Virus:Trj/Jupillites.G

quaa · 10-06-2006, 11:21 PM

hello, i have a computer that i am working on that has random popups, excessivly.

i ran panda active scan and the log is for the second scan:

Incident Status Location

Adware:Adware/DigInk Not disinfected c:\windows\win3208089-1130464.exe
Adware:Adware/DigInk Not disinfected c:\windows\sys011130464089-.exe
Adware:Adware/DigInk Not disinfected c:\windows\ms0664089-11304.exe
Adware:Adware/DigInk Not disinfected c:\windows\ms05464089-1130.exe
Adware:Adware/DigInk Not disinfected c:\windows\duce6.exe
Virus:Trj/Jupillites.G Disinfected Operating system

i also have the scan results for hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 11:17:14 PM, on 10/6/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\mcafee.com\Agent\mcagent.exe
C:\Program Files\mcafee.com\Agent\mcupdate.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\ms0664089-11304.exe
C:\WINDOWS\sys011130464089-.exe
C:\WINDOWS\win3208089-1130464.exe
C:\Program Files\Common Files\{BC9E7CA7-0701-1033-1122-010928000001}\Update.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\win32ssr.exe
C:\Program Files\PSDream\PSDream.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\XPFIX\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsw4F.dll
O2 - BHO: IE HTTP Checker - {7A22BB1D-4B19-45CF-9A10-20534D997ED2} - C:\WINDOWS\system32\iehttpcheck.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\mcafee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [loaddr] C:\qeoa.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [ms0664089-11304] C:\WINDOWS\ms0664089-11304.exe
O4 - HKLM\..\Run: [sys011130464089-] C:\WINDOWS\sys011130464089-.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [win3208089-1130464] C:\WINDOWS\win3208089-1130464.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\System32\crunner\cproc.exe
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - HKCU\..\Run: [orfm] C:\PROGRA~1\COMMON~1\orfm\orfmm.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.google.com/diskless/bin/tgctlcm.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/in...altpmtscab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1160200901498
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe

**Deckard** · 10-07-2006, 08:33 PM

Hello quaa, and welcome to TSF. You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.

Unhide Files
Go to My Computer > Tools > Folder Options > View tab and select "Show hidden files and folders". Uncheck the "Hide protected operating system files (Recommended)" option. Also make sure there is no checkmark beside "Hide file extensions for known file types". Click OK.

Firewall Required
You don't seem to have a firewall program installed. Using a firewall will allow you to give/deny access for applications that want to go online. If you are unfamiliar with how a firewall works, you can read "Understanding and Using Firewalls". Here are some free firewalls available for personal use:

Please pick one and install it.

Unpatched Operating System
IMPORTANT! Before we can proceed any further, please visit the Microsoft's Windows Update Page and install ALL Critical Updates for your system except Service Pack 2 (SP2). SP2 should only be installed on a fully disinfected system. At the minimum install at least Service Pack 1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Download CleanUp!
Download and install CleanUp! but do not run it yet.

WARNING: CleanUp! deletes EVERYTHING out of temporary folders and does not make backups. If you have any documents or programs that are saved in any temporary folders, please make a backup of these before running CleanUp!

WARNING: Do not run cleanup under Windows XP x64 Edition. If you're not sure if you have the 64-bit version of Windows then you probably do not; however, you can check by using IE to download the whichcpu tool and then running it.

Download AVG Anti-Spyware
Please download, install, and update AVG Anti-Spyware Anti-Spyware.

Load AVG Anti-Spyware and then click the Shield tab at the top
- Click on the word active to change it to inactive.
Click the Update tab at the top:
- Under Manual update, click Start update. After the update finishes, the status bar at the bottom will display "Update successful". If you are having trouble updating, you can also download and run the manual updater.
- Under Automatic update, change the Update interval to something more reasonable like 12 or 24 hours.
Click the Scanner tab at the top and then the Settings sub-tab:
- Under How to act?, click Recommended actions and select Quarantine.
- Under Reports, select Automatically generate report after every scan
Close AVG Anti-Spyware. Do not run a scan with it yet.

Download Brute Force Uninstaller
Please download Brute Force Uninstaller to your desktop.

Right click bfu.zip on your desktop, and choose Extract All. Click "Next".
In the box to choose where to extract the files to, click "Browse".
Click on the + sign next to "My Computer".
Click on "Local Disk (C:) (or whatever your primary drive is).
Click "Make New Folder" and type in BFU. Click "Next".
Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download the Alcra PLUS Remover. Save it in the same folder you made earlier (i.e., C:\BFU).

Download ComboFix
Download ComboFix from one of the following links:

Double click combofix.exe & follow the prompts. While ComboFix is running, please do not click or move the window, as this may cause the tool to stall. When the tool has finished, it will produce a log for you and save it as C:\ComboFix.txt. Post that log in your next reply.

Disable Service
You need to disable two services. Click Start>Run - type SERVICES.MSC and then click on the OK button.

Locate the service - MS Software Shadow Download Provider
Stop the service by using the Stop button.
Change the Startup Type to Disabled and click the OK button.
Start HiJackThis and go to Config... -> Misc.Tools -> Delete an NT service.
In the popup box that appears, type in dnlsvc.
Click the OK button and answer No if prompted to reboot.

Locate the service - Win32Sr
Double-click on it to open the Properties dialog.
Under the General tab, write down the name of "Service name". We will need it momentarily.
Stop the service by using the Stop button.
Change the Startup Type to Disabled and click the OK button.
Start HiJackThis and go to Config... -> Misc.Tools -> Delete an NT service.
In the popup box that appears, copy/paste the value you obtained in step 3.
Click the OK button and answer No if prompted to reboot.

Uninstall
Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

License_Manager
PSDream
webHancer

Please let me know if any of these were unable to uninstall.

Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Login on with your usual account. Make sure to close any open windows.

HijackThis Fixes
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any):

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: IE HTTP Checker - {7A22BB1D-4B19-45CF-9A10-20534D997ED2} - C:\WINDOWS\system32\iehttpcheck.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsw4F.dll
O4 - HKLM\..\Run: [loaddr] C:\qeoa.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [ms0664089-11304] C:\WINDOWS\ms0664089-11304.exe
O4 - HKLM\..\Run: [sys011130464089-] C:\WINDOWS\sys011130464089-.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [win3208089-1130464] C:\WINDOWS\win3208089-1130464.exe
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\System32\crunner\cproc.exe
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - HKCU\..\Run: [orfm] C:\PROGRA~1\COMMON~1\orfm\orfmm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.elitemediagroup.net
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe

Please remember to close all other windows, including browsers then click Fix checked. Close HijackThis.

Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Documents and Settings\Owner\Local Settings\Temp\dnlsvc.exe
C:\Program Files\Common Files\orfm
C:\Program Files\License_Manager
C:\Program Files\PSDream
C:\Program Files\webHancer
C:\WINDOWS\system32\crunner
C:\WINDOWS\system32\iehttpcheck.dll
C:\WINDOWS\system32\nsw4F.dll
C:\WINDOWS\Duce6.exe
C:\WINDOWS\ms0664089-11304.exe
C:\WINDOWS\sys011130464089-.exe
C:\WINDOWS\win3208089-1130464.exe
C:\WINDOWS\win32ssr.exe
C:\qeoa.exe

Run Brute Force Uninstaller
Please go to Start > My Computer and navigate to the folder you installed BFU in (i.e, C:\BFU).

Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Run CleanUp!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- Cleanup! All Users
- Click on the "Temporary Files" and make sure the box for "Scan drives for file matching" is unchecked.
Click OK.
Press the CleanUp! button to start the program.

Once it's finished CleanUp! will ask you to logoff/reboot. Please select NO as we will do this later.

Run AVG Anti-Spyware

Run AVG Anti-Spyware and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Click on Save Report, then Save Report As. Save the report so that you can find it again (like on the Desktop).
Close AVG Anti-Spyware.

Reboot
Reboot your system to Normal Mode.

Online Scan
Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded, click on NEXT.
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database: extended
- Scan Options: Scan Archives and Scan Mail Bases
Click OK
Turn off the real time scanner of any existing antivirus program before performing the online scan. You can turn it back on after the scan is done.
Now under select a target to scan, select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run all the way.
Once the scan is complete it will display if your system has been infected.
Click on the Save as Text button and save the file to your desktop.
Copy and paste that information in your next post.

Take note the names and locations of any file it detects but fails to clean.

With Your Next Post...
Please paste the following with your next reply (in this order please):

The contents of C:\ComboFix.txt,
AVG Anti-Spyware scan report,
Kaspersky scan report,
a new HiJackThis log taken after Kaspersky finishes.

quaa · 10-14-2006, 12:11 AM

1. The contents of C:\ComboFix.txt,

Owner - 06-10-13 19:11:53.26 Service Pack 1
ComboFix 06.10.14 - Running from: "C:\Documents and Settings\Owner\Desktop\XPFIX\new"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\csvhost.exe
C:\WINDOWS\Eim03.exe
C:\WINDOWS\justin.exe
C:\WINDOWS\MirarSetup_876075.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\RDFX4.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\uni_ehhhh.exe
C:\WINDOWS\uninst104.exe
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\adrot-uninst.exe
C:\WINDOWS\system32\adrotate.dll
C:\WINDOWS\system32\scmt16.exe
C:\WINDOWS\system32\WinNB58.dll
C:\Program Files\Common Files\misc002
C:\Program Files\batty2
C:\Program Files\cmfibula
C:\Program Files\PSLister
C:\WINDOWS\system32\crunner
C:\Program Files\Common Files\{BC9E7CA7-0701-1033-1122-010928000001}

((((((((((((((((((((((((((((((( Files Created from 2006-09-13 to 2006-10-13 ))))))))))))))))))))))))))))))))))

2006-10-13 18:58 3,968 --a------ C:\WINDOWS\SYSTEM32\drivers\AvgAsCln.sys
2006-10-13 18:49 67,584 --a------ C:\WINDOWS\SYSTEM32\magnify.exe
2006-10-13 18:49 53,760 --a------ C:\WINDOWS\SYSTEM32\cryptsvc.dll
2006-10-13 18:49 51,200 --a------ C:\WINDOWS\SYSTEM32\narrator.exe
2006-10-13 18:49 238,080 --a------ C:\WINDOWS\SYSTEM32\newdev.dll
2006-10-13 18:49 212,480 --a------ C:\WINDOWS\SYSTEM32\osk.exe
2006-10-13 18:49 179,200 --a------ C:\WINDOWS\SYSTEM32\accwiz.exe
2006-10-13 18:48 50,176 --a------ C:\WINDOWS\SYSTEM32\dpwsockx.dll
2006-10-13 18:48 214,528 --a------ C:\WINDOWS\SYSTEM32\dplayx.dll
2006-10-13 18:47 831,519 --a------ C:\WINDOWS\SYSTEM32\mswdat10.dll
2006-10-13 18:47 614,431 --a------ C:\WINDOWS\SYSTEM32\mswstr10.dll
2006-10-13 18:47 552,989 --a------ C:\WINDOWS\SYSTEM32\msrepl40.dll
2006-10-13 18:47 53,279 --a------ C:\WINDOWS\SYSTEM32\msjter40.dll
2006-10-13 18:47 512,029 --a------ C:\WINDOWS\SYSTEM32\msexch40.dll
2006-10-13 18:47 421,919 --a------ C:\WINDOWS\SYSTEM32\msrd2x40.dll
2006-10-13 18:47 380,957 --a------ C:\WINDOWS\SYSTEM32\expsrv.dll
2006-10-13 18:47 358,976 --------- C:\WINDOWS\SYSTEM32\msjetoledb40.dll
2006-10-13 18:47 348,189 --a------ C:\WINDOWS\SYSTEM32\msxbde40.dll
2006-10-13 18:47 348,189 --a------ C:\WINDOWS\SYSTEM32\mspbde40.dll
2006-10-13 18:47 319,517 --a------ C:\WINDOWS\SYSTEM32\msexcl40.dll
2006-10-13 18:47 315,423 --a------ C:\WINDOWS\SYSTEM32\msrd3x40.dll
2006-10-13 18:47 30,749 --a------ C:\WINDOWS\SYSTEM32\vbajet32.dll
2006-10-13 18:47 258,077 --a------ C:\WINDOWS\SYSTEM32\mstext40.dll
2006-10-13 18:47 241,693 --a------ C:\WINDOWS\SYSTEM32\msjtes40.dll
2006-10-13 18:47 213,023 --a------ C:\WINDOWS\SYSTEM32\msltus40.dll
2006-10-13 18:47 151,583 --a------ C:\WINDOWS\SYSTEM32\msjint40.dll
2006-10-13 18:47 1,507,356 --a------ C:\WINDOWS\SYSTEM32\msjet40.dll
2006-10-13 18:46 32,256 --a------ C:\WINDOWS\SYSTEM32\msgsvc.dll
2006-10-13 18:41 260,096 --a------ C:\WINDOWS\SYSTEM32\mstask.dll
2006-10-13 18:41 172,544 --a------ C:\WINDOWS\SYSTEM32\schedsvc.dll
2006-10-13 18:41 10,752 --a------ C:\WINDOWS\SYSTEM32\mstinit.exe
2006-10-13 17:51 991,232 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2006-10-13 17:24 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2006-10-13 16:39 9,216 --a------ C:\WINDOWS\SYSTEM32\wuauserv.dll
2006-10-13 16:39 88,064 --a------ C:\WINDOWS\SYSTEM32\tscfgwmi.dll
2006-10-13 16:39 86,528 --a------ C:\WINDOWS\SYSTEM32\wlnotify.dll
2006-10-13 16:39 86,016 --a------ C:\WINDOWS\SYSTEM32\xactsrv.dll
2006-10-13 16:39 82,944 --a------ C:\WINDOWS\SYSTEM32\smlogsvc.exe
2006-10-13 16:39 81,920 --a------ C:\WINDOWS\SYSTEM32\trkwks.dll
2006-10-13 16:39 77,824 --a------ C:\WINDOWS\SYSTEM32\wmpstub.exe
2006-10-13 16:39 77,824 --a------ C:\WINDOWS\SYSTEM32\wmpshell.dll
2006-10-13 16:39 72,192 --------- C:\WINDOWS\SYSTEM32\telnet.exe
2006-10-13 16:39 71,168 --------- C:\WINDOWS\SYSTEM32\storprop.dll
2006-10-13 16:39 667,648 --a------ C:\WINDOWS\SYSTEM32\ss3dfo.scr
2006-10-13 16:39 66,560 --a------ C:\WINDOWS\SYSTEM32\spoolss.dll
2006-10-13 16:39 638,976 --a------ C:\WINDOWS\SYSTEM32\sstext3d.scr
2006-10-13 16:39 63,488 --a------ C:\WINDOWS\SYSTEM32\srclient.dll
2006-10-13 16:39 61,952 --a------ C:\WINDOWS\SYSTEM32\sti.dll
2006-10-13 16:39 60,416 --a------ C:\WINDOWS\SYSTEM32\wextract.exe
2006-10-13 16:39 569,344 --a------ C:\WINDOWS\SYSTEM32\sspipes.scr
2006-10-13 16:39 56,832 --a------ C:\WINDOWS\SYSTEM32\wzcdlg.dll
2006-10-13 16:39 534,016 --a------ C:\WINDOWS\SYSTEM32\spider.exe
2006-10-13 16:39 51,200 --a------ C:\WINDOWS\SYSTEM32\wmerrenu.dll
2006-10-13 16:39 48,640 --a------ C:\WINDOWS\SYSTEM32\vdmredir.dll
2006-10-13 16:39 48,128 --a------ C:\WINDOWS\SYSTEM32\winsta.dll
2006-10-13 16:39 479,261 --a------ C:\WINDOWS\SYSTEM32\vbscript.dll
2006-10-13 16:39 47,616 --a------ C:\WINDOWS\SYSTEM32\utilman.exe
2006-10-13 16:39 446,464 --a------ C:\WINDOWS\SYSTEM32\wmvdmoe.dll
2006-10-13 16:39 442,398 --a------ C:\WINDOWS\SYSTEM32\wmadmoe.dll
2006-10-13 16:39 43,008 --a------ C:\WINDOWS\SYSTEM32\ssdpsrv.dll
2006-10-13 16:39 409,088 --a------ C:\WINDOWS\SYSTEM32\vssapi.dll
2006-10-13 16:39 40,960 --a------ C:\WINDOWS\SYSTEM32\tscupgrd.exe
2006-10-13 16:39 384,000 --a------ C:\WINDOWS\SYSTEM32\themeui.dll
2006-10-13 16:39 38,912 --a------ C:\WINDOWS\SYSTEM32\wsnmp32.dll
2006-10-13 16:39 364,544 --a------ C:\WINDOWS\SYSTEM32\ssflwbox.scr
2006-10-13 16:39 339,456 --a------ C:\WINDOWS\SYSTEM32\usp10.dll
2006-10-13 16:39 334,848 --a------ C:\WINDOWS\SYSTEM32\smlogcfg.dll
2006-10-13 16:39 32,256 --a------ C:\WINDOWS\SYSTEM32\umandlg.dll
2006-10-13 16:39 316,416 --a------ C:\WINDOWS\SYSTEM32\wiaservc.dll
2006-10-13 16:39 311,327 --a------ C:\WINDOWS\SYSTEM32\wmv8dmod.dll
2006-10-13 16:39 296,448 --a------ C:\WINDOWS\SYSTEM32\wmstream.dll
2006-10-13 16:39 294,912 --a------ C:\WINDOWS\SYSTEM32\wmvdmod.dll
2006-10-13 16:39 274,432 --a------ C:\WINDOWS\SYSTEM32\wmasf.dll
2006-10-13 16:39 27,136 --a------ C:\WINDOWS\SYSTEM32\ssdpapi.dll
2006-10-13 16:39 266,752 --a------ C:\WINDOWS\winhlp32.exe
2006-10-13 16:39 264,704 --a------ C:\WINDOWS\SYSTEM32\wzcsvc.dll
2006-10-13 16:39 258,048 --a------ C:\WINDOWS\SYSTEM32\webcheck.dll
2006-10-13 16:39 253,952 --a------ C:\WINDOWS\SYSTEM32\wmpcd.dll
2006-10-13 16:39 253,952 --a------ C:\WINDOWS\SYSTEM32\wmnetmgr.dll
2006-10-13 16:39 251,904 --a------ C:\WINDOWS\SYSTEM32\strmdll.dll
2006-10-13 16:39 231,424 --a------ C:\WINDOWS\SYSTEM32\upnpui.dll
2006-10-13 16:39 23,552 --------- C:\WINDOWS\SYSTEM32\wzcsapi.dll
2006-10-13 16:39 22,016 --a------ C:\WINDOWS\SYSTEM32\udhisapi.dll
2006-10-13 16:39 203,264 --a------ C:\WINDOWS\SYSTEM32\uxtheme.dll
2006-10-13 16:39 200,192 --a------ C:\WINDOWS\SYSTEM32\termsrv.dll
2006-10-13 16:39 19,456 --a------ C:\WINDOWS\SYSTEM32\ssmarque.scr
2006-10-13 16:39 184,320 --a------ C:\WINDOWS\SYSTEM32\wmadmod.dll
2006-10-13 16:39 18,944 --a------ C:\WINDOWS\SYSTEM32\ssbezier.scr
2006-10-13 16:39 172,664 --a------ C:\WINDOWS\SYSTEM32\xenroll.dll
2006-10-13 16:39 171,520 --a------ C:\WINDOWS\SYSTEM32\winmm.dll
2006-10-13 16:39 17,408 --a------ C:\WINDOWS\SYSTEM32\wtsapi32.dll
2006-10-13 16:39 17,408 --a------ C:\WINDOWS\SYSTEM32\ssmyst.scr
2006-10-13 16:39 168,448 --a------ C:\WINDOWS\SYSTEM32\wldap32.dll
2006-10-13 16:39 165,376 --a------ C:\WINDOWS\SYSTEM32\w32time.dll
2006-10-13 16:39 165,376 --a------ C:\WINDOWS\SYSTEM32\tapi32.dll
2006-10-13 16:39 164,864 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll
2006-10-13 16:39 16,896 --a------ C:\WINDOWS\SYSTEM32\snmpapi.dll
2006-10-13 16:39 16,384 --a------ C:\WINDOWS\SYSTEM32\watchdog.sys
2006-10-13 16:39 16,384 --a------ C:\WINDOWS\SYSTEM32\ups.exe
2006-10-13 16:39 158,720 --a------ C:\WINDOWS\SYSTEM32\srsvc.dll
2006-10-13 16:39 130,560 --a------ C:\WINDOWS\SYSTEM32\sti_ci.dll
2006-10-13 16:39 13,312 --a------ C:\WINDOWS\SYSTEM32\ssstars.scr
2006-10-13 16:39 128,512 --a------ C:\WINDOWS\SYSTEM32\taskmgr.exe
2006-10-13 16:39 124,928 --a------ C:\WINDOWS\SYSTEM32\webvw.dll
2006-10-13 16:39 120,320 --a------ C:\WINDOWS\SYSTEM32\upnp.dll
2006-10-13 16:39 119,808 --a------ C:\WINDOWS\SYSTEM32\wiadss.dll
2006-10-13 16:39 118,784 --a------ C:\WINDOWS\SYSTEM32\wmsdmoe.dll
2006-10-13 16:39 117,760 --a------ C:\WINDOWS\SYSTEM32\stobject.dll
2006-10-13 16:39 110,592 --a------ C:\WINDOWS\SYSTEM32\wmsdmod.dll
2006-10-13 16:39 106,496 --a------ C:\WINDOWS\SYSTEM32\url.dll
2006-10-13 16:39 10,752 --a------ C:\WINDOWS\SYSTEM32\tracert.exe
2006-10-13 16:39 1,998,848 --a------ C:\WINDOWS\SYSTEM32\wmploc.dll
2006-10-13 16:39 1,425,680 --a------ C:\WINDOWS\SYSTEM32\wmpui.dll
2006-10-13 16:39 1,220,608 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll
2006-10-13 16:38 98,304 --a------ C:\WINDOWS\SYSTEM32\oleprn.dll
2006-10-13 16:38 95,744 --a------ C:\WINDOWS\SYSTEM32\nlhtml.dll
2006-10-13 16:38 91,136 --a------ C:\WINDOWS\SYSTEM32\rastls.dll
2006-10-13 16:38 87,304 --a------ C:\WINDOWS\SYSTEM32\rdpdd.dll
2006-10-13 16:38 82,944 --a------ C:\WINDOWS\SYSTEM32\psbase.dll
2006-10-13 16:38 8,192 --a------ C:\WINDOWS\SYSTEM32\scrnsave.scr
2006-10-13 16:38 75,912 --a------ C:\WINDOWS\SYSTEM32\rdpwsx.dll
2006-10-13 16:38 74,240 --a------ C:\WINDOWS\SYSTEM32\rtcshare.exe
2006-10-13 16:38 71,168 --a------ C:\WINDOWS\SYSTEM32\sdbinst.exe
2006-10-13 16:38 686,080 --a------ C:\WINDOWS\SYSTEM32\opengl32.dll
2006-10-13 16:38 66,048 --a------ C:\WINDOWS\SYSTEM32\sigverif.exe
2006-10-13 16:38 62,976 --a------ C:\WINDOWS\SYSTEM32\shgina.dll
2006-10-13 16:38 61,440 --a------ C:\WINDOWS\SYSTEM32\odbccu32.dll
2006-10-13 16:38 61,440 --a------ C:\WINDOWS\SYSTEM32\odbccr32.dll
2006-10-13 16:38 60,416 --a------ C:\WINDOWS\SYSTEM32\shimeng.dll
2006-10-13 16:38 6,912 --------- C:\WINDOWS\SYSTEM32\drivers\hidir.sys
2006-10-13 16:38 6,144 --a------ C:\WINDOWS\SYSTEM32\sensapi.dll
2006-10-13 16:38 58,880 --a------ C:\WINDOWS\SYSTEM32\pautoenr.dll
2006-10-13 16:38 57,856 --a------ C:\WINDOWS\SYSTEM32\raschap.dll
2006-10-13 16:38 56,320 --a------ C:\WINDOWS\SYSTEM32\remotepg.dll
2006-10-13 16:38 53,248 --a------ C:\WINDOWS\SYSTEM32\packager.exe
2006-10-13 16:38 53,248 --a------ C:\WINDOWS\SYSTEM32\odbcconf.exe
2006-10-13 16:38 52,224 --a------ C:\WINDOWS\SYSTEM32\secur32.dll
2006-10-13 16:38 511,488 --a------ C:\WINDOWS\SYSTEM32\qedit.dll
2006-10-13 16:38 504,832 --------- C:\WINDOWS\SYSTEM32\msftedit.dll
2006-10-13 16:38 5,504 --------- C:\WINDOWS\SYSTEM32\drivers\smbali.sys
2006-10-13 16:38 5,120 --------- C:\WINDOWS\SYSTEM32\hccoin.dll
2006-10-13 16:38 49,152 --a------ C:\WINDOWS\SYSTEM32\npptools.dll
2006-10-13 16:38 48,128 --a------ C:\WINDOWS\SYSTEM32\reg.exe
2006-10-13 16:38 44,032 --a------ C:\WINDOWS\SYSTEM32\regapi.dll
2006-10-13 16:38 44,032 --a------ C:\WINDOWS\SYSTEM32\rdpclip.exe
2006-10-13 16:38 423,424 --a------ C:\WINDOWS\SYSTEM32\riched20.dll
2006-10-13 16:38 420,864 --a------ C:\WINDOWS\SYSTEM32\shimgvw.dll
2006-10-13 16:38 403,456 --------- C:\WINDOWS\SYSTEM32\winbrand.dll
2006-10-13 16:38 392,704 --a------ C:\WINDOWS\SYSTEM32\ntmssvc.dll
2006-10-13 16:38 38,400 --a------ C:\WINDOWS\SYSTEM32\ntmsapi.dll
2006-10-13 16:38 38,400 --a------ C:\WINDOWS\SYSTEM32\ntlanman.dll
2006-10-13 16:38 36,463 --------- C:\WINDOWS\SYSTEM32\drivers\atintuxx.sys
2006-10-13 16:38 36,352 --a------ C:\WINDOWS\SYSTEM32\sens.dll
2006-10-13 16:38 357,376 --a------ C:\WINDOWS\SYSTEM32\qdvd.dll
2006-10-13 16:38 34,735 --------- C:\WINDOWS\SYSTEM32\drivers\atinxsxx.sys
2006-10-13 16:38 34,304 --a------ C:\WINDOWS\SYSTEM32\rcimlby.exe
2006-10-13 16:38 33,280 --a------ C:\WINDOWS\SYSTEM32\shmgrate.exe
2006-10-13 16:38 32,768 --a------ C:\WINDOWS\SYSTEM32\odbcad32.exe
2006-10-13 16:38 31,744 --------- C:\WINDOWS\SYSTEM32\pid.dll
2006-10-13 16:38 3,584 --------- C:\WINDOWS\SYSTEM32\dsprpres.dll
2006-10-13 16:38 3,338 --a------ C:\WINDOWS\SYSTEM32\redir.exe
2006-10-13 16:38 297,984 --a------ C:\WINDOWS\SYSTEM32\scesrv.dll
2006-10-13 16:38 29,455 --------- C:\WINDOWS\SYSTEM32\drivers\atinxbxx.sys
2006-10-13 16:38 254,976 --a------ C:\WINDOWS\SYSTEM32\pdh.dll
2006-10-13 16:38 24,576 --a------ C:\WINDOWS\SYSTEM32\nmmkcert.dll
2006-10-13 16:38 24,064 --a------ C:\WINDOWS\SYSTEM32\skeys.exe
2006-10-13 16:38 22,528 --a------ C:\WINDOWS\SYSTEM32\slayerxp.dll
2006-10-13 16:38 22,528 --a------ C:\WINDOWS\SYSTEM32\shfolder.dll
2006-10-13 16:38 218,112 --------- C:\WINDOWS\SYSTEM32\sbe.dll
2006-10-13 16:38 20,992 --a------ C:\WINDOWS\SYSTEM32\setup.exe
2006-10-13 16:38 193,536 --a------ C:\WINDOWS\SYSTEM32\rasppp.dll
2006-10-13 16:38 19,328 --------- C:\WINDOWS\SYSTEM32\drivers\usbehci.sys
2006-10-13 16:38 187,904 --------- C:\WINDOWS\SYSTEM32\xpsp1res.dll
2006-10-13 16:38 184,832 --a------ C:\WINDOWS\SYSTEM32\qcap.dll
2006-10-13 16:38 18,944 --------- C:\WINDOWS\SYSTEM32\faxpatch.exe
2006-10-13 16:38 174,592 --a------ C:\WINDOWS\SYSTEM32\scecli.dll
2006-10-13 16:38 172,032 --------- C:\WINDOWS\SYSTEM32\mssap.dll
2006-10-13 16:38 171,008 --a------ C:\WINDOWS\SYSTEM32\sccsccp.dll
2006-10-13 16:38 17,408 --a------ C:\WINDOWS\SYSTEM32\psapi.dll
2006-10-13 16:38 169,984 --a------ C:\WINDOWS\SYSTEM32\sccbase.dll
2006-10-13 16:38 165,888 --a------ C:\WINDOWS\SYSTEM32\ntmsdba.dll
2006-10-13 16:38 16,384 --a------ C:\WINDOWS\SYSTEM32\ping.exe
2006-10-13 16:38 16,384 --a------ C:\WINDOWS\SYSTEM32\odbc32gt.dll
2006-10-13 16:38 155,648 --a------ C:\WINDOWS\SYSTEM32\encdec.dll
2006-10-13 16:38 147,456 --a------ C:\WINDOWS\SYSTEM32\odbctrac.dll
2006-10-13 16:38 14,848 --a------ C:\WINDOWS\SYSTEM32\rdpsnd.dll
2006-10-13 16:38 137,216 --a------ C:\WINDOWS\SYSTEM32\ntshrui.dll
2006-10-13 16:38 135,680 --a------ C:\WINDOWS\SYSTEM32\rdchost.dll
2006-10-13 16:38 134,144 --------- C:\WINDOWS\regedit.exe
2006-10-13 16:38 133,632 --a------ C:\WINDOWS\SYSTEM32\rsaenh.dll
2006-10-13 16:38 133,120 --a------ C:\WINDOWS\SYSTEM32\sfc_os.dll
2006-10-13 16:38 13,824 --a------ C:\WINDOWS\SYSTEM32\rassapi.dll
2006-10-13 16:38 13,056 --------- C:\WINDOWS\SYSTEM32\drivers\wacompen.sys
2006-10-13 16:38 122,880 --a------ C:\WINDOWS\SYSTEM32\odbcconf.dll
2006-10-13 16:38 12,800 --a------ C:\WINDOWS\SYSTEM32\runonce.exe
2006-10-13 16:38 12,288 --a------ C:\WINDOWS\SYSTEM32\rdsaddin.exe
2006-10-13 16:38 12,288 --a------ C:\WINDOWS\SYSTEM32\odbcp32r.dll
2006-10-13 16:38 12,288 --------- C:\WINDOWS\SYSTEM32\encapi.dll
2006-10-13 16:38 112,128 --a------ C:\WINDOWS\SYSTEM32\ntmarta.dll
2006-10-13 16:38 110,080 --------- C:\WINDOWS\SYSTEM32\sbeio.dll
2006-10-13 16:38 11,904 --------- C:\WINDOWS\SYSTEM32\drivers\mutohpen.sys
2006-10-13 16:38 11,776 --a------ C:\WINDOWS\SYSTEM32\sigtab.dll
2006-10-13 16:38 109,568 --a------ C:\WINDOWS\SYSTEM32\offfilt.dll
2006-10-13 16:38 1,677,312 --------- C:\WINDOWS\SYSTEM32\wmvcore2.dll
2006-10-13 16:38 1,350,144 --a------ C:\WINDOWS\SYSTEM32\query.dll
2006-10-13 16:38 1,158,656 --a------ C:\WINDOWS\SYSTEM32\quartz.dll
2006-10-13 16:38 1,157,632 --a------ C:\WINDOWS\SYSTEM32\sfcfiles.dll
2006-10-13 16:37 921,475 --------- C:\WINDOWS\SYSTEM32\ati3d2ag.dll
2006-10-13 16:37 91,136 --a------ C:\WINDOWS\SYSTEM32\MSOERT2.DLL
2006-10-13 16:37 857,600 --a------ C:\WINDOWS\SYSTEM32\netplwiz.dll
2006-10-13 16:37 844,675 --------- C:\WINDOWS\SYSTEM32\ati3d1ag.dll
2006-10-13 16:37 78,848 --a------ C:\WINDOWS\SYSTEM32\msiexec.exe
2006-10-13 16:37 72,192 --a------ C:\WINDOWS\SYSTEM32\uniime.dll
2006-10-13 16:37 699,392 --a------ C:\WINDOWS\SYSTEM32\msxml2.dll
2006-10-13 16:37 68,608 --a------ C:\WINDOWS\SYSTEM32\mscms.dll
2006-10-13 16:37 67,584 --a------ C:\WINDOWS\SYSTEM32\msctfp.dll
2006-10-13 16:37 65,536 --a------ C:\WINDOWS\SYSTEM32\msconf.dll
2006-10-13 16:37 63,663 --------- C:\WINDOWS\SYSTEM32\drivers\atinrvxx.sys
2006-10-13 16:37 6,656 --a------ C:\WINDOWS\SYSTEM32\laprxy.dll
2006-10-13 16:37 598,016 --a------ C:\WINDOWS\SYSTEM32\mstscax.dll
2006-10-13 16:37 584,192 --a------ C:\WINDOWS\SYSTEM32\netcfgx.dll
2006-10-13 16:37 57,856 --a------ C:\WINDOWS\SYSTEM32\licwmi.dll
2006-10-13 16:37 56,591 --------- C:\WINDOWS\SYSTEM32\drivers\atinbtxx.sys
2006-10-13 16:37 56,320 --a------ C:\WINDOWS\SYSTEM32\mshtmler.dll
2006-10-13 16:37 504,320 --a------ C:\WINDOWS\SYSTEM32\logonui.exe
2006-10-13 16:37 450,176 --------- C:\WINDOWS\SYSTEM32\drivers\ati2mtag.sys
2006-10-13 16:37 42,496 --a------ C:\WINDOWS\SYSTEM32\ncobjapi.dll
2006-10-13 16:37 401,462 --a------ C:\WINDOWS\SYSTEM32\msvcp60.dll
2006-10-13 16:37 4,608 --a------ C:\WINDOWS\SYSTEM32\msimg32.dll
2006-10-13 16:37 4,126 --a------ C:\WINDOWS\SYSTEM32\msdxmlc.dll
2006-10-13 16:37 399,360 --a------ C:\WINDOWS\SYSTEM32\netlogon.dll
2006-10-13 16:37 39,424 --a------ C:\WINDOWS\SYSTEM32\net.exe
2006-10-13 16:37 388,608 --a------ C:\WINDOWS\SYSTEM32\mstsc.exe
2006-10-13 16:37 381,440 --a------ C:\WINDOWS\SYSTEM32\lmrt.dll
2006-10-13 16:37 377,984 --------- C:\WINDOWS\SYSTEM32\ati2dvaa.dll
2006-10-13 16:37 368,710 --a------ C:\WINDOWS\SYSTEM32\msisam11.dll
2006-10-13 16:37 339,968 --a------ C:\WINDOWS\SYSTEM32\mspaint.exe
2006-10-13 16:37 327,040 --------- C:\WINDOWS\SYSTEM32\drivers\ati2mtaa.sys
2006-10-13 16:37 326,656 --------- C:\WINDOWS\SYSTEM32\netsetup.exe
2006-10-13 16:37 323,072 --a------ C:\WINDOWS\SYSTEM32\msvcrt.dll
2006-10-13 16:37 32,256 --a------ C:\WINDOWS\SYSTEM32\mnmdd.dll
2006-10-13 16:37 319,760 --a------ C:\WINDOWS\SYSTEM32\msnsspc.dll
2006-10-13 16:37 30,671 --------- C:\WINDOWS\SYSTEM32\drivers\atinraxx.sys
2006-10-13 16:37 271,360 --a------ C:\WINDOWS\SYSTEM32\msihnd.dll
2006-10-13 16:37 266,752 --a------ C:\WINDOWS\SYSTEM32\msctf.dll
2006-10-13 16:37 26,367 --------- C:\WINDOWS\SYSTEM32\drivers\atinsnxx.sys
2006-10-13 16:37 245,760 --a------ C:\WINDOWS\SYSTEM32\msscp.dll
2006-10-13 16:37 241,725 --a------ C:\WINDOWS\SYSTEM32\msuni11.dll
2006-10-13 16:37 24,576 --a------ C:\WINDOWS\SYSTEM32\logagent.exe
2006-10-13 16:37 233,472 --a------ C:\WINDOWS\SYSTEM32\mpg4dmod.dll
2006-10-13 16:37 230,400 --a------ C:\WINDOWS\SYSTEM32\msieftp.dll
2006-10-13 16:37 229,376 --a------ C:\WINDOWS\SYSTEM32\MSOEACCT.DLL
2006-10-13 16:37 22,528 --a------ C:\WINDOWS\SYSTEM32\mslbui.dll
2006-10-13 16:37 219,648 --a------ C:\WINDOWS\SYSTEM32\logon.scr
2006-10-13 16:37 210,944 --a------ C:\WINDOWS\SYSTEM32\moricons.dll
2006-10-13 16:37 21,343 --------- C:\WINDOWS\SYSTEM32\drivers\atinttxx.sys
2006-10-13 16:37 202,496 --------- C:\WINDOWS\SYSTEM32\ati2dvag.dll
2006-10-13 16:37 2,890,240 --a------ C:\WINDOWS\SYSTEM32\msi.dll
2006-10-13 16:37 196,096 --a------ C:\WINDOWS\SYSTEM32\mobsync.dll
2006-10-13 16:37 192,512 --a------ C:\WINDOWS\SYSTEM32\mswebdvd.dll
2006-10-13 16:37 19,456 --a------ C:\WINDOWS\SYSTEM32\licmgr10.dll
2006-10-13 16:37 182,784 --a------ C:\WINDOWS\SYSTEM32\msutb.dll
2006-10-13 16:37 175,104 --a------ C:\WINDOWS\SYSTEM32\mspmsp.dll
2006-10-13 16:37 174,592 --a------ C:\WINDOWS\SYSTEM32\msnetobj.dll
2006-10-13 16:37 163,840 --a------ C:\WINDOWS\SYSTEM32\mindex.dll
2006-10-13 16:37 143,872 --a------ C:\WINDOWS\SYSTEM32\msimtf.dll
2006-10-13 16:37 131,072 --a------ C:\WINDOWS\SYSTEM32\msorcl32.dll
2006-10-13 16:37 12,288 --a------ C:\WINDOWS\SYSTEM32\mscpx32r.dll
2006-10-13 16:37 12,047 --------- C:\WINDOWS\SYSTEM32\drivers\atinpdxx.sys
2006-10-13 16:37 116,736 --a------ C:\WINDOWS\SYSTEM32\mplay32.exe
2006-10-13 16:37 115,200 --a------ C:\WINDOWS\SYSTEM32\net1.exe
2006-10-13 16:37 113,664 --a------ C:\WINDOWS\SYSTEM32\msvfw32.dll
2006-10-13 16:37 11,615 --------- C:\WINDOWS\SYSTEM32\drivers\atinmdxx.sys
2006-10-13 16:37 10,240 --a------ C:\WINDOWS\SYSTEM32\msrle32.dll
2006-10-13 16:37 10,240 --a------ C:\WINDOWS\SYSTEM32\localui.dll
2006-10-13 16:37 1,622,528 --a------ C:\WINDOWS\SYSTEM32\netshell.dll
2006-10-13 16:37 1,220,608 --a------ C:\WINDOWS\SYSTEM32\msvidctl.dll
2006-10-13 16:37 1,128,960 --a------ C:\WINDOWS\SYSTEM32\mmcndmgr.dll
2006-10-13 16:36 827,438 --a------ C:\WINDOWS\SYSTEM32\imjp81k.dll
2006-10-13 16:36 42,537 --a------ C:\WINDOWS\SYSTEM32\keyboard.sys
2006-10-13 16:35 98,816 --a------ C:\WINDOWS\SYSTEM32\clipbrd.exe
2006-10-13 16:35 94,720 --a------ C:\WINDOWS\SYSTEM32\dmusic.dll
2006-10-13 16:35 91,648 --a------ C:\WINDOWS\SYSTEM32\iuctl.dll
2006-10-13 16:35 91,648 --a------ C:\WINDOWS\SYSTEM32\ahui.exe
2006-10-13 16:35 91,136 --a------ C:\WINDOWS\SYSTEM32\advpack.dll
2006-10-13 16:35 9,216 --a------ C:\WINDOWS\SYSTEM32\icaapi.dll
2006-10-13 16:35 9,216 --a------ C:\WINDOWS\SYSTEM32\dumprep.exe
2006-10-13 16:35 802,304 --a------ C:\WINDOWS\SYSTEM32\dxmrtp.dll
2006-10-13 16:35 8,832 --a------ C:\WINDOWS\SYSTEM32\framebuf.dll
2006-10-13 16:35 8,192 --------- C:\WINDOWS\SYSTEM32\autolfn.exe
2006-10-13 16:35 786,432 --a------ C:\WINDOWS\SYSTEM32\dxdiag.exe
2006-10-13 16:35 77,312 --a------ C:\WINDOWS\SYSTEM32\dmscript.dll
2006-10-13 16:35 76,830 --a------ C:\WINDOWS\SYSTEM32\drmstor.dll
2006-10-13 16:35 76,288 --a------ C:\WINDOWS\SYSTEM32\dfrgfat.exe
2006-10-13 16:35 76,288 --a------ C:\WINDOWS\SYSTEM32\avifil32.dll
2006-10-13 16:35 74,810 --a------ C:\WINDOWS\SYSTEM32\atl.dll
2006-10-13 16:35 73,728 --a------ C:\WINDOWS\SYSTEM32\ils.dll
2006-10-13 16:35 71,680 --a------ C:\WINDOWS\SYSTEM32\browsewm.dll
2006-10-13 16:35 70,656 --a------ C:\WINDOWS\SYSTEM32\defrag.exe
2006-10-13 16:35 70,144 --a------ C:\WINDOWS\SYSTEM32\cryptdlg.dll
2006-10-13 16:35 7,168 --a------ C:\WINDOWS\SYSTEM32\fxsperf.dll
2006-10-13 16:35 7,040 --a------ C:\WINDOWS\SYSTEM32\kd1394.dll
2006-10-13 16:35 66,560 --a------ C:\WINDOWS\SYSTEM32\faultrep.dll
2006-10-13 16:35 64,512 --a------ C:\WINDOWS\SYSTEM32\ciodm.dll
2006-10-13 16:35 62,976 --a------ C:\WINDOWS\SYSTEM32\browselc.dll
2006-10-13 16:35 62,464 --a------ C:\WINDOWS\SYSTEM32\adsmsext.dll
2006-10-13 16:35 602,112 --a------ C:\WINDOWS\SYSTEM32\drmv2clt.dll
2006-10-13 16:35 6,656 --a------ C:\WINDOWS\SYSTEM32\fxsres.dll
2006-10-13 16:35 6,656 --a------ C:\WINDOWS\SYSTEM32\batt.dll
2006-10-13 16:35 596,480 --a------ C:\WINDOWS\SYSTEM32\INETCOMM.DLL
2006-10-13 16:35 59,904 --a------ C:\WINDOWS\SYSTEM32\cabinet.dll
2006-10-13 16:35 59,392 --a------ C:\WINDOWS\SYSTEM32\iesetup.dll
2006-10-13 16:35 58,368 --a------ C:\WINDOWS\SYSTEM32\dpvsetup.exe
2006-10-13 16:35 57,344 --a------ C:\WINDOWS\SYSTEM32\dmcompos.dll
2006-10-13 16:35 56,320 --a------ C:\WINDOWS\SYSTEM32\dpnhupnp.dll
2006-10-13 16:35 559,616 --a------ C:\WINDOWS\SYSTEM32\fxsst.dll
2006-10-13 16:35 55,296 --a------ C:\WINDOWS\SYSTEM32\digest.dll
2006-10-13 16:35 54,272 --a------ C:\WINDOWS\SYSTEM32\clusapi.dll
2006-10-13 16:35 51,712 --a------ C:\WINDOWS\SYSTEM32\ipconfig.exe
2006-10-13 16:35 5,120 --a------ C:\WINDOWS\SYSTEM32\asferror.dll
2006-10-13 16:35 498,205 --a------ C:\WINDOWS\SYSTEM32\dxmasf.dll
2006-10-13 16:35 49,664 --a------ C:\WINDOWS\SYSTEM32\ixsso.dll
2006-10-13 16:35 49,152 --a------ C:\WINDOWS\SYSTEM32\eventlog.dll
2006-10-13 16:35 49,152 --a------ C:\WINDOWS\SYSTEM32\browser.dll
2006-10-13 16:35 489,984 --------- C:\WINDOWS\SYSTEM32\dbghelp.dll
2006-10-13 16:35 45,568 --a------ C:\WINDOWS\SYSTEM32\docprop2.dll
2006-10-13 16:35 443,392 --a------ C:\WINDOWS\SYSTEM32\fxsapi.dll
2006-10-13 16:35 41,984 --a------ C:\WINDOWS\SYSTEM32\alg.exe
2006-10-13 16:35 41,472 --a------ C:\WINDOWS\SYSTEM32\cmdl32.exe
2006-10-13 16:35 395,264 --a------ C:\WINDOWS\SYSTEM32\fxsxp32.dll
2006-10-13 16:35 391,168 --a------ C:\WINDOWS\SYSTEM32\fxstiff.dll
2006-10-13 16:35 38,912 --a------ C:\WINDOWS\SYSTEM32\audiosrv.dll
2006-10-13 16:35 36,922 --a------ C:\WINDOWS\SYSTEM32\imeshare.dll
2006-10-13 16:35 35,328 --a------ C:\WINDOWS\SYSTEM32\dfrgsnap.dll
2006-10-13 16:35 324,608 --a------ C:\WINDOWS\SYSTEM32\cmdial32.dll
2006-10-13 16:35 32,768 --a------ C:\WINDOWS\SYSTEM32\cfgbkend.dll
2006-10-13 16:35 32,512 --------- C:\WINDOWS\SYSTEM32\drivers\amdk7.sys
2006-10-13 16:35 318,464 --a------ C:\WINDOWS\SYSTEM32\ippromon.dll
2006-10-13 16:35 31,744 --a------ C:\WINDOWS\SYSTEM32\dmloader.dll
2006-10-13 16:35 307,712 --a------ C:\WINDOWS\SYSTEM32\cscui.dll
2006-10-13 16:35 30,208 --a------ C:\WINDOWS\SYSTEM32\imgutil.dll
2006-10-13 16:35 294,912 --a------ C:\WINDOWS\SYSTEM32\iedkcs32.dll
2006-10-13 16:35 29,696 --a------ C:\WINDOWS\SYSTEM32\dpnhpast.dll
2006-10-13 16:35 28,672 --a------ C:\WINDOWS\SYSTEM32\ie4uinit.exe
2006-10-13 16:35 28,672 --a------ C:\WINDOWS\SYSTEM32\dbnmpntw.dll
2006-10-13 16:35 271,360 --a------ C:\WINDOWS\SYSTEM32\fxscomex.dll
2006-10-13 16:35 27,648 --------- C:\WINDOWS\SYSTEM32\pidgen.dll
2006-10-13 16:35 266,240 --a------ C:\WINDOWS\SYSTEM32\drmclien.dll
2006-10-13 16:35 263,680 --a------ C:\WINDOWS\SYSTEM32\duser.dll
2006-10-13 16:35 263,168 --a------ C:\WINDOWS\SYSTEM32\devmgr.dll
2006-10-13 16:35 26,112 --a------ C:\WINDOWS\SYSTEM32\dmband.dll
2006-10-13 16:35 253,440 --a------ C:\WINDOWS\SYSTEM32\ddraw.dll
2006-10-13 16:35 250,368 --a------ C:\WINDOWS\SYSTEM32\fxssvc.exe
2006-10-13 16:35 25,600 --a------ C:\WINDOWS\SYSTEM32\dfsshlex.dll
2006-10-13 16:35 240,640 --a------ C:\WINDOWS\SYSTEM32\hnetcfg.dll
2006-10-13 16:35 24,576 --a------ C:\WINDOWS\SYSTEM32\dbmsvinn.dll
2006-10-13 16:35 24,576 --a------ C:\WINDOWS\SYSTEM32\dbmsrpcn.dll
2006-10-13 16:35 24,576 --a------ C:\WINDOWS\SYSTEM32\conime.exe
2006-10-13 16:35 24,064 --a------ C:\WINDOWS\SYSTEM32\fxsdrv.dll
2006-10-13 16:35 239,616 --a------ C:\WINDOWS\SYSTEM32\adsnt.dll
2006-10-13 16:35 238,592 --a------ C:\WINDOWS\SYSTEM32\compatui.dll
2006-10-13 16:35 237,056 --a------ C:\WINDOWS\SYSTEM32\icm32.dll
2006-10-13 16:35 236,032 --a------ C:\WINDOWS\SYSTEM32\fxst30.dll
2006-10-13 16:35 227,840 --a------ C:\WINDOWS\SYSTEM32\dsquery.dll
2006-10-13 16:35 22,528 --a------ C:\WINDOWS\SYSTEM32\at.exe
2006-10-13 16:35 216,064 --a------ C:\WINDOWS\SYSTEM32\fxscover.exe
2006-10-13 16:35 206,336 --a------ C:\WINDOWS\SYSTEM32\dpvoice.dll
2006-10-13 16:35 204,288 --a------ C:\WINDOWS\SYSTEM32\ieaksie.dll
2006-10-13 16:35 20,992 --a------ C:\WINDOWS\SYSTEM32\fxsext32.dll
2006-10-13 16:35 20,480 --a------ C:\WINDOWS\SYSTEM32\hidserv.dll
2006-10-13 16:35 20,480 --a------ C:\WINDOWS\SYSTEM32\dbmsadsn.dll
2006-10-13 16:35 19,456 --a------ C:\WINDOWS\SYSTEM32\fontview.exe
2006-10-13 16:35 19,456 --a------ C:\WINDOWS\SYSTEM32\ersvc.dll
2006-10-13 16:35 186,880 --a------ C:\WINDOWS\SYSTEM32\certcli.dll
2006-10-13 16:35 185,856 --a------ C:\WINDOWS\SYSTEM32\fxswzrd.dll
2006-10-13 16:35 180,224 --a------ C:\WINDOWS\SYSTEM32\dwwin.exe
2006-10-13 16:35 179,712 --a------ C:\WINDOWS\SYSTEM32\cewmdm.dll
2006-10-13 16:35 178,688 --a------ C:\WINDOWS\SYSTEM32\eudcedit.exe
2006-10-13 16:35 172,544 --a------ C:\WINDOWS\SYSTEM32\dmime.dll
2006-10-13 16:35 168,960 --a------ C:\WINDOWS\SYSTEM32\dinput8.dll
2006-10-13 16:35 165,376 --a------ C:\WINDOWS\SYSTEM32\els.dll
2006-10-13 16:35 162,816 --a------ C:\WINDOWS\SYSTEM32\adsldp.dll
2006-10-13 16:35 16,384 --a------ C:\WINDOWS\SYSTEM32\ds32gt.dll
2006-10-13 16:35 158,720 --a------ C:\WINDOWS\SYSTEM32\credui.dll
2006-10-13 16:35 156,672 --a------ C:\WINDOWS\SYSTEM32\dpnet.dll
2006-10-13 16:35 151,552 --a------ C:\WINDOWS\SYSTEM32\dinput.dll
2006-10-13 16:35 149,504 --a------ C:\WINDOWS\SYSTEM32\fxsui.dll
2006-10-13 16:35 14,366 --a------ C:\WINDOWS\SYSTEM32\asfsipc.dll
2006-10-13 16:35 139,776 --a------ C:\WINDOWS\SYSTEM32\adsldpc.dll
2006-10-13 16:35 135,680 --a------ C:\WINDOWS\SYSTEM32\dsprop.dll
2006-10-13 16:35 130,048 --a------ C:\WINDOWS\SYSTEM32\fxsclnt.exe
2006-10-13 16:35 13,312 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe
2006-10-13 16:35 126,976 --a------ C:\WINDOWS\SYSTEM32\ieakeng.dll
2006-10-13 16:35 124,928 --a------ C:\WINDOWS\SYSTEM32\dssenh.dll
2006-10-13 16:35 123,904 --a------ C:\WINDOWS\SYSTEM32\imapi.exe
2006-10-13 16:35 115,712 --a------ C:\WINDOWS\SYSTEM32\apphelp.dll
2006-10-13 16:35 115,200 --a------ C:\WINDOWS\SYSTEM32\dpcdll.dll
2006-10-13 16:35 114,176 --a------ C:\WINDOWS\SYSTEM32\input.dll
2006-10-13 16:35 113,152 --a------ C:\WINDOWS\SYSTEM32\idq.dll
2006-10-13 16:35 113,152 --a------ C:\WINDOWS\SYSTEM32\dfrgui.dll
2006-10-13 16:35 110,080 --a------ C:\WINDOWS\SYSTEM32\dmstyle.dll
2006-10-13 16:35 103,936 --a------ C:\WINDOWS\SYSTEM32\imm32.dll
2006-10-13 16:35 103,424 --a------ C:\WINDOWS\SYSTEM32\dgnet.dll
2006-10-13 16:35 1,180,672 --a------ C:\WINDOWS\SYSTEM32\d3d8.dll
2006-10-13 16:35 1,004,032 --a------ C:\WINDOWS\explorer.exe
2006-10-13 16:20 593,408 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2006-10-13 16:20 548,352 --a------ C:\WINDOWS\SYSTEM32\rtcdll.dll
2006-10-13 16:20 439,808 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2006-10-13 16:20 36,864 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2006-10-13 16:18 68,608 --a------ C:\WINDOWS\SYSTEM32\locator.exe
2006-10-13 16:17 974,336 --a------ C:\WINDOWS\SYSTEM32\msdtctm.dll
2006-10-13 16:17 97,280 --a------ C:\WINDOWS\SYSTEM32\txflog.dll
2006-10-13 16:17 535,552 --a------ C:\WINDOWS\SYSTEM32\rpcrt4.dll
2006-10-13 16:17 499,200 --a------ C:\WINDOWS\SYSTEM32\comuid.dll
2006-10-13 16:17 368,640 --a------ C:\WINDOWS\SYSTEM32\msdtcprx.dll
2006-10-13 16:17 150,528 --a------ C:\WINDOWS\SYSTEM32\msdtcuiu.dll
2006-10-13 16:17 110,080 --a------ C:\WINDOWS\SYSTEM32\clbcatex.dll
2006-10-13 16:16 947,472 --a------ C:\WINDOWS\SYSTEM32\msjava.dll
2006-10-13 16:16 63,248 --a------ C:\WINDOWS\SYSTEM32\javaprxy.dll
2006-10-13 16:16 49,424 --a------ C:\WINDOWS\SYSTEM32\clspack.exe
2006-10-13 16:16 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-10-13 16:16 404,752 --a------ C:\WINDOWS\SYSTEM32\javart.dll
2006-10-13 16:16 313,856 --a------ C:\WINDOWS\SYSTEM32\dx3j.dll
2006-10-13 16:16 286,992 --a------ C:\WINDOWS\SYSTEM32\vmhelper.dll
2006-10-13 16:16 21,264 --a------ C:\WINDOWS\SYSTEM32\msjdbc10.dll
2006-10-13 16:16 187,152 --a------ C:\WINDOWS\SYSTEM32\javacypt.dll
2006-10-13 16:16 172,304 --a------ C:\WINDOWS\SYSTEM32\jview.exe
2006-10-13 16:16 171,792 --a------ C:\WINDOWS\SYSTEM32\wjview.exe
2006-10-13 16:16 171,280 --a------ C:\WINDOWS\SYSTEM32\jit.dll
2006-10-13 16:16 154,384 --a------ C:\WINDOWS\SYSTEM32\msawt.dll
2006-10-13 16:16 15,120 --a------ C:\WINDOWS\SYSTEM32\jdbgmgr.exe
2006-10-13 16:16 139,536 --a------ C:\WINDOWS\SYSTEM32\javaee.dll
2006-10-13 16:16 113 --a------ C:\WINDOWS\SYSTEM32\zonedon.reg
2006-10-13 16:16 113 --a------ C:\WINDOWS\SYSTEM32\zonedoff.reg
2006-10-13 16:07 226,816 --a------ C:\WINDOWS\SYSTEM32\srrstr.dll
2006-10-13 16:04 38,912 --a------ C:\WINDOWS\SYSTEM32\hhsetup.dll
2006-10-13 16:04 143,872 --a------ C:\WINDOWS\SYSTEM32\itircl.dll
2006-10-13 16:04 128,000 --a------ C:\WINDOWS\SYSTEM32\itss.dll
2006-10-13 16:04 10,752 --a------ C:\WINDOWS\hh.exe
2006-10-13 16:01 125,440 --a------ C:\WINDOWS\SYSTEM32\shmedia.dll
2006-10-13 15:50 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2006-10-12 07:14 78,848 --a------ C:\WINDOWS\SYSTEM32\nsz197.dll
2006-10-06 21:32 76,560 --a------ C:\WINDOWS\SYSTEM32\drivers\tmcomm.sys
2006-10-06 20:54 163,840 --a------ C:\WINDOWS\win32109-1130464082006.exe
2006-10-06 20:53 163,840 --a------ C:\WINDOWS\ms074089-1130462006.exe
2006-10-06 18:37 32,768 --a------ C:\WINDOWS\zudimjll.exe
2006-10-06 18:11 65,536 --a------ C:\WINDOWS\SYSTEM32\Winwcd.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-10-13 19:12 -------- d-------- C:\Program Files\Common Files
2006-10-13 19:06 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-13 19:01 -------- d-------- C:\Program Files\Zone Labs
2006-10-13 18:58 -------- d-------- C:\Program Files\Grisoft
2006-10-13 18:43 -------- d-------- C:\Program Files\Windows Media Player
2006-10-13 18:18 -------- d-------- C:\Program Files\Outlook Express
2006-10-13 18:18 -------- d-------- C:\Program Files\Common Files\System
2006-10-13 18:06 -------- d-------- C:\Program Files\Messenger
2006-10-13 17:11 -------- d-------- C:\Program Files\NetMeeting
2006-10-13 16:48 -------- d-------- C:\Program Files\Movie Maker
2006-10-13 16:48 -------- d-------- C:\Program Files\Internet Explorer
2006-10-06 23:18 -------- d-------- C:\Documents and Settings\Owner\Application Data\U3
2006-10-06 23:02 -------- d--h----- C:\Program Files\WindowsUpdate
2006-10-06 22:44 -------- d-------- C:\Program Files\iTunes
2006-10-06 22:12 -------- d-------- C:\Program Files\PSDream
2006-10-06 19:08 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-10-06 19:07 -------- d-------- C:\Program Files\Lavasoft
2006-10-06 18:59 -------- d-------- C:\Program Files\CleanUp!
2006-10-06 18:54 -------- d-------- C:\Program Files\Common Files\orfm
2006-10-06 18:35 -------- d-------- C:\Program Files\QuickTime
2006-10-06 18:28 -------- d-------- C:\Documents and Settings\Owner\Application Data\Identities
2006-10-06 18:26 1233 --a------ C:\WINDOWS\SYSTEM32\azfd6ea9.sys
2006-09-12 22:09 1110528 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-03 15:54 24 --a------ C:\WINDOWS\trnty.dll
2006-08-31 12:52 53120 --a------ C:\WINDOWS\srvvyvlqcg.exe
2006-08-31 12:52 25105 --a------ C:\WINDOWS\idlemg.exe
2006-08-31 12:52 186219 --a------ C:\WINDOWS\srvbtsebdr.exe
2006-08-31 12:52 140 --a------ C:\WINDOWS\file.bat
2006-08-31 12:49 2560 --a------ C:\WINDOWS\ac3_0002.exe
2006-08-31 12:49 215308 --a------ C:\WINDOWS\Setup90.exe
2006-08-30 23:46 -------- d-------- C:\Documents and Settings\Owner\Application Data\SystemDoctor 2006 Free
2006-08-25 08:53 561664 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-25 02:14 595968 --a------ C:\WINDOWS\SYSTEM32\xpsp2res.dll
2006-08-16 21:07 48 --a------ C:\WINDOWS\SYSTEM32\iehttpcheck.bat
2006-08-16 21:07 39936 --a------ C:\WINDOWS\SYSTEM32\iehttpcheck.dll
2006-08-16 19:16 29784 --a------ C:\Program Files\popcorn Terms.html
2006-08-16 05:14 95232 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll
2006-08-16 05:14 70656 --a------ C:\WINDOWS\SYSTEM32\ws2_32.dll
2006-08-16 05:14 54272 --a------ C:\WINDOWS\SYSTEM32\ipv6mon.dll
2006-08-16 05:14 31232 --a------ C:\WINDOWS\SYSTEM32\inetmib1.dll
2006-08-16 05:14 13312 --a------ C:\WINDOWS\SYSTEM32\wship6.dll
2006-08-16 02:42 159232 --a------ C:\WINDOWS\SYSTEM32\xpob2res.dll
2006-08-16 02:28 48640 --a------ C:\WINDOWS\SYSTEM32\ipv6.exe
2006-08-16 02:28 205120 --a------ C:\WINDOWS\SYSTEM32\drivers\tcpip6.sys
2006-08-16 02:27 83456 --a------ C:\WINDOWS\SYSTEM32\netsh.exe
2006-08-16 02:27 11776 --a------ C:\WINDOWS\SYSTEM32\drivers\tunmp.sys
2006-08-14 01:59 321536 --a------ C:\WINDOWS\SYSTEM32\drivers\srv.sys
2006-08-10 22:09 795 --a------ C:\Documents and Settings\Owner\Application Data\.googlewebacchosts
2006-08-07 08:17 61440 --a------ C:\WINDOWS\SYSTEM32\BattyRun2.dll
2006-07-21 01:30 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"License Manager"="\"C:\\Program Files\\License_Manager\\license_manager.exe \" /silent"
"DriverLoad"=""
"DriverCheck"=""
"SystemDriverLoad"=""
"cprocsvc"="C:\\WINDOWS\\System32\\crunner\\cproc.exe"
"PSDream"="\"C:\\Program Files\\PSDream\\PSDream.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"MCAgentExe"="C:\\Program Files\\mcafee.com\\Agent\\mcagent.exe"
"MCUpdateExe"="C:\\Program Files\\mcafee.com\\Agent\\mcupdate.exe /embedding"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"USB"="C:\\WINDOWS\\system32\\usb.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"loaddr"="C:\\qeoa.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DriverLoad"=""
"DriverCheck"=""
"SystemDriverLoad"=""
"SystemDriver"="c:\\DriverLoad\\windrv.exe"
"FDriver"="c:\\DriverLoad\\windrv.exe"
"ADriver"="c:\\DriverLoad\\windrv.exe"
"CDriver"="c:\\DriverLoad\\windrv.exe"
"DDriver"="c:\\DriverLoad\\windrv.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"DriverLoad"=""
"DriverCheck"=""
"SystemDriverLoad"=""
"SystemDriver"="c:\\DriverLoad\\windrv.exe"
"FDriver"="c:\\DriverLoad\\windrv.exe"
"ADriver"="c:\\DriverLoad\\windrv.exe"
"CDriver"="c:\\DriverLoad\\windrv.exe"
"DDriver"="c:\\DriverLoad\\windrv.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"DriverLoad"=""
"DriverCheck"=""
"SystemDriverLoad"=""
"Winhost"=""
"Winhost1"=""
"Winhost2"=""
"Winhost3"=""
"Winhost4"=""
"SystemDriver"="c:\\DriverLoad\\windrv.exe"
"FDriver"="c:\\DriverLoad\\windrv.exe"
"ADriver"="c:\\DriverLoad\\windrv.exe"
"CDriver"="c:\\DriverLoad\\windrv.exe"
"DDriver"="c:\\DriverLoad\\windrv.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-13 19:12:47.53
C:\ComboFix.txt ... 06-10-13 19:12

2. AVG Anti-Spyware scan report,

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:00:02 PM 10/13/2006

+ Scan result:

C:\WINDOWS\Downloaded Program Files\APInstall_Tiny.dll -> Adware.AccessMedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041645.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041663.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033886.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033888.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\zudimjll.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041672.dll -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041673.exe -> Adware.CASClient : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\BattyRun2.dll -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0031795.exe -> Adware.DollarRevenue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0024776.dll -> Adware.EZula : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0034007.dll -> Adware.EZula : Cleaned with backup (quarantined).
C:\WINDOWS\em.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041670.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033940.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP86\A0033403.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041660.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\876056.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033481.dll -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033892.exe -> Adware.Spysheriff : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033522.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041668.dll -> Adware.TrafficSol : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP86\A0033408.dll -> Adware.TrafficSol : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0024775.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0033372.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0033374.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0033377.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0033379.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0033385.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033920.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033927.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP101\A0034582.sys -> Backdoor.ForBot.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0024781.sys -> Backdoor.ForBot.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0025777.sys -> Backdoor.ForBot.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0026778.sys -> Backdoor.ForBot.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0027775.sys -> Backdoor.ForBot.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0028778.sys -> Backdoor.ForBot.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0029778.sys -> Backdoor.ForBot.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0030777.sys -> Backdoor.ForBot.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0031777.sys -> Backdoor.ForBot.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0032362.sys -> Backdoor.ForBot.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0033362.sys -> Backdoor.ForBot.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0033389.sys -> Backdoor.ForBot.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP86\A0033398.sys -> Backdoor.ForBot.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033546.sys -> Backdoor.ForBot.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP101\A0034581.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033928.exe -> Downloader.Agent.acv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033528.dll -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0031788.exe -> Downloader.Agent.aqx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041677.exe -> Downloader.Agent.c : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041678.exe -> Downloader.Agent.c : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041657.exe -> Downloader.Agent.xq : Cleaned with backup (quarantined).
C:\WINDOWS\srvvyvlqcg.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033533.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033535.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033536.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041641.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\idlemg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0031793.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\WINDOWS\ac3_0002.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0031797.exe -> Downloader.Small.dsx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0024756.exe -> Downloader.Tiny.bn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0024770.exe -> Downloader.Tiny.bn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0024801.exe -> Downloader.Tiny.bn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0026782.exe -> Downloader.Tiny.bn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0027781.exe -> Downloader.Tiny.bn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0028786.exe -> Downloader.Tiny.bn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0030780.exe -> Downloader.Tiny.bn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0031785.exe -> Downloader.Tiny.bn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033865.exe -> Downloader.Tiny.bn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033503.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033502.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033526.exe -> Downloader.TSUpdate.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041671.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033501.exe -> Downloader.TSUpdate.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0031796.exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0031794.exe -> Downloader.VB.alg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033511.exe -> Downloader.VB.alu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041642.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041643.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041644.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041708.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041709.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033518.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033519.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033972.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041661.exe -> Downloader.VB.nw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0031786.dll -> Hijacker.Agent.ac : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0031787.exe -> Hijacker.Aplugin.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0024800.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033513.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033512.exe -> Hijacker.VB.ij : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D19M2108NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.q : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033922.sys -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033941.exe -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033964.exe -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033971.dll -> Trojan.Mutech.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0031789.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0031791.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033539.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033855.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0031798.exe -> Trojan.Sinowal.aq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP86\A0033405.dll -> Trojan.Sinowal.aq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033947.exe -> Trojan.Sinowal.aq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033966.dll -> Trojan.Sinowal.aq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033946.exe -> Trojan.Sinowal.ay : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033968.dll -> Trojan.Sinowal.bd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033967.dll -> Trojan.Sinowal.k : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041664.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041665.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0024772.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0024773.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0024798.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0024799.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0025772.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033516.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033517.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033970.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mmf32.exe -> Worm.Nanspy.i : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mmsvc32.exe -> Worm.Nanspy.i : Cleaned with backup (quarantined).

::Report end

3. Kaspersky scan report,

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 14, 2006 12:07:54 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/10/2006
Kaspersky Anti-Virus database records: 231705
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 65412
Number of viruses found: 23
Number of infected objects: 45 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:38:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\GIB\01setup.EXE Infected: not-a-virus:Porn-Dialer.Win32.Generic skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP102\A0034679.exe Infected: Trojan.Win32.Agent.gq skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP102\A0036375.exe Infected: Trojan.Win32.Agent.gq skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP102\A0037020.exe Infected: Trojan.Win32.Agent.gq skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP102\A0037095.exe Infected: Trojan.Win32.Agent.gq skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041658.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041658.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041658.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041659.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041659.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041659.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041669.exe Infected: Trojan-Downloader.Win32.Small.dib skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041676.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ew skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041676.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041705.exe Infected: not-a-virus:AdWare.Win32.PurityScan.ew skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041717.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041718.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041719.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041720.exe Infected: Net-Worm.Win32.Nanspy.i skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041721.exe Infected: Net-Worm.Win32.Nanspy.i skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041722.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041723.dll Infected: not-a-virus:AdWare.Win32.CASClient.n skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041724.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\A0041725.ocx Infected: Trojan-Dropper.Win32.VB.dq skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP191\change.log Object is locked skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0032353.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0033365.exe Infected: Trojan-Downloader.Win32.Dyfuca.ez skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP85\A0033371.exe Infected: Trojan-Downloader.Win32.Dyfuca.ez skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033490.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033490.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033490.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033490.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033490.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033490.exe CAB: infected - 5 skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033524.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033524.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.a skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033524.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.a skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP87\A0033524.exe RarSFX: infected - 3 skipped
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe Infected: Trojan.Win32.Agent.gq skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\YOUR-W92P4BHLZG.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Setup90.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe NSIS: infected - 3 skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{8B8A8C49-2B4E-4C9D-B6EB-E407AC71A5AB}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\srvbtsebdr.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\WINDOWS\srvbtsebdr.exe NSIS: infected - 1 skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\ZLT05c8f.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT05cca.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

4. a new HiJackThis log taken after Kaspersky finishes.

Logfile of HijackThis v1.99.1
Scan saved at 12:09:19 AM, on 10/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\XPFIX\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\mcafee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.google.com/diskless/bin/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/in...altpmtscab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1160200901498
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

quaa · 10-15-2006, 12:18 PM

Bump? ive had this computer long enough, i need to get it back to my customer.

there have been zero popups, but i just want to see if its done..

**Deckard** · 10-15-2006, 02:24 PM

Sorry, I was out of town yesterday. Unfortunately, there is a nasty rootkit on this computer that we really need to get rid of before you give it back to the customer. This is going to take at least another round to make sure that we got everything.

Download The Avenger
Please download The Avenger to your Desktop.

Click on Avenger.zip to open the file.
Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your clipboard by highlighting it and pressing Ctrl+C:
Code:
```
Drivers to unload:
pe386

Files to delete:
C:\Program Files\GIB\01setup.EXE
C:\WINDOWS\SYSTEM32\i
C:\WINDOWS\Setup90.exe
C:\WINDOWS\srvbtsebdr.exe
```
NOTE: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Now, start The Avenger program by clicking on its icon on your desktop.
- Under "Script file to execute" choose "Input Script Manually".
- Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
- Paste the text copied to clipboard into this window by pressing (Ctrl+V).
- Click Done
- Now click on the Green Light to begin execution of the script
- Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
- It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please post the contents of c:\avenger.txt with your next reply.

Online Scan
Please perform an BitDefender Online Scan using Internet Explorer. Once finished, click on the Details button to view the results. To the upper right of the results you will see an option saying "Click here to export the scan results". Please do so and save it to your desktop. Post the results of the scan with your next post.

Re-Download ComboFix
ComboFix has been updated since you downloaded it. Please delete your copy and download ComboFix from one of the following links:

Double click combofix.exe & follow the prompts. While ComboFix is running, please do not click or move the window, as this may cause the tool to stall. When the tool has finished, it will produce a log for you and save it as C:\ComboFix.txt. Post that log in your next reply.

Run ADS Spy

Please open HIjackThis, and go to Config || Misc Tools
Click the button labelled "Open ADSSpy"
Make sure "Ignore Safe System Info Streams" and "Quick Scan (Windows based folders only)" are checked.
Click the "Scan" button.
When it has finished scanning, checkmark/tick all that entries that it found.
Click the "remove selected" button, then Click "Yes" at the following prompt.
Click the "Scan" button once again.
Click the "Save Log" button once this scan is complete.

Please post that log here for review.

With Your Next Post
Please paste the following logs in this order:

The contents of C:\avenger.txt,
The results of the BitDefender scan,
The contents of C:\ComboFix.txt,
The results of ADS Spy, and
A new HijackThis log taken after ComboFix has finished.

quaa · 10-15-2006, 06:38 PM

Since Whenever i posted my reply it always messed up, i threw the logs on my server

Avenger log
http://myweb.cableone.net/ttctbt/avenger.txt

Everything else...
http://myweb.cableone.net/ttctbt/SCANLOGS.rtf

**Deckard** · 10-15-2006, 07:43 PM

We're really close. These last steps and it should be clean.

Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\ DriverLoad
C:\WINDOWS\SYSTEM32\ azfd6ea9.sys
C:\WINDOWS\SYSTEM32\ iehttpcheck.bat
C:\WINDOWS\ trnty.dll
C:\WINDOWS\ file.bat

Download Attachment
Download the file attached to this post and save it to your desktop. Extract it and double-click on the quaa.reg file. It will ask you if you want to merge/add it to the registry -- choose Yes. You may delete both files now.

Online Scan
Perform an online scan with Internet Explorer with Panda ActiveScan.

Click on the "Scan your PC" button located at the bottom of the page. A popup window should appear -- make sure you allow it if you have a popup blocker.
Enter your e-mail address, country, and state and click Scan Now.
Your computer will download Panda's 8 megabyte ActiveX control at this point. Follow the on-screen directions if it asks you to install the ActiveX control.
Begin the scan by selecting My Computer. Note:
- Please turn off the real time scanner of any existing antivirus program while performing the online scan.
- Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
- Click on See report then click Save report.
- It is not necessary to remain online while it's doing the scan, but you will have to re-connect after it has finished to see the report.

Reboot
Please reboot. I want to make sure the entries I removed from the registry do not come back.

Re-run ComboFix
Double click combofix.exe & follow the prompts. When the tool has finished, it will move the old log to C:\ComboFix2.txt and produce a new log in C:\ComboFix.txt.

Post the Panda Scan result along with the C:\ComboFix.txt log.

quaa · 10-16-2006, 01:10 PM

Panda Scan

Incident Status Location

Dialer:dialer generic Not disinfected c:\program files\dialers
Adware:adware/commad Not disinfected Windows Registry
Adware:adware/adrotator Not disinfected Windows Registry
Adware:adware/picsplace Not disinfected Windows Registry
Dialer:Dialer.BCA Not disinfected C:\avenger\backup.zip[avenger/01setup.EXE]
Spyware:Spyware/7r7t Not disinfected C:\avenger\backup.zip[avenger/srvbtsebdr.exe]
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Dialer:Dialer.Gen Not disinfected C:\Program Files\dialers\personal_party\personal_party.exe
Spyware:Cookie/LinkExchange Not disinfected C:\Program Files\EarthLink 5.0\tanya309@earthlink.net\Cookies\owner@linkexchange[1].txt
Adware:Adware/TVMedia Not disinfected C:\WINDOWS\Downloaded Program Files\Install.inf
Adware:Adware/CommAd Not disinfected C:\WINDOWS\IA\KE.vbs
Hacktool:Rootkit/Rustock Not disinfected C:\WINDOWS\SYSTEM32:lzx32.sys
Dialer:Dialer.Gen Not disinfected C:\WINDOWS\SYSTEM32\Connect2Party-uninstall.exe
Dialer:Dialer.Gen Not disinfected C:\WINDOWS\SYSTEM32\Personal_Party-uninstall.exe

combofix
Owner - 06-10-16 13:02:04.71 Service Pack 1
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Owner\Desktop\XPFIX"

((((((((((((((((((((((((((((((( Files Created from 2006-09-16 to 2006-10-16 ))))))))))))))))))))))))))))))))))

2006-10-13 18:58 3,968 --a------ C:\WINDOWS\SYSTEM32\drivers\AvgAsCln.sys
2006-10-13 18:49 67,584 --a------ C:\WINDOWS\SYSTEM32\magnify.exe
2006-10-13 18:49 53,760 --a------ C:\WINDOWS\SYSTEM32\cryptsvc.dll
2006-10-13 18:49 51,200 --a------ C:\WINDOWS\SYSTEM32\narrator.exe
2006-10-13 18:49 238,080 --a------ C:\WINDOWS\SYSTEM32\newdev.dll
2006-10-13 18:49 212,480 --a------ C:\WINDOWS\SYSTEM32\osk.exe
2006-10-13 18:49 179,200 --a------ C:\WINDOWS\SYSTEM32\accwiz.exe
2006-10-13 18:48 50,176 --a------ C:\WINDOWS\SYSTEM32\dpwsockx.dll
2006-10-13 18:48 214,528 --a------ C:\WINDOWS\SYSTEM32\dplayx.dll
2006-10-13 18:47 831,519 --a------ C:\WINDOWS\SYSTEM32\mswdat10.dll
2006-10-13 18:47 614,431 --a------ C:\WINDOWS\SYSTEM32\mswstr10.dll
2006-10-13 18:47 552,989 --a------ C:\WINDOWS\SYSTEM32\msrepl40.dll
2006-10-13 18:47 53,279 --a------ C:\WINDOWS\SYSTEM32\msjter40.dll
2006-10-13 18:47 512,029 --a------ C:\WINDOWS\SYSTEM32\msexch40.dll
2006-10-13 18:47 421,919 --a------ C:\WINDOWS\SYSTEM32\msrd2x40.dll
2006-10-13 18:47 380,957 --a------ C:\WINDOWS\SYSTEM32\expsrv.dll
2006-10-13 18:47 358,976 --------- C:\WINDOWS\SYSTEM32\msjetoledb40.dll
2006-10-13 18:47 348,189 --a------ C:\WINDOWS\SYSTEM32\msxbde40.dll
2006-10-13 18:47 348,189 --a------ C:\WINDOWS\SYSTEM32\mspbde40.dll
2006-10-13 18:47 319,517 --a------ C:\WINDOWS\SYSTEM32\msexcl40.dll
2006-10-13 18:47 315,423 --a------ C:\WINDOWS\SYSTEM32\msrd3x40.dll
2006-10-13 18:47 30,749 --a------ C:\WINDOWS\SYSTEM32\vbajet32.dll
2006-10-13 18:47 258,077 --a------ C:\WINDOWS\SYSTEM32\mstext40.dll
2006-10-13 18:47 241,693 --a------ C:\WINDOWS\SYSTEM32\msjtes40.dll
2006-10-13 18:47 213,023 --a------ C:\WINDOWS\SYSTEM32\msltus40.dll
2006-10-13 18:47 151,583 --a------ C:\WINDOWS\SYSTEM32\msjint40.dll
2006-10-13 18:47 1,507,356 --a------ C:\WINDOWS\SYSTEM32\msjet40.dll
2006-10-13 18:46 32,256 --a------ C:\WINDOWS\SYSTEM32\msgsvc.dll
2006-10-13 18:41 260,096 --a------ C:\WINDOWS\SYSTEM32\mstask.dll
2006-10-13 18:41 172,544 --a------ C:\WINDOWS\SYSTEM32\schedsvc.dll
2006-10-13 18:41 10,752 --a------ C:\WINDOWS\SYSTEM32\mstinit.exe
2006-10-13 17:51 991,232 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2006-10-13 17:24 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2006-10-13 16:39 9,216 --a------ C:\WINDOWS\SYSTEM32\wuauserv.dll
2006-10-13 16:39 88,064 --a------ C:\WINDOWS\SYSTEM32\tscfgwmi.dll
2006-10-13 16:39 86,528 --a------ C:\WINDOWS\SYSTEM32\wlnotify.dll
2006-10-13 16:39 86,016 --a------ C:\WINDOWS\SYSTEM32\xactsrv.dll
2006-10-13 16:39 82,944 --a------ C:\WINDOWS\SYSTEM32\smlogsvc.exe
2006-10-13 16:39 81,920 --a------ C:\WINDOWS\SYSTEM32\trkwks.dll
2006-10-13 16:39 77,824 --a------ C:\WINDOWS\SYSTEM32\wmpstub.exe
2006-10-13 16:39 77,824 --a------ C:\WINDOWS\SYSTEM32\wmpshell.dll
2006-10-13 16:39 72,192 --------- C:\WINDOWS\SYSTEM32\telnet.exe
2006-10-13 16:39 71,168 --------- C:\WINDOWS\SYSTEM32\storprop.dll
2006-10-13 16:39 667,648 --a------ C:\WINDOWS\SYSTEM32\ss3dfo.scr
2006-10-13 16:39 66,560 --a------ C:\WINDOWS\SYSTEM32\spoolss.dll
2006-10-13 16:39 638,976 --a------ C:\WINDOWS\SYSTEM32\sstext3d.scr
2006-10-13 16:39 63,488 --a------ C:\WINDOWS\SYSTEM32\srclient.dll
2006-10-13 16:39 61,952 --a------ C:\WINDOWS\SYSTEM32\sti.dll
2006-10-13 16:39 60,416 --a------ C:\WINDOWS\SYSTEM32\wextract.exe
2006-10-13 16:39 569,344 --a------ C:\WINDOWS\SYSTEM32\sspipes.scr
2006-10-13 16:39 56,832 --a------ C:\WINDOWS\SYSTEM32\wzcdlg.dll
2006-10-13 16:39 534,016 --a------ C:\WINDOWS\SYSTEM32\spider.exe
2006-10-13 16:39 51,200 --a------ C:\WINDOWS\SYSTEM32\wmerrenu.dll
2006-10-13 16:39 48,640 --a------ C:\WINDOWS\SYSTEM32\vdmredir.dll
2006-10-13 16:39 48,128 --a------ C:\WINDOWS\SYSTEM32\winsta.dll
2006-10-13 16:39 479,261 --a------ C:\WINDOWS\SYSTEM32\vbscript.dll
2006-10-13 16:39 47,616 --a------ C:\WINDOWS\SYSTEM32\utilman.exe
2006-10-13 16:39 446,464 --a------ C:\WINDOWS\SYSTEM32\wmvdmoe.dll
2006-10-13 16:39 442,398 --a------ C:\WINDOWS\SYSTEM32\wmadmoe.dll
2006-10-13 16:39 43,008 --a------ C:\WINDOWS\SYSTEM32\ssdpsrv.dll
2006-10-13 16:39 409,088 --a------ C:\WINDOWS\SYSTEM32\vssapi.dll
2006-10-13 16:39 40,960 --a------ C:\WINDOWS\SYSTEM32\tscupgrd.exe
2006-10-13 16:39 384,000 --a------ C:\WINDOWS\SYSTEM32\themeui.dll
2006-10-13 16:39 38,912 --a------ C:\WINDOWS\SYSTEM32\wsnmp32.dll
2006-10-13 16:39 364,544 --a------ C:\WINDOWS\SYSTEM32\ssflwbox.scr
2006-10-13 16:39 339,456 --a------ C:\WINDOWS\SYSTEM32\usp10.dll
2006-10-13 16:39 334,848 --a------ C:\WINDOWS\SYSTEM32\smlogcfg.dll
2006-10-13 16:39 32,256 --a------ C:\WINDOWS\SYSTEM32\umandlg.dll
2006-10-13 16:39 316,416 --a------ C:\WINDOWS\SYSTEM32\wiaservc.dll
2006-10-13 16:39 311,327 --a------ C:\WINDOWS\SYSTEM32\wmv8dmod.dll
2006-10-13 16:39 296,448 --a------ C:\WINDOWS\SYSTEM32\wmstream.dll
2006-10-13 16:39 294,912 --a------ C:\WINDOWS\SYSTEM32\wmvdmod.dll
2006-10-13 16:39 274,432 --a------ C:\WINDOWS\SYSTEM32\wmasf.dll
2006-10-13 16:39 27,136 --a------ C:\WINDOWS\SYSTEM32\ssdpapi.dll
2006-10-13 16:39 266,752 --a------ C:\WINDOWS\winhlp32.exe
2006-10-13 16:39 264,704 --a------ C:\WINDOWS\SYSTEM32\wzcsvc.dll
2006-10-13 16:39 258,048 --a------ C:\WINDOWS\SYSTEM32\webcheck.dll
2006-10-13 16:39 253,952 --a------ C:\WINDOWS\SYSTEM32\wmpcd.dll
2006-10-13 16:39 253,952 --a------ C:\WINDOWS\SYSTEM32\wmnetmgr.dll
2006-10-13 16:39 251,904 --a------ C:\WINDOWS\SYSTEM32\strmdll.dll
2006-10-13 16:39 231,424 --a------ C:\WINDOWS\SYSTEM32\upnpui.dll
2006-10-13 16:39 23,552 --------- C:\WINDOWS\SYSTEM32\wzcsapi.dll
2006-10-13 16:39 22,016 --a------ C:\WINDOWS\SYSTEM32\udhisapi.dll
2006-10-13 16:39 203,264 --a------ C:\WINDOWS\SYSTEM32\uxtheme.dll
2006-10-13 16:39 200,192 --a------ C:\WINDOWS\SYSTEM32\termsrv.dll
2006-10-13 16:39 19,456 --a------ C:\WINDOWS\SYSTEM32\ssmarque.scr
2006-10-13 16:39 184,320 --a------ C:\WINDOWS\SYSTEM32\wmadmod.dll
2006-10-13 16:39 18,944 --a------ C:\WINDOWS\SYSTEM32\ssbezier.scr
2006-10-13 16:39 172,664 --a------ C:\WINDOWS\SYSTEM32\xenroll.dll
2006-10-13 16:39 171,520 --a------ C:\WINDOWS\SYSTEM32\winmm.dll
2006-10-13 16:39 17,408 --a------ C:\WINDOWS\SYSTEM32\wtsapi32.dll
2006-10-13 16:39 17,408 --a------ C:\WINDOWS\SYSTEM32\ssmyst.scr
2006-10-13 16:39 168,448 --a------ C:\WINDOWS\SYSTEM32\wldap32.dll
2006-10-13 16:39 165,376 --a------ C:\WINDOWS\SYSTEM32\w32time.dll
2006-10-13 16:39 165,376 --a------ C:\WINDOWS\SYSTEM32\tapi32.dll
2006-10-13 16:39 164,864 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll
2006-10-13 16:39 16,896 --a------ C:\WINDOWS\SYSTEM32\snmpapi.dll
2006-10-13 16:39 16,384 --a------ C:\WINDOWS\SYSTEM32\watchdog.sys
2006-10-13 16:39 16,384 --a------ C:\WINDOWS\SYSTEM32\ups.exe
2006-10-13 16:39 158,720 --a------ C:\WINDOWS\SYSTEM32\srsvc.dll
2006-10-13 16:39 130,560 --a------ C:\WINDOWS\SYSTEM32\sti_ci.dll
2006-10-13 16:39 13,312 --a------ C:\WINDOWS\SYSTEM32\ssstars.scr
2006-10-13 16:39 128,512 --a------ C:\WINDOWS\SYSTEM32\taskmgr.exe
2006-10-13 16:39 124,928 --a------ C:\WINDOWS\SYSTEM32\webvw.dll
2006-10-13 16:39 120,320 --a------ C:\WINDOWS\SYSTEM32\upnp.dll
2006-10-13 16:39 119,808 --a------ C:\WINDOWS\SYSTEM32\wiadss.dll
2006-10-13 16:39 118,784 --a------ C:\WINDOWS\SYSTEM32\wmsdmoe.dll
2006-10-13 16:39 117,760 --a------ C:\WINDOWS\SYSTEM32\stobject.dll
2006-10-13 16:39 110,592 --a------ C:\WINDOWS\SYSTEM32\wmsdmod.dll
2006-10-13 16:39 106,496 --a------ C:\WINDOWS\SYSTEM32\url.dll
2006-10-13 16:39 10,752 --a------ C:\WINDOWS\SYSTEM32\tracert.exe
2006-10-13 16:39 1,998,848 --a------ C:\WINDOWS\SYSTEM32\wmploc.dll
2006-10-13 16:39 1,425,680 --a------ C:\WINDOWS\SYSTEM32\wmpui.dll
2006-10-13 16:39 1,220,608 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll
2006-10-13 16:38 98,304 --a------ C:\WINDOWS\SYSTEM32\oleprn.dll
2006-10-13 16:38 95,744 --a------ C:\WINDOWS\SYSTEM32\nlhtml.dll
2006-10-13 16:38 91,136 --a------ C:\WINDOWS\SYSTEM32\rastls.dll
2006-10-13 16:38 87,304 --a------ C:\WINDOWS\SYSTEM32\rdpdd.dll
2006-10-13 16:38 82,944 --a------ C:\WINDOWS\SYSTEM32\psbase.dll
2006-10-13 16:38 8,192 --a------ C:\WINDOWS\SYSTEM32\scrnsave.scr
2006-10-13 16:38 75,912 --a------ C:\WINDOWS\SYSTEM32\rdpwsx.dll
2006-10-13 16:38 74,240 --a------ C:\WINDOWS\SYSTEM32\rtcshare.exe
2006-10-13 16:38 71,168 --a------ C:\WINDOWS\SYSTEM32\sdbinst.exe
2006-10-13 16:38 686,080 --a------ C:\WINDOWS\SYSTEM32\opengl32.dll
2006-10-13 16:38 66,048 --a------ C:\WINDOWS\SYSTEM32\sigverif.exe
2006-10-13 16:38 62,976 --a------ C:\WINDOWS\SYSTEM32\shgina.dll
2006-10-13 16:38 61,440 --a------ C:\WINDOWS\SYSTEM32\odbccu32.dll
2006-10-13 16:38 61,440 --a------ C:\WINDOWS\SYSTEM32\odbccr32.dll
2006-10-13 16:38 60,416 --a------ C:\WINDOWS\SYSTEM32\shimeng.dll
2006-10-13 16:38 6,912 --------- C:\WINDOWS\SYSTEM32\drivers\hidir.sys
2006-10-13 16:38 6,144 --a------ C:\WINDOWS\SYSTEM32\sensapi.dll
2006-10-13 16:38 58,880 --a------ C:\WINDOWS\SYSTEM32\pautoenr.dll
2006-10-13 16:38 57,856 --a------ C:\WINDOWS\SYSTEM32\raschap.dll
2006-10-13 16:38 56,320 --a------ C:\WINDOWS\SYSTEM32\remotepg.dll
2006-10-13 16:38 53,248 --a------ C:\WINDOWS\SYSTEM32\packager.exe
2006-10-13 16:38 53,248 --a------ C:\WINDOWS\SYSTEM32\odbcconf.exe
2006-10-13 16:38 52,224 --a------ C:\WINDOWS\SYSTEM32\secur32.dll
2006-10-13 16:38 511,488 --a------ C:\WINDOWS\SYSTEM32\qedit.dll
2006-10-13 16:38 504,832 --------- C:\WINDOWS\SYSTEM32\msftedit.dll
2006-10-13 16:38 5,504 --------- C:\WINDOWS\SYSTEM32\drivers\smbali.sys
2006-10-13 16:38 5,120 --------- C:\WINDOWS\SYSTEM32\hccoin.dll
2006-10-13 16:38 49,152 --a------ C:\WINDOWS\SYSTEM32\npptools.dll
2006-10-13 16:38 48,128 --a------ C:\WINDOWS\SYSTEM32\reg.exe
2006-10-13 16:38 44,032 --a------ C:\WINDOWS\SYSTEM32\regapi.dll
2006-10-13 16:38 44,032 --a------ C:\WINDOWS\SYSTEM32\rdpclip.exe
2006-10-13 16:38 423,424 --a------ C:\WINDOWS\SYSTEM32\riched20.dll
2006-10-13 16:38 420,864 --a------ C:\WINDOWS\SYSTEM32\shimgvw.dll
2006-10-13 16:38 403,456 --------- C:\WINDOWS\SYSTEM32\winbrand.dll
2006-10-13 16:38 392,704 --a------ C:\WINDOWS\SYSTEM32\ntmssvc.dll
2006-10-13 16:38 38,400 --a------ C:\WINDOWS\SYSTEM32\ntmsapi.dll
2006-10-13 16:38 38,400 --a------ C:\WINDOWS\SYSTEM32\ntlanman.dll
2006-10-13 16:38 36,463 --------- C:\WINDOWS\SYSTEM32\drivers\atintuxx.sys
2006-10-13 16:38 36,352 --a------ C:\WINDOWS\SYSTEM32\sens.dll
2006-10-13 16:38 357,376 --a------ C:\WINDOWS\SYSTEM32\qdvd.dll
2006-10-13 16:38 34,735 --------- C:\WINDOWS\SYSTEM32\drivers\atinxsxx.sys
2006-10-13 16:38 34,304 --a------ C:\WINDOWS\SYSTEM32\rcimlby.exe
2006-10-13 16:38 33,280 --a------ C:\WINDOWS\SYSTEM32\shmgrate.exe
2006-10-13 16:38 32,768 --a------ C:\WINDOWS\SYSTEM32\odbcad32.exe
2006-10-13 16:38 31,744 --------- C:\WINDOWS\SYSTEM32\pid.dll
2006-10-13 16:38 3,584 --------- C:\WINDOWS\SYSTEM32\dsprpres.dll
2006-10-13 16:38 3,338 --a------ C:\WINDOWS\SYSTEM32\redir.exe
2006-10-13 16:38 297,984 --a------ C:\WINDOWS\SYSTEM32\scesrv.dll
2006-10-13 16:38 29,455 --------- C:\WINDOWS\SYSTEM32\drivers\atinxbxx.sys
2006-10-13 16:38 254,976 --a------ C:\WINDOWS\SYSTEM32\pdh.dll
2006-10-13 16:38 24,576 --a------ C:\WINDOWS\SYSTEM32\nmmkcert.dll
2006-10-13 16:38 24,064 --a------ C:\WINDOWS\SYSTEM32\skeys.exe
2006-10-13 16:38 22,528 --a------ C:\WINDOWS\SYSTEM32\slayerxp.dll
2006-10-13 16:38 22,528 --a------ C:\WINDOWS\SYSTEM32\shfolder.dll
2006-10-13 16:38 218,112 --------- C:\WINDOWS\SYSTEM32\sbe.dll
2006-10-13 16:38 20,992 --a------ C:\WINDOWS\SYSTEM32\setup.exe
2006-10-13 16:38 193,536 --a------ C:\WINDOWS\SYSTEM32\rasppp.dll
2006-10-13 16:38 19,328 --------- C:\WINDOWS\SYSTEM32\drivers\usbehci.sys
2006-10-13 16:38 187,904 --------- C:\WINDOWS\SYSTEM32\xpsp1res.dll
2006-10-13 16:38 184,832 --a------ C:\WINDOWS\SYSTEM32\qcap.dll
2006-10-13 16:38 18,944 --------- C:\WINDOWS\SYSTEM32\faxpatch.exe
2006-10-13 16:38 174,592 --a------ C:\WINDOWS\SYSTEM32\scecli.dll
2006-10-13 16:38 172,032 --------- C:\WINDOWS\SYSTEM32\mssap.dll
2006-10-13 16:38 171,008 --a------ C:\WINDOWS\SYSTEM32\sccsccp.dll
2006-10-13 16:38 17,408 --a------ C:\WINDOWS\SYSTEM32\psapi.dll
2006-10-13 16:38 169,984 --a------ C:\WINDOWS\SYSTEM32\sccbase.dll
2006-10-13 16:38 165,888 --a------ C:\WINDOWS\SYSTEM32\ntmsdba.dll
2006-10-13 16:38 16,384 --a------ C:\WINDOWS\SYSTEM32\ping.exe
2006-10-13 16:38 16,384 --a------ C:\WINDOWS\SYSTEM32\odbc32gt.dll
2006-10-13 16:38 155,648 --a------ C:\WINDOWS\SYSTEM32\encdec.dll
2006-10-13 16:38 147,456 --a------ C:\WINDOWS\SYSTEM32\odbctrac.dll
2006-10-13 16:38 14,848 --a------ C:\WINDOWS\SYSTEM32\rdpsnd.dll
2006-10-13 16:38 137,216 --a------ C:\WINDOWS\SYSTEM32\ntshrui.dll
2006-10-13 16:38 135,680 --a------ C:\WINDOWS\SYSTEM32\rdchost.dll
2006-10-13 16:38 134,144 --------- C:\WINDOWS\regedit.exe
2006-10-13 16:38 133,632 --a------ C:\WINDOWS\SYSTEM32\rsaenh.dll
2006-10-13 16:38 133,120 --a------ C:\WINDOWS\SYSTEM32\sfc_os.dll
2006-10-13 16:38 13,824 --a------ C:\WINDOWS\SYSTEM32\rassapi.dll
2006-10-13 16:38 13,056 --------- C:\WINDOWS\SYSTEM32\drivers\wacompen.sys
2006-10-13 16:38 122,880 --a------ C:\WINDOWS\SYSTEM32\odbcconf.dll
2006-10-13 16:38 12,800 --a------ C:\WINDOWS\SYSTEM32\runonce.exe
2006-10-13 16:38 12,288 --a------ C:\WINDOWS\SYSTEM32\rdsaddin.exe
2006-10-13 16:38 12,288 --a------ C:\WINDOWS\SYSTEM32\odbcp32r.dll
2006-10-13 16:38 12,288 --------- C:\WINDOWS\SYSTEM32\encapi.dll
2006-10-13 16:38 112,128 --a------ C:\WINDOWS\SYSTEM32\ntmarta.dll
2006-10-13 16:38 110,080 --------- C:\WINDOWS\SYSTEM32\sbeio.dll
2006-10-13 16:38 11,904 --------- C:\WINDOWS\SYSTEM32\drivers\mutohpen.sys
2006-10-13 16:38 11,776 --a------ C:\WINDOWS\SYSTEM32\sigtab.dll
2006-10-13 16:38 109,568 --a------ C:\WINDOWS\SYSTEM32\offfilt.dll
2006-10-13 16:38 1,677,312 --------- C:\WINDOWS\SYSTEM32\wmvcore2.dll
2006-10-13 16:38 1,350,144 --a------ C:\WINDOWS\SYSTEM32\query.dll
2006-10-13 16:38 1,158,656 --a------ C:\WINDOWS\SYSTEM32\quartz.dll
2006-10-13 16:38 1,157,632 --a------ C:\WINDOWS\SYSTEM32\sfcfiles.dll
2006-10-13 16:37 921,475 --------- C:\WINDOWS\SYSTEM32\ati3d2ag.dll
2006-10-13 16:37 91,136 --a------ C:\WINDOWS\SYSTEM32\MSOERT2.DLL
2006-10-13 16:37 857,600 --a------ C:\WINDOWS\SYSTEM32\netplwiz.dll
2006-10-13 16:37 844,675 --------- C:\WINDOWS\SYSTEM32\ati3d1ag.dll
2006-10-13 16:37 78,848 --a------ C:\WINDOWS\SYSTEM32\msiexec.exe
2006-10-13 16:37 72,192 --a------ C:\WINDOWS\SYSTEM32\uniime.dll
2006-10-13 16:37 699,392 --a------ C:\WINDOWS\SYSTEM32\msxml2.dll
2006-10-13 16:37 68,608 --a------ C:\WINDOWS\SYSTEM32\mscms.dll
2006-10-13 16:37 67,584 --a------ C:\WINDOWS\SYSTEM32\msctfp.dll
2006-10-13 16:37 65,536 --a------ C:\WINDOWS\SYSTEM32\msconf.dll
2006-10-13 16:37 63,663 --------- C:\WINDOWS\SYSTEM32\drivers\atinrvxx.sys
2006-10-13 16:37 6,656 --a------ C:\WINDOWS\SYSTEM32\laprxy.dll
2006-10-13 16:37 598,016 --a------ C:\WINDOWS\SYSTEM32\mstscax.dll
2006-10-13 16:37 584,192 --a------ C:\WINDOWS\SYSTEM32\netcfgx.dll
2006-10-13 16:37 57,856 --a------ C:\WINDOWS\SYSTEM32\licwmi.dll
2006-10-13 16:37 56,591 --------- C:\WINDOWS\SYSTEM32\drivers\atinbtxx.sys
2006-10-13 16:37 56,320 --a------ C:\WINDOWS\SYSTEM32\mshtmler.dll
2006-10-13 16:37 504,320 --a------ C:\WINDOWS\SYSTEM32\logonui.exe
2006-10-13 16:37 450,176 --------- C:\WINDOWS\SYSTEM32\drivers\ati2mtag.sys
2006-10-13 16:37 42,496 --a------ C:\WINDOWS\SYSTEM32\ncobjapi.dll
2006-10-13 16:37 401,462 --a------ C:\WINDOWS\SYSTEM32\msvcp60.dll
2006-10-13 16:37 4,608 --a------ C:\WINDOWS\SYSTEM32\msimg32.dll
2006-10-13 16:37 4,126 --a------ C:\WINDOWS\SYSTEM32\msdxmlc.dll
2006-10-13 16:37 399,360 --a------ C:\WINDOWS\SYSTEM32\netlogon.dll
2006-10-13 16:37 39,424 --a------ C:\WINDOWS\SYSTEM32\net.exe
2006-10-13 16:37 388,608 --a------ C:\WINDOWS\SYSTEM32\mstsc.exe
2006-10-13 16:37 381,440 --a------ C:\WINDOWS\SYSTEM32\lmrt.dll
2006-10-13 16:37 377,984 --------- C:\WINDOWS\SYSTEM32\ati2dvaa.dll
2006-10-13 16:37 368,710 --a------ C:\WINDOWS\SYSTEM32\msisam11.dll
2006-10-13 16:37 339,968 --a------ C:\WINDOWS\SYSTEM32\mspaint.exe
2006-10-13 16:37 327,040 --------- C:\WINDOWS\SYSTEM32\drivers\ati2mtaa.sys
2006-10-13 16:37 326,656 --------- C:\WINDOWS\SYSTEM32\netsetup.exe
2006-10-13 16:37 323,072 --a------ C:\WINDOWS\SYSTEM32\msvcrt.dll
2006-10-13 16:37 32,256 --a------ C:\WINDOWS\SYSTEM32\mnmdd.dll
2006-10-13 16:37 319,760 --a------ C:\WINDOWS\SYSTEM32\msnsspc.dll
2006-10-13 16:37 30,671 --------- C:\WINDOWS\SYSTEM32\drivers\atinraxx.sys
2006-10-13 16:37 271,360 --a------ C:\WINDOWS\SYSTEM32\msihnd.dll
2006-10-13 16:37 266,752 --a------ C:\WINDOWS\SYSTEM32\msctf.dll
2006-10-13 16:37 26,367 --------- C:\WINDOWS\SYSTEM32\drivers\atinsnxx.sys
2006-10-13 16:37 245,760 --a------ C:\WINDOWS\SYSTEM32\msscp.dll
2006-10-13 16:37 241,725 --a------ C:\WINDOWS\SYSTEM32\msuni11.dll
2006-10-13 16:37 24,576 --a------ C:\WINDOWS\SYSTEM32\logagent.exe
2006-10-13 16:37 233,472 --a------ C:\WINDOWS\SYSTEM32\mpg4dmod.dll
2006-10-13 16:37 230,400 --a------ C:\WINDOWS\SYSTEM32\msieftp.dll
2006-10-13 16:37 229,376 --a------ C:\WINDOWS\SYSTEM32\MSOEACCT.DLL
2006-10-13 16:37 22,528 --a------ C:\WINDOWS\SYSTEM32\mslbui.dll
2006-10-13 16:37 219,648 --a------ C:\WINDOWS\SYSTEM32\logon.scr
2006-10-13 16:37 210,944 --a------ C:\WINDOWS\SYSTEM32\moricons.dll
2006-10-13 16:37 21,343 --------- C:\WINDOWS\SYSTEM32\drivers\atinttxx.sys
2006-10-13 16:37 202,496 --------- C:\WINDOWS\SYSTEM32\ati2dvag.dll
2006-10-13 16:37 2,890,240 --a------ C:\WINDOWS\SYSTEM32\msi.dll
2006-10-13 16:37 196,096 --a------ C:\WINDOWS\SYSTEM32\mobsync.dll
2006-10-13 16:37 192,512 --a------ C:\WINDOWS\SYSTEM32\mswebdvd.dll
2006-10-13 16:37 19,456 --a------ C:\WINDOWS\SYSTEM32\licmgr10.dll
2006-10-13 16:37 182,784 --a------ C:\WINDOWS\SYSTEM32\msutb.dll
2006-10-13 16:37 175,104 --a------ C:\WINDOWS\SYSTEM32\mspmsp.dll
2006-10-13 16:37 174,592 --a------ C:\WINDOWS\SYSTEM32\msnetobj.dll
2006-10-13 16:37 163,840 --a------ C:\WINDOWS\SYSTEM32\mindex.dll
2006-10-13 16:37 143,872 --a------ C:\WINDOWS\SYSTEM32\msimtf.dll
2006-10-13 16:37 131,072 --a------ C:\WINDOWS\SYSTEM32\msorcl32.dll
2006-10-13 16:37 12,288 --a------ C:\WINDOWS\SYSTEM32\mscpx32r.dll
2006-10-13 16:37 12,047 --------- C:\WINDOWS\SYSTEM32\drivers\atinpdxx.sys
2006-10-13 16:37 116,736 --a------ C:\WINDOWS\SYSTEM32\mplay32.exe
2006-10-13 16:37 115,200 --a------ C:\WINDOWS\SYSTEM32\net1.exe
2006-10-13 16:37 113,664 --a------ C:\WINDOWS\SYSTEM32\msvfw32.dll
2006-10-13 16:37 11,615 --------- C:\WINDOWS\SYSTEM32\drivers\atinmdxx.sys
2006-10-13 16:37 10,240 --a------ C:\WINDOWS\SYSTEM32\msrle32.dll
2006-10-13 16:37 10,240 --a------ C:\WINDOWS\SYSTEM32\localui.dll
2006-10-13 16:37 1,622,528 --a------ C:\WINDOWS\SYSTEM32\netshell.dll
2006-10-13 16:37 1,220,608 --a------ C:\WINDOWS\SYSTEM32\msvidctl.dll
2006-10-13 16:37 1,128,960 --a------ C:\WINDOWS\SYSTEM32\mmcndmgr.dll
2006-10-13 16:36 827,438 --a------ C:\WINDOWS\SYSTEM32\imjp81k.dll
2006-10-13 16:36 42,537 --a------ C:\WINDOWS\SYSTEM32\keyboard.sys
2006-10-13 16:35 98,816 --a------ C:\WINDOWS\SYSTEM32\clipbrd.exe
2006-10-13 16:35 94,720 --a------ C:\WINDOWS\SYSTEM32\dmusic.dll
2006-10-13 16:35 91,648 --a------ C:\WINDOWS\SYSTEM32\iuctl.dll
2006-10-13 16:35 91,648 --a------ C:\WINDOWS\SYSTEM32\ahui.exe
2006-10-13 16:35 91,136 --a------ C:\WINDOWS\SYSTEM32\advpack.dll
2006-10-13 16:35 9,216 --a------ C:\WINDOWS\SYSTEM32\icaapi.dll
2006-10-13 16:35 9,216 --a------ C:\WINDOWS\SYSTEM32\dumprep.exe
2006-10-13 16:35 802,304 --a------ C:\WINDOWS\SYSTEM32\dxmrtp.dll
2006-10-13 16:35 8,832 --a------ C:\WINDOWS\SYSTEM32\framebuf.dll
2006-10-13 16:35 8,192 --------- C:\WINDOWS\SYSTEM32\autolfn.exe
2006-10-13 16:35 786,432 --a------ C:\WINDOWS\SYSTEM32\dxdiag.exe
2006-10-13 16:35 77,312 --a------ C:\WINDOWS\SYSTEM32\dmscript.dll
2006-10-13 16:35 76,830 --a------ C:\WINDOWS\SYSTEM32\drmstor.dll
2006-10-13 16:35 76,288 --a------ C:\WINDOWS\SYSTEM32\dfrgfat.exe
2006-10-13 16:35 76,288 --a------ C:\WINDOWS\SYSTEM32\avifil32.dll
2006-10-13 16:35 74,810 --a------ C:\WINDOWS\SYSTEM32\atl.dll
2006-10-13 16:35 73,728 --a------ C:\WINDOWS\SYSTEM32\ils.dll
2006-10-13 16:35 71,680 --a------ C:\WINDOWS\SYSTEM32\browsewm.dll
2006-10-13 16:35 70,656 --a------ C:\WINDOWS\SYSTEM32\defrag.exe
2006-10-13 16:35 70,144 --a------ C:\WINDOWS\SYSTEM32\cryptdlg.dll
2006-10-13 16:35 7,168 --a------ C:\WINDOWS\SYSTEM32\fxsperf.dll
2006-10-13 16:35 7,040 --a------ C:\WINDOWS\SYSTEM32\kd1394.dll
2006-10-13 16:35 66,560 --a------ C:\WINDOWS\SYSTEM32\faultrep.dll
2006-10-13 16:35 64,512 --a------ C:\WINDOWS\SYSTEM32\ciodm.dll
2006-10-13 16:35 62,976 --a------ C:\WINDOWS\SYSTEM32\browselc.dll
2006-10-13 16:35 62,464 --a------ C:\WINDOWS\SYSTEM32\adsmsext.dll
2006-10-13 16:35 602,112 --a------ C:\WINDOWS\SYSTEM32\drmv2clt.dll
2006-10-13 16:35 6,656 --a------ C:\WINDOWS\SYSTEM32\fxsres.dll
2006-10-13 16:35 6,656 --a------ C:\WINDOWS\SYSTEM32\batt.dll
2006-10-13 16:35 596,480 --a------ C:\WINDOWS\SYSTEM32\INETCOMM.DLL
2006-10-13 16:35 59,904 --a------ C:\WINDOWS\SYSTEM32\cabinet.dll
2006-10-13 16:35 59,392 --a------ C:\WINDOWS\SYSTEM32\iesetup.dll
2006-10-13 16:35 58,368 --a------ C:\WINDOWS\SYSTEM32\dpvsetup.exe
2006-10-13 16:35 57,344 --a------ C:\WINDOWS\SYSTEM32\dmcompos.dll
2006-10-13 16:35 56,320 --a------ C:\WINDOWS\SYSTEM32\dpnhupnp.dll
2006-10-13 16:35 559,616 --a------ C:\WINDOWS\SYSTEM32\fxsst.dll
2006-10-13 16:35 55,296 --a------ C:\WINDOWS\SYSTEM32\digest.dll
2006-10-13 16:35 54,272 --a------ C:\WINDOWS\SYSTEM32\clusapi.dll
2006-10-13 16:35 51,712 --a------ C:\WINDOWS\SYSTEM32\ipconfig.exe
2006-10-13 16:35 5,120 --a------ C:\WINDOWS\SYSTEM32\asferror.dll
2006-10-13 16:35 498,205 --a------ C:\WINDOWS\SYSTEM32\dxmasf.dll
2006-10-13 16:35 49,664 --a------ C:\WINDOWS\SYSTEM32\ixsso.dll
2006-10-13 16:35 49,152 --a------ C:\WINDOWS\SYSTEM32\eventlog.dll
2006-10-13 16:35 49,152 --a------ C:\WINDOWS\SYSTEM32\browser.dll
2006-10-13 16:35 489,984 --------- C:\WINDOWS\SYSTEM32\dbghelp.dll
2006-10-13 16:35 45,568 --a------ C:\WINDOWS\SYSTEM32\docprop2.dll
2006-10-13 16:35 443,392 --a------ C:\WINDOWS\SYSTEM32\fxsapi.dll
2006-10-13 16:35 41,984 --a------ C:\WINDOWS\SYSTEM32\alg.exe
2006-10-13 16:35 41,472 --a------ C:\WINDOWS\SYSTEM32\cmdl32.exe
2006-10-13 16:35 395,264 --a------ C:\WINDOWS\SYSTEM32\fxsxp32.dll
2006-10-13 16:35 391,168 --a------ C:\WINDOWS\SYSTEM32\fxstiff.dll
2006-10-13 16:35 38,912 --a------ C:\WINDOWS\SYSTEM32\audiosrv.dll
2006-10-13 16:35 36,922 --a------ C:\WINDOWS\SYSTEM32\imeshare.dll
2006-10-13 16:35 35,328 --a------ C:\WINDOWS\SYSTEM32\dfrgsnap.dll
2006-10-13 16:35 324,608 --a------ C:\WINDOWS\SYSTEM32\cmdial32.dll
2006-10-13 16:35 32,768 --a------ C:\WINDOWS\SYSTEM32\cfgbkend.dll
2006-10-13 16:35 32,512 --------- C:\WINDOWS\SYSTEM32\drivers\amdk7.sys
2006-10-13 16:35 318,464 --a------ C:\WINDOWS\SYSTEM32\ippromon.dll
2006-10-13 16:35 31,744 --a------ C:\WINDOWS\SYSTEM32\dmloader.dll
2006-10-13 16:35 307,712 --a------ C:\WINDOWS\SYSTEM32\cscui.dll
2006-10-13 16:35 30,208 --a------ C:\WINDOWS\SYSTEM32\imgutil.dll
2006-10-13 16:35 294,912 --a------ C:\WINDOWS\SYSTEM32\iedkcs32.dll
2006-10-13 16:35 29,696 --a------ C:\WINDOWS\SYSTEM32\dpnhpast.dll
2006-10-13 16:35 28,672 --a------ C:\WINDOWS\SYSTEM32\ie4uinit.exe
2006-10-13 16:35 28,672 --a------ C:\WINDOWS\SYSTEM32\dbnmpntw.dll
2006-10-13 16:35 271,360 --a------ C:\WINDOWS\SYSTEM32\fxscomex.dll
2006-10-13 16:35 27,648 --------- C:\WINDOWS\SYSTEM32\pidgen.dll
2006-10-13 16:35 266,240 --a------ C:\WINDOWS\SYSTEM32\drmclien.dll
2006-10-13 16:35 263,680 --a------ C:\WINDOWS\SYSTEM32\duser.dll
2006-10-13 16:35 263,168 --a------ C:\WINDOWS\SYSTEM32\devmgr.dll
2006-10-13 16:35 26,112 --a------ C:\WINDOWS\SYSTEM32\dmband.dll
2006-10-13 16:35 253,440 --a------ C:\WINDOWS\SYSTEM32\ddraw.dll
2006-10-13 16:35 250,368 --a------ C:\WINDOWS\SYSTEM32\fxssvc.exe
2006-10-13 16:35 25,600 --a------ C:\WINDOWS\SYSTEM32\dfsshlex.dll
2006-10-13 16:35 240,640 --a------ C:\WINDOWS\SYSTEM32\hnetcfg.dll
2006-10-13 16:35 24,576 --a------ C:\WINDOWS\SYSTEM32\dbmsvinn.dll
2006-10-13 16:35 24,576 --a------ C:\WINDOWS\SYSTEM32\dbmsrpcn.dll
2006-10-13 16:35 24,576 --a------ C:\WINDOWS\SYSTEM32\conime.exe
2006-10-13 16:35 24,064 --a------ C:\WINDOWS\SYSTEM32\fxsdrv.dll
2006-10-13 16:35 239,616 --a------ C:\WINDOWS\SYSTEM32\adsnt.dll
2006-10-13 16:35 238,592 --a------ C:\WINDOWS\SYSTEM32\compatui.dll
2006-10-13 16:35 237,056 --a------ C:\WINDOWS\SYSTEM32\icm32.dll
2006-10-13 16:35 236,032 --a------ C:\WINDOWS\SYSTEM32\fxst30.dll
2006-10-13 16:35 227,840 --a------ C:\WINDOWS\SYSTEM32\dsquery.dll
2006-10-13 16:35 22,528 --a------ C:\WINDOWS\SYSTEM32\at.exe
2006-10-13 16:35 216,064 --a------ C:\WINDOWS\SYSTEM32\fxscover.exe
2006-10-13 16:35 206,336 --a------ C:\WINDOWS\SYSTEM32\dpvoice.dll
2006-10-13 16:35 204,288 --a------ C:\WINDOWS\SYSTEM32\ieaksie.dll
2006-10-13 16:35 20,992 --a------ C:\WINDOWS\SYSTEM32\fxsext32.dll
2006-10-13 16:35 20,480 --a------ C:\WINDOWS\SYSTEM32\hidserv.dll
2006-10-13 16:35 20,480 --a------ C:\WINDOWS\SYSTEM32\dbmsadsn.dll
2006-10-13 16:35 19,456 --a------ C:\WINDOWS\SYSTEM32\fontview.exe
2006-10-13 16:35 19,456 --a------ C:\WINDOWS\SYSTEM32\ersvc.dll
2006-10-13 16:35 186,880 --a------ C:\WINDOWS\SYSTEM32\certcli.dll
2006-10-13 16:35 185,856 --a------ C:\WINDOWS\SYSTEM32\fxswzrd.dll
2006-10-13 16:35 180,224 --a------ C:\WINDOWS\SYSTEM32\dwwin.exe
2006-10-13 16:35 179,712 --a------ C:\WINDOWS\SYSTEM32\cewmdm.dll
2006-10-13 16:35 178,688 --a------ C:\WINDOWS\SYSTEM32\eudcedit.exe
2006-10-13 16:35 172,544 --a------ C:\WINDOWS\SYSTEM32\dmime.dll
2006-10-13 16:35 168,960 --a------ C:\WINDOWS\SYSTEM32\dinput8.dll
2006-10-13 16:35 165,376 --a------ C:\WINDOWS\SYSTEM32\els.dll
2006-10-13 16:35 162,816 --a------ C:\WINDOWS\SYSTEM32\adsldp.dll
2006-10-13 16:35 16,384 --a------ C:\WINDOWS\SYSTEM32\ds32gt.dll
2006-10-13 16:35 158,720 --a------ C:\WINDOWS\SYSTEM32\credui.dll
2006-10-13 16:35 156,672 --a------ C:\WINDOWS\SYSTEM32\dpnet.dll
2006-10-13 16:35 151,552 --a------ C:\WINDOWS\SYSTEM32\dinput.dll
2006-10-13 16:35 149,504 --a------ C:\WINDOWS\SYSTEM32\fxsui.dll
2006-10-13 16:35 14,366 --a------ C:\WINDOWS\SYSTEM32\asfsipc.dll
2006-10-13 16:35 139,776 --a------ C:\WINDOWS\SYSTEM32\adsldpc.dll
2006-10-13 16:35 135,680 --a------ C:\WINDOWS\SYSTEM32\dsprop.dll
2006-10-13 16:35 130,048 --a------ C:\WINDOWS\SYSTEM32\fxsclnt.exe
2006-10-13 16:35 13,312 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe
2006-10-13 16:35 126,976 --a------ C:\WINDOWS\SYSTEM32\ieakeng.dll
2006-10-13 16:35 124,928 --a------ C:\WINDOWS\SYSTEM32\dssenh.dll
2006-10-13 16:35 123,904 --a------ C:\WINDOWS\SYSTEM32\imapi.exe
2006-10-13 16:35 115,712 --a------ C:\WINDOWS\SYSTEM32\apphelp.dll
2006-10-13 16:35 115,200 --a------ C:\WINDOWS\SYSTEM32\dpcdll.dll
2006-10-13 16:35 114,176 --a------ C:\WINDOWS\SYSTEM32\input.dll
2006-10-13 16:35 113,152 --a------ C:\WINDOWS\SYSTEM32\idq.dll
2006-10-13 16:35 113,152 --a------ C:\WINDOWS\SYSTEM32\dfrgui.dll
2006-10-13 16:35 110,080 --a------ C:\WINDOWS\SYSTEM32\dmstyle.dll
2006-10-13 16:35 103,936 --a------ C:\WINDOWS\SYSTEM32\imm32.dll
2006-10-13 16:35 103,424 --a------ C:\WINDOWS\SYSTEM32\dgnet.dll
2006-10-13 16:35 1,180,672 --a------ C:\WINDOWS\SYSTEM32\d3d8.dll
2006-10-13 16:35 1,004,032 --a------ C:\WINDOWS\explorer.exe
2006-10-13 16:20 593,408 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2006-10-13 16:20 548,352 --a------ C:\WINDOWS\SYSTEM32\rtcdll.dll
2006-10-13 16:20 439,808 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2006-10-13 16:20 36,864 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2006-10-13 16:18 68,608 --a------ C:\WINDOWS\SYSTEM32\locator.exe
2006-10-13 16:17 974,336 --a------ C:\WINDOWS\SYSTEM32\msdtctm.dll
2006-10-13 16:17 97,280 --a------ C:\WINDOWS\SYSTEM32\txflog.dll
2006-10-13 16:17 535,552 --a------ C:\WINDOWS\SYSTEM32\rpcrt4.dll
2006-10-13 16:17 499,200 --a------ C:\WINDOWS\SYSTEM32\comuid.dll
2006-10-13 16:17 368,640 --a------ C:\WINDOWS\SYSTEM32\msdtcprx.dll
2006-10-13 16:17 150,528 --a------ C:\WINDOWS\SYSTEM32\msdtcuiu.dll
2006-10-13 16:17 110,080 --a------ C:\WINDOWS\SYSTEM32\clbcatex.dll
2006-10-13 16:16 947,472 --a------ C:\WINDOWS\SYSTEM32\msjava.dll
2006-10-13 16:16 63,248 --a------ C:\WINDOWS\SYSTEM32\javaprxy.dll
2006-10-13 16:16 49,424 --a------ C:\WINDOWS\SYSTEM32\clspack.exe
2006-10-13 16:16 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-10-13 16:16 404,752 --a------ C:\WINDOWS\SYSTEM32\javart.dll
2006-10-13 16:16 313,856 --a------ C:\WINDOWS\SYSTEM32\dx3j.dll
2006-10-13 16:16 286,992 --a------ C:\WINDOWS\SYSTEM32\vmhelper.dll
2006-10-13 16:16 21,264 --a------ C:\WINDOWS\SYSTEM32\msjdbc10.dll
2006-10-13 16:16 187,152 --a------ C:\WINDOWS\SYSTEM32\javacypt.dll
2006-10-13 16:16 172,304 --a------ C:\WINDOWS\SYSTEM32\jview.exe
2006-10-13 16:16 171,792 --a------ C:\WINDOWS\SYSTEM32\wjview.exe
2006-10-13 16:16 171,280 --a------ C:\WINDOWS\SYSTEM32\jit.dll
2006-10-13 16:16 154,384 --a------ C:\WINDOWS\SYSTEM32\msawt.dll
2006-10-13 16:16 15,120 --a------ C:\WINDOWS\SYSTEM32\jdbgmgr.exe
2006-10-13 16:16 139,536 --a------ C:\WINDOWS\SYSTEM32\javaee.dll
2006-10-13 16:16 113 --a------ C:\WINDOWS\SYSTEM32\zonedon.reg
2006-10-13 16:16 113 --a------ C:\WINDOWS\SYSTEM32\zonedoff.reg
2006-10-13 16:07 226,816 --a------ C:\WINDOWS\SYSTEM32\srrstr.dll
2006-10-13 16:04 38,912 --a------ C:\WINDOWS\SYSTEM32\hhsetup.dll
2006-10-13 16:04 143,872 --a------ C:\WINDOWS\SYSTEM32\itircl.dll
2006-10-13 16:04 128,000 --a------ C:\WINDOWS\SYSTEM32\itss.dll
2006-10-13 16:04 10,752 --a------ C:\WINDOWS\hh.exe
2006-10-13 16:01 125,440 --a------ C:\WINDOWS\SYSTEM32\shmedia.dll
2006-10-13 15:50 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2006-10-06 21:32 76,560 --a------ C:\WINDOWS\SYSTEM32\drivers\tmcomm.sys
2006-10-06 18:11 65,536 --a------ C:\WINDOWS\SYSTEM32\Winwcd.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-16 12:44 -------- d-------- C:\Program Files\Messenger
2006-10-16 12:43 -------- d-------- C:\Program Files\iTunes
2006-10-16 12:43 -------- d-------- C:\Program Files\Internet Explorer
2006-10-15 16:54 -------- d-------- C:\Program Files\GIB
2006-10-15 16:51 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-15 16:50 -------- d-------- C:\Documents and Settings\Owner\Application Data\U3
2006-10-13 19:31 -------- d-------- C:\Program Files\Common Files
2006-10-13 19:01 -------- d-------- C:\Program Files\Zone Labs
2006-10-13 18:58 -------- d-------- C:\Program Files\Grisoft
2006-10-13 18:43 -------- d-------- C:\Program Files\Windows Media Player
2006-10-13 18:18 -------- d-------- C:\Program Files\Outlook Express
2006-10-13 18:18 -------- d-------- C:\Program Files\Common Files\System
2006-10-13 17:11 -------- d-------- C:\Program Files\NetMeeting
2006-10-13 16:48 -------- d-------- C:\Program Files\Movie Maker
2006-10-06 23:02 -------- d--h----- C:\Program Files\WindowsUpdate
2006-10-06 19:08 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-10-06 19:07 -------- d-------- C:\Program Files\Lavasoft
2006-10-06 18:59 -------- d-------- C:\Program Files\CleanUp!
2006-10-06 18:35 -------- d-------- C:\Program Files\QuickTime
2006-10-06 18:28 -------- d-------- C:\Documents and Settings\Owner\Application Data\Identities
2006-09-12 22:09 1110528 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-08-30 23:46 -------- d-------- C:\Documents and Settings\Owner\Application Data\SystemDoctor 2006 Free
2006-08-25 08:53 561664 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-25 02:14 595968 --a------ C:\WINDOWS\SYSTEM32\xpsp2res.dll
2006-08-16 19:16 29784 --a------ C:\Program Files\popcorn Terms.html
2006-08-16 05:14 95232 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll
2006-08-16 05:14 70656 --a------ C:\WINDOWS\SYSTEM32\ws2_32.dll
2006-08-16 05:14 54272 --a------ C:\WINDOWS\SYSTEM32\ipv6mon.dll
2006-08-16 05:14 31232 --a------ C:\WINDOWS\SYSTEM32\inetmib1.dll
2006-08-16 05:14 13312 --a------ C:\WINDOWS\SYSTEM32\wship6.dll
2006-08-16 02:42 159232 --a------ C:\WINDOWS\SYSTEM32\xpob2res.dll
2006-08-16 02:28 48640 --a------ C:\WINDOWS\SYSTEM32\ipv6.exe
2006-08-16 02:28 205120 --a------ C:\WINDOWS\SYSTEM32\drivers\tcpip6.sys
2006-08-16 02:27 83456 --a------ C:\WINDOWS\SYSTEM32\netsh.exe
2006-08-16 02:27 11776 --a------ C:\WINDOWS\SYSTEM32\drivers\tunmp.sys
2006-08-10 22:09 795 --a------ C:\Documents and Settings\Owner\Application Data\.googlewebacchosts
2006-07-21 01:30 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"DriverLoad"=""
"DriverCheck"=""
"SystemDriverLoad"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"MCAgentExe"="C:\\Program Files\\mcafee.com\\Agent\\mcagent.exe"
"MCUpdateExe"="C:\\Program Files\\mcafee.com\\Agent\\mcupdate.exe /embedding"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"USB"="C:\\WINDOWS\\system32\\usb.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-16 13:03:17.79
C:\ComboFix.txt ... 06-10-16 13:03

hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 1:07:31 PM, on 10/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\mcafee.com\Agent\mcagent.exe
C:\Program Files\mcafee.com\Agent\mcupdate.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\XPFIX\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\mcafee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.google.com/diskless/bin/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/in...altpmtscab.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1160200901498
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

quaa · 10-16-2006, 01:22 PM

oh yeah the C:\DriverLoad folder was missing.

**Deckard** · 10-16-2006, 07:48 PM

I figured DriverLoad would be missing, but I wanted to be sure.

Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

Go to Start > Run and type: regsvr32 /u occache.dll and click OK.
Delete:
C:\avenger\backup.zip
C:\Program Files\dialers
C:\WINDOWS\Downloaded Program Files\Install.inf
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\SYSTEM32\Connect2Party-uninstall.exe
C:\WINDOWS\SYSTEM32\Personal_Party-uninstall.exe
Go to Start > Run and type: regsvr32 occache.dll and click OK.

ADS Deletions
Start HijackThis & Go to Config → Misc Tools → Open ADS Spy

Uncheck "Quick scan (Windows base folder only)"
Check "Ignore safe system info streams" if it is not already checked.
Click the "Scan" button.
When it has finished scanning, checkmark/tick all that it found.
Click the "remove selected" button.

Well done, your logs are clean! Any more issues? If not, you should be good to go but we still have a few items we'd like to address.

Reset hidden/system files and folders

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm and then click OK.

Reset System Restore

Go to Start>Run, type SYSDM.CPL and press Enter.
Select the System Restore tab.
Check "Turn off System Restore on all drives" and click Apply.
Now uncheck the same option and click OK.

Re-enable Protection
Turn back on any malware prevention tools we might have had you switch off.

Microsoft Updates
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by malware. Using Internet Explorer, please go to Microsoft's Windows Update and download all of the critical updates to help prevent possible re-infection.

Please ensure that you have already patched your system against these recent critical exploits:

WMF exploit: KB912919
VML exploit: KB925486

Enable Windows Auto Update:

Go to Start>Run, type WUAUCPL.CPL and press Enter.
Make sure "Keep my computer up to date" is checked.
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Update Java
You need to update your Java as it is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without multi-language and save to your desktop.
Close any programs you may have running -- especially your web browser(s).
Go to Startâ†'Control Panel double-click on Add/Remove Programs.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each version of Java.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
After the reboot, go back into the Control Panel and double-click the Java icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL three checked:
- Downloaded Applets
- Downloaded Applications
- Other Files
Click OK on Delete Temporary Files Window. NOTE: This deletes ALL of the Downloaded Applications and Applets from the cache.
Click OK to leave the Java Control Panel.

Malware Prevention
This is a good time to set up protection against further attacks. You might want to read Tony Klein's "How Did I Get Infected In The First Place?". At the minimum, you need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard to prevent spyware intrusions. I also recommend IE-Spyad, which places over 4,000 websites and domains in the IE Restricted list, thus helping prevent attempts to re-infect your system. All of these have no-strings-attached free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use but often have malware in them.

Two more articles you may want to read at your leisure are "KRC Anti-Spyware Tutorial" and "Making Internet Explorer Safer".

The following is a list of free software we recommend:

Antivirus
AV software should be updated at least once a week for optimum protection. Here are some free AV programs available for personal use. NOTE: Do not install more than one AV program because they will conflict with each other. Only pick one.

AOL Active Virus Shield (powered by Kaspersky Antivirus)
BitDefender
Avira PersonalEdition Classic
Avast!
AVG

Firewalls
A good firewall is the first-line of defense for your computer and will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you are unfamiliar with how a firewall works, you can read "Understanding and Using Firewalls". Here are some free firewalls available for personal use:

Realtime Malware Prevention Tools
These programs actively watch your computer for possible malware-related changes and help prevent them. You can run more than one of these at a time.

Passive Malware Prevention Tools
These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.

SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
IE-Spyad - Extract to your desktop and double-click install.bat. Install options #2 and #4. IE-Spyad places more than 4,000 dubious domains in the IE Restricted list, which impairs attempts to infect your system. It prevents any downloads from the sites although you will still be able to connect to them. You can read more about it on it's homepage.
MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements, preventing your computer from connecting to those sites.
McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.

Alternative Web Browsers
Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Alternative Miscellaneous
Here are some alternatives that are worth looking into if you use their features:

Trillian - an Instant Messenger client that speaks multiple IM services (AIM, Yahoo!, ICQ, MSN, etc.)
Miranda-IM - another Instant Messenger client with multiple IM capabilities.
Desktop Weather - A taskbar weather program that is free and resource light.

Please respond to this thread one more time so we can mark this thread as resolved.

quaa · 10-16-2006, 10:31 PM

Thanks! ill give the list of things to do to my customer. you guys are a lifesaver.

10-06-2006, 11:21 PM	#1 (permalink)
quaa Registered User Join Date: Jan 2006 Posts: 20 OS: XP HOME	Virus:Trj/Jupillites.G hello, i have a computer that i am working on that has random popups, excessivly. i ran panda active scan and the log is for the second scan: Incident Status Location Adware:Adware/DigInk Not disinfected c:\windows\win3208089-1130464.exe Adware:Adware/DigInk Not disinfected c:\windows\sys011130464089-.exe Adware:Adware/DigInk Not disinfected c:\windows\ms0664089-11304.exe Adware:Adware/DigInk Not disinfected c:\windows\ms05464089-1130.exe Adware:Adware/DigInk Not disinfected c:\windows\duce6.exe Virus:Trj/Jupillites.G Disinfected Operating system i also have the scan results for hijackthis Logfile of HijackThis v1.99.1 Scan saved at 11:17:14 PM, on 10/6/2006 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\windows\system\hpsysdrv.exe C:\Program Files\mcafee.com\Agent\mcagent.exe C:\Program Files\mcafee.com\Agent\mcupdate.exe C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\Duce6.exe C:\WINDOWS\ms0664089-11304.exe C:\WINDOWS\sys011130464089-.exe C:\WINDOWS\win3208089-1130464.exe C:\Program Files\Common Files\{BC9E7CA7-0701-1033-1122-010928000001}\Update.exe C:\WINDOWS\System32\PackethSvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\win32ssr.exe C:\Program Files\PSDream\PSDream.exe C:\Program Files\iPod\bin\iPodService.exe C:\Documents and Settings\Owner\Desktop\XPFIX\HijackThis.exe F2 - REG:system.ini: UserInit=userinit.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsw4F.dll O2 - BHO: IE HTTP Checker - {7A22BB1D-4B19-45CF-9A10-20534D997ED2} - C:\WINDOWS\system32\iehttpcheck.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\mcafee.com\Agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [loaddr] C:\qeoa.exe O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe" O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe O4 - HKLM\..\Run: [ms0664089-11304] C:\WINDOWS\ms0664089-11304.exe O4 - HKLM\..\Run: [sys011130464089-] C:\WINDOWS\sys011130464089-.exe O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate" O4 - HKLM\..\Run: [win3208089-1130464] C:\WINDOWS\win3208089-1130464.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\System32\crunner\cproc.exe O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe" O4 - HKCU\..\Run: [orfm] C:\PROGRA~1\COMMON~1\orfm\orfmm.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing) O15 - Trusted Zone: *.elitemediagroup.net O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.google.com/diskless/bin/tgctlcm.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/in...altpmtscab.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1160200901498 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe

10-07-2006, 08:33 PM	#2 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	Hello quaa, and welcome to TSF. You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any. Unhide Files Go to My Computer > Tools > Folder Options > View tab and select "Show hidden files and folders". Uncheck the "Hide protected operating system files (Recommended)" option. Also make sure there is no checkmark beside "Hide file extensions for known file types". Click OK. Firewall Required You don't seem to have a firewall program installed. Using a firewall will allow you to give/deny access for applications that want to go online. If you are unfamiliar with how a firewall works, you can read "Understanding and Using Firewalls". Here are some free firewalls available for personal use: Sygate Personal Firewall ZoneAlarm Tiny Personal Firewall Sunbelt Kerio Personal Firewall Outpost Firewall PRO Please pick one and install it. Unpatched Operating System IMPORTANT! Before we can proceed any further, please visit the Microsoft's Windows Update Page and install ALL Critical Updates for your system except Service Pack 2 (SP2). SP2 should only be installed on a fully disinfected system. At the minimum install at least Service Pack 1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online. Download CleanUp! Download and install CleanUp! but do not run it yet. WARNING: CleanUp! deletes EVERYTHING out of temporary folders and does not make backups. If you have any documents or programs that are saved in any temporary folders, please make a backup of these before running CleanUp! WARNING: Do not run cleanup under Windows XP x64 Edition. If you're not sure if you have the 64-bit version of Windows then you probably do not; however, you can check by using IE to download the whichcpu tool and then running it. Download AVG Anti-Spyware Please download, install, and update AVG Anti-Spyware Anti-Spyware. Load AVG Anti-Spyware and then click the Shield tab at the top Click on the word active to change it to inactive. Click the Update tab at the top: Under Manual update, click Start update. After the update finishes, the status bar at the bottom will display "Update successful". If you are having trouble updating, you can also download and run the manual updater. Under Automatic update, change the Update interval to something more reasonable like 12 or 24 hours. Click the Scanner tab at the top and then the Settings sub-tab: Under How to act?, click Recommended actions and select Quarantine. Under Reports, select Automatically generate report after every scan Close AVG Anti-Spyware. Do not run a scan with it yet. Download Brute Force Uninstaller Please download Brute Force Uninstaller to your desktop. Right click bfu.zip on your desktop, and choose Extract All. Click "Next". In the box to choose where to extract the files to, click "Browse". Click on the + sign next to "My Computer". Click on "Local Disk (C:) (or whatever your primary drive is). Click "Make New Folder" and type in BFU. Click "Next". Uncheck the "Show Extracted Files" box and then click "Finish". RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download the Alcra PLUS Remover. Save it in the same folder you made earlier (i.e., C:\BFU). Download ComboFix Download ComboFix from one of the following links: http://www.techsupportforum.com/sectools/combofix.exe http://download.bleepingcomputer.com/sUBs/combofix.exe Double click combofix.exe & follow the prompts. While ComboFix is running, please do not click or move the window, as this may cause the tool to stall. When the tool has finished, it will produce a log for you and save it as C:\ComboFix.txt. Post that log in your next reply. Disable Service You need to disable two services. Click Start>Run - type SERVICES.MSC and then click on the OK button. Locate the service - MS Software Shadow Download Provider Stop the service by using the Stop button. Change the Startup Type to Disabled and click the OK button. Start HiJackThis and go to Config... -> Misc.Tools -> Delete an NT service. In the popup box that appears, type in dnlsvc. Click the OK button and answer No if prompted to reboot. Locate the service - Win32Sr Double-click on it to open the Properties dialog. Under the General tab, write down the name of "Service name". We will need it momentarily. Stop the service by using the Stop button. Change the Startup Type to Disabled and click the OK button. Start HiJackThis and go to Config... -> Misc.Tools -> Delete an NT service. In the popup box that appears, copy/paste the value you obtained in step 3. Click the OK button and answer No if prompted to reboot. Uninstall Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist): License_Manager PSDream webHancer Please let me know if any of these were unable to uninstall. Reboot Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Login on with your usual account. Make sure to close any open windows. HijackThis Fixes Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any): F2 - REG:system.ini: UserInit=userinit.exe O2 - BHO: IE HTTP Checker - {7A22BB1D-4B19-45CF-9A10-20534D997ED2} - C:\WINDOWS\system32\iehttpcheck.dll O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsw4F.dll O4 - HKLM\..\Run: [loaddr] C:\qeoa.exe O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe" O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe O4 - HKLM\..\Run: [ms0664089-11304] C:\WINDOWS\ms0664089-11304.exe O4 - HKLM\..\Run: [sys011130464089-] C:\WINDOWS\sys011130464089-.exe O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate" O4 - HKLM\..\Run: [win3208089-1130464] C:\WINDOWS\win3208089-1130464.exe O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\System32\crunner\cproc.exe O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe" O4 - HKCU\..\Run: [orfm] C:\PROGRA~1\COMMON~1\orfm\orfmm.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present *O15 - Trusted Zone: .elitemediagroup.net O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe (file missing) O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe Please remember to close all other windows, including browsers then click Fix checked. Close HijackThis. Deletions Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\Documents and Settings\Owner\Local Settings\Temp\dnlsvc.exe C:\Program Files\Common Files\orfm C:\Program Files\License_Manager C:\Program Files\PSDream C:\Program Files\webHancer C:\WINDOWS\system32\crunner C:\WINDOWS\system32\iehttpcheck.dll C:\WINDOWS\system32\nsw4F.dll C:\WINDOWS\Duce6.exe C:\WINDOWS\ms0664089-11304.exe C:\WINDOWS\sys011130464089-.exe C:\WINDOWS\win3208089-1130464.exe C:\WINDOWS\win32ssr.exe C:\qeoa.exe Run Brute Force Uninstaller Please go to Start > My Computer and navigate to the folder you installed BFU in (i.e, C:\BFU). Start the Brute Force Uninstaller by doubleclicking BFU.exe Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.) Wait for the complete script execution box to pop up and press OK. Press exit to terminate the BFU program. Run CleanUp! Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Click on the "Temporary Files" and make sure the box for "Scan drives for file matching" is unchecked. Click OK. Press the CleanUp! button to start the program. Once it's finished CleanUp! will ask you to logoff/reboot. Please select NO as we will do this later. Run AVG Anti-Spyware Run AVG Anti-Spyware and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared. AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side. Click on Save Report, then Save Report As. Save the report so that you can find it again (like on the Desktop). Close AVG Anti-Spyware. Reboot Reboot your system to Normal Mode. Online Scan Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files. Once the files have been downloaded, click on NEXT. Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: extended Scan Options: Scan Archives and Scan Mail Bases Click OK Turn off the real time scanner of any existing antivirus program before performing the online scan. You can turn it back on after the scan is done. Now under select a target to scan, select My Computer The program will start and scan your system. The scan will take a while so be patient and let it run all the way. Once the scan is complete it will display if your system has been infected. Click on the Save as Text button and save the file to your desktop. Copy and paste that information in your next post. Take note the names and locations of any file it detects but fails to clean. With Your Next Post... Please paste the following with your next reply (in this order please): The contents of C:\ComboFix.txt, AVG Anti-Spyware scan report, Kaspersky scan report, a new HiJackThis log taken after Kaspersky finishes. __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting.** Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006

10-15-2006, 02:24 PM	#5 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	Sorry, I was out of town yesterday. Unfortunately, there is a nasty rootkit on this computer that we really need to get rid of before you give it back to the customer. This is going to take at least another round to make sure that we got everything. Download The Avenger Please download The Avenger to your Desktop. Click on Avenger.zip to open the file. Extract avenger.exe to your desktop Copy all the text contained in the code box below to your clipboard by highlighting it and pressing Ctrl+C: Code: Drivers to unload: pe386 Files to delete: C:\Program Files\GIB\01setup.EXE C:\WINDOWS\SYSTEM32\i C:\WINDOWS\Setup90.exe C:\WINDOWS\srvbtsebdr.exe NOTE: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. Now, start The Avenger program by clicking on its icon on your desktop. Under "Script file to execute" choose "Input Script Manually". Now click on the Magnifying Glass icon which will open a new window titled "View/edit script" Paste the text copied to clipboard into this window by pressing (Ctrl+V). Click Done Now click on the Green Light to begin execution of the script Answer "Yes" twice when prompted. The Avenger will automatically do the following: It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.) On reboot, it will briefly open a black command window on your desktop, this is normal. After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip. Please post the contents of c:\avenger.txt with your next reply. Online Scan Please perform an BitDefender Online Scan using Internet Explorer. Once finished, click on the Details button to view the results. To the upper right of the results you will see an option saying "Click here to export the scan results". Please do so and save it to your desktop. Post the results of the scan with your next post. Re-Download ComboFix ComboFix has been updated since you downloaded it. Please delete your copy and download ComboFix from one of the following links: http://www.techsupportforum.com/sectools/combofix.exe http://download.bleepingcomputer.com/sUBs/combofix.exe Double click combofix.exe & follow the prompts. While ComboFix is running, please do not click or move the window, as this may cause the tool to stall. When the tool has finished, it will produce a log for you and save it as C:\ComboFix.txt. Post that log in your next reply. Run ADS Spy Please open HIjackThis, and go to Config \|\| Misc Tools Click the button labelled "Open ADSSpy" Make sure "Ignore Safe System Info Streams" and "Quick Scan (Windows based folders only)" are checked. Click the "Scan" button. When it has finished scanning, checkmark/tick all that entries that it found. Click the "remove selected" button, then Click "Yes" at the following prompt. Click the "Scan" button once again. Click the "Save Log" button once this scan is complete. Please post that log here for review. With Your Next Post Please paste the following logs in this order: The contents of C:\avenger.txt, The results of the BitDefender scan, The contents of C:\ComboFix.txt, The results of ADS Spy, and A new HijackThis log taken after ComboFix has finished. __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006

10-15-2006, 06:38 PM	#6 (permalink)
quaa Registered User Join Date: Jan 2006 Posts: 20 OS: XP HOME	Since Whenever i posted my reply it always messed up, i threw the logs on my server Avenger log http://myweb.cableone.net/ttctbt/avenger.txt Everything else... http://myweb.cableone.net/ttctbt/SCANLOGS.rtf Last edited by quaa; 10-15-2006 at 06:52 PM.

10-15-2006, 07:43 PM	#7 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	We're really close. These last steps and it should be clean. Deletions Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\ DriverLoad C:\WINDOWS\SYSTEM32\ azfd6ea9.sys C:\WINDOWS\SYSTEM32\ iehttpcheck.bat C:\WINDOWS\ trnty.dll C:\WINDOWS\ file.bat Download Attachment Download the file attached to this post and save it to your desktop. Extract it and double-click on the quaa.reg file. It will ask you if you want to merge/add it to the registry -- choose Yes. You may delete both files now. Online Scan Perform an online scan with Internet Explorer with Panda ActiveScan. Click on the "Scan your PC" button located at the bottom of the page. A popup window should appear -- make sure you allow it if you have a popup blocker. Enter your e-mail address, country, and state and click Scan Now. Your computer will download Panda's 8 megabyte ActiveX control at this point. Follow the on-screen directions if it asks you to install the ActiveX control. Begin the scan by selecting My Computer. Note: Please turn off the real time scanner of any existing antivirus program while performing the online scan. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report. It is not necessary to remain online while it's doing the scan, but you will have to re-connect after it has finished to see the report. Reboot Please reboot. I want to make sure the entries I removed from the registry do not come back. Re-run ComboFix Double click combofix.exe & follow the prompts. When the tool has finished, it will move the old log to C:\ComboFix2.txt and produce a new log in C:\ComboFix.txt. Post the Panda Scan result along with the C:\ComboFix.txt log. __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006 Last edited by Deckard; 11-02-2006 at 05:54 PM.

10-15-2006, 12:18 PM	#4 (permalink)
quaa Registered User Join Date: Jan 2006 Posts: 20 OS: XP HOME	Bump? ive had this computer long enough, i need to get it back to my customer. there have been zero popups, but i just want to see if its done..

10-16-2006, 01:22 PM	#9 (permalink)
quaa Registered User Join Date: Jan 2006 Posts: 20 OS: XP HOME	oh yeah the C:\DriverLoad folder was missing.

10-16-2006, 07:48 PM	#10 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	I figured DriverLoad would be missing, but I wanted to be sure. Deletions Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. Go to Start > Run and type: regsvr32 /u occache.dll and click OK. Delete: C:\avenger\backup.zip C:\Program Files\dialers C:\WINDOWS\Downloaded Program Files\Install.inf C:\WINDOWS\IA\KE.vbs C:\WINDOWS\SYSTEM32\Connect2Party-uninstall.exe C:\WINDOWS\SYSTEM32\Personal_Party-uninstall.exe Go to Start > Run and type: regsvr32 occache.dll and click OK. ADS Deletions Start HijackThis & Go to Config → Misc Tools → Open ADS Spy Uncheck "Quick scan (Windows base folder only)" Check "Ignore safe system info streams" if it is not already checked. Click the "Scan" button. When it has finished scanning, checkmark/tick all that it found. Click the "remove selected" button. Well done, your logs are clean! Any more issues? If not, you should be good to go but we still have a few items we'd like to address. Reset hidden/system files and folders Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide file extensions for known types option. Select the Hide protected operating system files option. Click Yes to confirm and then click OK. Reset System Restore Go to Start>Run, type SYSDM.CPL and press Enter. Select the System Restore tab. Check "Turn off System Restore on all drives" and click Apply. Now uncheck the same option and click OK. Re-enable Protection Turn back on any malware prevention tools we might have had you switch off. Microsoft Updates It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by malware. Using Internet Explorer, please go to Microsoft's Windows Update and download all of the critical updates to help prevent possible re-infection. Please ensure that you have already patched your system against these recent critical exploits: WMF exploit: KB912919 VML exploit: KB925486 Enable Windows Auto Update: Go to Start>Run, type WUAUCPL.CPL and press Enter. Make sure "Keep my computer up to date" is checked. Under settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Update Java You need to update your Java as it is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9. Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". Click the "Download" button to the right. Check the box that says: "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without multi-language and save to your desktop. Close any programs you may have running -- especially your web browser(s). Go to Startâ†'Control Panel double-click on Add/Remove Programs. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each version of Java. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version. After the reboot, go back into the Control Panel and double-click the Java icon. Under Temporary Internet Files, click the Delete Files button. There are three options in the window to clear the cache - Leave ALL three checked: Downloaded Applets Downloaded Applications Other Files Click OK on Delete Temporary Files Window. NOTE: This deletes ALL of the Downloaded Applications and Applets from the cache. Click OK to leave the Java Control Panel. Malware Prevention This is a good time to set up protection against further attacks. You might want to read Tony Klein's "How Did I Get Infected In The First Place?". At the minimum, you need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard to prevent spyware intrusions. I also recommend IE-Spyad, which places over 4,000 websites and domains in the IE Restricted list, thus helping prevent attempts to re-infect your system. All of these have no-strings-attached free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use but often have malware in them. Two more articles you may want to read at your leisure are "KRC Anti-Spyware Tutorial" and "Making Internet Explorer Safer". The following is a list of free software we recommend: Antivirus AV software should be updated at least once a week for optimum protection. Here are some free AV programs available for personal use. NOTE: Do not install more than one AV program because they will conflict with each other. Only pick one. AOL Active Virus Shield (powered by Kaspersky Antivirus) BitDefender Avira PersonalEdition Classic Avast! AVG Firewalls A good firewall is the first-line of defense for your computer and will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you are unfamiliar with how a firewall works, you can read "Understanding and Using Firewalls". Here are some free firewalls available for personal use: Sygate Personal Firewall ZoneAlarm Tiny Personal Firewall Sunbelt Kerio Personal Firewall Outpost Firewall PRO Realtime Malware Prevention Tools These programs actively watch your computer for possible malware-related changes and help prevent them. You can run more than one of these at a time. Spyware Guard Spybot Search & Destroy AdAware WinPatrol - with tutorial Passive Malware Prevention Tools These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources. SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates. IE-Spyad - Extract to your desktop and double-click install.bat. Install options #2 and #4. IE-Spyad places more than 4,000 dubious domains in the IE Restricted list, which impairs attempts to infect your system. It prevents any downloads from the sites although you will still be able to connect to them. You can read more about it on it's homepage. MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements, preventing your computer from connecting to those sites. McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox. Alternative Web Browsers Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites. Firefox Opera Alternative Miscellaneous Here are some alternatives that are worth looking into if you use their features: Trillian - an Instant Messenger client that speaks multiple IM services (AIM, Yahoo!, ICQ, MSN, etc.) Miranda-IM - another Instant Messenger client with multiple IM capabilities. Desktop Weather - A taskbar weather program that is free and resource light. Please respond to this thread one more time so we can mark this thread as resolved. __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006

10-16-2006, 10:31 PM	#11 (permalink)
quaa Registered User Join Date: Jan 2006 Posts: 20 OS: XP HOME	Thanks! ill give the list of things to do to my customer. you guys are a lifesaver.