Old 01-23-2007, 01:30 AM   #1 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 5
OS: WindowsXP


CTF Loader Pop up

Greetings and thank you in advance for taking the time to evaluate this for me. I'm currently having a problem with a CTF pop-up window in which a bogus (I'm assuming) Windows security alert is given stating that the "registry is corrupted". This usually pops up upon start-up and then again several minutes later. If I close the box it will eventually pop up again. Other than that, my machine seems to have become very susceptible to various spyware/adware/viruses (Avenue A, Inc., Double Click, MediaPlex, Zedo, Zlob.VAXcodec, Downloader.Busky, Downloader.Purityscan.cd, TrojanhorseGENERIC... to name a few) which, after being fixed with Adaware, Spybot, and AVG, continue to recur. I have run all three of these anti-malware programs several times in the past few days (in safe mode also), but the problem isn't being corrected completely. I didn't have the Windows SP installed when this started occurring, but I have done so since (SP1). Hopefully this is enough information for you. Here is what the scan revealed:

Logfile of HijackThis v1.99.1
Scan saved at 12:02:50 AM, on 1/23/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cyworld.co.kr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39962B19-8271-6BBD-8E5D-00ACC3CC13EC} - C:\WINDOWS\System32\gniludj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\ Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ctpmon] ctpmon.exe
O4 - HKLM\..\Run: [mqlluwj.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\user\Local Settings\Application Data\mqlluwj.dll",ppykzsc
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: www.cyworld.co.kr
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/...n/AlwaysOn.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1169237783377
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymus.../skcbgmset.cab
O16 - DPF: {CB601488-69CA-4FDB-8041-6557A4EE5684} (musicONManager Class) - http://musicon.co.kr/ack/musicONCtrl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://itraining4x.webex.com/client...ng/ieatgpc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Again...thanks for your time and energy
fincup is offline  
Old 01-23-2007, 01:56 AM   #2 (permalink)
Moderator, Microsoft Support, Happy to support TSF!
 
nickster_uk's Avatar
 
Join Date: Feb 2005
Location: United Kingdom
Posts: 7,043
OS: XP Pro SP3, Windows 7 Ultimate, Ubuntu v8.04

Moving thread to HJT :)
nickster_uk is offline  
Old 01-24-2007, 12:08 PM   #3 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,647
OS: 2000 Pro; XP Pro; XP Home


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

---------------------------------------------------------------------------------------------

I see you have AVG Anti-Spyware already. Please update its definitions, and run a scan where I have placed it in this fix.

Run AVG Anti-Spyware
  • From the main screen, click on update, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful"), select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
  • Exit AVG Anti-Spyware. DO NOT scan yet.


---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O2 - BHO: (no name) - {39962B19-8271-6BBD-8E5D-00ACC3CC13EC} - C:\WINDOWS\System32\gniludj.dll (file missing)
O4 - HKLM\..\Run: [mqlluwj.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\user\Local Settings\Application Data\mqlluwj.dll",ppykzsc


Close HijackThis now.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete these files if they exist:

C:\WINDOWS\System32\gniludj.dll
C:\Documents and Settings\user\Local Settings\Application Data\mqlluwj.dll



Double-click smitfraudfix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

---------------------------------------------------------------------------------------------

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:
  • "Security Info"
  • "Warning Message"
  • "Security Desktop"
  • "Warning Homepage"
  • "Desktop Uninstall" or something similar
Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Double-click smitfraudfix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan



---------------------------------------------------------------------------------------------
  1. Download combofix.exe to your desktop.
  2. Double click on combofix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


---------------------------------------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Then post the following logs in your next reply...

C:\rapport.txt (log from the tool)
AVG Anti-Spyware log
Panda log
C:\ComboFix.txt
Hijackthis log
tetonbob is offline  
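An added example, not part of the original thread and not the method HijackThis or the helper used: a small Python triage pass over HijackThis O2/O4 lines that surfaces the two entries selected for fixing above, plus the `ctpmon` Run entry whose file SmitFraudFix later reports deleting. The three heuristics, the `KNOWN_BINARIES` list and the `USER_PATH_MARKERS` list are assumptions chosen for illustration; the sample lines are copied from the log posted in this thread.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread (a subset).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {39962B19-8271-6BBD-8E5D-00ACC3CC13EC} - C:\WINDOWS\System32\gniludj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [ctpmon] ctpmon.exe
O4 - HKLM\..\Run: [mqlluwj.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\user\Local Settings\Application Data\mqlluwj.dll",ppykzsc
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
"""

# Assumption: reference names, taken from the "Running processes" list in the same log.
KNOWN_BINARIES = ("ctfmon.exe", "svchost.exe", "winlogon.exe", "lsass.exe",
                  "services.exe", "spoolsv.exe", "explorer.exe", "userinit.exe")
# Assumption: path fragments that mark a per-user, user-writable location.
USER_PATH_MARKERS = ("\\documents and settings\\", "\\users\\")

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: "
                    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss copies of system file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_command(cmd):
    """Split a command line into (first token, remainder), honouring one quoted token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:              # unbalanced quote: treat the rest as the token
            end = len(cmd)
        return cmd[1:end], cmd[end + 1:].strip()
    first, _, rest = cmd.partition(" ")
    return first, rest.strip()


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_bho(m):
    # Heuristic 1: a nameless BHO that is still registered although its DLL is gone.
    if m["name"] == "(no name)" and m["missing"]:
        return "unnamed BHO still registered although its DLL is missing"
    return None


def check_run(m):
    reasons = []
    exe, rest = split_command(m["cmd"])
    name = basename(exe)
    # Heuristic 2: autostart file name one edit away from a known system binary.
    for known in KNOWN_BINARIES:
        if edit_distance(name, known) == 1:
            reasons.append(f"{name} is one character away from {known}")
    # Heuristic 3: rundll32 autostart whose DLL lives under a user profile.
    if name == "rundll32.exe" and rest:
        dll = split_command(rest)[0].split(",")[0].lower()
        if any(marker in dll for marker in USER_PATH_MARKERS):
            reasons.append("rundll32 loads a DLL from a user profile directory")
    return reasons


def triage(log_text):
    """Return (section, reason, line) for every O2/O4 line a heuristic flags."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            reason = check_bho(m)
            if reason:
                findings.append(("O2", reason, line))
            continue
        m = RUN_RE.match(line)
        if m:
            findings.extend(("O4", reason, line) for reason in check_run(m))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

A flagged line is a prompt for review, not a verdict: the Spybot `SDHelper.dll` BHO is also listed as "(no name)" and is correctly left alone because its file exists.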
Old 01-25-2007, 04:15 PM   #4 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 5
OS: WindowsXP


Tbob,

Many thanks for your efforts. I've already noticed a great change after following your instructions. That pop up hasn't appeared at all in the past three hours. Great relief.

Here are the required log reports:

1)

SmitFraudFix v2.135

Scan done at 10:38:04.95, Thu 01/25/2007
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ctpmon.exe Deleted
C:\WINDOWS\system32\RegistryCleanerSetup.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

2)

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:59:24 AM 1/25/2007

+ Scan result:



Nothing found.


::Report end

3) Panda Log

Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt
Potentially unwanted tool:Application/Processor Not disinfected
C:\Documents and Settings\user\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected
C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe
Virus:W32/Detnat.A Disinfected C:\Program Files\NetWaiting\netwaiting.exe
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20070120-014724.backup
Potentially unwanted tool:Application/Processor Not disinfected
C:\WINDOWS\system32\Process.exe

4)

"user" - 07-01-25 14:42:37 Service Pack 1
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\user\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Downloaded Program Files\Temp
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Program Files\DOBE~1
C:\qoobox\purity\Program Files\DOBE~1\DOBE~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-25 to 2007-01-25 ))))))))))))))))))))))))))))))))))


2007-01-22 22:52 17,408 --a------ C:\WINDOWS\system32\psapi.dll
2007-01-22 22:52 169,984 --a------ C:\WINDOWS\system32\sccbase.dll
2007-01-22 22:52 168,448 --a------ C:\WINDOWS\system32\wldap32.dll
2007-01-22 22:52 165,888 --a------ C:\WINDOWS\system32\ntmsdba.dll
2007-01-22 22:52 165,376 --a------ C:\WINDOWS\system32\w32time.dll
2007-01-22 22:52 165,376 --a------ C:\WINDOWS\system32\tapi32.dll
2007-01-22 22:52 164,864 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-22 22:52 16,896 --a------ C:\WINDOWS\system32\snmpapi.dll
2007-01-22 22:52 16,384 --a------ C:\WINDOWS\system32\watchdog.sys
2007-01-22 22:52 16,384 --a------ C:\WINDOWS\system32\ups.exe
2007-01-22 22:52 16,384 --a------ C:\WINDOWS\system32\ping.exe
2007-01-22 22:52 16,384 --a------ C:\WINDOWS\system32\odbc32gt.dll
2007-01-22 22:52 16,384 --a------ C:\WINDOWS\system32\nddenb32.dll
2007-01-22 22:52 159,232 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-01-22 22:52 158,720 --a------ C:\WINDOWS\system32\srsvc.dll
2007-01-22 22:52 155,648 --------- C:\WINDOWS\system32\encdec.dll
2007-01-22 22:52 147,456 --a------ C:\WINDOWS\system32\odbctrac.dll
2007-01-22 22:52 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-01-22 22:52 137,216 --a------ C:\WINDOWS\system32\ntshrui.dll
2007-01-22 22:52 135,680 --a------ C:\WINDOWS\system32\rdchost.dll
2007-01-22 22:52 134,144 --a------ C:\WINDOWS\regedit.exe
2007-01-22 22:52 133,632 --a------ C:\WINDOWS\system32\rsaenh.dll
2007-01-22 22:52 133,120 --a------ C:\WINDOWS\system32\sfc_os.dll
2007-01-22 22:52 130,560 --a------ C:\WINDOWS\system32\sti_ci.dll
2007-01-22 22:52 13,824 --a------ C:\WINDOWS\system32\rassapi.dll
2007-01-22 22:52 13,312 --a------ C:\WINDOWS\system32\ssstars.scr
2007-01-22 22:52 13,056 --------- C:\WINDOWS\system32\drivers\wacompen.sys
2007-01-22 22:52 128,512 --a------ C:\WINDOWS\system32\taskmgr.exe
2007-01-22 22:52 124,928 --a------ C:\WINDOWS\system32\webvw.dll
2007-01-22 22:52 122,880 --a------ C:\WINDOWS\system32\odbcconf.dll
2007-01-22 22:52 120,320 --a------ C:\WINDOWS\system32\upnp.dll
2007-01-22 22:52 12,800 --a------ C:\WINDOWS\system32\runonce.exe
2007-01-22 22:52 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-01-22 22:52 12,288 --a------ C:\WINDOWS\system32\odbcp32r.dll
2007-01-22 22:52 12,288 --------- C:\WINDOWS\system32\encapi.dll
2007-01-22 22:52 12,047 --------- C:\WINDOWS\system32\drivers\atinpdxx.sys
2007-01-22 22:52 119,808 --a------ C:\WINDOWS\system32\wiadss.dll
2007-01-22 22:52 118,784 --a------ C:\WINDOWS\system32\wmsdmoe.dll
2007-01-22 22:52 117,760 --a------ C:\WINDOWS\system32\stobject.dll
2007-01-22 22:52 115,200 --a------ C:\WINDOWS\system32\net1.exe
2007-01-22 22:52 112,128 --a------ C:\WINDOWS\system32\ntmarta.dll
2007-01-22 22:52 110,080 --------- C:\WINDOWS\system32\sbeio.dll
2007-01-22 22:52 11,904 --------- C:\WINDOWS\system32\drivers\mutohpen.sys
2007-01-22 22:52 11,776 --a------ C:\WINDOWS\system32\sigtab.dll
2007-01-22 22:52 11,615 --------- C:\WINDOWS\system32\drivers\atinmdxx.sys
2007-01-22 22:52 109,568 --a------ C:\WINDOWS\system32\offfilt.dll
2007-01-22 22:52 106,496 --a------ C:\WINDOWS\system32\url.dll
2007-01-22 22:52 105,984 --a------ C:\WINDOWS\system32\netdde.exe
2007-01-22 22:52 10,752 --a------ C:\WINDOWS\system32\tracert.exe
2007-01-22 22:52 1,677,312 --------- C:\WINDOWS\system32\wmvcore2.dll
2007-01-22 22:52 1,622,528 --a------ C:\WINDOWS\system32\netshell.dll
2007-01-22 22:52 1,350,144 --a------ C:\WINDOWS\system32\query.dll
2007-01-22 22:52 1,158,656 --a------ C:\WINDOWS\system32\quartz.dll
2007-01-22 22:52 1,157,632 --a------ C:\WINDOWS\system32\sfcfiles.dll
2007-01-22 22:51 91,648 --------- C:\WINDOWS\system32\iuctl.dll
2007-01-22 22:51 91,136 --a------ C:\WINDOWS\system32\MSOERT2.DLL
2007-01-22 22:51 9,728 --a------ C:\WINDOWS\system32\mstinit.exe
2007-01-22 22:51 88,576 --a------ C:\WINDOWS\system32\mqsec.dll
2007-01-22 22:51 73,728 --a------ C:\WINDOWS\system32\tlntsess.exe
2007-01-22 22:51 7,168 --a------ C:\WINDOWS\system32\tlntsvrp.dll
2007-01-22 22:51 7,040 --a------ C:\WINDOWS\system32\kd1394.dll
2007-01-22 22:51 699,392 --a------ C:\WINDOWS\system32\msxml2.dll
2007-01-22 22:51 67,584 --a------ C:\WINDOWS\system32\tlntsvr.exe
2007-01-22 22:51 67,584 --a------ C:\WINDOWS\system32\msctfp.dll
2007-01-22 22:51 67,584 --a------ C:\WINDOWS\system32\fdeploy.dll
2007-01-22 22:51 67,456 --a------ C:\WINDOWS\system32\drivers\mqac.sys
2007-01-22 22:51 65,536 --a------ C:\WINDOWS\system32\msconf.dll
2007-01-22 22:51 608,768 --a------ C:\WINDOWS\system32\mqqm.dll
2007-01-22 22:51 598,016 --a------ C:\WINDOWS\system32\mstscax.dll
2007-01-22 22:51 57,856 --a------ C:\WINDOWS\system32\tlntadmn.exe
2007-01-22 22:51 57,856 --a------ C:\WINDOWS\system32\nwwks.dll
2007-01-22 22:51 57,856 --a------ C:\WINDOWS\system32\licwmi.dll
2007-01-22 22:51 56,320 --a------ C:\WINDOWS\system32\mshtmler.dll
2007-01-22 22:51 552,991 --a------ C:\WINDOWS\system32\msrepl40.dll
2007-01-22 22:51 545,792 --a------ C:\WINDOWS\system32\wsecedit.dll
2007-01-22 22:51 512,031 --a------ C:\WINDOWS\system32\msexch40.dll
2007-01-22 22:51 51,712 --a------ C:\WINDOWS\system32\ipconfig.exe
2007-01-22 22:51 504,320 --a------ C:\WINDOWS\system32\logonui.exe
2007-01-22 22:51 49,664 --a------ C:\WINDOWS\system32\ixsso.dll
2007-01-22 22:51 478,720 --a------ C:\WINDOWS\system32\mqsnap.dll
2007-01-22 22:51 467,456 --a------ C:\WINDOWS\system32\mqutil.dll
2007-01-22 22:51 421,919 --a------ C:\WINDOWS\system32\msrd2x40.dll
2007-01-22 22:51 42,537 --a------ C:\WINDOWS\system32\keyboard.sys
2007-01-22 22:51 401,462 --a------ C:\WINDOWS\system32\msvcp60.dll
2007-01-22 22:51 4,608 --a------ C:\WINDOWS\system32\msimg32.dll
2007-01-22 22:51 4,126 --a------ C:\WINDOWS\system32\msdxmlc.dll
2007-01-22 22:51 388,608 --a------ C:\WINDOWS\system32\mstsc.exe
2007-01-22 22:51 381,440 --a------ C:\WINDOWS\system32\lmrt.dll
2007-01-22 22:51 368,710 --a------ C:\WINDOWS\system32\msisam11.dll
2007-01-22 22:51 348,195 --a------ C:\WINDOWS\system32\msjetoledb40.dll
2007-01-22 22:51 348,191 --a------ C:\WINDOWS\system32\mspbde40.dll
2007-01-22 22:51 344,095 --a------ C:\WINDOWS\system32\msxbde40.dll
2007-01-22 22:51 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
2007-01-22 22:51 323,072 --a------ C:\WINDOWS\system32\msvcrt.dll
2007-01-22 22:51 32,256 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-01-22 22:51 319,760 --a------ C:\WINDOWS\system32\msnsspc.dll
2007-01-22 22:51 319,519 --a------ C:\WINDOWS\system32\msexcl40.dll
2007-01-22 22:51 318,464 --a------ C:\WINDOWS\system32\ippromon.dll
2007-01-22 22:51 29,696 --------- C:\WINDOWS\system32\asr_pfu.exe
2007-01-22 22:51 277,504 --a------ C:\WINDOWS\system32\appmgr.dll
2007-01-22 22:51 27,648 --a------ C:\WINDOWS\system32\pidgen.dll
2007-01-22 22:51 266,752 --a------ C:\WINDOWS\system32\msctf.dll
2007-01-22 22:51 253,983 --a------ C:\WINDOWS\system32\mstext40.dll
2007-01-22 22:51 250,368 --a------ C:\WINDOWS\system32\mstask.dll
2007-01-22 22:51 241,725 --a------ C:\WINDOWS\system32\msuni11.dll
2007-01-22 22:51 241,695 --a------ C:\WINDOWS\system32\msjtes40.dll
2007-01-22 22:51 233,472 --a------ C:\WINDOWS\system32\mpg4dmod.dll
2007-01-22 22:51 231,936 --a------ C:\WINDOWS\system32\tracerpt.exe
2007-01-22 22:51 230,400 --a------ C:\WINDOWS\system32\msieftp.dll
2007-01-22 22:51 229,376 --a------ C:\WINDOWS\system32\MSOEACCT.DLL
2007-01-22 22:51 22,528 --a------ C:\WINDOWS\system32\mslbui.dll
2007-01-22 22:51 219,648 --a------ C:\WINDOWS\system32\logon.scr
2007-01-22 22:51 213,023 --a------ C:\WINDOWS\system32\msltus40.dll
2007-01-22 22:51 210,944 --a------ C:\WINDOWS\system32\moricons.dll
2007-01-22 22:51 196,096 --a------ C:\WINDOWS\system32\mobsync.dll
2007-01-22 22:51 192,512 --a------ C:\WINDOWS\system32\mswebdvd.dll
2007-01-22 22:51 19,456 --a------ C:\WINDOWS\system32\licmgr10.dll
2007-01-22 22:51 183,808 --a------ C:\WINDOWS\system32\gptext.dll
2007-01-22 22:51 182,784 --a------ C:\WINDOWS\system32\msutb.dll
2007-01-22 22:51 17,792 --------- C:\WINDOWS\system32\drivers\irbus.sys
2007-01-22 22:51 165,888 --a------ C:\WINDOWS\system32\mqrt.dll
2007-01-22 22:51 164,352 --a------ C:\WINDOWS\system32\mqtrig.dll
2007-01-22 22:51 163,840 --a------ C:\WINDOWS\system32\mindex.dll
2007-01-22 22:51 156,672 --a------ C:\WINDOWS\system32\appmgmts.dll
2007-01-22 22:51 156,544 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2007-01-22 22:51 143,872 --a------ C:\WINDOWS\system32\msimtf.dll
2007-01-22 22:51 14,848 --a------ C:\WINDOWS\system32\mqise.dll
2007-01-22 22:51 131,072 --a------ C:\WINDOWS\system32\msorcl32.dll
2007-01-22 22:51 130,048 --a------ C:\WINDOWS\system32\mqad.dll
2007-01-22 22:51 126,976 --a------ C:\WINDOWS\system32\msdart.dll
2007-01-22 22:51 12,288 --a------ C:\WINDOWS\system32\mscpx32r.dll
2007-01-22 22:51 116,736 --a------ C:\WINDOWS\system32\mplay32.exe
2007-01-22 22:51 115,200 --a------ C:\WINDOWS\system32\dpcdll.dll
2007-01-22 22:51 113,664 --a------ C:\WINDOWS\system32\schtasks.exe
2007-01-22 22:51 113,664 --a------ C:\WINDOWS\system32\msvfw32.dll
2007-01-22 22:51 113,152 --a------ C:\WINDOWS\system32\gpresult.exe
2007-01-22 22:51 103,936 --a------ C:\WINDOWS\system32\rsnotify.exe
2007-01-22 22:51 10,752 --------- C:\WINDOWS\system32\spiisupd.exe
2007-01-22 22:51 10,240 --a------ C:\WINDOWS\system32\msrle32.dll
2007-01-22 22:51 10,240 --a------ C:\WINDOWS\system32\localui.dll
2007-01-22 22:51 1,503,262 --a------ C:\WINDOWS\system32\msjet40.dll
2007-01-22 22:51 1,220,608 --a------ C:\WINDOWS\system32\msvidctl.dll
2007-01-22 22:51 1,128,960 --a------ C:\WINDOWS\system32\mmcndmgr.dll
2007-01-22 22:50 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-01-22 22:50 94,720 --a------ C:\WINDOWS\system32\dmusic.dll
2007-01-22 22:50 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-01-22 22:50 91,136 --a------ C:\WINDOWS\system32\advpack.dll
2007-01-22 22:50 9,216 --a------ C:\WINDOWS\system32\icaapi.dll
2007-01-22 22:50 9,216 --a------ C:\WINDOWS\system32\dumprep.exe
2007-01-22 22:50 802,304 --------- C:\WINDOWS\system32\dxmrtp.dll
2007-01-22 22:50 8,832 --a------ C:\WINDOWS\system32\framebuf.dll
2007-01-22 22:50 8,192 --a------ C:\WINDOWS\system32\autolfn.exe
2007-01-22 22:50 786,432 --a------ C:\WINDOWS\system32\dxdiag.exe
2007-01-22 22:50 77,312 --a------ C:\WINDOWS\system32\dmscript.dll
2007-01-22 22:50 76,288 --a------ C:\WINDOWS\system32\dfrgfat.exe
2007-01-22 22:50 76,288 --a------ C:\WINDOWS\system32\avifil32.dll
2007-01-22 22:50 74,810 --a------ C:\WINDOWS\system32\atl.dll
2007-01-22 22:50 73,728 --a------ C:\WINDOWS\system32\ils.dll
2007-01-22 22:50 71,680 --a------ C:\WINDOWS\system32\browsewm.dll
2007-01-22 22:50 70,656 --a------ C:\WINDOWS\system32\defrag.exe
2007-01-22 22:50 70,144 --a------ C:\WINDOWS\system32\cryptdlg.dll
2007-01-22 22:50 66,560 --a------ C:\WINDOWS\system32\faultrep.dll
2007-01-22 22:50 64,512 --a------ C:\WINDOWS\system32\ciodm.dll
2007-01-22 22:50 62,976 --a------ C:\WINDOWS\system32\browselc.dll
2007-01-22 22:50 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2007-01-22 22:50 61,440 --a------ C:\WINDOWS\system32\dbnetlib.dll
2007-01-22 22:50 6,656 --a------ C:\WINDOWS\system32\batt.dll
2007-01-22 22:50 596,480 --a------ C:\WINDOWS\system32\INETCOMM.DLL
2007-01-22 22:50 59,904 --a------ C:\WINDOWS\system32\cabinet.dll
2007-01-22 22:50 59,392 --a------ C:\WINDOWS\system32\iesetup.dll
2007-01-22 22:50 58,368 --a------ C:\WINDOWS\system32\dpvsetup.exe
2007-01-22 22:50 57,344 --a------ C:\WINDOWS\system32\dmcompos.dll
2007-01-22 22:50 56,320 --a------ C:\WINDOWS\system32\dpnhupnp.dll
2007-01-22 22:50 55,296 --a------ C:\WINDOWS\system32\digest.dll
2007-01-22 22:50 54,272 --a------ C:\WINDOWS\system32\clusapi.dll
2007-01-22 22:50 53,248 --a------ C:\WINDOWS\system32\cryptsvc.dll
2007-01-22 22:50 498,205 --a------ C:\WINDOWS\system32\dxmasf.dll
2007-01-22 22:50 49,664 --a------ C:\WINDOWS\system32\dpwsockx.dll
2007-01-22 22:50 49,152 --a------ C:\WINDOWS\system32\eventlog.dll
2007-01-22 22:50 49,152 --a------ C:\WINDOWS\system32\browser.dll
2007-01-22 22:50 489,984 --a------ C:\WINDOWS\system32\dbghelp.dll
2007-01-22 22:50 471,040 --a------ C:\WINDOWS\system32\cryptui.dll
2007-01-22 22:50 45,568 --a------ C:\WINDOWS\system32\docprop2.dll
2007-01-22 22:50 41,984 --a------ C:\WINDOWS\system32\alg.exe
2007-01-22 22:50 41,472 --a------ C:\WINDOWS\system32\cmdl32.exe
2007-01-22 22:50 380,445 --a------ C:\WINDOWS\system32\expsrv.dll
2007-01-22 22:50 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2007-01-22 22:50 36,922 --a------ C:\WINDOWS\system32\imeshare.dll
2007-01-22 22:50 35,328 --a------ C:\WINDOWS\system32\dfrgsnap.dll
2007-01-22 22:50 324,608 --a------ C:\WINDOWS\system32\cmdial32.dll
2007-01-22 22:50 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-01-22 22:50 32,512 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2007-01-22 22:50 31,744 --a------ C:\WINDOWS\system32\dmloader.dll
2007-01-22 22:50 307,712 --a------ C:\WINDOWS\system32\cscui.dll
2007-01-22 22:50 30,208 --a------ C:\WINDOWS\system32\imgutil.dll
2007-01-22 22:50 294,912 --a------ C:\WINDOWS\system32\iedkcs32.dll
2007-01-22 22:50 29,696 --a------ C:\WINDOWS\system32\dpnhpast.dll
2007-01-22 22:50 28,672 --a------ C:\WINDOWS\system32\ie4uinit.exe
2007-01-22 22:50 28,672 --a------ C:\WINDOWS\system32\dbnmpntw.dll
2007-01-22 22:50 263,680 --a------ C:\WINDOWS\system32\duser.dll
2007-01-22 22:50 263,168 --a------ C:\WINDOWS\system32\devmgr.dll
2007-01-22 22:50 26,112 --a------ C:\WINDOWS\system32\dmband.dll
2007-01-22 22:50 253,440 --a------ C:\WINDOWS\system32\ddraw.dll
2007-01-22 22:50 25,600 --a------ C:\WINDOWS\system32\dfsshlex.dll
2007-01-22 22:50 240,640 --a------ C:\WINDOWS\system32\hnetcfg.dll
2007-01-22 22:50 24,576 --a------ C:\WINDOWS\system32\dbmsvinn.dll
2007-01-22 22:50 24,576 --a------ C:\WINDOWS\system32\dbmsrpcn.dll
2007-01-22 22:50 24,576 --a------ C:\WINDOWS\system32\conime.exe
2007-01-22 22:50 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2007-01-22 22:50 238,592 --a------ C:\WINDOWS\system32\compatui.dll
2007-01-22 22:50 237,056 --a------ C:\WINDOWS\system32\icm32.dll
2007-01-22 22:50 227,840 --a------ C:\WINDOWS\system32\dsquery.dll
2007-01-22 22:50 22,528 --a------ C:\WINDOWS\system32\at.exe
2007-01-22 22:50 206,336 --a------ C:\WINDOWS\system32\dpvoice.dll
2007-01-22 22:50 204,288 --a------ C:\WINDOWS\system32\ieaksie.dll
2007-01-22 22:50 20,480 --a------ C:\WINDOWS\system32\dbmsadsn.dll
2007-01-22 22:50 19,456 --a------ C:\WINDOWS\system32\fontview.exe
2007-01-22 22:50 19,456 --a------ C:\WINDOWS\system32\ersvc.dll
2007-01-22 22:50 186,880 --a------ C:\WINDOWS\system32\certcli.dll
2007-01-22 22:50 180,224 --a------ C:\WINDOWS\system32\dwwin.exe
2007-01-22 22:50 178,688 --a------ C:\WINDOWS\system32\eudcedit.exe
2007-01-22 22:50 172,544 --a------ C:\WINDOWS\system32\dmime.dll
2007-01-22 22:50 168,960 --a------ C:\WINDOWS\system32\dinput8.dll
2007-01-22 22:50 165,376 --a------ C:\WINDOWS\system32\els.dll
2007-01-22 22:50 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2007-01-22 22:50 16,384 --a------ C:\WINDOWS\system32\ds32gt.dll
2007-01-22 22:50 158,720 --a------ C:\WINDOWS\system32\credui.dll
2007-01-22 22:50 156,672 --a------ C:\WINDOWS\system32\dpnet.dll
2007-01-22 22:50 151,552 --a------ C:\WINDOWS\system32\dinput.dll
2007-01-22 22:50 14,366 --------- C:\WINDOWS\system32\asfsipc.dll
2007-01-22 22:50 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2007-01-22 22:50 135,680 --a------ C:\WINDOWS\system32\dsprop.dll
2007-01-22 22:50 13,312 --a------ C:\WINDOWS\system32\ctfmon.exe
2007-01-22 22:50 126,976 --a------ C:\WINDOWS\system32\ieakeng.dll
2007-01-22 22:50 124,928 --a------ C:\WINDOWS\system32\dssenh.dll
2007-01-22 22:50 123,904 --a------ C:\WINDOWS\system32\imapi.exe
2007-01-22 22:50 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2007-01-22 22:50 114,176 --a------ C:\WINDOWS\system32\input.dll
2007-01-22 22:50 113,152 --a------ C:\WINDOWS\system32\idq.dll
2007-01-22 22:50 113,152 --a------ C:\WINDOWS\system32\dfrgui.dll
2007-01-22 22:50 110,080 --a------ C:\WINDOWS\system32\dmstyle.dll
2007-01-22 22:50 103,936 --a------ C:\WINDOWS\system32\imm32.dll
2007-01-22 22:50 103,424 --a------ C:\WINDOWS\system32\dgnet.dll
2007-01-22 22:50 1,180,672 --a------ C:\WINDOWS\system32\d3d8.dll
2007-01-22 22:50 1,004,032 --a------ C:\WINDOWS\explorer.exe
2007-01-22 21:52 <DIR> d-------- C:\Program Files\HijackThis
2007-01-21 03:54 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-01-21 03:54 <DIR> d-------- C:\6fe63139e2c691a2aab9e8963db05375
2007-01-21 01:14 <DIR> d-------- C:\Program Files\ACW
2007-01-20 18:37 <DIR> d-------- C:\Program Files\Panicware
2007-01-20 17:18 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-01-20 17:11 <DIR> d-------- C:\Program Files\Ultimate Cleaner
2007-01-20 16:53 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-01-20 16:53 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-01-20 14:18 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-01-20 14:16 <DIR> d-------- C:\WINDOWS\provisioning
2007-01-20 14:16 <DIR> d-------- C:\WINDOWS\peernet
2007-01-20 14:07 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-01-20 14:06 97,792 --a------ C:\WINDOWS\system32\mqtgsvc.exe
2007-01-20 14:06 755,200 --a------ C:\WINDOWS\system32\ir50_32.dll
2007-01-20 14:06 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-01-20 14:06 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-01-20 14:06 61,440 --a------ C:\WINDOWS\system32\openfiles.exe
2007-01-20 14:06 55,808 --a------ C:\WINDOWS\system32\mqlogmgr.dll
2007-01-20 14:06 55,296 --a------ C:\WINDOWS\system32\logman.exe
2007-01-20 14:06 488,960 --a------ C:\WINDOWS\system32\gpedit.dll
2007-01-20 14:06 47,616 --a------ C:\WINDOWS\system32\eventcreate.exe
2007-01-20 14:06 45,056 --a------ C:\WINDOWS\system32\cipher.exe
2007-01-20 14:06 44,544 --a------ C:\WINDOWS\system32\mqupgrd.dll
2007-01-20 14:06 44,032 --a------ C:\WINDOWS\system32\mqdscli.dll
2007-01-20 14:06 4,608 --a------ C:\WINDOWS\system32\mqsvc.exe
2007-01-20 14:06 361,984 --a------ C:\WINDOWS\system32\qmgr.dll
2007-01-20 14:06 338,432 --a------ C:\WINDOWS\system32\ir41_qcx.dll
2007-01-20 14:06 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2007-01-20 14:06 27,136 --a------ C:\WINDOWS\system32\asr_fmt.exe
2007-01-20 14:06 24,576 --a------ C:\WINDOWS\system32\efsadu.dll
2007-01-20 14:06 23,040 --a------ C:\WINDOWS\system32\proxycfg.exe
2007-01-20 14:06 214,016 --a------ C:\WINDOWS\system32\mqoa.dll
2007-01-20 14:06 200,192 --a------ C:\WINDOWS\system32\ir50_qc.dll
2007-01-20 14:06 183,808 --a------ C:\WINDOWS\system32\ir50_qcx.dll
2007-01-20 14:06 17,408 --a------ C:\WINDOWS\system32\mqbkup.exe
2007-01-20 14:06 16,896 --a------ C:\WINDOWS\system32\secedit.exe
2007-01-20 14:06 120,320 --a------ C:\WINDOWS\system32\ir41_qc.dll
2007-01-20 14:06 115,200 --a------ C:\WINDOWS\system32\mqrtdep.dll
2007-01-20 14:06 1,135,616 --a------ C:\WINDOWS\system32\ntbackup.exe
2007-01-20 14:05 995,384 --a------ C:\WINDOWS\system32\mfc42u.dll
2007-01-20 14:05 995,383 --a------ C:\WINDOWS\system32\mfc42.dll
2007-01-20 14:05 99,840 --a------ C:\WINDOWS\system32\iexpress.exe
2007-01-20 14:05 99,840 --a------ C:\WINDOWS\system32\dmsynth.dll
2007-01-20 14:05 98,304 --a------ C:\WINDOWS\system32\actxprxy.dll
2007-01-20 14:05 92,160 --a------ C:\WINDOWS\system32\krnl386.exe
2007-01-20 14:05 91,648 --a------ C:\WINDOWS\system32\loadperf.dll
2007-01-20 14:05 9,728 --a------ C:\WINDOWS\system32\gpkrsrc.dll
2007-01-20 14:05 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-01-20 14:05 84,992 --a------ C:\WINDOWS\system32\dskquota.dll
2007-01-20 14:05 80,384 --a------ C:\WINDOWS\system32\mciavi32.dll
2007-01-20 14:05 80,384 --a------ C:\WINDOWS\system32\cabview.dll
2007-01-20 14:05 80,128 --a------ C:\WINDOWS\system32\msapsspc.dll
2007-01-20 14:05 8,704 --a------ C:\WINDOWS\system32\lprhelp.dll
2007-01-20 14:05 8,192 --a------ C:\WINDOWS\system32\igmpagnt.dll
2007-01-20 14:05 8,192 --a------ C:\WINDOWS\system32\d3d8thk.dll
2007-01-20 14:05 792,064 --a------ C:\WINDOWS\system32\comres.dll
2007-01-20 14:05 791,040 --a------ C:\WINDOWS\system32\d3dim700.dll
2007-01-20 14:05 79,360 --a------ C:\WINDOWS\system32\mprapi.dll
2007-01-20 14:05 79,360 --a------ C:\WINDOWS\system32\makecab.exe
2007-01-20 14:05 79,360 --a------ C:\WINDOWS\system32\diantz.exe
2007-01-20 14:05 774,144 --a------ C:\WINDOWS\system32\mmc.exe
2007-01-20 14:05 77,824 --a------ C:\WINDOWS\system32\isign32.dll
2007-01-20 14:05 77,824 --a------ C:\WINDOWS\system32\asycfilt.dll
2007-01-20 14:05 7,680 --a------ C:\WINDOWS\system32\dciman32.dll
2007-01-20 14:05 69,632 --a------ C:\WINDOWS\system32\icwdial.dll
2007-01-20 14:05 68,928 --a------ C:\WINDOWS\system32\mmsystem.dll
2007-01-20 14:05 68,928 --a------ C:\WINDOWS\system\mmsystem.dll
2007-01-20 14:05 68,096 --a------ C:\WINDOWS\system32\inetpp.dll
2007-01-20 14:05 67,584 --a------ C:\WINDOWS\system32\magnify.exe
2007-01-20 14:05 67,072 --a------ C:\WINDOWS\system32\msacm32.dll
2007-01-20 14:05 66,560 --a------ C:\WINDOWS\system32\mmcbase.dll
2007-01-20 14:05 66,560 --a------ C:\WINDOWS\system32\dsdmoprp.dll
2007-01-20 14:05 63,488 --a------ C:\WINDOWS\system32\amstream.dll
2007-01-20 14:05 61,440 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-01-20 14:05 61,440 --a------ C:\WINDOWS\system32\cleanmgr.exe
2007-01-20 14:05 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-01-20 14:05 595,456 --a------ C:\WINDOWS\system32\dx7vb.dll
2007-01-20 14:05 577,024 --a------ C:\WINDOWS\system32\mlang.dll
2007-01-20 14:05 57,344 --a------ C:\WINDOWS\system32\admparse.dll
2007-01-20 14:05 56,320 --a------ C:\WINDOWS\system32\miglibnt.dll
2007-01-20 14:05 558,592 --a------ C:\WINDOWS\system32\autofmt.exe
2007-01-20 14:05 55,808 --a------ C:\WINDOWS\system32\mpr.dll
2007-01-20 14:05 544,256 --a------ C:\WINDOWS\system32\crypt32.dll
2007-01-20 14:05 54,784 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-01-20 14:05 54,784 --a------ C:\WINDOWS\system32\cmstp.exe
2007-01-20 14:05 53,840 --a------ C:\WINDOWS\system32\dosx.exe
2007-01-20 14:05 53,248 --a------ C:\WINDOWS\system32\cryptnet.dll
2007-01-20 14:05 51,712 --a------ C:\WINDOWS\system32\msasn1.dll
2007-01-20 14:05 51,712 --a------ C:\WINDOWS\system32\devenum.dll
2007-01-20 14:05 51,712 --a------ C:\WINDOWS\system32\dataclen.dll
2007-01-20 14:05 50,688 --a------ C:\WINDOWS\system32\dmutil.dll
2007-01-20 14:05 5,120 --a------ C:\WINDOWS\system32\cisvc.exe
2007-01-20 14:05 48,640 --a------ C:\WINDOWS\system32\cryptext.dll
2007-01-20 14:05 47,616 --a------ C:\WINDOWS\system32\INETRES.DLL
2007-01-20 14:05 47,104 --a------ C:\WINDOWS\system32\dssec.dll
2007-01-20 14:05 46,592 --a------ C:\WINDOWS\twain_32.dll
2007-01-20 14:05 46,592 --a------ C:\WINDOWS\system32\mmcshext.dll
2007-01-20 14:05 45,632 --a------ C:\WINDOWS\system32\cliconfg.exe
2007-01-20 14:05 45,568 --a------ C:\WINDOWS\system32\iyuv_32.dll
2007-01-20 14:05 45,568 --a------ C:\WINDOWS\system32\cnbjmon.dll
2007-01-20 14:05 45,056 --a------ C:\WINDOWS\system32\camocx.dll
2007-01-20 14:05 44,032 --a------ C:\WINDOWS\system32\dnsrslvr.dll
2007-01-20 14:05 44,032 --a------ C:\WINDOWS\system32\basesrv.dll
2007-01-20 14:05 436,736 --a------ C:\WINDOWS\system32\certmgr.dll
2007-01-20 14:05 40,960 --a------ C:\WINDOWS\system32\extrac32.exe
2007-01-20 14:05 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-01-20 14:05 4,096 --a------ C:\WINDOWS\system32\actmovie.exe
2007-01-20 14:05 39,936 --a------ C:\WINDOWS\system32\htui.dll
2007-01-20 14:05 38,400 --a------ C:\WINDOWS\system32\dpnlobby.dll
2007-01-20 14:05 37,888 --a------ C:\WINDOWS\system32\grpconv.exe
2007-01-20 14:05 361,472 --a------ C:\WINDOWS\system32\fontext.dll
2007-01-20 14:05 36,864 --a------ C:\WINDOWS\system32\mscpxl32.dll
2007-01-20 14:05 36,352 --a------ C:\WINDOWS\system32\cmutil.dll
2007-01-20 14:05 35,840 --a------ C:\WINDOWS\system32\cmmon32.exe
2007-01-20 14:05 338,944 --a------ C:\WINDOWS\system32\dsound.dll
2007-01-20 14:05 33,280 --a------ C:\WINDOWS\system32\mciqtz32.dll
2007-01-20 14:05 323,072 --a------ C:\WINDOWS\system32\filemgmt.dll
2007-01-20 14:05 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-01-20 14:05 315,904 --a------ C:\WINDOWS\system32\hnetwiz.dll
2007-01-20 14:05 30,720 --a------ C:\WINDOWS\system32\clipsrv.exe
2007-01-20 14:05 3,584 --a------ C:\WINDOWS\system32\msafd.dll
2007-01-20 14:05 3,072 --a------ C:\WINDOWS\system32\icmp.dll
2007-01-20 14:05 29,184 --a------ C:\WINDOWS\system32\cryptdll.dll
2007-01-20 14:05 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-01-20 14:05 272,768 --a------ C:\WINDOWS\system32\atmfd.dll
2007-01-20 14:05 27,136 --a------ C:\WINDOWS\system32\ddeshare.exe
2007-01-20 14:05 27,136 --a------ C:\WINDOWS\system32\batmeter.dll
2007-01-20 14:05 27,136 --a------ C:\WINDOWS\system32\atmlib.dll
2007-01-20 14:05 266,240 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-01-20 14:05 260,608 --a------ C:\WINDOWS\system32\gdi32.dll
2007-01-20 14:05 26,112 --a------ C:\WINDOWS\system32\dpnaddr.dll
2007-01-20 14:05 26,112 --a------ C:\WINDOWS\system32\dplaysvr.exe
2007-01-20 14:05 25,088 --a------ C:\WINDOWS\system32\findstr.exe
2007-01-20 14:05 24,064 --a------ C:\WINDOWS\system32\dpvacm.dll
2007-01-20 14:05 24,064 --a------ C:\WINDOWS\system32\ddrawex.dll
2007-01-20 14:05 23,040 --a------ C:\WINDOWS\system32\iernonce.dll
2007-01-20 14:05 222,208 --a------ C:\WINDOWS\system32\compstui.dll
2007-01-20 14:05 22,528 --a------ C:\WINDOWS\system32\hid.dll
2007-01-20 14:05 22,016 --a------ C:\WINDOWS\system32\mciwave.dll
2007-01-20 14:05 22,016 --a------ C:\WINDOWS\system32\ipxroute.exe
2007-01-20 14:05 22,016 --a------ C:\WINDOWS\system32\davclnt.dll
2007-01-20 14:05 212,992 --a------ C:\WINDOWS\system32\dplayx.dll
2007-01-20 14:05 21,504 --a------ C:\WINDOWS\system32\dmserver.dll
2007-01-20 14:05 204,800 --a------ C:\WINDOWS\system32\dmadmin.exe
2007-01-20 14:05 202,752 --a------ C:\WINDOWS\system32\localsec.dll
2007-01-20 14:05 20,992 --a------ C:\WINDOWS\system32\mfcsubs.dll
2007-01-20 14:05 20,992 --a------ C:\WINDOWS\system32\mciseq.dll
2007-01-20 14:05 20,992 --a------ C:\WINDOWS\system32\dpmodemx.dll
2007-01-20 14:05 2,025,984 --a------ C:\WINDOWS\system32\cdosys.dll
2007-01-20 14:05 184,320 --a------ C:\WINDOWS\system32\dmdskmgr.dll
2007-01-20 14:05 181,760 --a------ C:\WINDOWS\system32\activeds.dll
2007-01-20 14:05 18,944 --a------ C:\WINDOWS\system32\lpk.dll
2007-01-20 14:05 18,944 --a------ C:\WINDOWS\system32\dpnsvr.exe
2007-01-20 14:05 18,432 --a------ C:\WINDOWS\system32\feclient.dll
2007-01-20 14:05 179,200 --a------ C:\WINDOWS\system32\accwiz.exe
2007-01-20 14:05 174,592 --a------ C:\WINDOWS\system32\cmprops.dll
2007-01-20 14:05 17,920 --a------ C:\WINDOWS\system32\midimap.dll
2007-01-20 14:05 165,888 --a------ C:\WINDOWS\system32\dsdmo.dll
2007-01-20 14:05 16,896 --a------ C:\WINDOWS\system32\dswave.dll
2007-01-20 14:05 16,896 --a------ C:\WINDOWS\system32\cfgmgr32.dll
2007-01-20 14:05 16,384 --a------ C:\WINDOWS\system32\mmfutil.dll
2007-01-20 14:05 15,872 --a------ C:\WINDOWS\system32\dvdupgrd.exe
2007-01-20 14:05 15,872 --a------ C:\WINDOWS\system32\alrsvc.dll
2007-01-20 14:05 146,432 --a------ C:\WINDOWS\system32\keymgr.dll
2007-01-20 14:05 145,920 --a------ C:\WINDOWS\system32\diskpart.exe
2007-01-20 14:05 145,408 --a------ C:\WINDOWS\system32\modemui.dll
2007-01-20 14:05 144,896 --a------ C:\WINDOWS\system32\initpki.dll
2007-01-20 14:05 14,877 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-20 14:05 14,848 --a------ C:\WINDOWS\system32\bidispl.dll
2007-01-20 14:05 14,336 --a------ C:\WINDOWS\system32\inetppui.dll
2007-01-20 14:05 14,336 --a------ C:\WINDOWS\system32\dmremote.exe
2007-01-20 14:05 137,216 --a------ C:\WINDOWS\system32\hotplug.dll
2007-01-20 14:05 135,680 --a------ C:\WINDOWS\system32\mobsync.exe
2007-01-20 14:05 127,552 --a------ C:\WINDOWS\system32\cliconfg.dll
2007-01-20 14:05 125,952 --a------ C:\WINDOWS\system32\ifmon.dll
2007-01-20 14:05 12,800 --a------ C:\WINDOWS\system32\mcastmib.dll
2007-01-20 14:05 12,288 --a------ C:\WINDOWS\system32\cmcfg32.dll
2007-01-20 14:05 116,736 --a------ C:\WINDOWS\system32\glu32.dll
2007-01-20 14:05 116,224 --a------ C:\WINDOWS\system32\iasrad.dll
2007-01-20 14:05 113,152 --a------ C:\WINDOWS\system32\dpvvox.dll
2007-01-20 14:05 110,592 --a------ C:\WINDOWS\system32\iccvid.dll
2007-01-20 14:05 11,776 --a------ C:\WINDOWS\system32\lsass.exe
2007-01-20 14:05 11,776 --a------ C:\WINDOWS\system32\drprov.dll
2007-01-20 14:05 11,264 --a------ C:\WINDOWS\system32\msdmo.dll
2007-01-20 14:05 108,544 --a------ C:\WINDOWS\system32\mdminst.dll
2007-01-20 14:05 107,008 --a------ C:\WINDOWS\system32\aclui.dll
2007-01-20 14:05 106,496 --a------ C:\WINDOWS\system32\dsuiext.dll
2007-01-20 14:05 102,450 --a------ C:\WINDOWS\system32\cscript.exe
2007-01-20 14:05 10,240 --a------ C:\WINDOWS\system32\atmadm.exe
2007-01-20 14:05 1,293,824 --a------ C:\WINDOWS\system32\dsound3d.dll
2007-01-20 14:05 1,185,792 --a------ C:\WINDOWS\system32\dx8vb.dll
2007-01-20 14:04 971,264 --a------ C:\WINDOWS\system32\msgina.dll
2007-01-20 14:04 96,256 --a------ C:\WINDOWS\system32\rcbdyctl.dll
2007-01-20 14:04 938,496 --a------ C:\WINDOWS\system32\syssetup.dll
2007-01-20 14:04 932,864 --a------ C:\WINDOWS\system32\setupapi.dll
2007-01-20 14:04 93,184 --a------ C:\WINDOWS\system32\winscard.dll
2007-01-20 14:04 93,184 --a------ C:\WINDOWS\system32\scardsvr.exe
2007-01-20 14:04 90,240 --a------ C:\WINDOWS\system32\drivers\scsiport.sys
2007-01-20 14:04 90,112 --a------ C:\WINDOWS\system32\odbcint.dll
2007-01-20 14:04 9,728 --a------ C:\WINDOWS\system32\regsvr32.exe
2007-01-20 14:04 89,600 --a------ C:\WINDOWS\system32\slbiop.dll
2007-01-20 14:04 88,064 --a------ C:\WINDOWS\system32\mydocs.dll
2007-01-20 14:04 87,552 --a------ C:\WINDOWS\system32\occache.dll
2007-01-20 14:04 87,552 --a------ C:\WINDOWS\system32\drivers\ndiswan.sys
2007-01-20 14:04 86,912 --a------ C:\WINDOWS\system32\drivers\atapi.sys
2007-01-20 14:04 84,864 --a------ C:\WINDOWS\system32\drivers\nwlnkipx.sys
2007-01-20 14:04 831,562 --a------ C:\WINDOWS\system32\mswdat10.dll
2007-01-20 14:04 83,712 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2007-01-20 14:04 829,952 --a------ C:\WINDOWS\system32\tapi3.dll
2007-01-20 14:04 82,944 --a------ C:\WINDOWS\system32\rasauto.dll
2007-01-20 14:04 80,896 --a------ C:\WINDOWS\system32\ntprint.dll
2007-01-20 14:04 8,456 --a------ C:\WINDOWS\system32\tsddd.dll
2007-01-20 14:04 8,064 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2007-01-20 14:04 79,872 --a------ C:\WINDOWS\system32\srvsvc.dll
2007-01-20 14:04 79,744 --a------ C:\WINDOWS\system32\drivers\ksecdd.sys
2007-01-20 14:04 79,488 --a------ C:\WINDOWS\system32\drivers\ipnat.sys
2007-01-20 14:04 780,928 --a------ C:\WINDOWS\system32\drivers\dmboot.sys
2007-01-20 14:04 77,440 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-01-20 14:04 762,368 --a------ C:\WINDOWS\system32\winntbbu.dll
2007-01-20 14:04 76,032 --a------ C:\WINDOWS\system32\drivers\parport.sys
2007-01-20 14:04 75,264 --a------ C:\WINDOWS\system32\tp4mon.exe
2007-01-20 14:04 74,752 --a------ C:\WINDOWS\system32\netui0.dll
2007-01-20 14:04 74,368 --a------ C:\WINDOWS\system32\drivers\ipsec.sys
2007-01-20 14:04 734,208 --a------ C:\WINDOWS\system32\qedwipes.dll
2007-01-20 14:04 71,680 --a------ C:\WINDOWS\system32\nslookup.exe
2007-01-20 14:04 70,912 --a------ C:\WINDOWS\system32\drivers\videoprt.sys
2007-01-20 14:04 70,656 --a------ C:\WINDOWS\system32\wiascr.dll
2007-01-20 14:04 7,040 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2007-01-20 14:04 69,632 --a------ C:\WINDOWS\system32\shrpubw.exe
2007-01-20 14:04 69,248 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-01-20 14:04 69,120 --a------ C:\WINDOWS\system32\unimdmat.dll
2007-01-20 14:04 681,984 --a------ C:\WINDOWS\system32\lsasrv.dll
2007-01-20 14:04 68,992 --a------ C:\WINDOWS\system32\drivers\dxg.sys
2007-01-20 14:04 68,864 --a------ C:\WINDOWS\system32\drivers\bridge.sys
2007-01-20 14:04 67,072 --a------ C:\WINDOWS\system32\usbui.dll
2007-01-20 14:04 667,136 --a------ C:\WINDOWS\system32\userenv.dll
2007-01-20 14:04 66,560 --a------ C:\WINDOWS\system32\scarddlg.dll
2007-01-20 14:04 66,048 --a------ C:\WINDOWS\system32\notepad.exe
2007-01-20 14:04 66,048 --a------ C:\WINDOWS\system32\msw3prt.dll
2007-01-20 14:04 66,048 --a------ C:\WINDOWS\system32\drivers\psched.sys
2007-01-20 14:04 66,048 --a------ C:\WINDOWS\notepad.exe
2007-01-20 14:04 654,336 --a------ C:\WINDOWS\system32\ntdll.dll
2007-01-20 14:04 65,585 --a------ C:\WINDOWS\system32\wshext.dll
2007-01-20 14:04 65,024 --a------ C:\WINDOWS\system32\msvcrt40.dll
2007-01-20 14:04 64,512 --a------ C:\WINDOWS\system32\ntdsapi.dll
2007-01-20 14:04 64,000 --a------ C:\WINDOWS\system32\drivers\udfs.sys
2007-01-20 14:04 631,808 --a------ C:\WINDOWS\system32\rasdlg.dll
2007-01-20 14:04 62,976 --a------ C:\WINDOWS\system32\drivers\pci.sys
2007-01-20 14:04 62,464 --a------ C:\WINDOWS\system32\drivers\serial.sys
2007-01-20 14:04 62,208 --a------ C:\WINDOWS\system32\drivers\mf.sys
2007-01-20 14:04 614,474 --a------ C:\WINDOWS\system32\mswstr10.dll
2007-01-20 14:04 61,952 --a------ C:\WINDOWS\system32\rdshost.exe
2007-01-20 14:04 61,952 --a------ C:\WINDOWS\system32\osuninst.dll
2007-01-20 14:04 6,656 --a------ C:\WINDOWS\system32\ntlsapi.dll
2007-01-20 14:04 59,648 --a------ C:\WINDOWS\system32\drivers\cdfs.sys
2007-01-20 14:04 578,560 --a------ C:\WINDOWS\system32\autoconv.exe
2007-01-20 14:04 57,984 --a------ C:\WINDOWS\system32\drivers\nic1394.sys
2007-01-20 14:04 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-01-20 14:04 57,344 --a------ C:\WINDOWS\system32\drivers\arp1394.sys
2007-01-20 14:04 57,216 --a------ C:\WINDOWS\system32\drivers\atmarpc.sys
2007-01-20 14:04 569,344 --a------ C:\WINDOWS\system32\oleaut32.dll
2007-01-20 14:04 568,832 --a------ C:\WINDOWS\system32\wiashext.dll
2007-01-20 14:04 565,760 --a------ C:\WINDOWS\system32\autochk.exe
2007-01-20 14:04 561,920 --a------ C:\WINDOWS\system32\drivers\ntfs.sys
2007-01-20 14:04 561,664 --a------ C:\WINDOWS\system32\comctl32.dll
2007-01-20 14:04 561,152 --a------ C:\WINDOWS\system32\user32.dll
2007-01-20 14:04 56,832 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-01-20 14:04 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-01-20 14:04 558,080 --a------ C:\WINDOWS\system32\advapi32.dll
2007-01-20 14:04 55,808 --a------ C:\WINDOWS\system32\rasman.dll
2007-01-20 14:04 548,864 --a------ C:\WINDOWS\system32\shdoclc.dll
2007-01-20 14:04 54,784 --a------ C:\WINDOWS\system32\samlib.dll
2007-01-20 14:04 54,784 --a------ C:\WINDOWS\system32\resutils.dll
2007-01-20 14:04 54,272 --a------ C:\WINDOWS\system32\rastapi.dll
2007-01-20 14:04 54,272 --a------ C:\WINDOWS\system32\rasphone.exe
2007-01-20 14:04 53,888 --a------ C:\WINDOWS\system32\drivers\atmlane.sys
2007-01-20 14:04 53,322 --a------ C:\WINDOWS\system32\msjter40.dll
2007-01-20 14:04 53,279 --a------ C:\WINDOWS\system32\odbcji32.dll
2007-01-20 14:04 53,248 --a------ C:\WINDOWS\system32\servdeps.dll
2007-01-20 14:04 53,248 --a------ C:\WINDOWS\system32\sendmail.dll
2007-01-20 14:04 522,240 --a------ C:\WINDOWS\system32\printui.dll
2007-01-20 14:04 516,608 --a------ C:\WINDOWS\system32\winlogon.exe
2007-01-20 14:04 51,968 --a------ C:\WINDOWS\system32\drivers\usbhub.sys
2007-01-20 14:04 51,712 --a------ C:\WINDOWS\system32\synceng.dll
2007-01-20 14:04 51,712 --a------ C:\WINDOWS\system32\regsvc.dll
2007-01-20 14:04 51,200 --a------ C:\WINDOWS\system32\narrator.exe
2007-01-20 14:04 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2007-01-20 14:04 50,688 --a------ C:\WINDOWS\system32\msvcirt.dll
2007-01-20 14:04 50,048 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2007-01-20 14:04 5,888 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-01-20 14:04 5,632 --a------ C:\WINDOWS\system32\wmi.dll
2007-01-20 14:04 5,632 --a------ C:\WINDOWS\system32\security.dll
2007-01-20 14:04 5,120 --a------ C:\WINDOWS\system32\msidle.dll
2007-01-20 14:04 5,120 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2007-01-20 14:04 495,376 --a------ C:\WINDOWS\system32\msxml.dll
2007-01-20 14:04 49,152 --a------ C:\WINDOWS\system32\drivers\volsnap.sys
2007-01-20 14:04 48,384 --a------ C:\WINDOWS\system32\drivers\rasl2tp.sys
2007-01-20 14:04 47,488 --a------ C:\WINDOWS\system32\drivers\cdrom.sys
2007-01-20 14:04 47,104 --------- C:\WINDOWS\system32\mspmspsv.dll
2007-01-20 14:04 460,288 --a------ C:\WINDOWS\system32\ntmsmgr.dll
2007-01-20 14:04 46,592 --a------ C:\WINDOWS\system32\wdigest.dll
2007-01-20 14:04 46,336 --a------ C:\WINDOWS\system32\drivers\classpnp.sys
2007-01-20 14:04 46,208 --a------ C:\WINDOWS\system32\drivers\raspptp.sys
2007-01-20 14:04 46,080 --a------ C:\WINDOWS\system32\wstdecod.dll
2007-01-20 14:04 45,568 --a------ C:\WINDOWS\system32\smss.exe
2007-01-20 14:04 45,056 --a------ C:\WINDOWS\system32\proquota.exe
2007-01-20 14:04 45,056 --a------ C:\WINDOWS\system32\msprivs.dll
2007-01-20 14:04 449,536 --a------ C:\WINDOWS\system32\wiadefui.dll
2007-01-20 14:04 44,416 --a------ C:\WINDOWS\system32\drivers\stream.sys
2007-01-20 14:04 44,032 --a------ C:\WINDOWS\system32\MSIDENT.DLL
2007-01-20 14:04 433,152 --a------ C:\WINDOWS\system32\drivers\mrxsmb.sys
2007-01-20 14:04 43,008 --a------ C:\WINDOWS\system32\ssmypics.scr
2007-01-20 14:04 414,720 --a------ C:\WINDOWS\system32\wiaacmgr.exe
2007-01-20 14:04 411,136 --a------ C:\WINDOWS\system32\samsrv.dll
2007-01-20 14:04 40,960 --a------ C:\WINDOWS\system32\tcpmonui.dll
2007-01-20 14:04 40,960 --a------ C:\WINDOWS\system32\safrslv.dll
2007-01-20 14:04 40,448 --a------ C:\WINDOWS\system32\tcpmon.dll
2007-01-20 14:04 40,448 --a------ C:\WINDOWS\system32\ftp.exe
2007-01-20 14:04 4,992 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2007-01-20 14:04 4,608 --a------ C:\WINDOWS\system32\drivers\mspqm.sys
2007-01-20 14:04 4,096 --a------ C:\WINDOWS\system32\winver.exe
2007-01-20 14:04 4,096 --a------ C:\WINDOWS\system32\sfc.dll
2007-01-20 14:04 4,096 --a------ C:\WINDOWS\system32\nddeapir.exe
2007-01-20 14:04 395,776 --a------ C:\WINDOWS\system32\ntvdm.exe
2007-01-20 14:04 39,936 --a------ C:\WINDOWS\system32\rtutils.dll
2007-01-20 14:04 39,808 --a------ C:\WINDOWS\system32\drivers\imapi.sys
2007-01-20 14:04 39,424 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-01-20 14:04 387,584 --a------ C:\WINDOWS\system32\regwizc.dll
2007-01-20 14:04 38,912 --a------ C:\WINDOWS\system32\drivers\raspppoe.sys
2007-01-20 14:04 38,272 --a------ C:\WINDOWS\system32\drivers\nmnt.sys
2007-01-20 14:04 38,024 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-01-20 14:04 375,808 --a------ C:\WINDOWS\system32\cmd.exe
2007-01-20 14:04 37,888 --a------ C:\WINDOWS\system32\pstorec.dll
2007-01-20 14:04 37,504 --a------ C:\WINDOWS\system32\drivers\p3.sys
2007-01-20 14:04 37,504 --a------ C:\WINDOWS\system32\drivers\mountmgr.sys
2007-01-20 14:04 37,376 --a------ C:\WINDOWS\system32\perfctrs.dll
2007-01-20 14:04 36,352 --a------ C:\WINDOWS\system32\rshx32.dll
2007-01-20 14:04 35,632 --a------ C:\WINDOWS\system32\ntio411.sys
2007-01-20 14:04 35,392 --a------ C:\WINDOWS\system32\ntio412.sys
2007-01-20 14:04 346,624 --a------ C:\WINDOWS\system32\tourstart.exe
2007-01-20 14:04 343,552 --a------ C:\WINDOWS\system32\termmgr.dll
2007-01-20 14:04 340,480 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-01-20 14:04 34,560 --a------ C:\WINDOWS\system32\drivers\hidclass.sys
2007-01-20 14:04 34,528 --a------ C:\WINDOWS\system32\ntio804.sys
2007-01-20 14:04 34,528 --a------ C:\WINDOWS\system32\ntio404.sys
2007-01-20 14:04 34,304 --a------ C:\WINDOWS\system32\msgsvc.dll
2007-01-20 14:04 33,792 --a------ C:\WINDOWS\system32\drivers\msgpc.sys
2007-01-20 14:04 33,792 --a------ C:\WINDOWS\system32\drivers\disk.sys
2007-01-20 14:04 33,280 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-01-20 14:04 33,280 --a------ C:\WINDOWS\system32\drivers\wanarp.sys
2007-01-20 14:04 33,152 --a------ C:\WINDOWS\system32\drivers\netbios.sys
2007-01-20 14:04 321,536 --a------ C:\WINDOWS\system32\drivers\srv.sys
2007-01-20 14:04 32,256 --a------ C:\WINDOWS\system32\perfproc.dll
2007-01-20 14:04 32,000 --a------ C:\WINDOWS\system32\drivers\amdk6.sys
2007-01-20 14:04 315,466 --a------ C:\WINDOWS\system32\msrd3x40.dll
2007-01-20 14:04 31,744 --a------ C:\WINDOWS\system32\rundll32.exe
2007-01-20 14:04 31,488 --a------ C:\WINDOWS\system32\drivers\crusoe.sys
2007-01-20 14:04 31,232 --a------ C:\WINDOWS\system32\wpabaln.exe
2007-01-20 14:04 302,080 --a------ C:\WINDOWS\system32\untfs.dll
2007-01-20 14:04 30,992 --a------ C:\WINDOWS\system32\vbajet32.dll
2007-01-20 14:04 30,720 --a------ C:\WINDOWS\system32\netstat.exe
2007-01-20 14:04 30,592 --a------ C:\WINDOWS\system32\drivers\processr.sys
2007-01-20 14:04 3,840 --a------ C:\WINDOWS\system32\drivers\swenum.sys
2007-01-20 14:04 295,936 --a------ C:\WINDOWS\system32\localspl.dll
2007-01-20 14:04 29,696 --a------ C:\WINDOWS\system32\rtipxmib.dll
2007-01-20 14:04 29,568 --a------ C:\WINDOWS\system32\drivers\npfs.sys
2007-01-20 14:04 29,184 --a------ C:\WINDOWS\system32\wpnpinst.exe
2007-01-20 14:04 29,184 --a------ C:\WINDOWS\system32\csrsrv.dll
2007-01-20 14:04 28,800 --a------ C:\WINDOWS\system32\drivers\modem.sys
2007-01-20 14:04 28,721 --a------ C:\WINDOWS\system32\wshcon.dll
2007-01-20 14:04 28,672 --a------ C:\WINDOWS\system32\sethc.exe
2007-01-20 14:04 28,672 --a------ C:\WINDOWS\system32\profmap.dll
2007-01-20 14:04 28,160 --a------ C:\WINDOWS\system32\xcopy.exe
2007-01-20 14:04 278,016 --a------ C:\WINDOWS\system32\winsrv.dll
2007-01-20 14:04 276,480 --a------ C:\WINDOWS\system32\slbcsp.dll
2007-01-20 14:04 275,456 --a------ C:\WINDOWS\system32\vssvc.exe
2007-01-20 14:04 271,360 --a------ C:\WINDOWS\system32\objsel.dll
2007-01-20 14:04 270,365 --a------ C:\WINDOWS\system32\odbcjt32.dll
2007-01-20 14:04 27,648 --a------ C:\WINDOWS\system32\drivers\rndismp.sys
2007-01-20 14:04 27,136 --a------ C:\WINDOWS\system32\sendcmsg.dll
2007-01-20 14:04 27,136 --a------ C:\WINDOWS\system32\mspatcha.dll
2007-01-20 14:04 268,800 --a------ C:\WINDOWS\system32\ulib.dll
2007-01-20 14:04 266,752 --a------ C:\WINDOWS\system32\qdv.dll
2007-01-20 14:04 26,624 --a------ C:\WINDOWS\system32\safrdm.dll
2007-01-20 14:04 26,240 --a------ C:\WINDOWS\system32\drivers\fdc.sys
2007-01-20 14:04 258,048 --a------ C:\WINDOWS\system32\comdlg32.dll
2007-01-20 14:04 25,600 --a------ C:\WINDOWS\system32\pstorsvc.dll
2007-01-20 14:04 24,448 --a------ C:\WINDOWS\system32\drivers\sonydcam.sys
2007-01-20 14:04 24,064 --a------ C:\WINDOWS\system32\vdmdbg.dll
2007-01-20 14:04 24,064 --a------ C:\WINDOWS\system32\mshta.exe
2007-01-20 14:04 230,400 --a------ C:\WINDOWS\system32\netui1.dll
2007-01-20 14:04 23,680 --a------ C:\WINDOWS\system32\drivers\pciidex.sys
2007-01-20 14:04 23,680 --a------ C:\WINDOWS\system32\drivers\hidparse.sys
2007-01-20 14:04 23,552 --a------ C:\WINDOWS\system32\perfdisk.dll
2007-01-20 14:04 23,424 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
2007-01-20 14:04 23,040 --a------ C:\WINDOWS\system32\shscrap.dll
2007-01-20 14:04 23,040 --a------ C:\WINDOWS\system32\perfos.dll
2007-01-20 14:04 228,352 --a------ C:\WINDOWS\system32\mswsock.dll
2007-01-20 14:04 22,016 --a------ C:\WINDOWS\system32\userinit.exe
2007-01-20 14:04 22,016 --a------ C:\WINDOWS\system32\drivers\mouclass.sys
2007-01-20 14:04 217,088 --a------ C:\WINDOWS\system32\rasapi32.dll
2007-01-20 14:04 21,504 --a------ C:\WINDOWS\system32\wsock32.dll
2007-01-20 14:04 205,824 --a------ C:\WINDOWS\system32\progman.exe
2007-01-20 14:04 205,120 --a------ C:\WINDOWS\system32\drivers\tcpip6.sys
2007-01-20 14:04 20,992 --a------ C:\WINDOWS\system32\seclogon.dll
2007-01-20 14:04 20,554 --a------ C:\WINDOWS\system32\odtext32.dll
2007-01-20 14:04 20,554 --a------ C:\WINDOWS\system32\oddbse32.dll
2007-01-20 14:04 20,553 --a------ C:\WINDOWS\system32\odpdx32.dll
2007-01-20 14:04 20,553 --a------ C:\WINDOWS\system32\odfox32.dll
2007-01-20 14:04 20,553 --a------ C:\WINDOWS\system32\odexl32.dll
2007-01-20 14:04 20,480 --a------ C:\WINDOWS\system32\stimon.exe
2007-01-20 14:04 20,480 --a------ C:\WINDOWS\system32\msorc32r.dll
2007-01-20 14:04 20,232 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-01-20 14:04 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-01-20 14:04 19,968 --a------ C:\WINDOWS\system32\rcp.exe
2007-01-20 14:04 19,712 --a------ C:\WINDOWS\system32\drivers\vga.sys
2007-01-20 14:04 19,712 --a------ C:\WINDOWS\system32\drivers\flpydisk.sys
2007-01-20 14:04 19,584 --a------ C:\WINDOWS\system32\drivers\ipinip.sys
2007-01-20 14:04 19,456 --a------ C:\WINDOWS\system32\savedump.exe
2007-01-20 14:04 19,328 --a------ C:\WINDOWS\system32\drivers\usbuhci.sys
2007-01-20 14:04 183,296 --a------ C:\WINDOWS\system32\syncui.dll
2007-01-20 14:04 182,400 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-01-20 14:04 180,800 --a------ C:\WINDOWS\system32\sqlunirl.dll
2007-01-20 14:04 18,944 --a------ C:\WINDOWS\system32\ws2help.dll
2007-01-20 14:04 18,560 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2007-01-20 14:04 18,432 --a------ C:\WINDOWS\system32\sclgntfy.dll
2007-01-20 14:04 18,432 --a------ C:\WINDOWS\system32\rsmps.dll
2007-01-20 14:04 18,432 --a------ C:\WINDOWS\system32\qprocess.exe
2007-01-20 14:04 18,048 --a------ C:\WINDOWS\system32\drivers\msfs.sys
2007-01-20 14:04 179,328 --a------ C:\WINDOWS\system32\drivers\acpi.sys
2007-01-20 14:04 173,312 --a------ C:\WINDOWS\system32\drivers\mrxdav.sys
2007-01-20 14:04 172,032 --a------ C:\WINDOWS\system32\snmpsnap.dll
2007-01-20 14:04 17,920 --a------ C:\WINDOWS\system32\shutdown.exe
2007-01-20 14:04 17,408 --a------ C:\WINDOWS\system32\wshtcpip.dll
2007-01-20 14:04 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-01-20 14:04 167,552 --a------ C:\WINDOWS\system32\drivers\ndis.sys
2007-01-20 14:04 166,912 --a------ C:\WINDOWS\system32\wintrust.dll
2007-01-20 14:04 166,912 --a------ C:\WINDOWS\system32\photowiz.dll
2007-01-20 14:04 166,656 --a------ C:\WINDOWS\system32\drivers\rdbss.sys
2007-01-20 14:04 16,384 --a------ C:\WINDOWS\system32\version.dll
2007-01-20 14:04 16,384 --a------ C:\WINDOWS\system32\msyuv.dll
2007-01-20 14:04 16,384 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2007-01-20 14:04 16,256 --a------ C:\WINDOWS\system32\drivers\tdi.sys
2007-01-20 14:04 159,360 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-01-20 14:04 157,056 --a------ C:\WINDOWS\system32\drivers\netbt.sys
2007-01-20 14:04 155,675 --a------ C:\WINDOWS\system32\scrobj.dll
2007-01-20 14:04 151,626 --a------ C:\WINDOWS\system32\msjint40.dll
2007-01-20 14:04 15,360 --a------ C:\WINDOWS\system32\nddeapi.dll
2007-01-20 14:04 15,232 --a------ C:\WINDOWS\system32\drivers\usbintel.sys
2007-01-20 14:04 147,483 --a------ C:\WINDOWS\system32\scrrun.dll
2007-01-20 14:04 146,304 --a------ C:\WINDOWS\system32\drivers\dmio.sys
2007-01-20 14:04 145,152 --a------ C:\WINDOWS\system32\drivers\fastfat.sys
2007-01-20 14:04 142,208 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-01-20 14:04 14,976 --a------ C:\WINDOWS\system32\drivers\serenum.sys
2007-01-20 14:04 14,848 --a------ C:\WINDOWS\system32\winrnr.dll
2007-01-20 14:04 14,848 --a------ C:\WINDOWS\system32\usbmon.dll
2007-01-20 14:04 14,848 --a------ C:\WINDOWS\system32\upnpcont.exe
2007-01-20 14:04 14,848 --a------ C:\WINDOWS\system32\powrprof.dll
2007-01-20 14:04 14,592 --a------ C:\WINDOWS\system32\drivers\streamip.sys
2007-01-20 14:04 14,336 --a------ C:\WINDOWS\system32\perfmon.exe
2007-01-20 14:04 137,088 --a------ C:\WINDOWS\system32\drivers\update.sys
2007-01-20 14:04 136,704 --a------ C:\WINDOWS\system32\schannel.dll
2007-01-20 14:04 135,552 --a------ C:\WINDOWS\system32\drivers\usbport.sys
2007-01-20 14:04 134,656 --a------ C:\WINDOWS\system32\netid.dll
2007-01-20 14:04 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-01-20 14:04 133,632 --a------ C:\WINDOWS\system32\nwprovau.dll
2007-01-20 14:04 131,968 --a------ C:\WINDOWS\system32\drivers\afd.sys
2007-01-20 14:04 131,712 --a------ C:\WINDOWS\system32\drivers\ks.sys
2007-01-20 14:04 13,824 --a------ C:\WINDOWS\system32\uniplat.dll
2007-01-20 14:04 13,824 --a------ C:\WINDOWS\system32\drivers\tape.sys
2007-01-20 14:04 13,568 --a------ C:\WINDOWS\system32\drivers\asyncmac.sys
2007-01-20 14:04 13,312 --a------ C:\WINDOWS\system32\tcpmib.dll
2007-01-20 14:04 13,312 --a------ C:\WINDOWS\system32\rsh.exe
2007-01-20 14:04 13,184 --a------ C:\WINDOWS\system32\drivers\diskdump.sys
2007-01-20 14:04 13,184 --a------ C:\WINDOWS\system32\drivers\cmbatt.sys
2007-01-20 14:04 129,024 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-01-20 14:04 126,976 --a------ C:\WINDOWS\system32\imagehlp.dll
2007-01-20 14:04 124,416 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-01-20 14:04 120,832 --a------ C:\WINDOWS\system32\wkssvc.dll
2007-01-20 14:04 12,800 --a------ C:\WINDOWS\system32\svchost.exe
2007-01-20 14:04 12,800 --a------ C:\WINDOWS\system32\pjlmon.dll
2007-01-20 14:04 12,800 --a------ C:\WINDOWS\system32\mgmtapi.dll
2007-01-20 14:04 12,288 --a------ C:\WINDOWS\system32\lmhsvc.dll
2007-01-20 14:04 12,288 --a------ C:\WINDOWS\system32\drivers\ndisuio.sys
2007-01-20 14:04 118,834 --a------ C:\WINDOWS\system32\wscript.exe
2007-01-20 14:04 116,104 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2007-01-20 14:04 115,712 --a------ C:\WINDOWS\system32\drivers\pcmcia.sys
2007-01-20 14:04 111,616 --a------ C:\WINDOWS\system32\t2embed.dll
2007-01-20 14:04 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2007-01-20 14:04 11,776 --a------ C:\WINDOWS\system32\rexec.exe
2007-01-20 14:04 11,144 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2007-01-20 14:04 11,136 --a------ C:\WINDOWS\system32\drivers\usb8023.sys
2007-01-20 14:04 108,544 --a------ C:\WINDOWS\system32\msv1_0.dll
2007-01-20 14:04 106,496 --a------ C:\WINDOWS\system32\olepro32.dll
2007-01-20 14:04 104,448 --a------ C:\WINDOWS\system32\wiavideo.dll
2007-01-20 14:04 104,064 --a------ C:\WINDOWS\system32\drivers\mup.sys
2007-01-20 14:04 103,936 --a------ C:\WINDOWS\system32\sysocmgr.exe
2007-01-20 14:04 103,936 --a------ C:\WINDOWS\system32\mstlsapi.dll
2007-01-20 14:04 102,400 --a------ C:\WINDOWS\system32\win32spl.dll
2007-01-20 14:04 101,376 --a------ C:\WINDOWS\system32\services.exe
2007-01-20 14:04 10,752 --a------ C:\WINDOWS\system32\netrap.dll
2007-01-20 14:04 10,752 --a------ C:\WINDOWS\system32\drivers\slip.sys
2007-01-20 14:04 10,496 --a------ C:\WINDOWS\system32\drivers\sfloppy.sys
2007-01-20 14:04 10,496 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2007-01-20 14:04 10,240 --a------ C:\WINDOWS\system32\wshrm.dll
2007-01-20 14:04 1,799,552 --a------ C:\WINDOWS\system32\win32k.sys
2007-01-20 14:04 <DIR> d-------- C:\WINDOWS\EHome
2007-01-20 01:11 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-20 01:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-20 01:06 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-01-19 18:59 63 --a------ C:\WINDOWS\system\SYSRegC.dll
2007-01-19 18:59 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2007-01-19 18:59 1,122,304 --a------ C:\WINDOWS\system32\VchReg.dll
2007-01-19 18:59 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2007-01-19 18:25 <DIR> d-------- C:\Program Files\Mozilla Firefox
2007-01-19 17:41 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-19 17:41 <DIR> d-------- C:\DOCUME~1\user\Application Data\Lavasoft
2007-01-19 12:34 <DIR> d-------- C:\Program Files\Registry Mechanic
2007-01-19 02:45 <DIR> dr-h----- C:\$VAULT$.AVG
2007-01-19 02:43 49,152 --a------ C:\cghs.exe
2007-01-17 11:17 4,037 --a------ C:\WINDOWS\system32\PcBoan_Boot.exe
2007-01-17 11:17 154,624 --a------ C:\WINDOWS\system32\pcboan_uninstall.exe
2007-01-17 11:16 <DIR> d-------- C:\Program Files\pcboan
2007-01-15 23:06 <DIR> d-------- C:\DOCUME~1\user\Application Data\AVG7
2007-01-15 23:05 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-01-15 23:05 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-01-15 23:05 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-01-15 23:05 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-01-15 23:05 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-01-15 23:05 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-01-15 23:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2007-01-15 22:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Avg7
2007-01-15 22:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Yahoo! Companion
2007-01-02 21:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2006-12-30 11:04 <DIR> d-------- C:\Program Files\Cyworld Studio


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-25 14:08 -------- d-------- C:\Program Files\msn messenger
2007-01-25 14:06 -------- d-------- C:\Program Files\digital line detect
2007-01-22 23:03 -------- d-------- C:\Program Files\messenger
2007-01-22 23:00 -------- d-------- C:\Program Files\movie maker
2007-01-22 22:24 -------- d-------- C:\Program Files\windows nt
2007-01-20 15:07 -------- d---s---- C:\DOCUME~1\user\Application Data\microsoft
2007-01-20 01:11 -------- d-------- C:\Program Files\grisoft
2007-01-19 18:26 -------- d-------- C:\DOCUME~1\user\Application Data\mozilla
2007-01-17 10:55 188490 --a------ C:\WINDOWS\system32\atasnt40.dll
2007-01-15 22:26 -------- d-------- C:\Program Files\yahoo!
2007-01-10 14:02 -------- d-------- C:\Program Files\viewpoint
2006-12-30 22:29 -------- d-------- C:\Program Files\esignal
2006-12-30 22:28 -------- d-------- C:\Program Files\globaltec solutions, llp
2006-12-30 11:04 -------- d--h----- C:\Program Files\installshield installation information
2006-12-21 04:55 -------- d-------- C:\DOCUME~1\user\Application Data\webex
2006-12-20 02:48 51304 --a------ C:\WINDOWS\system32\drivers\atnt40k.sys
2006-12-16 03:06 -------- d-------- C:\Program Files\quicktime
2006-12-15 07:01 -------- dr-h----- C:\DOCUME~1\user\Application Data\yahoo!
2006-12-15 00:36 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-15 00:36 -------- d-------- C:\DOCUME~1\user\Application Data\adobe
2006-12-14 23:42 -------- d-------- C:\Program Files\winbudget
2006-12-14 23:42 -------- d-------- C:\Program Files\Common Files\autodesk shared
2006-12-14 23:42 -------- d-------- C:\Program Files\aim
2006-12-14 23:42 -------- d-------- C:\DOCUME~1\user\Application Data\aim
2006-12-14 06:02 503808 --a------ C:\WINDOWS\system32\skcppl.dll
2006-12-14 06:02 450560 --a------ C:\WINDOWS\system32\skcbgm.dll
2006-12-14 06:02 192512 --a------ C:\WINDOWS\system32\skcwmf.dll
2006-12-14 06:02 163840 --a------ C:\WINDOWS\system32\skcbgm.exe
2006-12-14 06:02 135168 --a------ C:\WINDOWS\system32\skcbgmf1.dll
2006-12-06 21:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-05 17:03 -------- d-------- C:\Program Files\autodesk
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TrackPointSrv"="tp4mon.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\ Smax4.exe\" /tray"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0


Completion time: 07-01-25 14:45:47


5)

Logfile of HijackThis v1.99.1
Scan saved at 2:53:42 PM, on 1/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\tp4mon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\ Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/...n/AlwaysOn.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1169237783377
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymus.../skcbgmset.cab
O16 - DPF: {CB601488-69CA-4FDB-8041-6557A4EE5684} (musicONManager Class) - http://musicon.co.kr/ack/musicONCtrl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://itraining4x.webex.com/client...ng/ieatgpc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

That's it, I think.
Looking forward to your next reply.
Again, thanks VERY much. I'll be sure to make a donation.
Old 01-25-2007, 05:31 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,647
OS: 2000 Pro; XP Pro; XP Home


Good job!

Looks like we got most of it.

--------------------------------------------------------------------------------

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". From what we know, this will change in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

* Viewpoint
* Viewpoint Manager
* Viewpoint Media Player


Delete this file:

C:\WINDOWS\system32\drivers\etc\hosts.20070120-014724.backup

And delete this folder:

C:\Program Files\Viewpoint

--------------------------------------------------------------------------------


Download IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
  • This will open the newly created hosts folder on your Desktop.
  • Double-click on the included mvps.bat file; this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.

Download SpywareBlaster 3.5.1
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

--------------------------------------------------------------------------------

I'd like you to run one more online scan, to look for any other remnants. One may find what the other might not see.

Establish an internet connection & perform an online scan using Internet Explorer at http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save Report As button.
  • Select txt file from the dropdown menu, to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Post a new HJT log as well.

How's your system behaving, please?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
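
The post above describes a blocking HOSTS file that maps ad hostnames to 127.0.0.1. The following is an added example, not part of the original posts or of the MVPS package: a small audit that checks every entry in a HOSTS file points at a local sink and reports any hostname mapped to a remote address. The sample file, the function name `audit_hosts`, and the choice to treat 0.0.0.0 as a sink alongside 127.0.0.1 are assumptions made for the example.

```python
import ipaddress

# Names that are expected to resolve to the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample, not taken from the thread: a blocking HOSTS file with
# one entry that maps a hostname to a remote address and two broken lines.
SAMPLE_HOSTS = """\
# Constructed example HOSTS file
127.0.0.1       localhost
127.0.0.1  ads.example.com  banners.example.com   # two names on one line
0.0.0.0    tracker.example.net
203.0.113.10  update.example.org
127.0.0.1
not-an-ip   broken.example.com
"""


def audit_hosts(text):
    """Classify every hostname in a HOSTS file.

    local      - localhost names mapped to a sink address
    blocked    - other names mapped to loopback or 0.0.0.0 (assumed sink)
    redirected - names mapped to any other address; these deserve review,
                 because a blocking list should never need them
    malformed  - lines with an invalid address or no hostname
    """
    report = {"local": [], "blocked": [], "redirected": [], "malformed": []}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not entry:
            continue
        fields = entry.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append((line_no, raw.strip()))
            continue
        names = [name.lower() for name in fields[1:]]
        if not names:
            report["malformed"].append((line_no, raw.strip()))
            continue
        sink = addr.is_loopback or addr.is_unspecified
        for name in names:
            if sink and name in LOCAL_NAMES:
                report["local"].append(name)
            elif sink:
                report["blocked"].append(name)
            else:
                report["redirected"].append((line_no, name, str(addr)))
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print("blocked entries:", len(result["blocked"]))
    for line_no, name, addr in result["redirected"]:
        print(f"line {line_no}: {name} -> {addr} (not a local sink, review)")
    for line_no, raw in result["malformed"]:
        print(f"line {line_no}: malformed entry: {raw!r}")
```

On Windows XP the file to audit is C:\WINDOWS\system32\drivers\etc\hosts, the same directory as the backup file named in the post.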
Old 01-26-2007, 04:49 AM   #6 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 5
OS: WindowsXP


Tbob,

Continued thanks!! All seems to be going well here. No pop-ups, no redirects, system moves quicker than ever.

Just a couple issues regarding things you instructed me on the last message...

My machine doesn't have or I couldn't find this file:

C:\WINDOWS\system32\drivers\etc\hosts.20070120-014724.backup

nor this folder:

C:\Program Files\Viewpoint

so I was unable to delete them as instructed. Hopefully they just weren't there to begin with. I'm pretty sure I was looking in the right place.

Also regarding the Kaspersky online scanner...There's a privacy statement that pops up which the user has to accept in order for the process to continue. However, when I click the accept button, nothing happens. I tried it several times, but no go.

I went ahead and did the HJT scan and here is that log:

Logfile of HijackThis v1.99.1
Scan saved at 3:33:12 AM, on 1/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\tp4mon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\ Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/...n/AlwaysOn.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1169237783377
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymus.../skcbgmset.cab
O16 - DPF: {CB601488-69CA-4FDB-8041-6557A4EE5684} (musicONManager Class) - http://musicon.co.kr/ack/musicONCtrl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://itraining4x.webex.com/client...ng/ieatgpc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

That's the latest. Let me know what I should do next, if anything.

Can't thank you enough...
Old 01-26-2007, 08:45 AM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,647
OS: 2000 Pro; XP Pro; XP Home


Just to make sure... you're running that scan with Internet Explorer, right?

Your popup blocker may be preventing Kaspersky from opening its new window. You were looking pretty clean, though. See if disabling the popup blocker lets you run Kaspersky, or if you can run this online scan instead:

Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Leave the scanning options at default and press "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and post it in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 01-26-2007, 12:22 PM   #8 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 5
OS: WindowsXP


Of course you were right. I was attempting to run Kaspersky in Firefox....duh. Anyway, I've got that log along with another updated HJT log for you. They are as follows:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, January 26, 2007 11:14:56 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/01/2007
Kaspersky Anti-Virus database records: 262386
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 49476
Number of viruses found: 2
Number of infected objects: 12 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:41:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zkpn21jr.default\cert8.db Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zkpn21jr.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zkpn21jr.default\history.dat Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zkpn21jr.default\key3.db Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zkpn21jr.default\parent.lock Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zkpn21jr.default\search.sqlite Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zkpn21jr.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\zkpn21jr.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\zkpn21jr.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\zkpn21jr.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\zkpn21jr.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012007012620070127\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\My Documents\log data malware help\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\user\My Documents\log data malware help\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\user\My Documents\log data malware help\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\user\My Documents\log data malware help\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\user\My Documents\log data malware help\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BC209F87-F305-4CF8-AE4C-5E747946B1FE}\RP74\A0017198.exe Infected: Worm.Win32.Detnat.d skipped
C:\System Volume Information\_restore{BC209F87-F305-4CF8-AE4C-5E747946B1FE}\RP74\A0017230.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{BC209F87-F305-4CF8-AE4C-5E747946B1FE}\RP74\A0017230.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{BC209F87-F305-4CF8-AE4C-5E747946B1FE}\RP74\A0017230.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{BC209F87-F305-4CF8-AE4C-5E747946B1FE}\RP74\A0017230.exe PE_Patch.UPX: infected - 2 skipped
C:\System Volume Information\_restore{BC209F87-F305-4CF8-AE4C-5E747946B1FE}\RP74\A0017235.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{BC209F87-F305-4CF8-AE4C-5E747946B1FE}\RP75\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{790AA45B-8FBD-4D14-A4CB-B184D8417C1A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



Logfile of HijackThis v1.99.1
Scan saved at 11:16:49 AM, on 1/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\tp4mon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\YTBSDK.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\ Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/...n/AlwaysOn.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1169237783377
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymus.../skcbgmset.cab
O16 - DPF: {CB601488-69CA-4FDB-8041-6557A4EE5684} (musicONManager Class) - http://musicon.co.kr/ack/musicONCtrl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://itraining4x.webex.com/client...ng/ieatgpc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe


Thank you!!
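
Every HijackThis entry above has the same `section code - body` layout, so a first triage pass over a log can be scripted. The following is an added example, not part of the original post or of HijackThis; it parses a few lines taken from the log above and tags entries worth a manual look. The tag names and rules are assumptions of this example and are review prompts, not verdicts.

```python
import re

# Sample lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

# Every entry is "<section code> - <body>", e.g. "O23 - Service: ...".
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def review_notes(section, body):
    """Return review prompts for one entry (hypothetical rules, not verdicts)."""
    notes = []
    if body.endswith("(file missing)"):
        notes.append("file missing")            # entry points at a file that is gone
    if section == "O23" and " - Unknown owner - " in body:
        notes.append("unknown owner")           # no vendor reported for the binary
    if section == "O16" and re.search(r" - http://\S+$", body):
        notes.append("ActiveX source is plain HTTP")
    if section == "O4" and body.endswith("= ?"):
        notes.append("shortcut target unresolved")
    return notes


def parse(log_text):
    """Parse log text into dicts with section, body and review notes."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            section, body = m["section"], m["body"]
            entries.append({"section": section, "body": body,
                            "notes": review_notes(section, body)})
    return entries


def flagged(entries):
    """Keep only entries that carry at least one review note."""
    return [(e["section"], e["notes"]) for e in entries if e["notes"]]


if __name__ == "__main__":
    for section, notes in flagged(parse(SAMPLE_LOG)):
        print(section, ", ".join(notes))
```

A tag such as "unknown owner" also appears on legitimate vendor services in this log, so the output narrows what to read by hand rather than deciding what to remove.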
Old 01-26-2007, 08:12 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,647
OS: 2000 Pro; XP Pro; XP Home


The finds by Kaspersky are either in System Restore, which we'll take care of shortly, or placed on your system by, or part of, SmitfraudFix.

We can delete those:

C:\Documents and Settings\user\My Documents\log data malware help\SmitfraudFix
C:\Documents and Settings\user\My Documents\log data malware help\SmitfraudFix.exe
C:\Program Files\Mozilla Firefox\SmitfraudFix


Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK


Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

  • IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Download IE-SpyAD - Extract the contents to a new folder
      From within the folder, double-click install.bat
      Select Option #2 - Install the new IE-SPYAD list.
      Then return to the main menu.
      Select option #4 - Add the old porn sites domain


  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.


  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    Here are a few very good free Antivirus products which are available:

    Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
See this link for a listing of some online antivirus scanners:

Anti-Spyware Tutorial

If you do not have a firewall, here are a few free ones available for personal use:


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 01-26-2007, 11:00 PM   #10 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 5
OS: WindowsXP


tbob,

Looks like I'm all set. Things are running great thanks to you. You led me through this process very skillfully. Can't thank you enough. I'll be making a donation right away.

fincup
Old 01-26-2007, 11:05 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,647
OS: 2000 Pro; XP Pro; XP Home




Happy Computing, and Safe Surfing to you!
 






All times are GMT -7.



Copyright 2001 - 2009, Tech Support Forum