:30 12,288 C:\WINDOWS\system32\nmevtmsg.dll
2006-07-11 01:30 12,288 C:\WINDOWS\system32\mstinit.exe
2006-07-11 01:30 11,264 C:\WINDOWS\system32\atrace.dll
2006-07-11 01:30 105,984 C:\WINDOWS\system32\msoert2.dll
2006-07-11 01:30 1,343,768 C:\WINDOWS\system32\wuaueng.dll
2006-07-11 01:29 97,792 C:\WINDOWS\system32\comrepl.dll
2006-07-11 01:29 9,728 C:\WINDOWS\system32\reset.exe
2006-07-11 01:29 80,384 C:\WINDOWS\system32\charmap.exe
2006-07-11 01:29 73,216 C:\WINDOWS\system32\avwav.dll
2006-07-11 01:29 605,696 C:\WINDOWS\system32\getuname.dll
2006-07-11 01:29 56,832 C:\WINDOWS\system32\sol.exe
2006-07-11 01:29 55,296 C:\WINDOWS\system32\freecell.exe
2006-07-11 01:29 54,272 C:\WINDOWS\system32\stclient.dll
2006-07-11 01:29 5,632 C:\WINDOWS\system32\write.exe
2006-07-11 01:29 5,120 C:\WINDOWS\system32\dcomcnfg.exe
2006-07-11 01:29 44,544 C:\WINDOWS\system32\hticons.dll
2006-07-11 01:29 4,096 C:\WINDOWS\system32\rdpcfgex.dll
2006-07-11 01:29 4,096 C:\WINDOWS\system32\mtxex.dll
2006-07-11 01:29 35,328 C:\WINDOWS\system32\winchat.exe
2006-07-11 01:29 33,792 C:\WINDOWS\system32\regini.exe
2006-07-11 01:29 25,600 C:\WINDOWS\system32\comaddin.dll
2006-07-11 01:29 25,088 C:\WINDOWS\system32\mtxlegih.dll
2006-07-11 01:29 227,840 C:\WINDOWS\system32\avtapi.dll
2006-07-11 01:29 22,016 C:\WINDOWS\system32\qwinsta.exe
2006-07-11 01:29 20,992 C:\WINDOWS\system32\msg.exe
2006-07-11 01:29 20,480 C:\WINDOWS\system32\mtxdm.dll
2006-07-11 01:29 16,896 C:\WINDOWS\system32\tsshutdn.exe
2006-07-11 01:29 16,896 C:\WINDOWS\system32\qappsrv.exe
2006-07-11 01:29 16,384 C:\WINDOWS\system32\tskill.exe
2006-07-11 01:29 16,384 C:\WINDOWS\system32\avmeter.dll
2006-07-11 01:29 15,872 C:\WINDOWS\system32\rwinsta.exe
2006-07-11 01:29 15,872 C:\WINDOWS\system32\cdmodem.dll
2006-07-11 01:29 15,360 C:\WINDOWS\system32\logoff.exe
2006-07-11 01:29 147,456 C:\WINDOWS\system32\comsnap.dll
2006-07-11 01:29 14,848 C:\WINDOWS\system32\tsdiscon.exe
2006-07-11 01:29 14,848 C:\WINDOWS\system32\tscon.exe
2006-07-11 01:29 14,848 C:\WINDOWS\system32\shadow.exe
2006-07-11 01:29 138,752 C:\WINDOWS\system32\sndvol32.exe
2006-07-11 01:29 126,976 C:\WINDOWS\system32\mshearts.exe
2006-07-11 01:29 119,808 C:\WINDOWS\system32\winmine.exe
2006-07-11 01:29 114,688 C:\WINDOWS\system32\calc.exe
2006-07-11 01:29 1,161 C:\WINDOWS\system32\usrlogon.cmd
2006-07-11 01:28 956,416 C:\WINDOWS\system32\msdtctm.dll
2006-07-11 01:28 93,696 C:\WINDOWS\system32\tscfgwmi.dll
2006-07-11 01:28 91,136 C:\WINDOWS\system32\mtxoci.dll
2006-07-11 01:28 87,176 C:\WINDOWS\system32\rdpwsx.dll
2006-07-11 01:28 85,504 C:\WINDOWS\system32\catsrvps.dll
2006-07-11 01:28 67,072 C:\WINDOWS\system32\rdshost.exe
2006-07-11 01:28 655,360 C:\WINDOWS\system32\mstscax.dll
2006-07-11 01:28 625,152 C:\WINDOWS\system32\catsrvut.dll
2006-07-11 01:28 62,464 C:\WINDOWS\system32\rdpclip.exe
2006-07-11 01:28 60,416 C:\WINDOWS\system32\remotepg.dll
2006-07-11 01:28 60,416 C:\WINDOWS\system32\colbact.dll
2006-07-11 01:28 6,144 C:\WINDOWS\system32\msdtc.exe
2006-07-11 01:28 58,880 C:\WINDOWS\system32\msdtclog.dll
2006-07-11 01:28 58,880 C:\WINDOWS\system32\licwmi.dll
2006-07-11 01:28 56,320 C:\WINDOWS\system32\servdeps.dll
2006-07-11 01:28 540,160 C:\WINDOWS\system32\comuid.dll
2006-07-11 01:28 538,624 C:\WINDOWS\system32\spider.exe
2006-07-11 01:28 498,688 C:\WINDOWS\system32\clbcatq.dll
2006-07-11 01:28 44,544 C:\WINDOWS\system32\tscupgrd.exe
2006-07-11 01:28 426,496 C:\WINDOWS\system32\msdtcprx.dll
2006-07-11 01:28 407,552 C:\WINDOWS\system32\mstsc.exe
2006-07-11 01:28 38,912 C:\WINDOWS\system32\cfgbkend.dll
2006-07-11 01:28 347,136 C:\WINDOWS\system32\hypertrm.dll
2006-07-11 01:28 343,040 C:\WINDOWS\system32\mspaint.exe
2006-07-11 01:28 295,424 C:\WINDOWS\system32\termsrv.dll
2006-07-11 01:28 225,792 C:\WINDOWS\system32\catsrv.dll
2006-07-11 01:28 20,480 C:\WINDOWS\system32\qprocess.exe
2006-07-11 01:28 19,968 C:\WINDOWS\system32\rdpsnd.dll
2006-07-11 01:28 185,344 C:\WINDOWS\system32\cmprops.dll
2006-07-11 01:28 183,808 C:\WINDOWS\system32\accwiz.exe
2006-07-11 01:28 17,408 C:\WINDOWS\system32\mmfutil.dll
2006-07-11 01:28 161,280 C:\WINDOWS\system32\msdtcuiu.dll
2006-07-11 01:28 147,968 C:\WINDOWS\system32\rdchost.dll
2006-07-11 01:28 140,800 C:\WINDOWS\system32\sessmgr.exe
2006-07-11 01:28 131,584 C:\WINDOWS\system32\sndrec32.exe
2006-07-11 01:28 13,824 C:\WINDOWS\system32\rdsaddin.exe
2006-07-11 01:28 123,392 C:\WINDOWS\system32\mplay32.exe
2006-07-11 01:28 110,080 C:\WINDOWS\system32\clbcatex.dll
2006-07-11 01:28 11,776 C:\WINDOWS\system32\xolehlp.dll
2006-07-11 01:28 11,264 C:\WINDOWS\system32\icaapi.dll
2006-07-11 01:28 102,912 C:\WINDOWS\system32\clipbrd.exe
2006-07-11 01:28 1,267,200 C:\WINDOWS\system32\comsvcs.dll
2006-07-10 17:58 21,504 C:\WINDOWS\system32\hidserv.dll
2006-07-10 17:57 8,192 C:\WINDOWS\system32\wshirda.dll
2006-07-10 17:57 74,240 C:\WINDOWS\system32\usbui.dll
2006-07-10 17:57 27,136 C:\WINDOWS\system32\irmon.dll
2006-07-10 17:57 152,576 C:\WINDOWS\system32\irftp.exe
2006-07-10 17:56 85,020 C:\WINDOWS\system32\dgsetup.dll
2006-07-10 17:56 8,704 C:\WINDOWS\system32\batt.dll
2006-07-10 17:56 8,192 C:\WINDOWS\system32\kbdhept.dll
2006-07-10 17:56 74,752 C:\WINDOWS\system32\storprop.dll
2006-07-10 17:56 7,168 C:\WINDOWS\system32\kbdcz.dll
2006-07-10 17:56 69,120 C:\WINDOWS\NOTEPAD.EXE
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdycl.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdsl1.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdsl.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdpl.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdhu.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdhela3.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdcz2.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdcz1.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\kbdcr.dll
2006-07-10 17:56 6,656 C:\WINDOWS\system32\KBDAL.DLL
2006-07-10 17:56 6,144 C:\WINDOWS\system32\kbdtuq.dll
2006-07-10 17:56 6,144 C:\WINDOWS\system32\kbdtuf.dll
2006-07-10 17:56 6,144 C:\WINDOWS\system32\kbdlv1.dll
2006-07-10 17:56 6,144 C:\WINDOWS\system32\kbdlv.dll
2006-07-10 17:56 6,144 C:\WINDOWS\system32\kbdhela2.dll
2006-07-10 17:56 6,144 C:\WINDOWS\system32\kbdgkl.dll
2006-07-10 17:56 6,144 C:\WINDOWS\system32\kbdest.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdycc.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbduzb.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdur.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdtat.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdru1.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdru.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdro.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdpl1.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdmon.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdlt1.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdlt.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdkyr.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdkaz.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdhu1.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdhe319.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdhe220.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdhe.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdbu.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdblr.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdazel.dll
2006-07-10 17:56 5,632 C:\WINDOWS\system32\kbdaze.dll
2006-07-10 17:56 24,661 C:\WINDOWS\system32\spxcoins.dll
2006-07-10 17:56 176,157 C:\WINDOWS\system32\dgrpsetu.dll
2006-07-10 17:56 15,360 C:\WINDOWS\TASKMAN.EXE
2006-07-10 17:56 13,312 C:\WINDOWS\system32\irclass.dll
2006-07-10 17:56 103,424 C:\WINDOWS\system32\EqnClass.Dll
2006-07-10 17:51 2,145,386,496 C:\pagefile.sys
2006-06-01 11:43 37,888 C:\WINDOWS\system32\CTBURST.DLL
2006-06-01 11:42 81,920 C:\WINDOWS\system32\ctcoinst.dll
2006-06-01 11:42 146,432 C:\WINDOWS\system32\ctdvinst.dll
2006-06-01 11:38 33,792 C:\WINDOWS\system32\a3d.dll
2006-06-01 11:36 26,624 C:\WINDOWS\system32\AC3API.DLL
2006-06-01 11:35 35,840 C:\WINDOWS\READREG.EXE
2006-06-01 11:34 9,216 C:\WINDOWS\system32\CTPRES.DLL
2006-06-01 11:34 75,264 C:\WINDOWS\system32\CTSCAL.DLL
2006-06-01 11:34 7,168 C:\WINDOWS\system32\CTAGENT.DLL
2006-06-01 11:34 64,000 C:\WINDOWS\system32\CTTHXCAL.DLL
2006-06-01 11:34 34,304 C:\WINDOWS\PSCONV.EXE
2006-06-01 11:34 30,208 C:\WINDOWS\system32\CTPCMCIA.DLL
2006-06-01 11:34 286,208 C:\WINDOWS\system32\CTDC0001.DLL
2006-06-01 11:34 26,112 C:\WINDOWS\system32\CTXFIBTN.DLL
2006-06-01 11:34 25,088 C:\WINDOWS\system32\CTXFISPK.DLL
2006-06-01 11:34 23,040 C:\WINDOWS\system32\CTSPKHLP.DLL
2006-06-01 11:34 190,976 C:\WINDOWS\system32\CTDC0000.DLL
2006-06-01 11:34 18,944 C:\WINDOWS\system32\CTXFIHLP.EXE
2006-06-01 11:34 17,920 C:\WINDOWS\CTHELPER.EXE
2006-06-01 11:34 129,536 C:\WINDOWS\system32\CTDCIFCE.DLL
2006-06-01 11:34 11,776 C:\WINDOWS\system32\CTMMEP.DLL
2006-06-01 11:29 729,600 C:\WINDOWS\system32\CTXFISPI.EXE
2006-06-01 11:29 52,224 C:\WINDOWS\system32\CTXFISPI.DLL
2006-06-01 11:29 41,984 C:\WINDOWS\system32\CTXFIREG.EXE
2006-06-01 11:22 61,952 C:\WINDOWS\system32\CTHWIUT.DLL
2006-06-01 11:22 548,352 C:\WINDOWS\system32\ctsblfx.dll
2006-06-01 11:22 160,768 C:\WINDOWS\system32\cteapsfx.dll
2006-06-01 11:22 158,720 C:\WINDOWS\system32\CT20XUT.DLL
2006-06-01 11:22 108,032 C:\WINDOWS\system32\ctemupia.dll
2006-06-01 11:22 1,170,432 C:\WINDOWS\system32\CTEXFIFX.dll
2006-06-01 11:21 87,552 C:\WINDOWS\system32\commonfx.dll
2006-06-01 11:21 536,576 C:\WINDOWS\system32\ctaudfx.dll
2006-06-01 11:21 317,952 C:\WINDOWS\system32\CTEDSPSY.DLL
2006-06-01 11:19 269,824 C:\WINDOWS\system32\CTEDSPFX.DLL
2006-06-01 11:19 115,200 C:\WINDOWS\system32\CTEDSPIO.DLL
2006-06-01 11:18 74,752 C:\WINDOWS\system32\CTASIO.DLL
2006-06-01 11:18 73,728 C:\WINDOWS\system32\piaproxy.dll
2006-06-01 11:18 71,680 C:\WINDOWS\system32\ctdproxy.dll
2006-06-01 11:18 47,616 C:\WINDOWS\system32\CTEDASIO.DLL
2006-06-01 11:18 33,792 C:\WINDOWS\system32\REGPLIB.EXE
2006-06-01 11:18 21,504 C:\WINDOWS\system32\sfman32.dll
2006-06-01 11:18 200,192 C:\WINDOWS\system32\CT_OAL.DLL
2006-06-01 11:18 132,096 C:\WINDOWS\system32\CTOSUSER.DLL
2006-06-01 11:18 120,832 C:\WINDOWS\system32\SFMS32.DLL
2006-06-01 11:15 9,216 C:\WINDOWS\system32\KILLAPPS.EXE
2006-06-01 11:15 47,104 C:\WINDOWS\system32\DEVREG.DLL
2006-06-01 11:15 4,096 C:\WINDOWS\system32\ENLOCSTR.EXE
2006-06-01 11:15 25,600 C:\WINDOWS\MIDIDEF.EXE


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"DiskeeperSystray"="\"C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"razer"="C:\\Program Files\\Razer\\razerhid.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PeerGuardian"="C:\\Program Files\\PeerGuardian2\\pg2.exe"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Contents of the 'Scheduled Tasks' folder

Completion time: Thu 07/13/2006 11:14:29.81
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-13.111415.txt

===============================================================

hijackthis.log

Logfile of HijackThis v1.99.1
Scan saved at 12:00:57 PM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\AOL\Triton\ee\aolsoftware.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Joseph\Desktop\Joey's Files\Cleaning\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007\RpcSandraSrv.exe

================================================================

Yes, Ewido found nothing. I have since uninstalled it. I don't see it working any better than the combinations of the other anti malware/virii programs I have. I'd rather not have its processes running.
D3DAiM is offline  
Old 07-13-2006, 01:59 PM   #19 (permalink)

Quote:
Originally Posted by tetonbob
I can only help you if you'll cooperate with me. If you want to hack about at this on your own, that's fine.

By not giving me the complete logs I request, you're denying me access to information I need to help you...if you really want it at this point.

You seem to be generating different infectious files on each new log.

Upload this to jotti:

C:\WINDOWS\system32\pgwjywnn.dll

For some reason my email notification of this thread shows that you posted this, but I do not see it in the thread. Is there a next page button? Sorry if I'm acting noob :P

Well, alright, I understand, I figured if I was all clear on that log I have nothing to report and may as well save thread space. I understand that there is more to it than this, it's background information.

I can't believe how there's more and more things popping up like this. I popped pgwjywnn.dll into Jotti and the only warning I got was from Avast saying it may be Win32:Trojano-1165. I checked its Properties; it was last modified yesterday and last accessed today. It doesn't know what program is accessing it. I also got this notice, hinting it's probably a false warning:

POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)

Also, I hope you didn't pass over the "INFECTION" on the Silent Runners.vbs

Quote:
Originally Posted by D3DAiM
HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

Last edited by D3DAiM; 07-13-2006 at 02:06 PM.
D3DAiM is offline  
Old 07-13-2006, 09:31 PM   #20 (permalink)

Bump..
D3DAiM is offline  
All times are GMT -7.