Old 11-22-2006, 02:08 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 13
OS: NT


Trojan / Virus vbsys2.dll itunesff.exe

Hi Guys,

While browsing this week I have picked up malware. I have security on my computer but it got through. Although Windows works OK, the Internet is playing up.

Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 20:31:30, on 22/11/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\TALKTA~1\backweb\81720\Program\SERVIC~1.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\TalkTalk Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\TalkTalk Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\TalkTalk Online Security\backweb\81720\program\fsbwsys.exe
C:\Program Files\TalkTalk Online Security\Common\FSMA32.EXE
C:\Program Files\TalkTalk Online Security\Common\FSMB32.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\TalkTalk Online Security\Common\FCH32.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TalkTalk Online Security\Common\FAMEH32.EXE
C:\WINNT\Explorer.exe
C:\Program Files\TalkTalk Online Security\Anti-Virus\fsrw.exe
C:\Program Files\TalkTalk Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\TalkTalk Online Security\Anti-Virus\fssm32.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINNT\loadqm.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe
C:\Program Files\TalkTalk Online Security\Common\FSM32.EXE
C:\Program Files\TalkTalk Online Security\FSGUI\ispnews.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\AOL\1136147225\ee\AOLHostManager.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Common Files\AOL\1136147225\ee\AOLServiceHost.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\TalkTalk Online Security\backweb\81720\Program\fspex.exe
C:\program files\common files\aol\1136147225\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1136147225\ee\AOLServiceHost.exe
C:\Program Files\TalkTalk Online Security\Anti-Virus\fsav32.exe
C:\PROGRA~1\TALKTA~1\ANTI-S~1\fsaw.exe
C:\Program Files\TalkTalk Online Security\FSGUI\fsguidll.exe
C:\Secrurity\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.aol.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk/
O1 - Hosts: 205.238.40.1 winmx.com
O1 - Hosts: 66.38.215.115 www.kazza.com
O1 - Hosts: 66.38.215.115 kaza.com
O1 - Hosts: 66.38.215.115 www.kaza.com
O1 - Hosts: 66.38.215.115 kaaza.com
O1 - Hosts: 66.38.215.115 www.kaaza.com
O1 - Hosts: 66.38.215.115 kahza.com
O1 - Hosts: 66.38.215.115 www.kahza.com
O1 - Hosts: 66.38.215.115 edonkey.com
O1 - Hosts: 66.38.215.115 www.edonkey.com
O1 - Hosts: 66.38.215.115 emule.com
O1 - Hosts: 66.38.215.115 www.emule.com
O1 - Hosts: 66.38.215.115 suprnova.com
O1 - Hosts: 66.38.215.115 www.suprnova.com
O1 - Hosts: 64.124.166.37 klite.com
O1 - Hosts: 64.124.166.37 www.klite.com
O1 - Hosts: 64.124.166.37 k-lite.com
O1 - Hosts: 64.124.166.37 www.k-lite.com
O1 - Hosts: 64.124.166.37 kazaalite.com
O1 - Hosts: 64.124.166.37 www.kazzalite.com
O1 - Hosts: 64.124.166.37 kazalite.com
O1 - Hosts: 64.124.166.37 www.kazalite.com
O1 - Hosts: 64.124.166.37 kaazalite.com
O1 - Hosts: 64.124.166.37 www.kaazalite.com
O1 - Hosts: 205.238.40.51 www.winmx.com err.winmx.com
O1 - Hosts: 205.238.40.2 test3201.winmx.com test3205.winmx.com
O1 - Hosts: 205.238.40.2 test3202.winmx.com test3206.winmx.com
O1 - Hosts: 205.238.40.1 test3203.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.224.20 test3204.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.2 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: (no name) - {FF655836-13BD-4D87-BC90-A8D89E5ED72B} - C:\WINNT\System32\kbdsir.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: SuperBar - {E73E40FB-9506-4A4A-870B-DC3B064B73C6} - C:\Program Files\_SUPERBAR\_SUPERBAR.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [ypqfqdgb] C:\WINNT\ypqfqdgb.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136147225\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\TalkTalk Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\TalkTalk Online Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\TalkTalk Online Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\TalkTalk Online Security\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [dmjtj.exe] C:\WINNT\System32\dmjtj.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TalkTalk Online Security.lnk = C:\Program Files\TalkTalk Online Security\backweb\81720\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\TalkTalk Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield (HKLM)
O9 - Extra 'Tools' menuitem: IE Shield... (HKLM)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\system\intralaunch.CAB

Thanks Adrian
djade80 is offline  
Old 11-22-2006, 03:32 PM   #2 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 13
OS: NT


I forgot to mention earlier that when using Internet Explorer my toolbars have vanished.

Here is my Kaspersky log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 22, 2006 11:30:05 PM
Operating System: Microsoft Windows 2000 Professional, (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 22/11/2006
Kaspersky Anti-Virus database records: 230296
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 49603
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:48:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\ade\Application Data\ispnews\ispn.ini Object is locked skipped
C:\Documents and Settings\ade\Application Data\ispnews\ispnc.items Object is locked skipped
C:\Documents and Settings\ade\Application Data\ispnews\ispnr.items Object is locked skipped
C:\Documents and Settings\ade\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ade\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ade\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ade\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ade\Local Settings\History\History.IE5\MSHist012006112220061123\index.dat Object is locked skipped
C:\Documents and Settings\ade\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ade\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ade\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Program Files\Common Files\AOL\ACS\UK\forms.fdb Object is locked skipped
C:\Program Files\Common Files\AOL\ACS\UK\static Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\cache.dat Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\fsbwupst.log Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\L0000012.FCS Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\TalkTalk Online Security\backweb\81720\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\TalkTalk Online Security\Common\admin.pub Object is locked skipped
C:\Program Files\TalkTalk Online Security\Common\policy.bpf Object is locked skipped
C:\Program Files\TalkTalk Online Security\Common\policy.ipf Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\dmeep.exe Object is locked skipped
C:\WINNT\system32\wbem\Repository\CIM.REP Object is locked skipped

Scan process completed.
djade80 is offline  
Old 11-24-2006, 10:57 PM   #3 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,560
OS: 2000 Pro; XP Pro; XP Home


You are using an outdated version of Hijack This. Please delete your current version and download HijackThis. Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

Please post a new log with the updated version.
tetonbob is offline  
Old 11-25-2006, 03:18 AM   #4 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 13
OS: NT


new Hijackthis log

Hi, thanks for your reply. Since the initial problems and first log I have done various sweeps of the computer and here is my new log.
I have also changed browsers as Internet Explorer was playing up. I am now using Firefox.

Adrian

Logfile of HijackThis v1.99.1
Scan saved at 11:16:30, on 25/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\AOL\1136147225\ee\AOLHostManager.exe
C:\WINNT\system32\csrs.exe
C:\di21.exe
C:\Program Files\Common Files\AOL\1136147225\ee\AOLServiceHost.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\program files\common files\aol\1136147225\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1136147225\ee\AOLServiceHost.exe
C:\Program Files\Common Files\{74D1919C-06FC-1033-0708-02061902002c}\Update.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.aol.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk/
O1 - Hosts: 205.238.40.1 winmx.com
O1 - Hosts: 66.38.215.115 www.kazza.com
O1 - Hosts: 66.38.215.115 kaza.com
O1 - Hosts: 66.38.215.115 www.kaza.com
O1 - Hosts: 66.38.215.115 kaaza.com
O1 - Hosts: 66.38.215.115 www.kaaza.com
O1 - Hosts: 66.38.215.115 kahza.com
O1 - Hosts: 66.38.215.115 www.kahza.com
O1 - Hosts: 66.38.215.115 edonkey.com
O1 - Hosts: 66.38.215.115 www.edonkey.com
O1 - Hosts: 66.38.215.115 emule.com
O1 - Hosts: 66.38.215.115 www.emule.com
O1 - Hosts: 66.38.215.115 suprnova.com
O1 - Hosts: 66.38.215.115 www.suprnova.com
O1 - Hosts: 64.124.166.37 klite.com
O1 - Hosts: 64.124.166.37 www.klite.com
O1 - Hosts: 64.124.166.37 k-lite.com
O1 - Hosts: 64.124.166.37 www.k-lite.com
O1 - Hosts: 64.124.166.37 kazaalite.com
O1 - Hosts: 64.124.166.37 www.kazzalite.com
O1 - Hosts: 64.124.166.37 kazalite.com
O1 - Hosts: 64.124.166.37 www.kazalite.com
O1 - Hosts: 64.124.166.37 kaazalite.com
O1 - Hosts: 64.124.166.37 www.kaazalite.com
O1 - Hosts: 205.238.40.51 www.winmx.com err.winmx.com
O1 - Hosts: 205.238.40.2 test3201.winmx.com test3205.winmx.com
O1 - Hosts: 205.238.40.2 test3202.winmx.com test3206.winmx.com
O1 - Hosts: 205.238.40.1 test3203.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.224.20 test3204.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.2 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34D19~1\888Bar.dll
O2 - BHO: (no name) - {FF655836-13BD-4D87-BC90-A8D89E5ED72B} - C:\WINNT\System32\kbdsir.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: (no name) - {E73E40FB-9506-4A4A-870B-DC3B064B73C6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34D19~1\888Bar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136147225\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\system32\csrs.exe
O4 - HKLM\..\Run: [Services] C:\di21.exe
O4 - HKLM\..\Run: [dmeqs.exe] C:\WINNT\system32\dmeqs.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1164393831621
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1164396961975
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\system\intralaunch.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4110E99-88F6-4A1C-A7A7-C16171602426}: NameServer = 62.24.128.17 62.24.128.18
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
Old 11-25-2006, 07:55 AM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,560
OS: 2000 Pro; XP Pro; XP Home


You have a couple of different infections. We'll take this in stages.

First:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O1 - Hosts: 205.238.40.1 winmx.com
O1 - Hosts: 66.38.215.115 www.kazza.com
O1 - Hosts: 66.38.215.115 kaza.com
O1 - Hosts: 66.38.215.115 www.kaza.com
O1 - Hosts: 66.38.215.115 kaaza.com
O1 - Hosts: 66.38.215.115 www.kaaza.com
O1 - Hosts: 66.38.215.115 kahza.com
O1 - Hosts: 66.38.215.115 www.kahza.com
O1 - Hosts: 66.38.215.115 edonkey.com
O1 - Hosts: 66.38.215.115 www.edonkey.com
O1 - Hosts: 66.38.215.115 emule.com
O1 - Hosts: 66.38.215.115 www.emule.com
O1 - Hosts: 66.38.215.115 suprnova.com
O1 - Hosts: 66.38.215.115 www.suprnova.com
O1 - Hosts: 64.124.166.37 klite.com
O1 - Hosts: 64.124.166.37 www.klite.com
O1 - Hosts: 64.124.166.37 k-lite.com
O1 - Hosts: 64.124.166.37 www.k-lite.com
O1 - Hosts: 64.124.166.37 kazaalite.com
O1 - Hosts: 64.124.166.37 www.kazzalite.com
O1 - Hosts: 64.124.166.37 kazalite.com
O1 - Hosts: 64.124.166.37 www.kazalite.com
O1 - Hosts: 64.124.166.37 kaazalite.com
O1 - Hosts: 64.124.166.37 www.kaazalite.com
O1 - Hosts: 205.238.40.51 www.winmx.com err.winmx.com
O1 - Hosts: 205.238.40.2 test3201.winmx.com test3205.winmx.com
O1 - Hosts: 205.238.40.2 test3202.winmx.com test3206.winmx.com
O1 - Hosts: 205.238.40.1 test3203.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.224.20 test3204.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.2 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34D19~1\888Bar.dll
O2 - BHO: (no name) - {FF655836-13BD-4D87-BC90-A8D89E5ED72B} - C:\WINNT\System32\kbdsir.dll (file missing)
O3 - Toolbar: (no name) - {E73E40FB-9506-4A4A-870B-DC3B064B73C6} - (no file)
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34D19~1\888Bar.dll
O4 - HKLM\..\Run: [dmeqs.exe] C:\WINNT\system32\dmeqs.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab



Close HijackThis now.

---------------------------------------------------------------------------------------------


Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Delete these if present:

c:\ex.cab
C:\WINNT\system32\dmeqs.exe


Next,
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 11-25-2006, 12:41 PM   #6 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 13
OS: NT


Hi there,

I followed your instructions above, a couple of files did not exist as you said, and the only thing to note was Windows froze just after SDFix finished.

New Logs below :

Logfile of HijackThis v1.99.1
Scan saved at 20:38:07, on 25/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\AOL\1136147225\ee\AOLHostManager.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\AOL\1136147225\ee\AOLServiceHost.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\program files\common files\aol\1136147225\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1136147225\ee\AOLServiceHost.exe
C:\Secrurity\HijackThis v1.99.0.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.aol.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136147225\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1164393831621
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1164396961975
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\system\intralaunch.CAB
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe






SDFix: Version 1.43
-------------------

Scan run on:
Date:Sat 25/11/2006 Time:20:24:45.70


Microsoft Windows 2000 [Version 5.00.2195]

Running from C:\SDFix

Stage One - Safe Mode

Checking Services...

Name:
-----

Path:
----


Repairing Registry...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\DOCUME~1\ade\LOCALS~1\Temp\setup.exe
C:\WINNT\system32\csrs.exe
C:\WINNT\system32\winmx.exe

Backing Up and Removing any Files Found...

Final Check:

Services:
---------

Files:
------


Backups folder: - C:\SDFix\backups\backups.zip

AuthorizedApplication Key Export:

Checking For Hidden Files:


FINISHED
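The fix list in post #5 and the follow-up log in post #6 can be cross-checked mechanically. The following is an added example, not part of the thread and not code from HijackThis or SDFix: it parses HijackThis result lines, queues entries for review using three assumed heuristics (non-loopback hosts mappings, ActiveX download entries with an empty or file:// codebase, targets reported missing), and lists fix-list entries that still appear in a later log. The sample inputs are constructed from a few lines quoted in the thread.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section body")

# A result line is "<section code> - <details>", e.g. "O16 - DPF: {CLSID} - codebase".
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(.+)$")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? -\s*(.*)$")
LOOPBACK = {"127.0.0.1", "::1"}


def parse_log(text):
    """Return the section-coded entries; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def review_reason(entry):
    """Assumed heuristics: a reason to look closer, or None. Not a verdict."""
    if entry.section == "O1":
        m = HOSTS_RE.match(entry.body)
        if m and m.group(1) not in LOOPBACK:
            names = m.group(2).split()
            return "hosts file maps %d name(s) to %s" % (len(names), m.group(1))
    if entry.section == "O16":
        m = DPF_RE.match(entry.body)
        if m:
            codebase = m.group(3)
            if not codebase:
                return "ActiveX download entry with no codebase"
            if codebase.lower().startswith("file://"):
                return "ActiveX control installed from local file " + codebase[7:]
    if entry.body.endswith(("(no file)", "(file missing)")):
        return "registered target is absent from disk"
    return None


def triage(text):
    """Return (entry, reason) pairs for every entry a heuristic matched."""
    flagged = []
    for entry in parse_log(text):
        reason = review_reason(entry)
        if reason:
            flagged.append((entry, reason))
    return flagged


def still_present(fix_list_text, later_log_text):
    """Fix-list entries that reappear verbatim in a later log.

    Matching is exact after whitespace trimming, so an entry whose path
    casing changed between scans would not be reported.
    """
    later = set(parse_log(later_log_text))
    return [e for e in parse_log(fix_list_text) if e in later]


# Constructed sample: six lines taken from the fix list in post #5.
FIX_LIST = r"""
O1 - Hosts: 66.38.215.115 www.kazza.com
O1 - Hosts: 205.238.40.51 www.winmx.com err.winmx.com
O2 - BHO: (no name) - {FF655836-13BD-4D87-BC90-A8D89E5ED72B} - C:\WINNT\System32\kbdsir.dll (file missing)
O4 - HKLM\..\Run: [dmeqs.exe] C:\WINNT\system32\dmeqs.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
"""

# Constructed sample: a shortened follow-up log using lines from post #6.
LATER_LOG_CLEAN = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\Explorer.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\system\intralaunch.CAB
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Constructed sample: the same log with one fix-list entry left behind.
LATER_LOG_PARTIAL = (LATER_LOG_CLEAN + "\n"
                     + r"O4 - HKLM\..\Run: [dmeqs.exe] C:\WINNT\system32\dmeqs.exe")

if __name__ == "__main__":
    for entry, reason in triage(FIX_LIST):
        print("%-4s %s\n     -> %s" % (entry.section, entry.body, reason))
    for entry in still_present(FIX_LIST, LATER_LOG_PARTIAL):
        print("still present:", entry.section, entry.body)
```

None of the three rules matches the dmeqs.exe Run entry from the fix list, and they do match entries that were left alone in the thread (the IntraLaunch control, the avast! service line), so the output is a review queue for an analyst and not a list of things to delete.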
Old 11-25-2006, 01:58 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,560
OS: 2000 Pro; XP Pro; XP Home


Windows froze, but it's ok now?

We have more work to do, but I want to be sure of this.
Old 11-25-2006, 04:01 PM   #8 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 13
OS: NT


Windows but fine now after the reboot.

My current antivirus still records a Trojan win32.qhost.gf trying to gain access.

Look forward to your reply
Old 11-25-2006, 04:18 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,560
OS: 2000 Pro; XP Pro; XP Home


You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ) into this topic.


----------------------------------------------------------------------------------------------------------

Also, please do this:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Paste the Panda Scan report here together with a new HijackThis log and the report from FixWareout.
Old 11-26-2006, 03:42 AM   #10 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 13
OS: NT


Hi there,

I have done the fixwareout and report is below.

When I went to do the Panda active scan, during the downloading of the ActiveX Controls my Antivirus found WIN32:CTX in /as5free/motor.cab\psha
and I had to abort the download.

reports logs are below.


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xevol
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmiml.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINNT\SYSTEM32\CSRZG.EXE 51,764 2006-11-20
C:\WINNT\SYSTEM32\DMCPL.EXE 266,240 2002-05-03
C:\WINNT\SYSTEM32\DMIML.EXE 60,461 2003-06-19

Other suspects.
Directory of C:\WINNT\system32
{D91B0F98-6D65-4E53-B704-C236BB81E512}.exe

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.



Logfile of HijackThis v1.99.1
Scan saved at 11:42:51, on 26/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\AOL\1136147225\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1136147225\ee\AOLServiceHost.exe
C:\program files\common files\aol\1136147225\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1136147225\ee\AOLServiceHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Secrurity\HijackThis v1.99.0.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.aol.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136147225\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1164393831621
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1164396961975
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\system\intralaunch.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4110E99-88F6-4A1C-A7A7-C16171602426}: NameServer = 62.24.252.135 62.24.252.134
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

Look forward to your reply

Adrian
Old 11-26-2006, 07:52 AM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,560
OS: 2000 Pro; XP Pro; XP Home


Hello, Adrian.

Good work on providing the info from your AV scanner. We've rooted out the bad guys now.

Delete these files:

C:\WINNT\SYSTEM32\CSRZG.EXE
C:\WINNT\SYSTEM32\DMCPL.EXE
C:\WINNT\SYSTEM32\DMIML.EXE
C:\WINNT\SYSTEM32\{D91B0F98-6D65-4E53-B704-C236BB81E512}.exe


If they resist deletion, boot to safe mode and delete from there.

-----------------------------------------------------------------------------------

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program.

It may ask you to log-off/reboot at the end, if it does please do so.

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with its updated definitions (it's important that all windows be closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Please continue with the online scan at Panda. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database. You will need to disable Avast during the download and install of the ActiveX controls, as indicated in the original instructions.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Old 11-26-2006, 05:08 PM   #12 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 13
OS: NT


Hi there,

I deleted the files as stated.

Ran CleanUP & AVG scanner, report below.

During the scan it found ranky.gb and IRCBot.xv.
It also found csrs.exe which, on Actions as required, it said was embedded in an archive zip file. Quarantine whole archive? I answered Yes.

Switched off Avast antivirus and downloaded Pandascan Active controls, but then it didn't seem to do anything, scan that is.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 00:37:44 27/11/2006

+ Scan result:



C:\SDFix\backups\backups.zip/backups/csrs.exe -> Backdoor.IRCBot.xv : Cleaned with backup (quarantined).
C:\di21.exe -> Proxy.Ranky.gb : Cleaned with backup (quarantined).


::Report end


New Hijackthis Log

Logfile of HijackThis v1.99.1
Scan saved at 01:08:14, on 27/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\AOL\1136147225\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1136147225\ee\AOLServiceHost.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\program files\common files\aol\1136147225\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1136147225\ee\AOLServiceHost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Secrurity\HijackThis v1.99.0.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.aol.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136147225\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1164393831621
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1164396961975
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\system\intralaunch.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4110E99-88F6-4A1C-A7A7-C16171602426}: NameServer = 62.24.222.134 62.24.222.135
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe


Thanks again, Adrian
djade80 is offline  
Old 11-26-2006, 06:21 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,560
OS: 2000 Pro; XP Pro; XP Home


That's looking much better, but I'd like to get one online scan in. They can often see what other tools may miss.

Please try this one:

Establish an internet connection & perform an online scan using Internet Explorer at http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

How is your system behaving, please?
tetonbob is offline  
Old 11-27-2006, 05:05 AM   #14 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 13
OS: NT


Thanks for this, I will carry out the actions when I get home to my PC, at work now.
The PC is better, although I noticed after I start, and Windows opens up, a 'Mixer' window tries to open, then closes.

I have all my web browsers behaving now, and it looks as though a lot of cxxp has been cleared out.

Thanks
djade80 is offline  
Old 11-27-2006, 11:01 AM   #15 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 13
OS: NT


Have actioned the Kaspersky report and result as follows

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, November 27, 2006 6:57:33 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/11/2006
Kaspersky Anti-Virus database records: 246029
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 47148
Number of viruses found: 3
Number of infected objects: 4 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:33:27

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\ade\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ade\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ade\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ade\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ade\Local Settings\History\History.IE5\MSHist012006112720061128\index.dat Object is locked skipped
C:\Documents and Settings\ade\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ade\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ade\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ade\UserData\index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Common Files\AOL\ACS\UK\forms.fdb Object is locked skipped
C:\Program Files\Common Files\AOL\ACS\UK\static Object is locked skipped
C:\Program Files\Common Files\{74D1919C-06FC-1033-0708-02061902002c}\system.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Program Files\Common Files\{74D1919C-06FD-1033-0708-02061902002c}\system.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\debug.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\debug.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\error.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\error.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\ids.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\ids.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\network.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\network.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\system.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\system.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\warning.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\warning.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\web.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\web.log.idx Object is locked skipped
C:\stl32.exe Infected: Trojan-Proxy.Win32.Agent.by skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\security\logs\scepol.log Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\Antivirus.Evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\mc-110-12-0000144.exe Infected: Trojan-Downloader.Win32.Agent.bca skipped
C:\WINNT\system32\Perflib_Perfdata_24c.dat Object is locked skipped
C:\WINNT\system32\wbem\Repository\CIM.REP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.


Still a couple of bits there I see.

Look forward to your reply.

Cheers Adrian
djade80 is offline  
Old 11-27-2006, 03:29 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,560
OS: 2000 Pro; XP Pro; XP Home


Some remnants of multiple infections... odd to me that AVG AS did not pull a couple of those out.

Please do this:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following if they exist:

C:\Program Files\Common Files\{74D1919C-06FC-1033-0708-02061902002c}
C:\stl32.exe
C:\WINNT\system32\mc-110-12-0000144.exe


If they resist deletion, boot to safe mode and delete from there.

---------------------------------------------------------------------------------------------
  1. Download combofix.exe to your desktop.
  2. Double click on combofix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply with a new HJT log
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
tetonbob is offline  
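
The triage step behind the post above (setting aside the "Object is locked" lines in the Kaspersky report and pulling out the "Infected:" entries) can be scripted. This is an added example, not part of the original thread: the function names and the roll-up of a file inside a GUID-named folder to that folder are assumptions made here, and the embedded sample is an excerpt of the report posted earlier in the thread.

```python
import ntpath
import re
from collections import defaultdict

# Excerpt of the Kaspersky Online Scanner report posted in the thread
# (locked-file lines trimmed to three; all four "Infected:" lines kept).
REPORT = r"""
Scan Statistics:
Total number of scanned objects: 47148
Number of viruses found: 3
Number of infected objects: 4 / 0
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\ade\NTUSER.DAT Object is locked skipped
C:\Program Files\Common Files\{74D1919C-06FC-1033-0708-02061902002c}\system.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Program Files\Common Files\{74D1919C-06FD-1033-0708-02061902002c}\system.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\debug.log Object is locked skipped
C:\stl32.exe Infected: Trojan-Proxy.Win32.Agent.by skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\mc-110-12-0000144.exe Infected: Trojan-Downloader.Win32.Agent.bca skipped
"""

# Paths contain spaces, so the path is matched lazily up to the status text.
ENTRY = re.compile(
    r"(?P<path>[A-Za-z]:\\.*?) "
    r"(?:Infected: (?P<name>\S+)|(?P<locked>Object is locked)) "
    r"(?P<action>\w+)"
)
GUID_DIR = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_report(text):
    """Split the report into summary stats, infected entries and locked files."""
    stats, infected, locked = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"Number of viruses found: (\d+)", line)
        if m:
            stats["viruses"] = int(m.group(1))
            continue
        m = re.match(r"Number of infected objects: (\d+)", line)
        if m:
            stats["infected_objects"] = int(m.group(1))
            continue
        m = ENTRY.fullmatch(line)
        if not m:
            continue  # headers, blank lines, anything that is not a result row
        if m.group("name"):
            infected.append((m.group("path"), m.group("name"), m.group("action")))
        else:
            # Locked files were not scanned; they are not detections.
            locked.append(m.group("path"))
    return {"stats": stats, "infected": infected, "locked": locked}


def by_detection(report):
    """Group infected paths under their detection name."""
    groups = defaultdict(list)
    for path, name, _ in report["infected"]:
        groups[name].append(path)
    return dict(groups)


def counts_match(report):
    """Check parsed rows against the report's own summary, to catch a
    truncated paste or a parsing miss."""
    names = {name for _, name, _ in report["infected"]}
    stats = report["stats"]
    return (stats.get("viruses") == len(names)
            and stats.get("infected_objects") == len(report["infected"]))


def review_targets(report):
    """Items to review: the file itself, or its parent folder when that
    folder is GUID-named (heuristic assumed for this example)."""
    targets = set()
    for path, _, _ in report["infected"]:
        parent = ntpath.dirname(path)
        if GUID_DIR.fullmatch(ntpath.basename(parent)):
            targets.add(parent)
        else:
            targets.add(path)
    return sorted(targets)


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    print("summary consistent:", counts_match(parsed))
    for name, paths in by_detection(parsed).items():
        print(name)
        for p in paths:
            print("   ", p)
    print("locked (not scanned):", len(parsed["locked"]))
    for target in review_targets(parsed):
        print("review:", target)
```
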
Old 11-28-2006, 10:58 AM   #17 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 13
OS: NT


Hi there,

Right, here we go with ComboFix and HJT report logs

ade - Tue 28/11/2006 18:48:44.76 Service Pack 4
ComboFix 06.11.28W - Running from: "C:\Documents and Settings\ade\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\hosts
C:\Program Files\Inetget2
C:\Program Files\Common Files\{34D1919C-06FC-1033-0708-02061902002c}
C:\Program Files\Common Files\{34D1919C-06FD-1033-0708-02061902002c}
C:\Program Files\Common Files\{74D1919C-06FD-1033-0708-02061902002c}


((((((((((((((((((((((((((((((( Files Created from 2006-10-28 to 2006-11-28 ))))))))))))))))))))))))))))))))))


2006-11-27 21:52 <DIR> d-------- C:\Program Files\Poker.com
2006-11-27 20:55 <DIR> d-------- C:\Program Files\CasinoOnNet
2006-11-27 20:28 <DIR> d-------- C:\WINNT\PlayerStats
2006-11-27 20:28 <DIR> d-------- C:\Documents and Settings\ade\Application Data\djade
2006-11-26 23:23 <DIR> d-------- C:\Program Files\CleanUp!
2006-11-26 23:15 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2006-11-26 23:14 <DIR> d-------- C:\Program Files\Grisoft
2006-11-26 11:32 <DIR> d-------- C:\WINNT\system32\ActiveScan
2006-11-26 11:13 <DIR> d-------- C:\fixwareout
2006-11-25 21:56 225,280 --a------ C:\WINNT\system32\wmpdxm.dll
2006-11-25 21:56 20,480 --a------ C:\WINNT\system32\wmpui.dll
2006-11-25 21:56 20,480 --a------ C:\WINNT\system32\wmpcore.dll
2006-11-25 21:56 20,480 --a------ C:\WINNT\system32\wmpcd.dll
2006-11-25 21:56 2,940,928 --a------ C:\WINNT\system32\wmploc.dll
2006-11-25 21:56 <DIR> d-------- C:\Program Files\Common Files\Adaptec Shared
2006-11-25 19:53 <DIR> d-------- C:\SDFix
2006-11-25 11:13 <DIR> d-------- C:\Program Files\HijackThis
2006-11-25 03:04 <DIR> d--h-c--- C:\WINNT\$SQLUninstallMDAC25SP3-KB911562-x86-ENU$
2006-11-25 03:01 <DIR> d-------- C:\WINNT\mui
2006-11-24 20:02 840,976 --a------ C:\WINNT\system32\mmcndmgr.dll
2006-11-24 19:43 <DIR> d-------- C:\WINNT\system32\BITS
2006-11-24 19:40 <DIR> d-------- C:\Program Files\AutoPatcher 2K
2006-11-24 19:36 127,208 --a------ C:\WINNT\system32\mucltui.dll
2006-11-24 19:35 18,200 --a------ C:\WINNT\system32\wups2.dll
2006-11-24 19:34 465,176 --a------ C:\WINNT\system32\wuapi.dll
2006-11-24 19:34 41,240 --a------ C:\WINNT\system32\wups.dll
2006-11-24 19:34 194,328 --a------ C:\WINNT\system32\wuaueng1.dll
2006-11-24 19:34 172,312 --a------ C:\WINNT\system32\wuauclt1.exe
2006-11-24 19:34 127,256 --a------ C:\WINNT\system32\wucltui.dll
2006-11-24 19:31 <DIR> d-------- C:\WINNT\ime
2006-11-24 19:24 <DIR> d-------- C:\WINNT\system32\ie_de
2006-11-24 19:24 <DIR> d-------- C:\WINNT\system32\CertSrv
2006-11-24 19:24 <DIR> d-------- C:\WINNT\ServicePackFiles
2006-11-24 19:22 3,856 --------- C:\WINNT\system32\SVCPACK1.DLL
2006-11-24 19:19 977,680 --a------ C:\WINNT\system32\vfpodbc.dll
2006-11-24 19:19 92,432 --a------ C:\WINNT\system32\xactsrv.dll
2006-11-24 19:19 83,888 --a------ C:\WINNT\system32\vga.dll
2006-11-24 19:19 8,464 --a------ C:\WINNT\system32\wshirda.dll
2006-11-24 19:19 79,120 --a------ C:\WINNT\system32\winscard.dll
2006-11-24 19:19 74,512 --a------ C:\WINNT\system32\wmicore.dll
2006-11-24 19:19 69,904 --a------ C:\WINNT\system32\ws2_32.dll
2006-11-24 19:19 59,152 --a------ C:\WINNT\system32\winfax.dll
2006-11-24 19:19 57,616 --a------ C:\WINNT\system32\wlnotify.dll
2006-11-24 19:19 57,104 --a------ C:\WINNT\system32\w32tm.exe
2006-11-24 19:19 51,472 --a------ C:\WINNT\system32\w32time.dll
2006-11-24 19:19 49,776 --------- C:\WINNT\system32\drivers\usbhub20.sys
2006-11-24 19:19 42,768 --a------ C:\WINNT\system32\webhits.dll
2006-11-24 19:19 403,216 --a------ C:\WINNT\system32\USER32.DLL
2006-11-24 19:19 4,368 --a------ C:\WINNT\system32\winver.exe
2006-11-24 19:19 39,696 --a------ C:\WINNT\system32\wsnmp32.dll
2006-11-24 19:19 39,184 --a------ C:\WINNT\system32\winsta.dll
2006-11-24 19:19 389,904 --a------ C:\WINNT\system32\USERENV.DLL
2006-11-24 19:19 315,664 --a------ C:\WINNT\system32\usp10.dll
2006-11-24 19:19 30,749 --a------ C:\WINNT\system32\vbajet32.dll
2006-11-24 19:19 29,968 --a------ C:\WINNT\system32\wpnpinst.exe
2006-11-24 19:19 28,400 --a------ C:\WINNT\system32\wupdinfo.dll
2006-11-24 19:19 270,608 --a------ C:\WINNT\winhlp32.exe
2006-11-24 19:19 26,384 --a------ C:\WINNT\system32\utildll.dll
2006-11-24 19:19 240,912 --a------ C:\WINNT\system32\wow32.dll
2006-11-24 19:19 24,848 --a------ C:\WINNT\system32\spdwnw2k.exe
2006-11-24 19:19 239,376 --a------ C:\WINNT\system32\winsmon.dll
2006-11-24 19:19 22,800 --a------ C:\WINNT\system32\utilman.exe
2006-11-24 19:19 22,752 --a------ C:\WINNT\system32\spupdsvc.exe
2006-11-24 19:19 21,776 --a------ C:\WINNT\system32\wsock32.dll
2006-11-24 19:19 21,776 --------- C:\WINNT\system32\spupdw2k.exe
2006-11-24 19:19 193,296 --a------ C:\WINNT\winrep.exe
2006-11-24 19:19 19,728 --------- C:\WINNT\system32\drivers\usbehci.sys
2006-11-24 19:19 181,008 --a------ C:\WINNT\system32\WINLOGON.EXE
2006-11-24 19:19 172,664 --a------ C:\WINNT\system32\XENROLL.DLL
2006-11-24 19:19 17,680 --a------ C:\WINNT\system32\wshtcpip.dll
2006-11-24 19:19 166,160 --a------ C:\WINNT\system32\WINTRUST.DLL
2006-11-24 19:19 162,064 --a------ C:\WINNT\system32\WLDAP32.DLL
2006-11-24 19:19 16,144 --a------ C:\WINNT\system32\version.dll
2006-11-24 19:19 155,920 --a------ C:\WINNT\system32\wavemsp.dll
2006-11-24 19:19 138,288 --------- C:\WINNT\system32\drivers\usbport.sys
2006-11-24 19:19 11,536 --a------ C:\WINNT\system32\usbmon.dll
2006-11-24 19:19 10,000 --a------ C:\WINNT\system32\wshatm.dll
2006-11-24 19:18 971,024 --a------ C:\WINNT\system32\sfcfiles.dll
2006-11-24 19:18 97,040 --a------ C:\WINNT\system32\rtm.dll
2006-11-24 19:18 95,024 --a------ C:\WINNT\system32\sfc.dll
2006-11-24 19:18 90,384 --a------ C:\WINNT\system32\trkwks.dll
2006-11-24 19:18 87,312 --a------ C:\WINNT\system32\TASKMGR.EXE
2006-11-24 19:18 85,776 --a------ C:\WINNT\system32\smlogsvc.exe
2006-11-24 19:18 81,168 --a------ C:\WINNT\system32\stobject.dll
2006-11-24 19:18 80,144 --a------ C:\WINNT\system32\telnet.exe
2006-11-24 19:18 77,584 --a------ C:\WINNT\system32\scripto.dll
2006-11-24 19:18 77,072 --a------ C:\WINNT\system32\rsvpsp.dll
2006-11-24 19:18 73,488 --a------ C:\WINNT\regedit.exe
2006-11-24 19:18 7,440 --a------ C:\WINNT\system32\svcpack.dll
2006-11-24 19:18 7,440 --a------ C:\WINNT\system32\sensapi.dll
2006-11-24 19:18 69,392 --a------ C:\WINNT\system32\shim.dll
2006-11-24 19:18 68,368 --a------ C:\WINNT\system32\unimdmat.dll
2006-11-24 19:18 68,368 --a------ C:\WINNT\system32\regsvc.exe
2006-11-24 19:18 65,601 --a------ C:\WINNT\system32\servdeps.dll
2006-11-24 19:18 63,248 --a------ C:\WINNT\system32\RASSCRPT.DLL
2006-11-24 19:18 62,736 --a------ C:\WINNT\system32\sstext3d.scr
2006-11-24 19:18 61,712 --a------ C:\WINNT\system32\stisvc.exe
2006-11-24 19:18 60,688 --a------ C:\WINNT\system32\RASCHAP.DLL
2006-11-24 19:18 6,928 --a------ C:\WINNT\system32\skdll.dll
2006-11-24 19:18 55,056 --a------ C:\WINNT\system32\tlntsess.exe
2006-11-24 19:18 524,560 --a------ C:\WINNT\system32\sqlsrv32.dll
2006-11-24 19:18 49,424 --a------ C:\WINNT\system32\sqlwoa.dll
2006-11-24 19:18 48,912 --a------ C:\WINNT\system32\secur32.dll
2006-11-24 19:18 48,200 --------- C:\WINNT\system32\scrdx86.dll
2006-11-24 19:18 48,200 --------- C:\WINNT\system32\scrdenrl.dll
2006-11-24 19:18 47,888 --a------ C:\WINNT\system32\ssbezier.scr
2006-11-24 19:18 45,840 --a------ C:\WINNT\system32\skeys.exe
2006-11-24 19:18 44,816 --a------ C:\WINNT\system32\rsm.exe
2006-11-24 19:18 431,888 --a------ C:\WINNT\system32\riched20.dll
2006-11-24 19:18 419,600 --a------ C:\WINNT\system32\ssmaze.scr
2006-11-24 19:18 41,744 --a------ C:\WINNT\system32\tcpmon.dll
2006-11-24 19:18 41,744 --a------ C:\WINNT\system32\sti.dll
2006-11-24 19:18 41,744 --a------ C:\WINNT\system32\ssflwbox.scr
2006-11-24 19:18 40,720 --a------ C:\WINNT\system32\RESUTILS.DLL
2006-11-24 19:18 38,672 --a------ C:\WINNT\system32\ssmarque.scr
2006-11-24 19:18 38,160 --a------ C:\WINNT\system32\sens.dll
2006-11-24 19:18 375,568 --a------ C:\WINNT\system32\tapi3.dll
2006-11-24 19:18 36,624 --a------ C:\WINNT\system32\ssmyst.scr
2006-11-24 19:18 36,624 --a------ C:\WINNT\system32\RNR20.DLL
2006-11-24 19:18 36,112 --a------ C:\WINNT\system32\regapi.dll
2006-11-24 19:18 35,600 --a------ C:\WINNT\system32\storprop.dll
2006-11-24 19:18 33,552 --a------ C:\WINNT\system32\shmgrate.exe
2006-11-24 19:18 33,040 --a------ C:\WINNT\system32\ssstars.scr
2006-11-24 19:18 31,504 --a------ C:\WINNT\system32\traffic.dll
2006-11-24 19:18 285,456 --a------ C:\WINNT\system32\smlogcfg.dll
2006-11-24 19:18 28,432 --a------ C:\WINNT\system32\scrnsave.scr
2006-11-24 19:18 27,920 --a------ C:\WINNT\system32\umandlg.dll
2006-11-24 19:18 254,736 --a------ C:\WINNT\system32\scesrv.dll
2006-11-24 19:18 25,360 --a------ C:\WINNT\system32\rsfsaps.dll
2006-11-24 19:18 25,360 --a------ C:\WINNT\system32\rapilib.dll
2006-11-24 19:18 246,544 --a------ C:\WINNT\system32\strmdll.dll
2006-11-24 19:18 24,848 --a------ C:\WINNT\system32\sqlwid.dll
2006-11-24 19:18 24,336 --a------ C:\WINNT\system32\rpcns4.dll
2006-11-24 19:18 22,800 --a------ C:\WINNT\system32\routeext.dll
2006-11-24 19:18 214,288 --a------ C:\WINNT\system32\snmpsnap.dll
2006-11-24 19:18 21,264 --a------ C:\WINNT\system32\stimon.exe
2006-11-24 19:18 20,752 --a------ C:\WINNT\system32\sclgntfy.dll
2006-11-24 19:18 198,928 --a------ C:\WINNT\system32\rasppp.dll
2006-11-24 19:18 187,664 --a------ C:\WINNT\system32\thumbvw.dll
2006-11-24 19:18 187,024 --a------ C:\WINNT\system32\spcmdcon.sys
2006-11-24 19:18 186,128 --a------ C:\WINNT\system32\tlntsvr.exe
2006-11-24 19:18 176,912 --a------ C:\WINNT\system32\rsvp.exe
2006-11-24 19:18 17,680 --a------ C:\WINNT\system32\tftp.exe
2006-11-24 19:18 17,680 --a------ C:\WINNT\system32\SNMPAPI.DLL
2006-11-24 19:18 17,168 --a------ C:\WINNT\system32\seclogon.dll
2006-11-24 19:18 17,168 --a------ C:\WINNT\system32\secedit.exe
2006-11-24 19:18 154,896 --a------ C:\WINNT\system32\rasmontr.dll
2006-11-24 19:18 15,120 --a------ C:\WINNT\system32\sisbkup.dll
2006-11-24 19:18 14,608 --a------ C:\WINNT\system32\uniplat.dll
2006-11-24 19:18 14,608 --a------ C:\WINNT\system32\RASSAPI.DLL
2006-11-24 19:18 14,096 --a------ C:\WINNT\system32\rsh.exe
2006-11-24 19:18 139,536 --a------ C:\WINNT\system32\regedt32.exe
2006-11-24 19:18 138,000 --a------ C:\WINNT\system32\ss3dfo.scr


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))




(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"C-Media Mixer"="C:\\Program Files\\PCI Audio Applications\\Mixer.exe /startup"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"SoundMan"="SOUNDMAN.EXE"
"EPSON Stylus C42 Series"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C42 Series\" /O6 \"USB001\" /M \"Stylus C42\""
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"LoadQM"="loadqm.exe"
"msnappau"="\"C:\\Program Files\\MSN Apps\\Updater\\01.03.0000.1005\\en-gb\\msnappau.exe\""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"NWEReboot"=""
"NeroFilterCheck"="C:\\WINNT\\System32\\NeroCheck.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1136147225\\ee\\AOLHostManager.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{74D1919C-06FC-1033-0708-02061902002c}"="\"C:\\Program Files\\Common Files\\{74D1919C-06FC-1033-0708-02061902002c}\\Update.exe\" mc-110-12-0000144"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061125-200323-795
O1 - Hosts: 64.124.166.37 www.kazzalite.com
backup-20061125-200323-127
O1 - Hosts: 64.124.166.37 kazaalite.com
backup-20061125-200323-313
O1 - Hosts: 64.124.166.37 www.k-lite.com
backup-20061125-200323-788
O1 - Hosts: 64.124.166.37 k-lite.com
backup-20061125-200323-312
O1 - Hosts: 64.124.166.37 www.klite.com
backup-20061125-200323-393
O1 - Hosts: 66.38.215.115 www.suprnova.com
backup-20061125-200323-668
O1 - Hosts: 64.124.166.37 klite.com
backup-20061125-200323-355
O1 - Hosts: 66.38.215.115 suprnova.com
backup-20061125-200323-518
O1 - Hosts: 66.38.215.115 www.emule.com
backup-20061125-200323-524
O1 - Hosts: 66.38.215.115 www.edonkey.com
backup-20061125-200323-995
O1 - Hosts: 66.38.215.115 emule.com
backup-20061125-200323-844
O1 - Hosts: 66.38.215.115 kaaza.com
backup-20061125-200323-107
O1 - Hosts: 66.38.215.115 kahza.com
backup-20061125-200323-769
O1 - Hosts: 66.38.215.115 edonkey.com
backup-20061125-200323-908
O1 - Hosts: 66.38.215.115 www.kaaza.com
backup-20061125-200323-776
O1 - Hosts: 66.38.215.115 www.kahza.com
backup-20061125-200323-812
O1 - Hosts: 66.38.215.115 kaza.com
backup-20061125-200323-207
O1 - Hosts: 66.38.215.115 www.kaza.com
backup-20061125-200323-381
O1 - Hosts: 205.238.40.1 winmx.com
backup-20061125-200323-298
O1 - Hosts: 66.38.215.115 www.kazza.com
Completion time: Tue 2006-11-28 18:52:38.30
C:\ComboFix.txt ... 06-11-28 18:52



ade - Tue 28/11/2006 18:48:44.76 Service Pack 4
ComboFix 06.11.28W - Running from: "C:\Documents and Settings\ade\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\hosts
C:\Program Files\Inetget2
C:\Program Files\Common Files\{34D1919C-06FC-1033-0708-02061902002c}
C:\Program Files\Common Files\{34D1919C-06FD-1033-0708-02061902002c}
C:\Program Files\Common Files\{74D1919C-06FD-1033-0708-02061902002c}


((((((((((((((((((((((((((((((( Files Created from 2006-10-28 to 2006-11-28 ))))))))))))))))))))))))))))))))))


2006-11-24 19:10 122,368 --a------ C:\WINNT\system32\dmdskres.dll
2006-11-24 19:10 120,592 --a------ C:\WINNT\system32\appmgmts.dll
2006-11-24 19:10 12,048 --a------ C:\WINNT\system32\dmserver.dll
2006-11-24 19:10 113,936 --a------ C:\WINNT\system32\DCOMCNFG.EXE
2006-11-24 19:10 112,400 --a------ C:\WINNT\system32\adsnw.dll
2006-11-24 19:10 110,864 --a------ C:\WINNT\system32\dsuiext.dll
2006-11-24 19:10 101,136 --a------ C:\WINNT\system32\cscdll.dll
2006-11-24 19:10 10,512 --a------ C:\WINNT\system32\dmremote.exe
2006-11-24 19:01 <DIR> d-------- C:\Program Files\Kerio
2006-11-24 18:59 <DIR> d-a------ C:\WUTemp
2006-11-24 18:52 <DIR> d-------- C:\Documents and Settings\ade\Application Data\Mozilla
2006-11-24 18:51 <DIR> d-ah----- C:\Program Files\WindowsUpdate
2006-11-24 18:51 <DIR> d-------- C:\Program Files\Mozilla Firefox
2006-11-24 18:43 <DIR> d-------- C:\WINNT\SoftwareDistribution
2006-11-24 18:07 90,112 --a------ C:\WINNT\system32\AVASTSS.scr
2006-11-24 18:07 87,424 --a------ C:\WINNT\system32\drivers\aswmon2.sys
2006-11-24 18:07 85,952 --a------ C:\WINNT\system32\drivers\aswmon.sys
2006-11-24 18:07 666,240 --a------ C:\WINNT\system32\aswBoot.exe
2006-11-24 18:07 36,176 --a------ C:\WINNT\system32\drivers\aswTdi.sys
2006-11-24 18:07 24,560 --a------ C:\WINNT\system32\drivers\aavmker4.sys
2006-11-24 18:07 16,352 --a------ C:\WINNT\system32\drivers\aswRdr.sys
2006-11-24 18:07 <DIR> d-------- C:\Program Files\Alwil Software
2006-11-22 22:22 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2006-11-22 20:19 <DIR> d-------- C:\Secrurity
2006-11-21 19:18 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\ZILLAbar
2006-11-21 19:18 <DIR> d-------- C:\Program Files\Common Files\iS3
2006-11-21 19:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2006-11-21 18:56 <DIR> d-------- C:\WINNT\BDOSCAN8
2006-11-20 23:52 70,688 --a------ C:\WINNT\system32\drivers\alcaudsl.sys
2006-11-20 23:52 53,600 --a------ C:\WINNT\system32\drivers\alcan5wn.sys
2006-11-20 23:52 5,606 --a------ C:\WINNT\system32\stci.dll
2006-11-20 23:52 5,280 --a------ C:\WINNT\system32\drivers\alcawh.sys
2006-11-20 23:52 3,968 --a------ C:\WINNT\system32\drivers\alcacr.sys
2006-11-20 23:52 <DIR> d-------- C:\Program Files\Thomson
2006-11-20 23:49 <DIR> d-a------ C:\WINNT\system32\appmgmt
2006-11-06 21:14 63,488 --a------ C:\WINNT\system32\CNDPTPC.dll
2006-11-06 21:14 117,760 --a------ C:\WINNT\system32\CNDPTPU.dll
2006-11-06 21:12 <DIR> d-------- C:\Program Files\Common Files\Canon
2006-11-06 21:12 <DIR> d-------- C:\Program Files\Canon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))




(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"C-Media Mixer"="C:\\Program Files\\PCI Audio Applications\\Mixer.exe /startup"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"SoundMan"="SOUNDMAN.EXE"
"EPSON Stylus C42 Series"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C42 Series\" /O6 \"USB001\" /M \"Stylus C42\""
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"LoadQM"="loadqm.exe"
"msnappau"="\"C:\\Program Files\\MSN Apps\\Updater\\01.03.0000.1005\\en-gb\\msnappau.exe\""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"NWEReboot"=""
"NeroFilterCheck"="C:\\WINNT\\System32\\NeroCheck.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1136147225\\ee\\AOLHostManager.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{74D1919C-06FC-1033-0708-02061902002c}"="\"C:\\Program Files\\Common Files\\{74D1919C-06FC-1033-0708-02061902002c}\\Update.exe\" mc-110-12-0000144"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Completion time: Tue 2006-11-28 18:52:38.30
C:\ComboFix.txt ... 06-11-28 18:52


Thanks Again - Adrian
djade80 is offline  
Old 11-28-2006, 12:38 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,560
OS: 2000 Pro; XP Pro; XP Home


Hi Adrian -

Some other parts of these nasties have been revealed, and other questions raised. We're nearly done, but I have another tool for you to run, and need some more information.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with this yet!

---------------------------------------------------------------------------------------------


Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

Quote:
REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{74D1919C-06FC-1033-0708-02061902002c}"=-


Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------


Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Beside the scriptline to execute field click the folder icon and select alcanshorty.bfu by double clicking on it.
  • Press Execute and let it do its job. (You ought to see a blue progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal windows.

---------------------------------------------------------------------------------------------


Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Create an uninstall list:

With HiJackThis still open
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the List from the notepad file into your post

---------------------------------------------------------------------------------------------

Please return with results from:

HJT
Uninstall list
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
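
The delete.reg step in the post above, as an added example that is not part of the original thread: a Python script that reads registry-export text like the "Reg Loading Points" section of the log, lists the string values under Run/RunOnce keys, flags any whose command path runs from a GUID-named folder, and writes the matching REGEDIT4 deletion file. The GUID-folder heuristic and all function names are assumptions made for this illustration, not the helper's stated criteria; the sample input is excerpted from the log quoted earlier in the thread.

```python
import re
from collections import OrderedDict

# Lines excerpted from the "Reg Loading Points" export quoted in the thread.
SAMPLE_EXPORT = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{74D1919C-06FC-1033-0708-02061902002c}"="\"C:\\Program Files\\Common Files\\{74D1919C-06FC-1033-0708-02061902002c}\\Update.exe\" mc-110-12-0000144"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# Only "name"="data" string values are parsed; dword:/hex: values are skipped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# A path component that is a brace-wrapped GUID, e.g. ...\{xxxxxxxx-...}\...
# Assumption: used here as a triage hint only; legitimate installers also
# create GUID-named folders, so a hit means "look closer", not "malicious".
GUID_DIR_RE = re.compile(
    r'\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\\')
AUTORUN_LEAVES = {"run", "runonce"}


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)


def _escape(s):
    """Apply .reg string escaping to a value name."""
    return s.replace('\\', '\\\\').replace('"', '\\"')


def parse_export(text):
    """Return (key, value_name, data) tuples for every string value."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def autoruns(entries):
    """Keep values whose key's last component is Run or RunOnce."""
    return [e for e in entries
            if e[0].rsplit('\\', 1)[-1].lower() in AUTORUN_LEAVES]


def suspicious(entries):
    """Keep values whose command line runs from a GUID-named folder."""
    return [e for e in entries if GUID_DIR_RE.search(e[2])]


def build_delete_reg(entries):
    """Build REGEDIT4 text that deletes each listed value ("name"=-)."""
    by_key = OrderedDict()
    for key, name, _ in entries:
        by_key.setdefault(key, []).append(name)
    out = ["REGEDIT4"]
    for key, names in by_key.items():
        out.append("")
        out.append("[%s]" % key)
        out.extend('"%s"=-' % _escape(n) for n in names)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    flagged = suspicious(autoruns(parse_export(SAMPLE_EXPORT)))
    for key, name, data in flagged:
        print(key, name, data, sep="\n  ")
    print(build_delete_reg(flagged))
```

Review the flagged list by hand before merging any generated file; on the sample input the output matches the delete.reg text given in the post.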
Old 11-29-2006, 11:22 AM   #19 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 13
OS: NT


Hi there,

I have downloaded the BFU files and Alcra files fine.

When I copy & paste your Quote, I cannot get it to save as "delete.reg".

I am using Windows NT. Do I copy and paste to a text doc, but then how do I run the file?

Many thanks

Adrian
djade80 is offline  
Old 11-29-2006, 05:28 PM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,560
OS: 2000 Pro; XP Pro; XP Home


From your log, you are using Windows 2000, which is NT based, yes, but not Windows NT.

You should be able to simply save that data in a notepad txt file, save it as "delete.reg" inclusive of the quotes and it should then look like the image I posted. You would then simply double click on it to merge it into the registry.

Let's make it easier on you though...

I have attached a file to this post - Adrian.zip. Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.

Last edited by tetonbob; 10-17-2007 at 07:46 PM.
 






All times are GMT -7.



Copyright 2001 - 2009, Tech Support Forum