Resolved HJT Threads: resolved spyware and popup issues.

Old 10-15-2007, 08:08 AM   #1 (permalink)
I helped the forums.
 
Join Date: Oct 2007
Location: Scotland
Posts: 33
OS: XP Pro SP2


Damn Winforms.dll ! - For sUBs

Here is my second machine (wife's), which has the problem that sUBs cleared on my own machine.

Panda scan - Done!
SpywareBlaster - Done!
Windows update - Done!

SpySweeper with Anti Virus is installed and it keeps suggesting that it has quarantined the problem but it always reappears.

Logs as requested:


Incident Status Location

Virus:Trj/Lineage.FVF Disinfected Operating system
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@112.2o7[2].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@bfast[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[3].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[4].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@citi.bridgetrack[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ehg-dig.hitbox[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@media.fastclick[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@qksrv[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@searchportal.information[2].txt
Spyware:Cookie/Intelli-tracker Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@www.intelli-tracker[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[nircmd.cfexe]
Virus:Trj/Legmir.AST Disinfected C:\qoobox\Quarantine\C\WINDOWS\371662MM.DLL.vir
Virus:Trj/Lineage.BZE Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\adbbyr.dll.vir
Virus:Trj/Lineage.FUM Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\aerjbg.dll.vir
Virus:Trj/Lineage.FUF Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\AVPSrv.dll.vir
Virus:Trj/Lineage.FUF Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\bdfmla.dll.vir
Virus:Trj/Lineage.FUL Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\bkfmqp.dll.vir
Virus:Trj/Lineage.FTQ Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\blpdtr.dll.vir
Virus:Generic Malware Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\cjznco.dll.vir
Virus:Trj/Lineage.FTU Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\cujpgb.dll.vir
Virus:Trj/Lineage.FVF Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\cvzzfi.dll.vir
Virus:Trj/Lineage.FVF Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\DbgHlp32.dll.vir
Virus:Trj/Lineage.FUF Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\fzumpm.dll.vir
Virus:Trj/Lineage.FVF Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\jpdhne.dll.vir
Virus:Trj/Lineage.FUM Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\kbwmgy.dll.vir
Virus:Trj/Lineage.FTQ Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\kcjxet.dll.vir
Virus:Trj/Lineage.BZE Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\kfnddp.dll.vir
Virus:Trj/Lineage.FSU Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\kgcehn.dll.vir
Virus:Trj/Lineage.BZE Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\krddiu.dll.vir
Virus:Trj/Lineage.FUM Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\loelbh.dll.vir
Virus:Trj/Lineage.BZE Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\louuag.dll.vir
Virus:Trj/Lineage.FUL Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\mkkneb.dll.vir
Virus:Trj/Lineage.BZE Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\mqnjbe.dll.vir
Virus:Trj/Lineage.BZE Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\MsPrint32D.dll.vir
Virus:Trj/Lineage.FUF Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\mvgyhy.dll.vir
Virus:Generic Malware Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\rxxuph.dll.vir
Virus:Trj/Lineage.FUM Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\ujgxdm.dll.vir
Virus:Trj/Lineage.FSN Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\umgwbl.dll.vir
Virus:Trj/Lineage.FUF Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\whghuo.dll.vir
Virus:Generic Malware Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\xbpcfy.dll.vir
Virus:Trj/Lineage.FUF Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\xiwctw.dll.vir
Virus:Trj/Lineage.FTU Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\xnzdnl.dll.vir
Virus:Trj/Lineage.FUF Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\xuwtpe.dll.vir
Virus:Trj/Lineage.FUF Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\xywbjz.dll.vir
Virus:Generic Malware Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\yjuesu.dll.vir
Virus:Trj/Lineage.FTU Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\zacmwh.dll.vir
Virus:Trj/Lineage.FTQ Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\zduxca.dll.vir
Virus:Trj/Lineage.FTQ Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\zqzfls.dll.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Virus:Trj/Lineage.FUF Disinfected C:\WINDOWS\system32\agxlpl.dll
Virus:Trj/Lineage.BZE Disinfected C:\WINDOWS\system32\aldiyw.dll
Virus:Trj/Lineage.BZE Disinfected C:\WINDOWS\system32\azyyom.dll
Virus:Trj/Lineage.FUH Disinfected C:\WINDOWS\system32\bjbzta.dll
Virus:Trj/Lineage.BZE Disinfected C:\WINDOWS\system32\ddsevk.dll
Virus:Trj/Lineage.FTB Disinfected C:\WINDOWS\system32\dvraqo.dll
Virus:Trj/Lineage.FTB Disinfected C:\WINDOWS\system32\fbvguy.dll
Virus:Trj/Lineage.FUF Disinfected C:\WINDOWS\system32\foevle.dll
Virus:Trj/Lineage.BZE Disinfected C:\WINDOWS\system32\fvngit.dll
Virus:Trj/Lineage.FUH Disinfected C:\WINDOWS\system32\huhrun.dll
Virus:Trj/Lineage.BZE Disinfected C:\WINDOWS\system32\juyspi.dll
Virus:Trj/Lineage.BZE Disinfected C:\WINDOWS\system32\khfzmz.dll
Virus:Trj/Lineage.FUL Disinfected C:\WINDOWS\system32\kijbke.dll
Virus:Trj/Lineage.FUH Disinfected C:\WINDOWS\system32\kwvydv.dll
Virus:Trj/Lineage.FUM Disinfected C:\WINDOWS\system32\lachbc.dll
Virus:Generic Malware Disinfected C:\WINDOWS\system32\lreaje.dll
Virus:Trj/Lineage.FTL Disinfected C:\WINDOWS\system32\maooek.dll
Virus:Trj/Lineage.BZE Disinfected C:\WINDOWS\system32\nlaobw.dll
Virus:Generic Malware Disinfected C:\WINDOWS\system32\ohhmyw.dll
Virus:Trj/Lineage.FUF Disinfected C:\WINDOWS\system32\ookkil.dll
Virus:Trj/Lineage.FUM Disinfected C:\WINDOWS\system32\pitqsg.dll
Virus:Trj/Lineage.FVF Disinfected C:\WINDOWS\system32\plhuco.dll
Virus:Trj/Lineage.FTB Disinfected C:\WINDOWS\system32\pmtrxf.dll
Virus:Trj/Lineage.BZE Disinfected C:\WINDOWS\system32\pslqss.dll
Virus:Trj/Lineage.BZE Disinfected C:\WINDOWS\system32\pyngeb.dll
Virus:Trj/Lineage.FTU Disinfected C:\WINDOWS\system32\pyxmnr.dll
Virus:Trj/Lineage.FTQ Disinfected C:\WINDOWS\system32\qdytsr.dll
Virus:Trj/Lineage.FUH Disinfected C:\WINDOWS\system32\rhqxkg.dll
Virus:Trj/Lineage.FTL Disinfected C:\WINDOWS\system32\rkhdab.dll
Virus:Trj/Lineage.FUH Disinfected C:\WINDOWS\system32\tlhqwg.dll
Virus:Generic Malware Disinfected C:\WINDOWS\system32\utdxkb.dll
Virus:Trj/Lineage.BZE Disinfected C:\WINDOWS\system32\uxkewl.dll
Virus:Trj/Lineage.FVF Disinfected C:\WINDOWS\system32\uywonh.dll
Virus:Trj/Lineage.FTU Disinfected C:\WINDOWS\system32\uzqpzu.dll
Virus:Trj/Lineage.BZE Disinfected C:\WINDOWS\system32\vamnbz.dll
Virus:Trj/Lineage.FVF Disinfected C:\WINDOWS\system32\winforms.dll
Virus:Trj/Lineage.FUH Disinfected C:\WINDOWS\system32\wrwosk.dll
Virus:Trj/Lineage.FTB Disinfected C:\WINDOWS\system32\xcrjya.dll
Virus:Trj/Lineage.FUM Disinfected C:\WINDOWS\system32\xnwnql.dll
Virus:Trj/Lineage.FUH Disinfected C:\WINDOWS\system32\xvxafm.dll
Virus:Trj/Lineage.FTB Disinfected C:\WINDOWS\system32\ycggyg.dll
Virus:Trj/Lineage.FTB Disinfected C:\WINDOWS\system32\yoejlq.dll
Virus:Trj/Lineage.FTL Disinfected C:\WINDOWS\system32\zkxdar.dll
Virus:Trj/Lineage.FTL Disinfected C:\WINDOWS\system32\zmcmxa.dll
Virus:Trj/Lineage.FUL Disinfected C:\WINDOWS\system32\zobjjv.dll
______________________________________________________________


Deckard's System Scanner v20071014.68
Run by Administrator on 2007-10-15 14:56:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2007-10-15 13:56:57 UTC - RP253 - Deckard's System Scanner Restore Point
4: 2007-10-15 09:37:27 UTC - RP252 - Software Distribution Service 3.0
3: 2007-10-15 09:05:54 UTC - RP251 - Software Distribution Service 3.0
2: 2007-10-15 07:52:25 UTC - RP250 - ComboFix created restore point
1: 2007-10-15 07:50:40 UTC - RP249 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:57:32, on 15/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\lxcfcoms.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1\Desktop\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PTHOSTTR] "C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" /Start
O4 - HKLM\..\Run: [SetRefresh] "C:\Program Files\Compaq\SetRefresh\SetRefresh.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] "C:\Program Files\Logitech\iTouch\iTouch.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
O4 - HKLM\..\Run: [Iomega Drive Icons] "C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"
O4 - HKLM\..\Run: [Deskup] "C:\Program Files\Iomega\DriveIcons\deskup.exe" /IMGSTART
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1192439035062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: winforms.dll
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 5683 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\ADMINI~1\Desktop\backups\) ------------

backup-20071015-085845-350 O23 - Service: 1E3F603C - Unknown owner - C:\WINDOWS\system32\80FEE47E.EXE (file missing)
backup-20071015-085845-558 O20 - AppInit_DLLs: winforms.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys <Not Verified; Iomega Corporation; Microsoft(R) Windows NT(R) Operating System>

S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 _IOMEGA_ACTIVE_DISK_SERVICE_ (Iomega Active Disk) - "c:\program files\iomega\autodisk\adservice.exe" <Not Verified; Iomega Corporation; Iomega Active Disk>
R2 Iomega App Services - "c:\progra~1\iomega\system32\appservices.exe" <Not Verified; Iomega Corporation; Iomega App Services>

S3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>
S4 1E3F603C - c:\windows\system32\80fee47e.exe -k (file missing)
S4 Iomega Activity Disk2 - ""


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-09-15 and 2007-10-15 -----------------------------

2007-10-15 10:38:17 0 d-------- C:\Program Files\MSXML 4.0
2007-10-15 10:12:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-10-15 1033 0 d-------- C:\WINDOWS\system32\PreInstall
2007-10-15 10:04:20 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-10-15 10:02:25 0 d-------- C:\Program Files\SpywareBlaster
2007-10-15 09:19:33 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-12 09:43:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-12 09:42:58 0 d-------- C:\Program Files\Webroot
2007-10-12 09:42:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-12 09:42:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-10-12 09:36:57 164 --a------ C:\install.dat
2007-10-12 08:49:39 125440 --a------ C:\WINDOWS\system32\etramf.dll
2007-10-11 15:09:54 125440 --a------ C:\WINDOWS\system32\kfghvw.dll
2007-10-10 16:24:44 0 d-------- C:\WINDOWS\pss
2007-10-05 10:15:01 34304 --a------ C:\WINDOWS\system32\SHQ.DLL
2007-10-05 10:15:01 20 --a------ C:\WINDOWS\system32\mhsha1.dat


-- Find3M Report ---------------------------------------------------------------

2007-10-15 11:53:34 0 d-------- C:\Program Files\Sage Payroll
2007-10-15 10:45:39 0 d-------- C:\Program Files\Messenger
2007-10-15 09:41:27 0 d-------- C:\Program Files\Google
2007-10-15 09:40:20 0 d-------- C:\Program Files\Common Files\Sonic Shared
2007-10-15 09:00:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\MailWasherPro
2007-10-04 12:18:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-09-24 10:03:15 0 d-------- C:\Program Files\Lx_cats
2007-09-13 14:56:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\EPSON
2007-09-13 14:52:36 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-13 14:51:43 0 d-------- C:\Program Files\Common Files\InstallShield
2007-09-13 14:50:33 0 d-------- C:\Program Files\EPSON
2007-09-13 14:48:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [05/04/2005 15:22]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [05/04/2005 15:19]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [05/04/2005 15:23]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [07/01/2005 18:07 C:\WINDOWS\system32\hdashcut.exe]
"RTHDCPL"="RTHDCPL.EXE" [08/03/2005 13:26 C:\WINDOWS\RTHDCPL.EXE]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [04/10/2005 23:23]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [20/11/2003 19:01]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [11/05/2005 23:12]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [20/12/2001 01:59]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [20/12/2001 09:42]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [24/09/2002 16:39]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [13/08/2002 14:30]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [16/07/2002 10:55]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [20/07/2005 18:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/07/2007 16:01]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91974}"= winforms.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=winforms.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b039e569-c0d1-11db-a5fc-0017a4401193}]
AutoRun\command- E:\setupSNK.exe




-- End of Deckard's System Scanner: finished at 2007-10-15 14:58:14 ------------

I'm glad this all means something to somebody.......
Attached file: extra.txt (13.5 KB)
LYT4X

Old 10-16-2007, 07:04 PM   #2 (permalink)
Security Team (ret.)

Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: Damn Winforms.dll ! - For sUBs

Hi..

Please download Combofix from HERE

Save ComboFix to the desktop.


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Open *notepad* and copy/paste the text in the quotebox below into it:


Quote:

File::
C:\WINDOWS\system32\winforms.dll


Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91974}"= winforms.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-
Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.*
__________________
Eddy
Pancake
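Added example, not part of the thread and not code from HijackThis or ComboFix: a small Python script that reads the HijackThis log from the first post, pulls out the two persistence points the fix above deals with, and writes a CFScript in the same File::/Registry:: layout Pancake used. The point it illustrates is that winforms.dll was registered under AppInit_DLLs, which makes Windows (XP has no LoadAppInit_DLLs switch; that arrived with Vista) load the DLL into every process that loads user32.dll, so the file on disk and the registry value are two separate artifacts and both have to go, which is exactly what the script in the post does. The sample log lines are copied from the first post; the assumption that an unqualified AppInit name lives in C:\WINDOWS\system32 and the "(file missing)" heuristic for orphaned O23 services are mine. Unlike the post's script, the generated CFScript clears only the appinit_dlls value rather than deleting a whole key, and orphaned services are only reported, since HijackThis fixes O23 entries itself (the first log's backup line shows that being done).

```python
"""Triage a HijackThis (v2) log for the persistence points the fix above
targets and emit a ComboFix CFScript for them.  Added example, not code from
the thread or from HijackThis/ComboFix; sample lines are copied from the
first post's log, everything else is an assumption noted inline."""
import re

# Sample input: O-lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - AppInit_DLLs: winforms.dll
O23 - Service: 1E3F603C - Unknown owner - C:\WINDOWS\system32\80FEE47E.EXE (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Registry value behind HJT's O20 line (same key the post's Registry:: section uses).
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"
# Assumption: an unqualified AppInit_DLLs name resolves to system32 on this box.
SYSTEM32 = r"C:\WINDOWS\system32"

_ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


def parse_hjt(text):
    """Return (section, body) for every 'Onn - ...' line in the log."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def appinit_dlls(entries):
    """DLL names listed under O20 - AppInit_DLLs (comma or space separated).
    Anything here is loaded into every process that loads user32.dll."""
    dlls = []
    for section, body in entries:
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body[len("AppInit_DLLs:"):].strip()
            dlls.extend(d for d in re.split(r"[,\s]+", value) if d)
    return dlls


def orphaned_services(entries):
    """O23 services whose binary HJT flags as '(file missing)': a service
    entry left behind after the file went, still a persistence hook."""
    hits = []
    for section, body in entries:
        if section != "O23" or not body.startswith("Service: "):
            continue
        parts = body[len("Service: "):].split(" - ", 2)  # name, owner, path
        if len(parts) == 3 and parts[2].endswith("(file missing)"):
            hits.append((parts[0], parts[2][: -len("(file missing)")].strip()))
    return hits


def build_cfscript(dlls, system32=SYSTEM32):
    """CFScript text in the File::/Registry:: layout used in the post: delete
    each DLL and clear the appinit_dlls value ('=-' removes a value; this
    deliberately does not delete the whole key)."""
    lines = ["File::"] + [f"{system32}\\{d}" for d in dlls]
    lines += ["", "Registry::", f"[{APPINIT_KEY}]", '"appinit_dlls"=-']
    return "\n".join(lines) + "\n"


def triage(text):
    """Parse a log and return the findings plus a ready-to-save CFScript."""
    entries = parse_hjt(text)
    dlls = appinit_dlls(entries)
    return {
        "appinit_dlls": dlls,
        "orphaned_services": orphaned_services(entries),
        "cfscript": build_cfscript(dlls) if dlls else "",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_HJT_LOG)
    print(result["cfscript"], end="")
    for name, path in result["orphaned_services"]:
        # HijackThis fixes O23 entries itself, as the backup line in the first post shows.
        print(f"O23 service '{name}' points at missing file {path}: fix with HijackThis")
```

Paste the whole HijackThis log into SAMPLE_HJT_LOG (or read it from a file) and the printed CFScript is what goes into Notepad as CFScript.txt in the steps above; the File:: line is only right if the DLL really is in system32, so check the O20 path against the "Files created" section of the DSS log before dragging the script onto ComboFix.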
Old 10-17-2007, 02:17 AM   #3 (permalink)
I helped the forums.
 
Join Date: Oct 2007
Location: Scotland
Posts: 33
OS: XP Pro SP2


Re: Damn Winforms.dll ! - For sUBs

Hi Pancake, thanks for the reply. Fresh ComboFix and HijackThis texts below:

ComboFix 07-10-14.5 - Administrator 2007-10-17 9:05:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1660 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\winforms.dll
.

((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.

2007-10-15 17:13 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-10-15 15:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-15 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-15 14:56 <DIR> d-------- C:\Deckard
2007-10-15 10:38 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-15 10:19 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-15 10:04 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-10-15 10:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-15 09:19 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-15 08:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-12 09:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-12 09:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-12 09:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-12 09:43 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-10-12 09:43 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-12 09:43 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-12 09:42 <DIR> d-------- C:\Program Files\Webroot
2007-10-12 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-12 09:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-10-12 09:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-10-12 09:42 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-10-12 09:36 164 --a------ C:\install.dat
2007-10-12 08:49 125,440 --a------ C:\WINDOWS\system32\etramf.dll
2007-10-11 15:09 125,440 --a------ C:\WINDOWS\system32\kfghvw.dll
2007-10-10 16:24 <DIR> d-------- C:\WINDOWS\pss
2007-10-05 10:15 34,304 --a------ C:\WINDOWS\system32\SHQ.DLL
2007-10-05 10:15 20 --a------ C:\WINDOWS\system32\mhsha1.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 08:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MailWasherPro
2007-10-17 08:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MailWasherPro
2007-10-16 10:49 --------- d-----w C:\Program Files\Sage Payroll
2007-10-16 10:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-16 10:19 --------- d-----w C:\Program Files\EPSON
2007-10-15 08:41 --------- d-----w C:\Program Files\Google
2007-10-15 08:40 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-10-04 11:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-10-04 11:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-09-24 09:03 --------- d-----w C:\Program Files\Lx_cats
2007-09-13 13:56 --------- d-----w C:\Documents and Settings\Administrator\Application Data\EPSON
2007-09-13 13:56 --------- d-----w C:\Documents and Settings\Administrator\Application Data\EPSON
2007-09-13 13:51 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-13 13:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\UDL
2007-09-13 13:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2007-09-13 13:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2007-09-13 13:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2007-08-22 12:55 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2006-09-01 10:01 5,415,101 ----a-w C:\Program Files\Bolshan July'06 .001
2005-05-11 22:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-15_ 8.56.09.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 08:00:00 1,016,832 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\browseui.dll
- 2004-08-04 08:00:00 150,528 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\cdfview.dll
- 2004-08-04 08:00:00 1,053,696 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\danim.dll
- 2004-08-04 08:00:00 201,728 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\dxtrans.dll
- 2004-08-04 08:00:00 55,808 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\extmgr.dll
- 2004-08-04 08:00:00 18,432 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\iedw.exe
- 2004-08-04 08:00:00 249,344 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\iepeers.dll
- 2004-08-04 08:00:00 96,256 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\inseng.dll
- 2004-08-04 08:00:00 3,003,392 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\mshtml.dll
- 2004-08-04 08:00:00 448,512 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\mshtmled.dll
- 2004-08-04 08:00:00 146,432 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\msrating.dll
- 2004-08-04 08:00:00 530,432 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\mstime.dll
- 2004-08-04 08:00:00 39,424 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\pngfilt.dll
- 2004-08-04 08:00:00 1,483,264 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\shdocvw.dll
- 2004-08-04 08:00:00 473,600 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\shlwapi.dll
- 2004-08-04 08:00:00 601,088 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\urlmon.dll
- 2004-08-04 08:00:00 656,384 -c--a-w C:\WINDOWS\$NtUninstallKB912945$\wininet.dll
+ 2004-08-04 08:00:00 1,016,832 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\browseui.dll
+ 2004-08-04 08:00:00 150,528 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\cdfview.dll
+ 2004-08-04 08:00:00 1,053,696 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\danim.dll
+ 2004-08-04 08:00:00 201,728 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\dxtrans.dll
+ 2004-08-04 08:00:00 55,808 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\extmgr.dll
+ 2004-08-04 08:00:00 18,432 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\iedw.exe
+ 2004-08-04 08:00:00 249,344 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\iepeers.dll
+ 2004-08-04 08:00:00 96,256 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\inseng.dll
+ 2004-08-04 08:00:00 3,003,392 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\mshtml.dll
+ 2004-08-04 08:00:00 448,512 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\mshtmled.dll
+ 2004-08-04 08:00:00 146,432 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\msrating.dll
+ 2004-08-04 08:00:00 530,432 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\mstime.dll
+ 2004-08-04 08:00:00 39,424 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\pngfilt.dll
+ 2004-08-04 08:00:00 1,483,264 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\shdocvw.dll
+ 2004-08-04 08:00:00 473,600 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\shlwapi.dll
+ 2005-10-12 23:12:26 213,216 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\spuninst\spuninst.exe
+ 2005-10-12 23:12:34 371,424 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\spuninst\updspapi.dll
+ 2004-08-04 08:00:00 601,088 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\urlmon.dll
+ 2004-08-04 08:00:00 656,384 -c--a-w C:\WINDOWS\$NtUninstallKB912945_0$\wininet.dll
+ 2006-02-15 00:22:26 142,464 ------w C:\WINDOWS\Driver Cache\i386\aec.sys
+ 2006-03-17 00:33:10 262,784 ------w C:\WINDOWS\Driver Cache\i386\http.sys
+ 2006-06-14 08:47:45 172,416 ------w C:\WINDOWS\Driver Cache\i386\kmixer.sys
+ 2006-05-05 09:41:45 453,120 ------w C:\WINDOWS\Driver Cache\i386\mrxsmb.sys
+ 2007-02-28 09:53:04 2,137,600 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe
+ 2007-02-28 09:15:56 2,059,392 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
+ 2007-02-28 09:15:59 2,017,280 ------w C:\WINDOWS\Driver Cache\i386\ntkrpamp.exe
+ 2007-02-28 09:55:14 2,182,144 ------w C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
+ 2006-06-14 08:47:46 6,400 ------w C:\WINDOWS\Driver Cache\i386\splitter.sys
+ 2006-06-14 09:00:45 82,944 ------w C:\WINDOWS\Driver Cache\i386\wdmaud.sys
- 2004-08-04 08:00:00 1,032,192 ----a-w C:\WINDOWS\explorer.exe
+ 2007-06-13 10:23:07 1,033,216 ----a-w C:\WINDOWS\explorer.exe
+ 2007-10-15 09:38:18 32,768 ----a-r C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe
+ 2004-07-15 08:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3068\_aspnet_isapi.dll
+ 2004-07-15 07:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3068\_CORPerfMonExt.dll
+ 2004-07-15 07:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3068\_fusion.dll
+ 2004-07-15 07:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3068\_mscorjit.dll
+ 2004-07-15 21:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3068\_mscorlib.dll
+ 2003-02-21 02:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3068\_mscorsn.dll
+ 2004-07-15 07:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3068\_mscorsvr.dll
+ 2004-07-15 07:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3068\_mscorwks.dll
+ 2003-02-21 11:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3068\_msvcr71.dll
+ 2004-07-15 07:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3068\_PerfCounter.dll
- 2004-08-04 08:00:00 41,984 ----a-w C:\WINDOWS\msagent\agentdp2.dll
+ 2006-10-12 13:54:18 42,496 ----a-w C:\WINDOWS\msagent\agentdp2.dll
- 2004-08-04 08:00:00 58,880 ----a-w C:\WINDOWS\msagent\agentdpv.dll
+ 2007-03-09 13:58:57 57,344 ----a-w C:\WINDOWS\msagent\agentdpv.dll
- 2004-08-04 08:00:00 256,512 ----a-w C:\WINDOWS\msagent\agentsvr.exe
+ 2006-10-12 11:54:07 256,512 ----a-w C:\WINDOWS\msagent\agentsvr.exe
- 2004-08-04 08:00:00 100,352 ----a-w C:\WINDOWS\system32\6to4svc.dll
+ 2006-08-16 11:58:05 100,352 ----a-w C:\WINDOWS\system32\6to4svc.dll
+ 2007-03-29 08:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 15:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 13:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 10:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 12:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2006-02-16 17:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-25 17:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2004-05-04 14:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 12:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 09:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 12:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-16 17:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 15:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2006-06-30 13:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 13:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2006-08-01 12:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2006-08-23 1208 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2006-08-17 10:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 10:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 07:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 13:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 09:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 09:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 15:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 08:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 09:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 13:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 13:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 12:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 07:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 07:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-04-18 16:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 13:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 1997-09-18 05:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 16:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2006-08-02 11:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
- 2004-08-04 08:00:00 56,832 ----a-w C:\WINDOWS\system32\authz.dll
+ 2005-03-02 18:19:56 62,464 ----a-w C:\WINDOWS\system32\authz.dll
- 2006-01-09 18:08:38 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2007-08-22 12:55:28 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
- 2004-08-04 08:00:00 229,888 ----a-w C:\WINDOWS\system32\catsrv.dll
+ 2005-07-26 04:39:42 225,792 ----a-w C:\WINDOWS\system32\catsrv.dll
- 2004-08-04 08:00:00 628,224 ----a-w C:\WINDOWS\system32\catsrvut.dll
+ 2005-07-26 04:39:43 625,152 ----a-w C:\WINDOWS\system32\catsrvut.dll
- 2006-01-09 18:08:38 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2007-08-22 12:55:29 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2004-08-04 08:00:00 2,067,968 ----a-w C:\WINDOWS\system32\cdosys.dll
+ 2005-09-10 01:53:41 2,067,968 ----a-w C:\WINDOWS\system32\cdosys.dll
- 2004-08-04 08:00:00 69,120 ----a-w C:\WINDOWS\system32\ciodm.dll
+ 2006-06-22 0529 69,120 ----a-w C:\WINDOWS\system32\ciodm.dll
- 2004-08-04 08:00:00 110,080 ----a-w C:\WINDOWS\system32\clbcatex.dll
+ 2005-07-26 04:39:43 110,080 ----a-w C:\WINDOWS\system32\clbcatex.dll
- 2004-08-04 08:00:00 501,248 ----a-w C:\WINDOWS\system32\clbcatq.dll
+ 2005-07-26 04:39:43 498,688 ----a-w C:\WINDOWS\system32\clbcatq.dll
- 2004-08-04 08:00:00 62,464 ----a-w C:\WINDOWS\system32\colbact.dll
+ 2005-07-26 04:39:43 60,416 ----a-w C:\WINDOWS\system32\colbact.dll
- 2004-08-04 08:00:00 195,584 ----a-w C:\WINDOWS\system32\Com\comadmin.dll
+ 2005-07-26 04:39:44 195,072 ----a-w C:\WINDOWS\system32\Com\comadmin.dll
- 2004-08-04 08:00:00 611,328 ----a-w C:\WINDOWS\system32\comctl32.dll
+ 2006-08-25 15:45:58 617,472 ----a-w C:\WINDOWS\system32\comctl32.dll
- 2004-08-04 08:00:00 82,432 ----a-w C:\WINDOWS\system32\comrepl.dll
+ 2005-07-26 04:39:44 97,792 ----a-w C:\WINDOWS\system32\comrepl.dll
- 2004-08-04 08:00:00 1,251,840 ----a-w C:\WINDOWS\system32\comsvcs.dll
+ 2005-07-26 04:39:44 1,267,200 ----a-w C:\WINDOWS\system32\comsvcs.dll
- 2004-08-04 08:00:00 540,160 ----a-w C:\WINDOWS\system32\comuid.dll
+ 2005-07-26 04:39:45 540,160 ----a-w C:\WINDOWS\system32\comuid.dll
- 2006-01-09 18:08:38 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2007-08-22 12:55:30 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2004-10-27 18:57:52 111,104 ----a-w C:\WINDOWS\system32\dhcpcsvc.dll
+ 2006-05-19 13:46:40 112,128 ----a-w C:\WINDOWS\system32\dhcpcsvc.dll
+ 2006-08-16 11:58:05 100,352 ------w C:\WINDOWS\system32\dllcache\6to4svc.dll
+ 2006-10-12 13:54:18 42,496 ------w C:\WINDOWS\system32\dllcache\agentdp2.dll
+ 2007-03-09 13:58:57 57,344 ----a-w C:\WINDOWS\system32\dllcache\agentdpv.dll
+ 2006-10-12 11:54:07 256,512 ------w C:\WINDOWS\system32\dllcache\agentsvr.exe
+ 2006-06-22 0529 69,120 ------w C:\WINDOWS\system32\dllcache\ciodm.dll
+ 2006-08-25 15:45:58 617,472 ------w C:\WINDOWS\system32\dllcache\comctl32.dll
+ 2006-05-19 13:46:40 112,128 ------w C:\WINDOWS\system32\dllcache\dhcpcsvc.dll
+ 2007-05-16 15:12:00 86,528 ------w C:\WINDOWS\system32\dllcache\directdb.dll
+ 2006-06-26 17:45:19 147,456 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2006-08-22 03:05:26 498,742 ------w C:\WINDOWS\system32\dllcache\dxmasf.dll
+ 2007-06-13 10:23:07 1,033,216 ------w C:\WINDOWS\system32\dllcache\explorer.exe
+ 2006-08-21 12:21:06 16,896 ------w C:\WINDOWS\system32\dllcache\fltlib.dll
+ 2006-08-21 09:14:58 23,040 ------w C:\WINDOWS\system32\dllcache\fltmc.exe
+ 2006-08-21 09:14:58 128,896 ------w C:\WINDOWS\system32\dllcache\fltmgr.sys
+ 2007-06-19 13:37:21 282,112 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2006-07-21 08:24:43 72,704 ------w C:\WINDOWS\system32\dllcache\hlink.dll
+ 2006-05-19 13:46:40 94,720 ------w C:\WINDOWS\system32\dllcache\iphlpapi.dll
+ 2006-06-01 18:47:07 163,840 ------w C:\WINDOWS\system32\dllcache\jgdw400.dll
+ 2006-06-01 18:47:07 27,648 ------w C:\WINDOWS\system32\dllcache\jgpl400.dll
+ 2006-05-18 05:24:25 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-04-16 15:52:53 984,576 ------w C:\WINDOWS\system32\dllcache\kernel32.dll
+ 2006-06-14 08:47:45 172,416 ------w C:\WINDOWS\system32\dllcache\kmixer.sys
+ 2006-08-17 12:28:27 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2007-03-08 15:48:36 40,960 ------w C:\WINDOWS\system32\dllcache\mf3216.dll
+ 2006-11-01 19:17:45 927,504 ------w C:\WINDOWS\system32\dllcache\mfc40u.dll
+ 2006-10-14 08:13:25 981,760 ------w C:\WINDOWS\system32\dllcache\mfc42u.dll
+ 2006-05-05 09:41:45 453,120 ------w C:\WINDOWS\system32\dllcache\mrxsmb.sys
+ 2006-12-26 13:07:23 536,576 ------w C:\WINDOWS\system32\dllcache\msado15.dll
+ 2006-12-26 13:07:23 180,224 ------w C:\WINDOWS\system32\dllcache\msadomd.dll
+ 2006-12-26 13:07:23 200,704 ------w C:\WINDOWS\system32\dllcache\msadox.dll
+ 2006-11-27 14:54:06 539,136 ------w C:\WINDOWS\system32\dllcache\msftedit.dll
+ 2006-12-26 13:07:23 102,400 ------w C:\WINDOWS\system32\dllcache\msjro.dll
+ 2007-05-16 15:12:08 1,314,816 ------w C:\WINDOWS\system32\dllcache\msoe.dll
+ 2007-06-26 06:08:16 1,104,896 ------w C:\WINDOWS\system32\dllcache\msxml3.dll
+ 2006-08-17 12:28:27 332,288 ------w C:\WINDOWS\system32\dllcache\netapi32.dll
+ 2007-02-09 11:10:35 574,464 ------w C:\WINDOWS\system32\dllcache\ntfs.sys
+ 2007-02-28 09:53:04 2,137,600 ------w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
+ 2007-02-28 09:15:56 2,059,392 ------w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
+ 2007-02-28 09:15:59 2,017,280 ------w C:\WINDOWS\system32\dllcache\ntkrpamp.exe
+ 2007-02-28 09:55:14 2,182,144 ------w C:\WINDOWS\system32\dllcache\ntoskrnl.exe
+ 2006-10-13 12:35:12 64,000 ------w C:\WINDOWS\system32\dllcache\nwapi32.dll
+ 2006-10-13 12:35:12 142,336 ------w C:\WINDOWS\system32\dllcache\nwprovau.dll
+ 2006-10-13 10:23:15 163,584 ------w C:\WINDOWS\system32\dllcache\nwrdr.sys
+ 2006-10-13 12:35:12 65,536 ------w C:\WINDOWS\system32\dllcache\nwwks.dll
+ 2007-05-17 11:28:05 549,376 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
+ 2006-10-16 16:15:00 122,880 ------w C:\WINDOWS\system32\dllcache\oledlg.dll
+ 2006-06-22 0530 1,435,648 ------w C:\WINDOWS\system32\dllcache\query.dll
+ 2006-06-26 17:45:19 7,680 ------w C:\WINDOWS\system32\dllcache\rasadhlp.dll
+ 2006-06-22 10:47:18 181,248 ------w C:\WINDOWS\system32\dllcache\rasmans.dll
+ 2006-05-05 09:47:57 174,592 ------w C:\WINDOWS\system32\dllcache\rdbss.sys
+ 2006-11-27 14:54:06 433,152 ------w C:\WINDOWS\system32\dllcache\riched20.dll
+ 2006-07-13 08:48:58 202,240 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2007-04-25 14:21:15 144,896 ------w C:\WINDOWS\system32\dllcache\schannel.dll
+ 2006-12-19 21:50:10 8,458,752 ------w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2006-12-19 21:50:10 135,168 ------w C:\WINDOWS\system32\dllcache\shsvcs.dll
+ 2006-06-14 08:47:46 6,400 ------w C:\WINDOWS\system32\dllcache\splitter.sys
+ 2006-08-14 10:34:41 332,928 ------w C:\WINDOWS\system32\dllcache\srv.sys
+ 2006-08-21 08:52:08 246,814 ------w C:\WINDOWS\system32\dllcache\strmdll.dll
+ 2006-10-19 13:56:32 713,216 ------w C:\WINDOWS\system32\dllcache\sxs.dll
+ 2006-04-20 11:51:50 359,808 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2006-08-16 09:37:30 225,664 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2007-04-23 10:32:54 364,160 ------w C:\WINDOWS\system32\dllcache\update.sys
+ 2007-02-05 20:17:02 185,344 ------w C:\WINDOWS\system32\dllcache\upnphost.dll
+ 2007-03-08 15:48:36 578,048 ------w C:\WINDOWS\system32\dllcache\user32.dll
+ 2007-06-26 15:13:22 851,968 ------w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2007-05-16 15:12:12 510,976 ------w C:\WINDOWS\system32\dllcache\wab32.dll
+ 2007-05-16 15:12:15 85,504 ------w C:\WINDOWS\system32\dllcache\wabimp.dll
+ 2006-06-14 09:00:45 82,944 ------w C:\WINDOWS\system32\dllcache\wdmaud.sys
+ 2006-12-19 18:16:47 333,824 ------w C:\WINDOWS\system32\dllcache\wiaservc.dll
- 2005-01-14 06:50:28 1,836,032 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2007-03-08 13:49:49 1,843,968 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2007-03-17 13:45:03 292,864 ------w C:\WINDOWS\system32\dllcache\winsrv.dll
+ 2006-08-17 12:28:27 132,096 ------w C:\WINDOWS\system32\dllcache\wkssvc.dll
+ 2006-12-07 16:02:24 2,174,976 ------w C:\WINDOWS\system32\dllcache\wmvcore.dll
- 2004-08-04 08:00:00 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2006-06-26 17:45:19 147,456 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-03 17:39:38 142,464 ----a-w C:\WINDOWS\system32\drivers\aec.sys
+ 2006-02-15 00:22:26 142,464 ----a-w C:\WINDOWS\system32\drivers\aec.sys
- 2004-08-04 08:00:00 124,800 ----a-w C:\WINDOWS\system32\drivers\fltMgr.sys
+ 2006-08-21 09:14:58 128,896 ----a-w C:\WINDOWS\system32\drivers\fltmgr.sys
- 2004-08-04 08:00:00 263,040 ----a-w C:\WINDOWS\system32\drivers\http.sys
+ 2006-03-17 00:33:10 262,784 ----a-w C:\WINDOWS\system32\drivers\http.sys
- 2004-08-04 08:00:00 134,912 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
+ 2004-09-29 22:28:37 134,912 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
- 2004-08-03 18:07:50 171,776 ----a-w C:\WINDOWS\system32\drivers\kmixer.sys
+ 2006-06-14 08:47:45 172,416 ----a-w C:\WINDOWS\system32\drivers\kmixer.sys
- 2004-08-04 08:00:00 451,456 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
+ 2006-05-05 09:41:45 453,120 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
- 2004-08-04 08:00:00 574,592 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
+ 2007-02-09 11:10:35 574,464 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
- 2004-08-04 08:00:00 163,584 ----a-w C:\WINDOWS\system32\drivers\nwrdr.sys
+ 2006-10-13 10:23:15 163,584 ----a-w C:\WINDOWS\system32\drivers\nwrdr.sys
- 2004-08-04 08:00:00 176,512 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
+ 2006-05-05 09:47:57 174,592 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
- 2004-08-04 08:00:00 139,400 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
+ 2005-06-10 04:09:46 139,528 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
- 2004-08-04 08:00:00 200,064 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
+ 2006-07-13 08:48:58 202,240 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
- 2004-08-03 18:07:48 6,400 ----a-w C:\WINDOWS\system32\drivers\splitter.sys
+ 2006-06-14 08:47:46 6,400 ----a-w C:\WINDOWS\system32\drivers\splitter.sys
- 2004-08-04 08:00:00 336,256 ----a-w C:\WINDOWS\system32\drivers\srv.sys
+ 2006-08-14 10:34:41 332,928 ----a-w C:\WINDOWS\system32\drivers\srv.sys
- 2004-08-04 08:00:00 359,040 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2006-04-20 11:51:50 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
- 2004-08-04 08:00:00 223,616 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
+ 2006-08-16 09:37:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
- 2004-08-04 08:00:00 209,408 ----a-w C:\WINDOWS\system32\drivers\update.sys
+ 2007-04-23 10:32:54 364,160 ----a-w C:\WINDOWS\system32\drivers\update.sys
- 2004-08-03 18:15:06 82,944 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
+ 2006-06-14 09:00:45 82,944 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
- 2004-08-04 08:00:00 498,205 ----a-w C:\WINDOWS\system32\dxmasf.dll
+ 2006-08-22 03:05:26 498,742 ----a-w C:\WINDOWS\system32\dxmasf.dll
- 2004-08-04 08:00:00 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2007-08-22 12:55:30 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2006-01-09 18:08:38 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-08-22 12:55:31 205,824 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2004-08-04 08:00:00 243,200 ----a-w C:\WINDOWS\system32\es.dll
+ 2005-07-26 04:39:45 243,200 ----a-w C:\WINDOWS\system32\es.dll
- 2004-08-04 08:00:00 1,082,368 ----a-w C:\WINDOWS\system32\esent.dll
+ 2005-10-20 22:20:03 1,082,368 ----a-w C:\WINDOWS\system32\esent.dll
- 2006-01-09 18:08:38 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-08-22 12:55:31 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2004-08-04 08:00:00 16,896 ----a-w C:\WINDOWS\system32\fltlib.dll
+ 2006-08-21 12:21:06 16,896 ----a-w C:\WINDOWS\system32\fltlib.dll
- 2004-08-04 08:00:00 22,528 ----a-w C:\WINDOWS\system32\fltMc.exe
+ 2006-08-21 09:14:58 23,040 ----a-w C:\WINDOWS\system32\fltmc.exe
- 2006-08-28 18:09:51 270,984 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-10-15 09:50:54 270,984 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2004-08-04 08:00:00 79,360 ----a-w C:\WINDOWS\system32\fontsub.dll
+ 2005-10-17 21:14:45 80,896 ----a-w C:\WINDOWS\system32\fontsub.dll
- 2004-08-04 08:00:00 278,016 ----a-w C:\WINDOWS\system32\gdi32.dll
+ 2007-06-19 13:37:21 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
- 2004-08-04 08:00:00 77,850 ----a-w C:\WINDOWS\system32\hlink.dll
+ 2006-07-21 08:24:43 72,704 ----a-w C:\WINDOWS\system32\hlink.dll
- 2004-08-04 08:00:00 345,088 ----a-w C:\WINDOWS\system32\hypertrm.dll
+ 2004-11-17 17:41:24 347,136 ----a-w C:\WINDOWS\system32\hypertrm.dll
- 2004-08-04 08:00:00 253,952 ----a-w C:\WINDOWS\system32\icm32.dll
+ 2005-06-29 01:46:00 254,976 ----a-w C:\WINDOWS\system32\icm32.dll
- 2006-01-09 18:08:38 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-08-22 12:55:32 251,904 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2006-01-09 18:08:38 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2007-08-22 12:55:32 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2004-08-04 08:00:00 94,720 ----a-w C:\WINDOWS\system32\iphlpapi.dll
+ 2006-05-19 13:46:40 94,720 ----a-w C:\WINDOWS\system32\iphlpapi.dll
- 2004-08-04 08:00:00 144,896 ----a-w C:\WINDOWS\system32\jgdw400.dll
+ 2006-06-01 18:47:07 163,840 ----a-w C:\WINDOWS\system32\jgdw400.dll
- 2004-08-04 08:00:00 42,496 ----a-w C:\WINDOWS\system32\jgpl400.dll
+ 2006-06-01 18:47:07 27,648 ----a-w C:\WINDOWS\system32\jgpl400.dll
- 2004-08-04 08:00:00 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2006-05-18 05:24:25 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
- 2004-08-04 08:00:00 15,872 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-08-22 12:55:32 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2004-08-04 08:00:00 294,400 ----a-w C:\WINDOWS\system32\kerberos.dll
+ 2005-06-15 17:49:30 295,936 ----a-w C:\WINDOWS\system32\kerberos.dll
- 2004-08-04 08:00:00 983,552 ----a-w C:\WINDOWS\system32\kernel32.dll
+ 2007-04-16 15:52:53 984,576 ----a-w C:\WINDOWS\system32\kernel32.dll
+ 2007-04-24 10:32:06 1,485,696 ------w C:\WINDOWS\system32\LegitCheckControl.dll
- 2004-08-04 08:00:00 18,944 ----a-w C:\WINDOWS\system32\linkinfo.dll
+ 2005-09-01 01:44:04 19,968 ----a-w C:\WINDOWS\system32\linkinfo.dll
- 2004-08-04 08:00:00 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
+ 2006-08-17 12:28:27 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
- 2004-08-04 08:00:00 39,936 ----a-w C:\WINDOWS\system32\mf3216.dll
+ 2007-03-08 15:48:36 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
- 2004-08-04 08:00:00 924,432 ----a-w C:\WINDOWS\system32\mfc40u.dll
+ 2006-11-01 19:17:45 927,504 ----a-w C:\WINDOWS\system32\mfc40u.dll
- 2004-08-04 08:00:00 1,024,000 ----a-w C:\WINDOWS\system32\mfc42u.dll
+ 2006-10-14 08:13:25 981,760 ----a-w C:\WINDOWS\system32\mfc42u.dll
+ 2007-09-27 21:19:40 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
- 2004-08-04 08:00:00 73,728 ----a-w C:\WINDOWS\system32\mscms.dll
+ 2005-06-29 01:46:00 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
- 2004-08-04 08:00:00 425,472 ----a-w C:\WINDOWS\system32\msdtcprx.dll
+ 2006-03-01 19:42:42 426,496 ----a-w C:\WINDOWS\system32\msdtcprx.dll
- 2004-08-04 08:00:00 949,248 ----a-w C:\WINDOWS\system32\msdtctm.dll
+ 2006-03-01 19:42:42 956,416 ----a-w C:\WINDOWS\system32\msdtctm.dll
- 2004-08-04 08:00:00 161,280 ----a-w C:\WINDOWS\system32\msdtcuiu.dll
+ 2006-03-01 19:42:42 161,280 ----a-w C:\WINDOWS\system32\msdtcuiu.dll
- 2004-08-04 08:00:00 537,088 ----a-w C:\WINDOWS\system32\msftedit.dll
+ 2006-11-27 14:54:06 539,136 ----a-w C:\WINDOWS\system32\msftedit.dll
- 2006-02-01 01:59:04 3,070,464 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-08-22 12:55:36 3,064,832 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2006-01-09 18:08:40 448,512 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-08-22 12:55:37 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2004-08-04 08:00:00 2,804,224 ----a-w C:\WINDOWS\system32\msi.dll
+ 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
- 2004-08-04 08:00:00 77,312 ----a-w C:\WINDOWS\system32\msiexec.exe
+ 2005-05-04 13:45:36 78,848 ----a-w C:\WINDOWS\system32\msiexec.exe
- 2004-08-04 08:00:00 331,264 ----a-w C:\WINDOWS\system32\msihnd.dll
+ 2005-05-04 13:45:36 271,360 ----a-w C:\WINDOWS\system32\msihnd.dll
- 2004-08-04 08:00:00 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
+ 2005-05-04 13:45:36 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
- 2004-08-04 08:00:00 44,032 ----a-w C:\WINDOWS\system32\msisip.dll
+ 2005-05-04 13:45:36 15,360 ----a-w C:\WINDOWS\system32\msisip.dll
- 2006-01-09 18:08:40 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-08-22 12:55:37 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2006-01-09 18:08:40 530,944 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-08-22 12:55:38 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2004-08-04 08:00:00 1,236,480 ----a-w C:\WINDOWS\system32\msxml3.dll
+ 2007-06-26 06:08:16 1,104,896 ----a-w C:\WINDOWS\system32\msxml3.dll
- 2002-02-04 01:52:54 1,230,336 ----a-w C:\WINDOWS\system32\msxml4.dll
+ 2007-05-08 14:03:04 1,275,392 ----a-w C:\WINDOWS\system32\msxml4.dll
- 2004-08-04 08:00:00 66,560 ----a-w C:\WINDOWS\system32\mtxclu.dll
+ 2006-03-01 19:42:42 66,560 ----a-w C:\WINDOWS\system32\mtxclu.dll
- 2004-08-04 08:00:00 90,112 ----a-w C:\WINDOWS\system32\mtxoci.dll
+ 2006-03-01 19:42:42 91,136 ----a-w C:\WINDOWS\system32\mtxoci.dll
- 2004-08-04 08:00:00 332,288 ----a-w C:\WINDOWS\system32\netapi32.dll
+ 2006-08-17 12:28:27 332,288 ----a-w C:\WINDOWS\system32\netapi32.dll
- 2004-08-04 08:00:00 198,144 ----a-w C:\WINDOWS\system32\netman.dll
+ 2005-08-22 18:29:46 197,632 ----a-w C:\WINDOWS\system32\netman.dll
- 2004-08-04 05:59:02 2,015,232 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
+ 2007-02-28 09:15:59 2,017,280 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
- 2004-08-04 06:18:32 2,148,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
+ 2007-02-28 09:53:04 2,137,600 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
- 2004-08-04 08:00:00 58,880 ----a-w C:\WINDOWS\system32\nwapi32.dll
+ 2006-10-13 12:35:12 64,000 ----a-w C:\WINDOWS\system32\nwapi32.dll
- 2004-08-04 08:00:00 144,384 ----a-w C:\WINDOWS\system32\nwprovau.dll
+ 2006-10-13 12:35:12 142,336 ----a-w C:\WINDOWS\system32\nwprovau.dll
- 2004-08-04 08:00:00 64,000 ----a-w C:\WINDOWS\system32\nwwks.dll
+ 2006-10-13 12:35:12 65,536 ----a-w C:\WINDOWS\system32\nwwks.dll
- 2004-08-04 08:00:00 1,281,536 ----a-w C:\WINDOWS\system32\ole32.dll
+ 2005-07-26 04:39:48 1,285,120 ----a-w C:\WINDOWS\system32\ole32.dll
- 2004-08-04 08:00:00 553,472 ----a-w C:\WINDOWS\system32\oleaut32.dll
+ 2007-05-17 11:28:05 549,376 ----a-w C:\WINDOWS\system32\oleaut32.dll
- 2004-08-04 08:00:00 68,608 ----a-w C:\WINDOWS\system32\olecli32.dll
+ 2005-07-26 04:39:48 74,752 ----a-w C:\WINDOWS\system32\olecli32.dll
- 2004-08-04 08:00:00 34,304 ----a-w C:\WINDOWS\system32\olecnv32.dll
+ 2005-07-26 04:39:49 37,888 ----a-w C:\WINDOWS\system32\olecnv32.dll
- 2004-08-04 08:00:00 117,760 ----a-w C:\WINDOWS\system32\oledlg.dll
+ 2006-10-16 16:15:00 122,880 ----a-w C:\WINDOWS\system32\oledlg.dll
- 2007-10-15 07:48:53 52,968 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-17 08:04:37 40,196 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-15 07:48:53 380,680 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-17 08:04:37 311,934 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2006-01-09 18:08:40 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2007-08-22 12:55:38 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2004-08-04 08:00:00 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
+ 2005-08-30 03:54:26 1,287,168 ----a-w C:\WINDOWS\system32\quartz.dll
- 2004-08-04 08:00:00 1,435,648 ----a-w C:\WINDOWS\system32\query.dll
+ 2006-06-22 0530 1,435,648 ----a-w C:\WINDOWS\system32\query.dll
- 2004-08-04 08:00:00 8,192 ----a-w C:\WINDOWS\system32\rasadhlp.dll
+ 2006-06-26 17:45:19 7,680 ----a-w C:\WINDOWS\system32\rasadhlp.dll
- 2004-08-04 08:00:00 174,080 ----a-w C:\WINDOWS\system32\rasmans.dll
+ 2006-06-22 10:47:18 181,248 ----a-w C:\WINDOWS\system32\rasmans.dll
- 2004-08-04 08:00:00 431,616 ----a-w C:\WINDOWS\system32\riched20.dll
+ 2006-11-27 14:54:06 433,152 ----a-w C:\WINDOWS\system32\riched20.dll
- 2004-08-04 08:00:00 581,120 ----a-w C:\WINDOWS\system32\rpcrt4.dll
+ 2007-07-09 13:09:42 584,192 ----a-w C:\WINDOWS\system32\rpcrt4.dll
- 2004-08-04 08:00:00 395,776 ----a-w C:\WINDOWS\system32\rpcss.dll
+ 2005-07-26 04:39:49 397,824 ----a-w C:\WINDOWS\system32\rpcss.dll
- 2004-08-04 08:00:00 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
+ 2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
- 2006-01-09 18:08:41 1,492,480 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2007-08-22 12:55:40 1,498,112 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2004-08-04 08:00:00 8,384,000 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2006-12-19 21:50:10 8,458,752 ----a-w C:\WINDOWS\system32\shell32.dll
- 2006-01-09 18:08:41 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2007-08-22 12:55:41 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2004-08-04 08:00:00 134,656 ----a-w C:\WINDOWS\system32\shsvcs.dll
+ 2006-12-19 21:50:10 135,168 ----a-w C:\WINDOWS\system32\shsvcs.dll
+ 2007-07-30 18:19:36 549,720 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.0.6000.381\wuapi.dll
+ 2007-07-30 18:18:40 33,624 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
+ 2006-11-17 15:14:30 14,640 ------w C:\WINDOWS\system32\spmsg.dll
- 2004-08-04 08:00:00 57,856 ----a-w C:\WINDOWS\system32\spoolsv.exe
+ 2005-06-10 23:53:32 57,856 ----a-w C:\WINDOWS\system32\spoolsv.exe
- 2004-11-18 17:42:52 22,752 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2005-06-28 09:21:34 22,752 ----a-w C:\WINDOWS\system32\spupdsvc.exe
- 2004-08-04 08:00:00 96,768 ----a-w C:\WINDOWS\system32\srvsvc.dll
+ 2004-12-07 19:32:34 96,768 ----a-w C:\WINDOWS\system32\srvsvc.dll
- 2007-07-19 21:42:36 16,184 ----a-w C:\WINDOWS\system32\ssiefr.EXE
+ 2007-10-01 15:24:34 16,184 ----a-w C:\WINDOWS\system32\ssiefr.EXE
- 2004-08-04 08:00:00 246,302 ----a-w C:\WINDOWS\system32\strmdll.dll
+ 2006-08-21 08:52:08 246,814 ----a-w C:\WINDOWS\system32\strmdll.dll
- 2004-08-04 08:00:00 713,216 ----a-w C:\WINDOWS\system32\sxs.dll
+ 2006-10-19 13:56:32 713,216 ----a-w C:\WINDOWS\system32\sxs.dll
- 2004-08-04 08:00:00 210,432 ----a-w C:\WINDOWS\system32\t2embed.dll
+ 2005-10-17 21:14:46 118,272 ----a-w C:\WINDOWS\system32\t2embed.dll
- 2004-08-04 08:00:00 246,272 ----a-w C:\WINDOWS\system32\tapisrv.dll
+ 2005-07-08 16:27:56 249,344 ----a-w C:\WINDOWS\system32\tapisrv.dll
- 2004-08-04 08:00:00 75,264 ----a-w C:\WINDOWS\system32\telnet.exe
+ 2005-05-10 23:45:48 75,776 ----a-w C:\WINDOWS\system32\telnet.exe
- 2004-08-04 08:00:00 101,376 ----a-w C:\WINDOWS\system32\txflog.dll
+ 2005-07-26 04:39:49 101,376 ----a-w C:\WINDOWS\system32\txflog.dll
+ 2007-07-18 12:42:22 60,416 ------w C:\WINDOWS\system32\tzchange.exe
- 2004-08-04 08:00:00 118,272 ----a-w C:\WINDOWS\system32\umpnpmgr.dll
+ 2005-08-23 03:35:42 123,392 ----a-w C:\WINDOWS\system32\umpnpmgr.dll
- 2004-08-04 08:00:00 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll
+ 2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll
- 2006-01-09 18:08:41 612,352 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-08-22 12:55:43 617,984 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2004-08-04 08:00:00 577,024 ----a-w C:\WINDOWS\system32\user32.dll
+ 2007-03-08 15:48:36 578,048 ----a-w C:\WINDOWS\system32\user32.dll
+ 2006-03-17 01:05:35 28,672 ----a-w C:\WINDOWS\system32\verclsid.exe
- 2004-08-04 08:00:00 67,584 ----a-w C:\WINDOWS\system32\webclnt.dll
+ 2006-01-04 03:35:05 68,096 ----a-w C:\WINDOWS\system32\webclnt.dll
- 2004-08-04 08:00:00 333,312 ----a-w C:\WINDOWS\system32\wiaservc.dll
+ 2006-12-19 18:16:47 333,824 ----a-w C:\WINDOWS\system32\wiaservc.dll
- 2005-01-14 06:50:28 1,836,032 ----a-w C:\WINDOWS\system32\win32k.sys
+ 2007-03-08 13:49:49 1,843,968 ----a-w C:\WINDOWS\system32\win32k.sys
- 2006-01-09 18:08:41 658,432 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-08-22 12:55:44 665,600 ----a-w C:\WINDOWS\system32\wininet.dll
- 2004-08-04 08:00:00 290,816 ----a-w C:\WINDOWS\system32\winsrv.dll
+ 2007-03-17 13:45:03 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
- 2004-08-04 08:00:00 132,096 ----a-w C:\WINDOWS\system32\wkssvc.dll
+ 2006-08-17 12:28:27 132,096 ----a-w C:\WINDOWS\system32\wkssvc.dll
- 2004-08-04 08:00:00 4,874,240 ----a-w C:\WINDOWS\system32\wmp.dll
+ 2007-04-30 01:22:16 4,734,976 ----a-w C:\WINDOWS\system32\wmp.dll
- 2004-08-04 08:00:00 2,105,344 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2006-12-07 16:02:24 2,174,976 ----a-w C:\WINDOWS\system32\wmvcore.dll
- 2007-07-19 21:42:36 219,448 ----a-w C:\WINDOWS\system32\WRLogonNtf.dll
+ 2007-10-01 15:24:36 219,448 ----a-w C:\WINDOWS\system32\WRLogonNtf.dll
- 2007-07-19 21:42:36 26,424 ----a-w C:\WINDOWS\system32\wrlzma.dll
+ 2007-10-01 15:24:36 26,424 ----a-w C:\WINDOWS\system32\wrlzma.dll
- 2004-08-04 08:00:00 11,776 ----a-w C:\WINDOWS\system32\xolehlp.dll
+ 2006-03-01 19:42:42 11,776 ----a-w C:\WINDOWS\system32\xolehlp.dll
- 2006-02-08 00:29:48 16,384 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-08-21 10:13:33 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2003-03-25 17:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
+ 2007-05-08 1444 1,275,392 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
+ 2007-01-19 20:15:24 74,802 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\atl.dll
+ 2007-01-19 20:15:24 995,383 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42.dll
+ 2007-01-19 20:15:24 1,011,774 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42u.dll
+ 2007-01-19 20:15:24 401,462 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\msvcp60.dll
+ 2006-08-25 15:45:55 1,054,208 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 15:22]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 15:19]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 15:23]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 18:07 C:\WINDOWS\system32\hdashcut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-03-08 13:26 C:\WINDOWS\RTHDCPL.EXE]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2005-10-04 23:23]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 19:01]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2001-12-20 01:59]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-12-20 09:42]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 16:39]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 14:30]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 10:55]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 16:01]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
MailWasherPro.lnk - C:\Program Files\MailWasher\MailWasher.exe [2006-08-28 18:42:52]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
MailWasherPro.lnk - C:\Program Files\MailWasher\MailWasher.exe [2006-08-28 18:42:52]

R0 iomdisk;Iomega Devices Disk Filter Services;C:\WINDOWS\system32\DRIVERS\iomdisk.sys
R0 ppa3;Iomega Parallel Port Legacy Filter Driver;C:\WINDOWS\system32\DRIVERS\ppa3.sys
R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R2 _IOMEGA_ACTIVE_DISK_SERVICE_;Iomega Active Disk;"C:\Program Files\Iomega\AutoDisk\ADService.exe"
S4 1E3F603C;1E3F603C;C:\WINDOWS\system32\80FEE47E.EXE -k

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b039e569-c0d1-11db-a5fc-0017a4401193}]
AutoRun\command - E:\setupSNK.exe

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 0922
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 947
C:\ComboFix2.txt ... 2007-10-15 09:08
C:\ComboFix3.txt ... 2007-10-15 08:56
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:15:24, on 17/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PTHOSTTR] "C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" /Start
O4 - HKLM\..\Run: [SetRefresh] "C:\Program Files\Compaq\SetRefresh\SetRefresh.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] "C:\Program Files\Logitech\iTouch\iTouch.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
O4 - HKLM\..\Run: [Iomega Drive Icons] "C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"
O4 - HKLM\..\Run: [Deskup] "C:\Program Files\Iomega\DriveIcons\deskup.exe" /IMGSTART
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher\MailWasher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1192439035062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 5555 bytes
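As an added example (not from this thread, ComboFix or Webroot): a small Python parser for the snapshot-comparison block in the ComboFix log above, pairing each `-` line (state at the earlier snapshot) with the `+` line (state now) for the same path so the files replaced, added or removed between snapshots can be listed with their size change. The sample input reuses lines from the log above plus one constructed `-` line to exercise the "removed" case.

```python
# Added example for this thread (not ComboFix's own code): pair the '-' (earlier
# snapshot) and '+' (current) lines of a ComboFix snapshot-comparison block so a
# reviewer can list which files were replaced, added or removed between the two
# snapshots and by how much their size changed.  Sample input reuses lines from
# the log above plus one constructed '-' line for the "removed" case.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Line shape: '<sign> <date> <time> <size> <attrs> <path>'.  One line in the log
# above has its time reduced to four digits ('1444'), so both forms are accepted.
LINE_RE = re.compile(
    r"^(?P<sign>[-+])\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}|\d{4})\s+"
    r"(?P<size>\d[\d,]*)\s+"
    r"(?P<attrs>[-a-z]{7})\s+"
    r"(?P<path>.+?)\s*$"
)


@dataclass
class Entry:
    date: str
    time: str
    size: int    # bytes, thousands separators removed
    attrs: str   # ComboFix attribute string, e.g. '----a-w'
    path: str


@dataclass
class Change:
    path: str
    old: Optional[Entry]   # state in the earlier snapshot ('-' line), if any
    new: Optional[Entry]   # state now ('+' line), if any

    @property
    def kind(self) -> str:
        if self.old is None:
            return "added"
        if self.new is None:
            return "removed"
        return "replaced"


def parse_line(line: str) -> Optional[Tuple[str, Entry]]:
    """Return (sign, Entry) for a snapshot line; None for banners, '.' and blanks."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = Entry(m["date"], m["time"], int(m["size"].replace(",", "")),
                  m["attrs"], m["path"])
    return m["sign"], entry


def diff_snapshot(text: str) -> List[Change]:
    """Pair '-' and '+' entries by path (case-insensitive, as NTFS paths are)."""
    old: Dict[str, Entry] = {}
    new: Dict[str, Entry] = {}
    order: List[str] = []          # first-seen order, so output follows the log
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        sign, entry = parsed
        key = entry.path.lower()
        if key not in old and key not in new:
            order.append(key)
        (old if sign == "-" else new)[key] = entry
    changes: List[Change] = []
    for key in order:
        first = old.get(key) or new.get(key)
        changes.append(Change(path=first.path, old=old.get(key), new=new.get(key)))
    return changes


def size_delta(change: Change) -> Optional[int]:
    """new - old in bytes, or None unless the file appears in both snapshots."""
    if change.old is None or change.new is None:
        return None
    return change.new.size - change.old.size


def summarize(changes: List[Change]) -> Dict[str, int]:
    """Count of changes by kind, e.g. {'replaced': 2, 'added': 2, 'removed': 1}."""
    return dict(Counter(c.kind for c in changes))


# Lines from the ComboFix log above; the last '-' line is constructed.
SAMPLE = r"""
((((((((((((((((((((((((((((( snapshot_<earlier date> )))))))))))))))))))))))))))))))))))))))))
.
- 2006-01-09 18:08:41 612,352 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-08-22 12:55:43 617,984 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2004-08-04 08:00:00 4,874,240 ----a-w C:\WINDOWS\system32\wmp.dll
+ 2007-04-30 01:22:16 4,734,976 ----a-w C:\WINDOWS\system32\wmp.dll
+ 2007-07-18 12:42:22 60,416 ------w C:\WINDOWS\system32\tzchange.exe
+ 2007-05-08 1444 1,275,392 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
- 2007-10-01 09:00:00 12,288 ----a-w C:\WINDOWS\system32\constructed_removed.dll
.
-- Snapshot reset to current date --
"""

if __name__ == "__main__":
    found = diff_snapshot(SAMPLE)
    for c in found:
        delta = size_delta(c)
        extra = f"{delta:+d} bytes" if delta is not None else (c.new or c.old).date
        print(f"{c.kind:8} {c.path}  {extra}")
    print(summarize(found))
```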
Old 10-17-2007, 04:09 AM   #4 (permalink)
Security Team (ret.)
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: Damn Winforms.dll ! - For sUBs

Seems to have fixed it. How are things now?
__________________
Eddy
Old 10-17-2007, 04:41 AM   #5 (permalink)
I helped the forums.
 
Join Date: Oct 2007
Location: Scotland
Posts: 33
OS: XP Pro SP2


Re: Damn Winforms.dll ! - For sUBs

Nope

Spysweeper still detects Mal/PWS-N which it cannot quarantine (quarantine failed).
Old 10-17-2007, 04:17 PM   #6 (permalink)
Security Team (ret.)
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: Damn Winforms.dll ! - For sUBs

Place a shortcut to Panda ActiveScan on your desktop. Click the Panda ActiveScan shortcut.
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
  • Click on see report. Then click Save report
Post the contents of the Panda scan report if malware is found.
__________________
Eddy
Old 10-18-2007, 04:31 AM   #7 (permalink)
I helped the forums.
 
Join Date: Oct 2007
Location: Scotland
Posts: 33
OS: XP Pro SP2


Re: Damn Winforms.dll ! - For sUBs

Firstly, spysweeper is still showing:

MAL/PWS-M – Quarantine Failed.......

I believe this is the “pws onlinegames.gen” issue?


Fresh Panda Scan (and Hijack this log) as follows:


Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@112.2o7[2].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@bfast[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[3].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[4].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@citi.bridgetrack[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ehg-dig.hitbox[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@media.fastclick[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@qksrv[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@searchportal.information[2].txt
Spyware:Cookie/Intelli-tracker Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@www.intelli-tracker[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[nircmd.cfexe]
Virus:Trj/Lineage.FVY Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\cmdbcs.dll.vir
Virus:Trj/Lineage.FVO Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\GenProtect.dll.vir
Virus:Generic Malware Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\Kvsc3.dll.vir
Virus:Trj/Lineage.BZE Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\mddrbf.dll.vir
Virus:Trj/Lineage.BZE Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\mppds.dll.vir
Virus:Trj/Lineage.FVY Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\msccrt.dll.vir
Virus:Trj/Lineage.BZE Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\MsIMMs32.dll.vir
Virus:Generic Malware Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\pktrwr.dll.vir
Virus:Trj/Lineage.FVU Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\upxdnd.dll.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Virus:Trj/Lineage.FVO Disinfected C:\WINDOWS\system32\advomi.dll
Virus:Trj/Lineage.FVO Disinfected C:\WINDOWS\system32\etlcnc.dll
Virus:Trj/Lineage.FVO Disinfected C:\WINDOWS\system32\etramf.dll
Virus:Trj/Lineage.FVO Disinfected C:\WINDOWS\system32\jvwpzz.dll
Virus:Trj/Lineage.BZE Disinfected C:\WINDOWS\system32\kfghvw.dll
Virus:Trj/Lineage.FVO Disinfected C:\WINDOWS\system32\pqamnt.dll

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:59, on 18/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spider.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PTHOSTTR] "C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" /Start
O4 - HKLM\..\Run: [SetRefresh] "C:\Program Files\Compaq\SetRefresh\SetRefresh.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] "C:\Program Files\Logitech\iTouch\iTouch.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
O4 - HKLM\..\Run: [Iomega Drive Icons] "C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"
O4 - HKLM\..\Run: [Deskup] "C:\Program Files\Iomega\DriveIcons\deskup.exe" /IMGSTART
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher\MailWasher.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1192439035062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4726 bytes
Old 10-18-2007, 10:12 AM   #8 (permalink)
I helped the forums.
 
Join Date: Oct 2007
Location: Scotland
Posts: 33
OS: XP Pro SP2


Re: Damn Winforms.dll ! - For sUBs

It seems I cannot edit my posts. Start should have read:

Spysweeper is still showing: MAL/PWS-N – Quarantine Failed.......
Old 10-18-2007, 03:53 PM   #9 (permalink)
Security Team (ret.)
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: Damn Winforms.dll ! - For sUBs

What is the full path to the file that Spysweeper is showing?


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Open *notepad* and copy/paste the text in the quotebox below into it:


Quote:



File::
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\MSDEG32.DLL
C:\WINDOWS\system32\LYLOADER.EXE


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"MSDEG32"=-
"MSDWG32"=-
"MSDCG32 "=-
"MSDOG32"=-
"MSDSG32"=-
"MSDMG32"=-
"MSDHG32"=-
"MSDQG32"=-

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
__________________
Eddy

Last edited by Pancake; 10-18-2007 at 04:21 PM.
Old 10-18-2007, 04:26 PM   #10 (permalink)
Security Team (ret.)
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: Damn Winforms.dll ! - For sUBs

Download AVG Anti-Spyware saving the installation file to your desktop.
( This is a 30 day trial of the program )
http://www.majorgeeks.com/AVG_Anti-Spyware_d5287.html

Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the "Update" icon, then Next, then the "Start Update" button; the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under How to scan?
All checkboxes should be ticked.
Under "Reports" Select "Automatically generate report after every scan" Also, Un-Select "Only if threats were found".
Under What to scan?
Select Scan every file
Now close AVG Anti-Spyware and proceed to the next set of instructions.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then press ENTER.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:

Now launch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".

AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:

If you have any infections you will be prompted; when prompted select Next, then select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
__________________
Eddy
Old 10-19-2007, 03:04 AM   #11 (permalink)
I helped the forums.
 
Join Date: Oct 2007
Location: Scotland
Posts: 33
OS: XP Pro SP2


Re: Damn Winforms.dll ! - For sUBs

Quote:
Originally Posted by Pancake View Post
What is the full path to the file that Spysweeper is showing ?
It doesn't show a path - only an 'infection name' and the status report

Quote:
Originally Posted by Pancake View Post
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.
ComboFix 07-10-14.5 - Administrator 2007-10-19 9:55:35.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1679 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\LYLOADER.EXE
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\MSDEG32.DLL
.

((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 )))))))))))))))))))))))))))))))
.

2007-10-18 09:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-15 17:13 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-10-15 15:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-15 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-15 14:56 <DIR> d-------- C:\Deckard
2007-10-15 10:38 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-15 10:19 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-15 10:04 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-10-15 10:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-15 08:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-12 09:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-12 09:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-12 09:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-12 09:43 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-10-12 09:43 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-12 09:43 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-12 09:42 <DIR> d-------- C:\Program Files\Webroot
2007-10-12 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-12 09:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-10-12 09:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-10-12 09:42 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-10-12 09:36 164 --a------ C:\install.dat
2007-10-10 16:24 <DIR> d-------- C:\WINDOWS\pss
2007-10-05 10:15 34,304 --a------ C:\WINDOWS\system32\SHQ.DLL
2007-10-05 10:15 20 --a------ C:\WINDOWS\system32\mhsha1.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-19 08:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MailWasherPro
2007-10-19 08:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MailWasherPro
2007-10-18 09:12 --------- d-----w C:\Program Files\Google
2007-10-17 10:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2007-10-17 10:44 --------- d-----w C:\Program Files\EPSON
2007-10-17 08:47 --------- d-----w C:\Program Files\Iomega
2007-10-16 10:49 --------- d-----w C:\Program Files\Sage Payroll
2007-10-16 10:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 08:40 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-10-04 11:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-10-04 11:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-09-24 09:03 --------- d-----w C:\Program Files\Lx_cats
2007-09-13 13:56 --------- d-----w C:\Documents and Settings\Administrator\Application Data\EPSON
2007-09-13 13:56 --------- d-----w C:\Documents and Settings\Administrator\Application Data\EPSON
2007-09-13 13:51 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-13 13:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\UDL
2007-09-13 13:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2007-09-13 13:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2007-08-22 12:55 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2006-09-01 10:01 5,415,101 ----a-w C:\Program Files\Bolshan July'06 .001
2005-05-11 22:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot_2007-10-17_ 9.06.30.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 07:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2007-10-17 08:04:37 40,196 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-19 08:09:38 40,196 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-17 08:04:37 311,934 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-19 08:09:38 311,934 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 15:22]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 15:19]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 15:23]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 18:07 C:\WINDOWS\system32\hdashcut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-03-08 13:26 C:\WINDOWS\RTHDCPL.EXE]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2005-10-04 23:23]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 19:01]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2001-12-20 01:59]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-12-20 09:42]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" []
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 14:30]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 10:55]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 16:01]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
MailWasherPro.lnk - C:\Program Files\MailWasher\MailWasher.exe [2006-08-28 18:42:52]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
MailWasherPro.lnk - C:\Program Files\MailWasher\MailWasher.exe [2006-08-28 18:42:52]

R0 iomdisk;Iomega Devices Disk Filter Services;C:\WINDOWS\system32\DRIVERS\iomdisk.sys
R0 ppa3;Iomega Parallel Port Legacy Filter Driver;C:\WINDOWS\system32\DRIVERS\ppa3.sys
R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
S4 1E3F603C;1E3F603C;C:\WINDOWS\system32\80FEE47E.EXE -k

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b039e569-c0d1-11db-a5fc-0017a4401193}]
AutoRun\command - E:\setupSNK.exe

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 09:56:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-19 9:57:13
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:58:46, on 19/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PTHOSTTR] "C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" /Start
O4 - HKLM\..\Run: [SetRefresh] "C:\Program Files\Compaq\SetRefresh\SetRefresh.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] "C:\Program Files\Logitech\iTouch\iTouch.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
O4 - HKLM\..\Run: [Iomega Drive Icons] "C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"
O4 - HKLM\..\Run: [Deskup] "C:\Program Files\Iomega\DriveIcons\deskup.exe" /IMGSTART
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher\MailWasher.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1192439035062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4574 bytes
LYT4X is offline  
Old 10-19-2007, 04:17 AM   #12 (permalink)
I helped the forums.
 
Join Date: Oct 2007
Location: Scotland
Posts: 33
OS: XP Pro SP2


Re: Damn Winforms.dll ! - For sUBs

Quote:
Originally Posted by Pancake View Post
Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:07:50 19/10/2007

+ Scan result:



C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP250\A0056835.DLL -> Downloader.Delf.cid : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@amazonms.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@blacks.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@brora.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@carphonewarehouse.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@digitalclarity.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@epson.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@heavenlytreasures.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ice.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@jewelrytelevision.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@marketlive.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@marksandspencer.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@opodo.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@plumbworldltd.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@preferredhotelgroup.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@snapfish.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@viator.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@bfast[1].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@connextra[2].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6walygiajkcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wbkiehd5cho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wck4sicpmhp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfkosicjago.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfkoupdpslp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wflismdzsdp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfmialcjilo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjlokmazwfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjmikodzwfo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@estat[1].txt -> TrackingCookie.Estat : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-autotrader.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-bbc.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-bestwestern.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-carphonewarehouse.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-debenhams.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-gucciamericainc.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-hsamuel.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-jgdreamarts.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-littlewoods.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-mastercard.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-nokiafin.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-penguingroupusa.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-quiksilver.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-samsungrussia.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-tiscover.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-totalsystemsservices.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-venda.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-warnerbrothers.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-zoom.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@searchportal.information[2].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@intelli-direct[1].txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.intelli-tracker[1].txt -> TrackingCookie.Intelli-tracker : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@search.live[1].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@server.lon.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@oewabox[1].txt -> TrackingCookie.Oewabox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@guide.real[1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@real[1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@realguide.real[1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@webstat[2].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP250\A0056819.exe -> Trojan.OnLineGames.dvu : Cleaned.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP250\A0056828.exe -> Trojan.OnLineGames.dvu : Cleaned.
C:\WINDOWS\system32\k11753574211.exe -> Trojan.OnLineGames.dvu : Cleaned.
C:\WINDOWS\system32\k11753703821.exe -> Trojan.OnLineGames.dvu : Cleaned.
C:\qoobox\Quarantine\C\WINDOWS\system32\k11915973541.exe.vir -> Trojan.OnLineGames.dvu : Cleaned.
C:\qoobox\Quarantine\C\WINDOWS\system32\k11919358201.exe.vir -> Trojan.OnLineGames.dvu : Cleaned.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP250\A0056818.exe -> Trojan.OnLineGames.edd : Cleaned.
C:\qoobox\Quarantine\C\WINDOWS\system32\k11915816436.exe.vir -> Trojan.OnLineGames.edd : Cleaned.


::Report end
LYT4X is offline  
Old 10-19-2007, 04:21 AM   #13 (permalink)
Security Team (ret.)
 
Pancake's Avatar
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: Damn Winforms.dll ! - For sUBs

Everything looks ok now, but without knowing the path to that file I have no way of removing it. Did you run AVG??
__________________
Eddy
Pancake is offline  
Old 10-19-2007, 04:25 AM   #14 (permalink)
I helped the forums.
 
Join Date: Oct 2007
Location: Scotland
Posts: 33
OS: XP Pro SP2


Re: Damn Winforms.dll ! - For sUBs

Quote:
Originally Posted by Pancake View Post
Everything looks ok now, but without knowing the path to that file I have no way of removing it. Did you run AVG??
http://www.techsupportforum.com/secu...ml#post1130048
LYT4X is offline  
Old 10-22-2007, 02:51 AM   #15 (permalink)
I helped the forums.
 
Join Date: Oct 2007
Location: Scotland
Posts: 33
OS: XP Pro SP2


Re: Damn Winforms.dll ! - For sUBs

No reply to the above so here is another scan (today).

OnLineGames just keeps coming back. This PC hasn't been used for days.



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:07:50 19/10/2007

+ Scan result:



C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP250\A0056835.DLL -> Downloader.Delf.cid : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@amazonms.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@blacks.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@brora.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@carphonewarehouse.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@digitalclarity.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@epson.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@heavenlytreasures.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ice.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@jewelrytelevision.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@marketlive.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@marksandspencer.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@opodo.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@plumbworldltd.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@preferredhotelgroup.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@snapfish.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@viator.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@bfast[1].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@connextra[2].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6walygiajkcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wbkiehd5cho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wck4sicpmhp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfkosicjago.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfkoupdpslp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wflismdzsdp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfmialcjilo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjlokmazwfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjmikodzwfo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@estat[1].txt -> TrackingCookie.Estat : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-autotrader.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-bbc.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-bestwestern.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-carphonewarehouse.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-debenhams.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-gucciamericainc.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-hsamuel.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-jgdreamarts.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-littlewoods.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-mastercard.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-nokiafin.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-penguingroupusa.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-quiksilver.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-samsungrussia.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-tiscover.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-totalsystemsservices.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-venda.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-warnerbrothers.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-zoom.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@searchportal.information[2].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@intelli-direct[1].txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.intelli-tracker[1].txt -> TrackingCookie.Intelli-tracker : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@search.live[1].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@server.lon.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@oewabox[1].txt -> TrackingCookie.Oewabox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@guide.real[1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@real[1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@realguide.real[1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@webstat[2].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP250\A0056819.exe -> Trojan.OnLineGames.dvu : Cleaned.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP250\A0056828.exe -> Trojan.OnLineGames.dvu : Cleaned.
C:\WINDOWS\system32\k11753574211.exe -> Trojan.OnLineGames.dvu : Cleaned.
C:\WINDOWS\system32\k11753703821.exe -> Trojan.OnLineGames.dvu : Cleaned.
C:\qoobox\Quarantine\C\WINDOWS\system32\k11915973541.exe.vir -> Trojan.OnLineGames.dvu : Cleaned.
C:\qoobox\Quarantine\C\WINDOWS\system32\k11919358201.exe.vir -> Trojan.OnLineGames.dvu : Cleaned.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP250\A0056818.exe -> Trojan.OnLineGames.edd : Cleaned.
C:\qoobox\Quarantine\C\WINDOWS\system32\k11915816436.exe.vir -> Trojan.OnLineGames.edd : Cleaned.


::Report end


AVG keeps reporting that it has cleaned this trojan, but it will come back again on restart.
Old 10-22-2007, 03:00 AM   #16
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,480
OS: N/A

Re: Damn Winforms.dll ! - For sUBs

Please delete your existing copy of ComboFix. There's an updated copy here :> http://download.bleepingcomputer.com...a/ComboFix.exe

For the moment, ComboFix's log is all that I require
__________________

Question - what have you done for the community today?
Old 10-22-2007, 04:11 AM   #17
LYT4X
I helped the forums.
Join Date: Oct 2007
Location: Scotland
Posts: 33
OS: XP Pro SP2

Re: Damn Winforms.dll ! - For sUBs

Hi sUBs

ComboFix 07-10-22.5 - Administrator 2007-10-22 1153.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1414 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 )))))))))))))))))))))))))))))))
.

2007-10-19 10:13 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-10-19 10:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-19 10:08 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-18 09:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-15 17:13 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-10-15 15:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-15 14:56 <DIR> d-------- C:\Deckard
2007-10-15 10:38 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-15 10:19 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-15 10:04 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-10-15 10:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-15 08:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-12 09:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-12 09:43 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-10-12 09:43 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-12 09:43 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-12 09:42 <DIR> d-------- C:\Program Files\Webroot
2007-10-12 09:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-10-12 09:42 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-10-12 09:36 164 --a------ C:\install.dat
2007-10-10 16:24 <DIR> d-------- C:\WINDOWS\pss
2007-10-05 10:15 34,304 --a------ C:\WINDOWS\system32\SHQ.DLL
2007-10-05 10:15 20 --a------ C:\WINDOWS\system32\mhsha1.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-22 09:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MailWasherPro
2007-10-18 09:12 --------- d-----w C:\Program Files\Google
2007-10-17 10:44 --------- d-----w C:\Program Files\EPSON
2007-10-17 08:47 --------- d-----w C:\Program Files\Iomega
2007-10-16 10:49 --------- d-----w C:\Program Files\Sage Payroll
2007-10-16 10:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 08:40 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-10-04 11:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-09-24 09:03 --------- d-----w C:\Program Files\Lx_cats
2007-09-13 13:56 --------- d-----w C:\Documents and Settings\Administrator\Application Data\EPSON
2007-09-13 13:51 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-13 13:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2007-08-22 12:55 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2006-09-01 10:01 5,415,101 ----a-w C:\Program Files\Bolshan July'06 .001
2005-05-11 22:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot_2007-10-17_ 9.06.30.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 0808 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 05:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2006-08-24 07:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2007-10-17 08:04:37 40,196 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-22 07:58:35 40,196 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-17 08:04:37 311,934 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-22 07:58:35 311,934 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-10-05 09:07:31 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-04-02 13:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 15:22]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 15:19]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 15:23]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 18:07 C:\WINDOWS\system32\hdashcut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-03-08 13:26 C:\WINDOWS\RTHDCPL.EXE]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2005-10-04 23:23]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 19:01]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2001-12-20 01:59]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-12-20 09:42]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" []
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 14:30]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 10:55]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 16:01]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
MailWasherPro.lnk - C:\Program Files\MailWasher\MailWasher.exe [2006-08-28 18:42:52]

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
S4 1E3F603C;1E3F603C;C:\WINDOWS\system32\80FEE47E.EXE -k

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b039e569-c0d1-11db-a5fc-0017a4401193}]
AutoRun\command - E:\setupSNK.exe

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 11:08:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-22 11:08:47
C:\ComboFix2.txt ... 2007-10-19 09:57
.
--- E O F ---
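What a helper does by eye on a log like the one above can be written down. The block below is an added example of that triage; it is my code, not ComboFix's, the forum's, or anything sUBs posted. It parses a constructed sample modelled on the log's "Files Created" and "Reg Loading Points" sections (the lines, dates and sizes in the sample are made up for the example) and flags the three things a reviewer would stop on: a service whose name and display name are the same 8-character hex token and whose image file is another hex token, an executable with a generated-looking name dropped into system32, and a MountPoints2 AutoRun command. The naming heuristics are my assumptions tuned to this thread's droppers, not a general malware detector.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of ComboFix's "Files Created" and
# "Reg Loading Points" sections. Modelled on the log posted above; the
# exact lines, dates and sizes here are made up for this example.
SAMPLE_LOG = r"""
2007-10-15 08:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-05 10:15 34,304 --a------ C:\WINDOWS\system32\SHQ.DLL
2007-10-05 10:15 20 --a------ C:\WINDOWS\system32\mhsha1.dat
2007-10-03 09:00 57,344 --a------ C:\WINDOWS\system32\k11753574211.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 15:22]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
S4 1E3F603C;1E3F603C;C:\WINDOWS\system32\80FEE47E.EXE -k

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b039e569-c0d1-11db-a5fc-0017a4401193}]
AutoRun\command - E:\setupSNK.exe
"""

# Line shapes ComboFix uses for the three entry types this triage looks at.
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?:<DIR>|[\d,]+)\s+\S+\s+(?P<path>.+)$")
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+)$")
AUTORUN_LINE = re.compile(r"^AutoRun\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)

# Naming heuristics (my assumptions, tuned to the droppers in this thread):
# an 8-character hex token, or "k" followed by a long run of digits.
HEX_TOKEN = re.compile(r"[0-9A-F]{8}", re.IGNORECASE)
HEX_FILE = re.compile(r"[0-9A-F]{8}\.(?:exe|dll|sys)", re.IGNORECASE)
K_DIGITS_FILE = re.compile(r"k\d{10,}\.exe", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str      # "file", "service" or "autorun"
    subject: str   # path, service name or autorun command
    reason: str


def basename(path: str) -> str:
    """Last path component, with trailing service arguments (e.g. ' -k') dropped."""
    tail = path.rsplit("\\", 1)[-1].split()
    return tail[0] if tail else ""


def looks_generated(filename: str) -> bool:
    """True for file names that match the random-name patterns above."""
    return bool(HEX_FILE.fullmatch(filename) or K_DIGITS_FILE.fullmatch(filename))


def triage(log_text: str) -> list[Finding]:
    """Return the entries of a ComboFix-style log that deserve a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SERVICE_LINE.match(line)
        if m:
            name, display, image = m.group("name"), m.group("display"), m.group("image")
            reasons = []
            if HEX_TOKEN.fullmatch(name):
                reasons.append("service name is an 8-character hex token")
            if display == name:
                reasons.append("display name just repeats the service name")
            if looks_generated(basename(image)):
                reasons.append("image file name looks generated")
            if reasons:
                findings.append(Finding("service", name, "; ".join(reasons)))
            continue

        m = FILE_LINE.match(line)
        if m:
            path = m.group("path")
            if "\\system32\\" in path.lower() and looks_generated(basename(path)):
                findings.append(Finding("file", path, "generated-looking name dropped into system32"))
            continue

        m = AUTORUN_LINE.match(line)
        if m:
            findings.append(Finding("autorun", m.group("cmd"),
                                    "MountPoints2 AutoRun command: runs when the drive is opened in Explorer"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.reason}")
```

Run as is, it reports three entries. The legitimate Spy Sweeper driver SSFS0BB9 is not flagged because its name is not pure hex and its display name is descriptive; the 1E3F603C service is flagged on all three counts, which is why a `Driver::` line in a CFScript is the natural next step for it. The heuristics are deliberately narrow: a name that is not random tells you nothing about the file, so entries such as SHQ.DLL still need a signature or hash check rather than a regex.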
Old 10-22-2007, 04:29 AM   #18
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,480
OS: N/A

Re: Damn Winforms.dll ! - For sUBs

There doesn't seem to be much to clean. Just some leftovers.

Open Notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\install.dat
C:\WINDOWS\system32\SHQ.DLL
C:\WINDOWS\system32\mhsha1.dat
Driver::
1E3F603C
Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display whether your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan


---------------


In your next post, please include fresh logs from:
  1. Online scan
  2. ComboFix's log
Old 10-22-2007, 04:29 AM   #19
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,480
OS: N/A


Re: Damn Winforms.dll ! - For sUBs

Do this after posting the required logs.

Please download this tool > System Repair Engineer
  1. Extract it to its own folder & double click SREng.exe to run it

  2. Select 'Smart Scan' & tick "Verify Digital Signatures"

  3. Click on the [Scan] button

  4. When finished, click on the [Save Reports] button & save the log to Desktop

  5. Attach the log in your next reply. Don't post it

Note: You may have to rename SREngLog.log to SREngLog.txt before attaching
Old 10-22-2007, 04:34 AM   #20
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,480
OS: N/A


Re: Damn Winforms.dll ! - For sUBs

Since you already have Webroot SpySweeper, it's okay to uninstall AVG. No point placing unnecessary demands on the machine's resources.
Copyright 2001 - 2009, Tech Support Forum