Strange program cause radio clips to play.

[Kokojo]

Hello. I recently got a new problem that causes some strange sounds to start on my computer.

By pressing control-alt-delete once, i can see a strange program called
x0d9es63esfe. I can't close it (if i do, it pop-ups back the instant afther)
Screenshot.
hxxp://img382.imageshack.us/img382/3452/41284460gy3.png

I can't find any trace of it in the computer by doing a research. There was another program : nxtscpd that i whipped out by researching. There was also a program called Nxtscpd.sys-3764b2b0.pf

When oppening nxtscpd with notepad, there was a header ''run with win32'' so i trashed it. (not deleted yet)
However, i was pretty sure win32 was not on my computer.

But i ran i research and this popped up...
hxxp://img519.imageshack.us/img519/8647/17696709rz0.png

The main problem the program x0d9es63esfe cause is a radio clip.
Sometimes it does 2 crikets sounds, sometimes it plays music for 4-5 seconds, then a guy says ''i hope you had fun at...'', and it can play about 6-7 others clips like that. I never heard of something like that. They all play for about 6-7 seconds before closing. It's really annoying, and each time it happens, my computer autoclicks on the desktop, so if i am playing a full-screen game it minimize and if i am on the internet, it clicks out of the window (blue borders of mozilla become light-blue)

Afther 1 hour or so, the program stops (not in the ctrl-alt-del menu anymore)

Here are all my logs, hope you can help.


Deckard's System Scanner v20071014.68
Run by Benjamin on 2008-06-28 14:02:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Benjamin.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:04 PM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afinding.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wserving.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Apple Keyboard Support\KbdMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\FRAPS\FRAPS\FRAPS.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Benjamin\Bureau\CHu tanner\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Benjamin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O18 - Protocol: intu-ir2007 - {52BAEC6B-9405-46F9-A131-6D50720A3CC4} - C:\Program Files\ImpotRapide 2007\ic2007pp.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: perfmons - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe

--
End of file - 5824 bytes

-- Files created between 2008-05-28 and 2008-06-28 -----------------------------

2008-06-28 13:43:17 0 d-------- C:\Documents and Settings\LocalService\Application Data\Real
2008-06-28 12:58:37 0 d-------- C:\WINDOWS\LastGood
2008-06-27 02:04:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-21 13:00:53 0 d-------- C:\Documents and Settings\Benjamin\Application Data\mIRC
2008-06-17 2127 0 d-------- C:\Program Files\CamStudio
2008-06-02 16:35:05 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-05-31 15:10:50 20480 --a------ C:\WINDOWS\spasm.dll
2008-05-29 21:11:10 0 d--hs---- C:\FOUND.032


-- Find3M Report ---------------------------------------------------------------

2008-06-27 22:38:20 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-05-13 15:42:28 0 d-------- C:\Program Files\Java
2008-05-13 15:42:02 0 d-------- C:\Program Files\Fichiers communs\Java
2008-05-12 21:30:36 0 d-------- C:\Program Files\uTorrent
2008-05-08 20:29:04 0 d-------- C:\Program Files\Softnyx
2008-05-08 16:12:52 370036 --a------ C:\WINDOWS\system32\perfh00C.dat
2008-05-08 16:12:52 49346 --a------ C:\WINDOWS\system32\perfc00C.dat
2008-05-07 18:24:50 0 d-------- C:\Program Files\Trend Micro
2008-05-04 12:03:24 2968 --a------ C:\WINDOWS\mozver.dat
2008-05-04 12:03:24 0 d-------- C:\Program Files\Panda Security
2008-04-28 21:20:52 6891077 --ahs---- C:\WINDOWS\system32\tsohsvs.dat
2008-04-10 16:44:22 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleTime"="C:\WINDOWS\system32\AppleTime.exe" [07/14/2006 05:18 PM]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [09/26/2006 05:17 PM]
"Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [10/24/2006 05:38 PM]
"SigmatelSysTrayApp"="sttray.exe" []
"BluetoothAuthenticationAgent"="rundll32.exe" [08/05/2004 12:00 PM C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/05/2004 12:00 PM]
"Fraps"="C:\FRAPS\FRAPS\FRAPS.EXE" [07/12/2007 03:15 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-06-28 14:03:16 ------------

When trying to upload extra.txt i got this error :
You have already attached this file in thread : Constant window minimising/tab

So i got in the .txt and added a space at the begining. Seems that the 2 logs are the same...

Thanks for your help.

[Kokojo]

Bump

New folders have been spotted then deleted, but i still have to select the folders, go look for the main application, delete that application (.sys) each time i restart. For now i got dp0eosf running.

[Kokojo]

Re-bump.

I am able to delete the folders at start, but they come back each restart.
Notably : cewxfst.sys xwxfst.sys but they come back..

[tetonbob]

Hello and Welcome. Apologies for any delay in replying, but we have been rather busy lately.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

If you're not receiving help elsewhere, and still require assistance for this issue, and since it has been a few days since you first posted, please do this:

Please run Deckard's System Scanner once again, this time using these instructions(this assumes DSS is on your Desktop!):

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK

"%userprofile%\desktop\dss.exe" /config

Click on "Check All"

Click Scan!

When finished, it shall produce two logs for you. Post those logs in your next reply.

---------------------------------------------------------------------------------------------

I see no evidence of an AntiVirus program on your system. This must be resolved. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.

We will address this during the course of this fix.

[Kokojo]

Sorry i could't reply before, i was gone out for the weekend.

"%userprofile%\desktop\dss.exe" /config din't work in run.exe, as i get a location error while trying to run that while dss.exe is on the desktop. (Desktop is not a valid location?)

I think that i might have moved an important file, but as far as i remember dss.exe came alone.

Thanks for your help and i shall await for further instructions.

[tetonbob]

Hmmm, non-English OS. Bureau is Desktop

This is where your log shows DSS to be:

C:\Documents and Settings\Benjamin\Bureau\CHu tanner\dss.exe

If it's still there, run the command as so:

"C:\Documents and Settings\Benjamin\Bureau\CHu tanner\dss.exe" /config

The quotes must be included.

Or....use the Browse button on the Run box to navigate to the file, dss.exe and add <space>/config to the end of the file path.

[Kokojo]

Totally forgotten about language so i moved back dss in the folder and ran dss full checked.

Main.txt is here and extra.txt is attached.

Thanks for your patience.

Note : The virus were NOT active at the start of the computer this time (i really don't know why, but it does that from time to time)

Deckard's System Scanner v20071014.68
Run by Benjamin on 2008-07-14 20:11:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
39: 2008-07-15 00:11:15 UTC - RP227 - Deckard's System Scanner Restore Point
38: 2008-07-14 01:48:20 UTC - RP226 - Point de vérification système
37: 2008-07-09 19:14:58 UTC - RP225 - Software Distribution Service 3.0
36: 2008-07-07 19:05:32 UTC - RP224 - Point de vérification système
35: 2008-07-07 22:15:33 UTC - RP223 - Point de vérification système


-- First Restore Point --
1: 2008-04-23 00:14:59 UTC - RP189 - Point de vérification système


Performed disk cleanup.



-- HijackThis (run as Benjamin.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:27 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afinding.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Apple Keyboard Support\KbdMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\FRAPS\FRAPS\FRAPS.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svshost.exe
C:\Documents and Settings\Benjamin\Bureau\d2hackmap_v2.10_lite\d2hackmap.exe
C:\WINDOWS\system32\cmd.exe
C:\DOCUME~1\Benjamin\LOCALS~1\APPLIC~1\d2hackmap.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Benjamin\Bureau\CHu tanner\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Benjamin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - (no file)
O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\system32\svshost.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O18 - Protocol: intu-ir2007 - {52BAEC6B-9405-46F9-A131-6D50720A3CC4} - C:\Program Files\ImpotRapide 2007\ic2007pp.dll
O20 - Winlogon Notify: svshost - C:\WINDOWS\SYSTEM32\svshost.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: perfmons - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 4987 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080509-155935-509 O20 - Winlogon Notify: svshost - svshost.dll (file missing)
backup-20080514-180411-900 O16 - DPF: {343CE214-9998-4B21-A151-FFE970167297} - http://xscanner.spyshredderscanner.c...up/webinst.cab
backup-20080629-002351-847 O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe
backup-20080629-002731-736 O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe
backup-20080629-003332-169 O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
backup-20080629-003332-949 O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)
backup-20080629-003737-496 O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
backup-20080629-003737-311 O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
backup-20080629-003737-133 O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
backup-20080629-003737-400 O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
backup-20080705-115716-131 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080705-115716-232 O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
backup-20080705-115803-460 O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
backup-20080705-115803-275 O23 - Service: perfmons - Unknown owner - C:\WINDOWS\system32\perfs.exe
backup-20080706-115226-635 O23 - Service: perfmons - Unknown owner - C:\WINDOWS\system32\perfs.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 oreans32 - c:\windows\system32\drivers\oreans32.sys
R2 KeyAgent - c:\windows\system32\drivers\keyagent.sys <Not Verified; Apple Computer, Inc.; Key Magic>
R2 keymagic (USB Keyboard HID Filter) - c:\windows\system32\drivers\keymagic.sys <Not Verified; Apple Computer, Inc.; Key Magic>
R3 StartupDiskDriver - c:\windows\system32\drivers\startupdiskdriver.sys <Not Verified; Apple Computer, Inc.; Startup Disk Driver>

S3 catchme - c:\docume~1\benjamin\locals~1\temp\catchme.sys (file missing)
S3 CEDRIVER53 - c:\program files\cheat engine\dbk32.sys
S3 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AFinding (AFinding Service) - c:\windows\system32\afinding.exe
R2 perfmons - c:\windows\system32\perfs.exe
R2 Routing (Routing Service) - c:\windows\system32\routing.exe
R2 STacSV (SigmaTel Audio Service) - c:\windows\system32\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>

S4 NOBICYT - c:\windows\system32\nobicyt.exe (file missing)
S4 WServing (WServing Service) - c:\windows\system32\wserving.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\APP0002\A
Manufacturer:
Name:
PNP Device ID: ACPI\APP0002\A
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Device
Device ID: PCI\VEN_8086&DEV_27A3&SUBSYS_00000000&REV_03\3&B1BFB68&0&38
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_8086&DEV_27A3&SUBSYS_00000000&REV_03\3&B1BFB68&0&38
Service:

Class GUID: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
Description: Périphérique d'interface utilisateur USB
Device ID: USB\VID_05AC&PID_8240\5&12F9C752&0&2
Manufacturer: (Périphériques système standard)
Name: Périphérique d'interface utilisateur USB
PNP Device ID: USB\VID_05AC&PID_8240\5&12F9C752&0&2
Service: HidUsb

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\APP0001\4&38462492&0
Manufacturer:
Name:
PNP Device ID: ACPI\APP0001\4&38462492&0
Service:


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 980)
2006-09-26 16:48:34 61440 --a------ C:\WINDOWS\system32\ati2evxx.dll <Not Verified; ATI Technologies Inc.; ATI External Event Utility for NT, W2K and W9X>

C:\WINDOWS\explorer.exe (pid 1736)
2007-07-12 03:12:34 163840 --a------ C:\Fraps\Fraps\fraps.dll <Not Verified; Beepa P/L; FRAPS>
2006-11-21 11:00:00 5120 --a------ C:\Program Files\WinZip\WZSHLSTB.DLL <Not Verified; WinZip Computing LP; WinZip>
2007-05-22 10:59:22 128512 --a------ C:\Program Files\WinRAR\RarExt.dll
2006-12-22 12:28:14 271360 --a------ C:\WINDOWS\system32\mscoree.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2003-02-20 19:09:34 253952 --a------ C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\shfusion.dll <Not Verified; Microsoft Corporation; Microsoft .NET Framework>
2008-04-10 16:44:22 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-01-13 03:00:50 65536 --ahs---- C:\WINDOWS\system32\svshost.dll

C:\WINDOWS\system32\rundll32.exe (pid 1908)
2007-07-12 03:12:34 163840 --a------ C:\Fraps\Fraps\fraps.dll <Not Verified; Beepa P/L; FRAPS>
2007-01-13 03:00:50 65536 --ahs---- C:\WINDOWS\system32\svshost.dll


-- Files created between 2008-06-14 and 2008-07-14 -----------------------------

2008-07-09 20:16:56 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-07 13:19:07 0 d-------- C:\Documents and Settings\Benjamin\Application Data\uTorrent
2008-07-02 21:50:00 0 d--hs---- C:\FOUND.033
2008-06-29 18:58:05 0 d-------- C:\Program Files\eXact
2008-06-29 18:58:02 0 d-------- C:\Program Files\Screen Savers
2008-06-29 13:21:43 0 d-------- C:\WINDOWS\pss
2008-06-28 13:43:17 0 d-------- C:\Documents and Settings\LocalService\Application Data\Real
2008-06-27 02:04:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-21 13:00:53 0 d-------- C:\Documents and Settings\Benjamin\Application Data\mIRC
2008-06-17 2127 0 d-------- C:\Program Files\CamStudio


-- Find3M Report ---------------------------------------------------------------

2008-07-14 20:09:58 6927853 --ahs---- C:\WINDOWS\system32\tsohsvs.dat
2008-07-14 17:48:46 113806 --a------ C:\WINDOWS\DIIUnin.dat
2008-07-14 12:10:48 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-05-08 16:12:52 370036 --a------ C:\WINDOWS\system32\perfh00C.dat
2008-05-08 16:12:52 49346 --a------ C:\WINDOWS\system32\perfc00C.dat
2008-05-04 12:03:24 2968 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleTime"="C:\WINDOWS\system32\AppleTime.exe" [07/14/2006 05:18 PM]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [09/26/2006 05:17 PM]
"Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [10/24/2006 05:38 PM]
"SigmatelSysTrayApp"="sttray.exe" []
"BluetoothAuthenticationAgent"="rundll32.exe" [08/05/2004 12:00 PM C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"svshost"="C:\WINDOWS\system32\svshost.exe" [01/13/2007 03:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fraps"="C:\FRAPS\FRAPS\FRAPS.EXE" [07/12/2007 03:15 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\svshost]
svshost.dll 01/13/2007 03:00 AM 65536 C:\WINDOWS\system32\svshost.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WServing"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec360b3c-a2b1-11db-b309-806d6172696f}]
AutoRun\command- D:\SETUP.EXE




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8300 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-14 20:12:01 ------------

[tetonbob]

Good, now we can get to work.

In the case that you have used ComboFix before and still have it, I need you to delete it from your system, and follow these instructions on it's use:

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

When it comes to that part of the procedure, be sure to use the package correct for the language of your OS.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

If you have any questions along the way, STOP and ask them before proceeding.

[Kokojo]

Heres my log and combofix in attached files.
I changed Hijackthis.log to hijackthis.txt because it said invalid file.
Thanks for your patience.

ComboFix 08-07-14.2 - Benjamin 2008-07-14 20:47:16.2 - FAT32x86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.594 [GMT -4:00]
Endroit: C:\Documents and Settings\Benjamin\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Benjamin\Bureau\WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\svshost.dll
C:\WINDOWS\system32\svshost.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Legacy_WSERVING
-------\Service_AFinding
-------\Service_perfmons
-------\Service_Routing
-------\Service_WServing


((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-06-15 to 2008-07-15 ))))))))))))))))))))))))))))))))))))
.

2008-07-09 20:16 . 2008-07-09 20:16 <REP> d-------- C:\Temp\ext18866
2008-07-09 20:16 . 2008-07-09 20:16 <REP> d-------- C:\Program Files\Microsoft Silverlight
2008-07-02 21:50 . 2008-07-02 21:50 <REP> d--hs---- C:\FOUND.033
2008-06-29 18:58 . 2008-06-29 18:58 <REP> d-------- C:\Program Files\Screen Savers
2008-06-29 18:58 . 2008-06-29 18:58 <REP> d-------- C:\Program Files\eXact
2008-06-21 13:00 . 2008-06-21 13:00 <REP> d-------- C:\Documents and Settings\Benjamin\Application Data\mIRC
2008-06-17 21:06 . 2008-06-17 21:06 <REP> d-------- C:\Program Files\CamStudio

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 22:38 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-14 22:38 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-14 18:18 137,472 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-14 18:18 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-06-28 20:40 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-06-20 17:41 247,808 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 247,808 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 17:59 272,768 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 17:59 272,768 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 20:35 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:15 1,293,824 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:15 1,293,824 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-17 10:52 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2002-06-10 21:30 7,175,689 ----a-w C:\Program Files\SC4_E3_hi.mov
1997-02-17 10:37 171,520 ----a-w C:\Program Files\CNCS32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-07_18.11.51.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-23 04:56:22 554,008 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll
+ 2007-12-10 12:41:12 518,944 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll
+ 2007-12-10 12:41:12 326,432 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll
+ 2007-12-10 12:41:12 1,516,568 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll
+ 2007-12-10 12:41:12 355,112 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll
+ 2008-03-25 06:56:32 194,144 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll
+ 2007-12-10 12:41:12 60,192 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll
+ 2007-12-10 12:41:12 248,608 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll
+ 2007-12-10 12:41:12 219,936 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll
+ 2007-12-10 12:41:12 355,104 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll
+ 2007-12-10 12:41:14 432,928 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll
+ 2007-12-10 12:41:14 322,336 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll
+ 2007-12-10 12:41:14 559,904 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll
+ 2007-12-10 12:41:14 264,992 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll
+ 2007-12-10 12:41:14 838,432 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll
+ 2007-11-01 05:15:28 621,344 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll
+ 2007-12-10 12:41:14 355,104 ------w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll
+ 2007-03-06 01:34:34 15,072 ------w C:\WINDOWS\$hf_mig$\KB950749\spmsg.dll
+ 2007-03-06 01:34:38 216,800 ------w C:\WINDOWS\$hf_mig$\KB950749\spuninst.exe
+ 2007-03-06 01:34:32 22,752 ------w C:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll
+ 2007-03-06 01:34:56 727,776 ------w C:\WINDOWS\$hf_mig$\KB950749\update\update.exe
+ 2007-03-06 01:35:48 394,976 ------w C:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll
+ 2008-04-21 06:57:16 1,024,512 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\browseui.dll
+ 2008-04-21 06:57:16 152,064 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\cdfview.dll
+ 2008-04-21 06:57:18 1,056,768 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\danim.dll
+ 2008-04-21 06:57:18 357,888 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\dxtmsft.dll
+ 2008-04-21 06:57:18 205,312 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\dxtrans.dll
+ 2008-04-21 06:57:18 55,808 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\extmgr.dll
+ 2008-04-17 10:47:00 18,432 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\iedw.exe
+ 2008-04-21 06:57:18 251,904 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\iepeers.dll
+ 2008-04-21 06:57:18 96,768 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\inseng.dll
+ 2008-04-21 06:57:18 16,384 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\jsproxy.dll
+ 2008-04-21 06:57:22 3,087,872 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\mshtml.dll
+ 2008-04-21 06:57:22 449,024 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\mshtmled.dll
+ 2008-04-21 06:57:24 146,432 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\msrating.dll
+ 2008-04-21 06:57:24 532,480 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\mstime.dll
+ 2008-04-21 06:57:24 39,424 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\pngfilt.dll
+ 2008-04-21 06:57:26 1,499,648 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\shdocvw.dll
+ 2008-04-21 06:57:26 474,624 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\shlwapi.dll
+ 2008-04-17 11:03:46 370,176 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\spru040c.dll
+ 2008-04-21 06:57:26 620,544 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\urlmon.dll
+ 2008-04-21 06:57:28 670,720 ------w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\wininet.dll
+ 2008-04-21 06:43:36 3,087,872 ------w C:\WINDOWS\$hf_mig$\KB950759\SP3GDR\mshtml.dll
+ 2008-04-21 06:43:36 670,208 ------w C:\WINDOWS\$hf_mig$\KB950759\SP3GDR\wininet.dll
+ 2008-04-21 06:30:24 3,088,384 ------w C:\WINDOWS\$hf_mig$\KB950759\SP3QFE\mshtml.dll
+ 2008-04-21 06:30:24 670,720 ------w C:\WINDOWS\$hf_mig$\KB950759\SP3QFE\wininet.dll
+ 2007-11-30 11:19:06 18,296 ------w C:\WINDOWS\$hf_mig$\KB950759\spmsg.dll
+ 2007-11-30 11:19:06 234,872 ------w C:\WINDOWS\$hf_mig$\KB950759\spuninst.exe
+ 2007-11-30 11:19:06 26,488 ------w C:\WINDOWS\$hf_mig$\KB950759\update\spcustom.dll
+ 2007-11-30 12:39:30 767,352 ------w C:\WINDOWS\$hf_mig$\KB950759\update\update.exe
+ 2007-11-30 12:39:32 406,392 ------w C:\WINDOWS\$hf_mig$\KB950759\update\updspapi.dll
+ 2007-11-30 12:39:30 18,296 ------w C:\WINDOWS\$hf_mig$\KB950760\spmsg.dll
+ 2007-11-30 12:39:30 234,872 ------w C:\WINDOWS\$hf_mig$\KB950760\spuninst.exe
+ 2007-11-30 12:39:30 26,488 ------w C:\WINDOWS\$hf_mig$\KB950760\update\spcustom.dll
+ 2007-11-30 12:39:30 767,352 ------w C:\WINDOWS\$hf_mig$\KB950760\update\update.exe
+ 2007-11-30 12:39:32 406,392 ------w C:\WINDOWS\$hf_mig$\KB950760\update\updspapi.dll
+ 2008-05-08 12:14:52 203,008 ------w C:\WINDOWS\$hf_mig$\KB950762\SP2QFE\rmcast.sys
+ 2008-05-08 14:02:52 203,136 ------w C:\WINDOWS\$hf_mig$\KB950762\SP3GDR\rmcast.sys
+ 2008-05-08 13:58:18 203,136 ------w C:\WINDOWS\$hf_mig$\KB950762\SP3QFE\rmcast.sys
+ 2007-11-30 12:39:30 18,296 ------w C:\WINDOWS\$hf_mig$\KB950762\spmsg.dll
+ 2007-11-30 12:39:30 234,872 ------w C:\WINDOWS\$hf_mig$\KB950762\spuninst.exe
+ 2007-11-30 12:39:30 26,488 ------w C:\WINDOWS\$hf_mig$\KB950762\update\spcustom.dll
+ 2007-11-30 12:39:30 767,352 ------w C:\WINDOWS\$hf_mig$\KB950762\update\update.exe
+ 2007-11-30 12:39:32 406,392 ------w C:\WINDOWS\$hf_mig$\KB950762\update\updspapi.dll
+ 2008-04-14 16:17:04 272,768 ------w C:\WINDOWS\$hf_mig$\KB951376\SP2QFE\bthport.sys
+ 2008-04-14 15:59:30 272,768 ------w C:\WINDOWS\$hf_mig$\KB951376\SP3GDR\bthport.sys
+ 2008-04-14 16:22:06 272,768 ------w C:\WINDOWS\$hf_mig$\KB951376\SP3QFE\bthport.sys
+ 2007-11-30 11:19:06 18,296 ------w C:\WINDOWS\$hf_mig$\KB951376\spmsg.dll
+ 2007-11-30 11:19:06 234,872 ------w C:\WINDOWS\$hf_mig$\KB951376\spuninst.exe
+ 2007-11-30 11:19:06 26,488 ------w C:\WINDOWS\$hf_mig$\KB951376\update\spcustom.dll
+ 2007-11-30 11:19:06 767,352 ------w C:\WINDOWS\$hf_mig$\KB951376\update\update.exe
+ 2007-11-30 11:19:10 406,392 ------w C:\WINDOWS\$hf_mig$\KB951376\update\updspapi.dll
+ 2008-05-07 04:55:48 1,294,336 ------w C:\WINDOWS\$hf_mig$\KB951698\SP2QFE\quartz.dll
+ 2008-05-07 05:11:24 1,294,336 ------w C:\WINDOWS\$hf_mig$\KB951698\SP3GDR\quartz.dll
+ 2008-05-07 05:05:00 1,294,336 ------w C:\WINDOWS\$hf_mig$\KB951698\SP3QFE\quartz.dll
+ 2007-11-30 11:19:06 18,296 ------w C:\WINDOWS\$hf_mig$\KB951698\spmsg.dll
+ 2007-11-30 11:19:06 234,872 ------w C:\WINDOWS\$hf_mig$\KB951698\spuninst.exe
+ 2007-11-30 11:19:06 26,488 ------w C:\WINDOWS\$hf_mig$\KB951698\update\spcustom.dll
+ 2007-11-30 12:39:30 767,352 ------w C:\WINDOWS\$hf_mig$\KB951698\update\update.exe
+ 2007-11-30 12:39:32 406,392 ------w C:\WINDOWS\$hf_mig$\KB951698\update\updspapi.dll
+ 2004-08-05 11:00:00 561,179 ------w C:\WINDOWS\$NtUninstallKB950749$\dao360.dll
+ 2004-08-05 16:00:00 512,029 ------w C:\WINDOWS\$NtUninstallKB950749$\msexch40.dll
+ 2004-08-05 16:00:00 319,517 ------w C:\WINDOWS\$NtUninstallKB950749$\msexcl40.dll
+ 2004-08-05 16:00:00 1,507,356 ------w C:\WINDOWS\$NtUninstallKB950749$\msjet40.dll
+ 2004-08-05 16:00:00 358,976 ------w C:\WINDOWS\$NtUninstallKB950749$\msjetol1.dll
+ 2004-08-05 16:00:00 358,976 ------w C:\WINDOWS\$NtUninstallKB950749$\msjetoledb40.dll
+ 2004-08-05 16:00:00 184,351 ------w C:\WINDOWS\$NtUninstallKB950749$\msjint40.dll
+ 2004-08-05 16:00:00 53,279 ------w C:\WINDOWS\$NtUninstallKB950749$\msjter40.dll
+ 2004-08-05 16:00:00 241,693 ------w C:\WINDOWS\$NtUninstallKB950749$\msjtes40.dll
+ 2004-08-05 16:00:00 213,023 ------w C:\WINDOWS\$NtUninstallKB950749$\msltus40.dll
+ 2004-08-05 16:00:00 348,189 ------w C:\WINDOWS\$NtUninstallKB950749$\mspbde40.dll
+ 2004-08-05 16:00:00 421,919 ------w C:\WINDOWS\$NtUninstallKB950749$\msrd2x40.dll
+ 2004-08-05 16:00:00 315,423 ------w C:\WINDOWS\$NtUninstallKB950749$\msrd3x40.dll
+ 2004-08-05 16:00:00 552,989 ------w C:\WINDOWS\$NtUninstallKB950749$\msrepl40.dll
+ 2004-08-05 16:00:00 258,077 ------w C:\WINDOWS\$NtUninstallKB950749$\mstext40.dll
+ 2004-08-05 16:00:00 831,519 ------w C:\WINDOWS\$NtUninstallKB950749$\mswdat10.dll
+ 2004-08-05 16:00:00 614,429 ------w C:\WINDOWS\$NtUninstallKB950749$\mswstr10.dll
+ 2004-08-05 16:00:00 348,189 ------w C:\WINDOWS\$NtUninstallKB950749$\msxbde40.dll
+ 2007-03-06 01:34:38 216,800 ------w C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe
+ 2007-03-06 01:35:48 394,976 ------w C:\WINDOWS\$NtUninstallKB950749$\spuninst\updspapi.dll
+ 2008-02-16 09:02:34 1,024,000 ------w C:\WINDOWS\$NtUninstallKB950759$\browseui.dll
+ 2008-02-16 09:02:34 152,064 ------w C:\WINDOWS\$NtUninstallKB950759$\cdfview.dll
+ 2008-02-16 09:02:34 1,056,768 ------w C:\WINDOWS\$NtUninstallKB950759$\danim.dll
+ 2008-02-16 09:02:34 357,888 ------w C:\WINDOWS\$NtUninstallKB950759$\dxtmsft.dll
+ 2008-02-16 09:02:36 205,312 ------w C:\WINDOWS\$NtUninstallKB950759$\dxtrans.dll
+ 2008-02-16 09:02:36 55,808 ------w C:\WINDOWS\$NtUninstallKB950759$\extmgr.dll
+ 2008-02-15 09:23:38 18,432 ------w C:\WINDOWS\$NtUninstallKB950759$\iedw.exe
+ 2008-02-16 09:02:36 251,392 ------w C:\WINDOWS\$NtUninstallKB950759$\iepeers.dll
+ 2008-02-16 09:02:36 96,768 ------w C:\WINDOWS\$NtUninstallKB950759$\inseng.dll
+ 2008-02-16 09:02:36 16,384 ------w C:\WINDOWS\$NtUninstallKB950759$\jsproxy.dll
+ 2008-02-16 22:32:38 3,080,704 ------w C:\WINDOWS\$NtUninstallKB950759$\mshtml.dll
+ 2008-02-16 09:02:36 449,024 ------w C:\WINDOWS\$NtUninstallKB950759$\mshtmled.dll
+ 2008-02-16 09:02:38 146,432 ------w C:\WINDOWS\$NtUninstallKB950759$\msrating.dll
+ 2008-02-16 09:02:38 532,480 ------w C:\WINDOWS\$NtUninstallKB950759$\mstime.dll
+ 2008-02-16 09:02:38 39,424 ------w C:\WINDOWS\$NtUninstallKB950759$\pngfilt.dll
+ 2008-02-16 09:02:38 1,495,040 ------w C:\WINDOWS\$NtUninstallKB950759$\shdocvw.dll
+ 2008-02-16 09:02:38 474,624 ------w C:\WINDOWS\$NtUninstallKB950759$\shlwapi.dll
+ 2007-11-30 11:19:06 234,872 ------w C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe
+ 2007-11-30 12:39:32 406,392 ------w C:\WINDOWS\$NtUninstallKB950759$\spuninst\updspapi.dll
+ 2008-02-16 09:02:40 617,984 ------w C:\WINDOWS\$NtUninstallKB950759$\urlmon.dll
+ 2008-02-16 09:02:40 663,552 ------w C:\WINDOWS\$NtUninstallKB950759$\wininet.dll
+ 2008-02-15 23:03:14 370,176 ------w C:\WINDOWS\$NtUninstallKB950759$\xpsp3res.dll
+ 2007-11-30 12:39:30 234,872 ------w C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe
+ 2007-11-30 12:39:32 406,392 ------w C:\WINDOWS\$NtUninstallKB950760$\spuninst\updspapi.dll
+ 2006-07-13 07:48:58 202,240 ------w C:\WINDOWS\$NtUninstallKB950762$\rmcast.sys
+ 2007-11-30 12:39:30 234,872 ------w C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe
+ 2007-11-30 12:39:32 406,392 ------w C:\WINDOWS\$NtUninstallKB950762$\spuninst\updspapi.dll
+ 2004-08-04 04:40:30 274,944 ------w C:\WINDOWS\$NtUninstallKB951376$\bthport.sys
+ 2007-11-30 11:19:06 234,872 ------w C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe
+ 2007-11-30 11:19:10 406,392 ------w C:\WINDOWS\$NtUninstallKB951376$\spuninst\updspapi.dll
+ 2007-10-29 21:43:32 1,293,824 ------w C:\WINDOWS\$NtUninstallKB951698$\quartz.dll
+ 2007-11-30 11:19:06 234,872 ------w C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe
+ 2007-11-30 12:39:32 406,392 ------w C:\WINDOWS\$NtUninstallKB951698$\spuninst\updspapi.dll
- 2008-05-06 22:30:58 7,168 ----a-w C:\WINDOWS\assembly\GAC\IEExecRemote\1.0.5000.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-05-08 20:12:54 8,192 ----a-w C:\WINDOWS\assembly\GAC\IEExecRemote\1.0.5000.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2008-05-06 22:30:56 32,768 ----a-w C:\WINDOWS\assembly\GAC\IEHost\1.0.5000.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-05-08 20:12:56 32,768 ----a-w C:\WINDOWS\assembly\GAC\IEHost\1.0.5000.0__b03f5f7f11d50a3a\IEHost.dll
- 2008-05-06 22:30:54 716,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.JScript\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-05-08 20:13:00 720,896 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.JScript\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2008-05-06 22:30:54 299,008 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-05-08 20:12:56 299,008 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2008-05-06 22:30:58 32,768 ----a-w C:\WINDOWS\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a3a\RegCode.dll
+ 2008-05-08 20:12:58 32,768 ----a-w C:\WINDOWS\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a3a\RegCode.dll
- 2008-05-06 22:30:58 299,008 ----a-w C:\WINDOWS\assembly\GAC\System.Data.OracleClient\1.0.5000.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-05-08 20:12:58 303,104 ----a-w C:\WINDOWS\assembly\GAC\System.Data.OracleClient\1.0.5000.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2008-05-06 22:30:56 1,290,240 ----a-w C:\WINDOWS\assembly\GAC\System.Data\1.0.5000.0__b77a5c561934e089\System.Data.dll
+ 2008-05-08 20:12:58 1,294,336 ----a-w C:\WINDOWS\assembly\GAC\System.Data\1.0.5000.0__b77a5c561934e089\System.Data.dll
- 2008-05-06 22:30:56 1,699,840 ----a-w C:\WINDOWS\assembly\GAC\System.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-05-08 20:12:54 1,703,936 ----a-w C:\WINDOWS\assembly\GAC\System.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Design.dll
- 2008-05-06 22:30:56 86,016 ----a-w C:\WINDOWS\assembly\GAC\System.DirectoryServices\1.0.5000.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-05-08 20:13:00 90,112 ----a-w C:\WINDOWS\assembly\GAC\System.DirectoryServices\1.0.5000.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2008-05-06 22:30:56 466,944 ----a-w C:\WINDOWS\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-05-08 20:12:58 466,944 ----a-w C:\WINDOWS\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2008-05-06 22:30:56 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-05-08 20:12:56 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2008-05-06 22:30:56 64,000 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.Thunk.dll
+ 2008-05-08 20:12:56 66,560 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.Thunk.dll
- 2008-05-06 22:30:56 368,640 ----a-w C:\WINDOWS\assembly\GAC\System.Management\1.0.5000.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-05-08 20:12:58 372,736 ----a-w C:\WINDOWS\assembly\GAC\System.Management\1.0.5000.0__b03f5f7f11d50a3a\System.Management.dll
- 2008-05-06 22:30:56 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.Messaging\1.0.5000.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-05-08 20:13:00 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.Messaging\1.0.5000.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2008-05-06 22:30:56 323,584 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Remoting\1.0.5000.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-05-08 20:12:58 323,584 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Remoting\1.0.5000.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2008-05-06 22:30:56 131,072 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Serialization.Formatters.Soap\1.0.5000.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-05-08 20:12:56 131,072 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Serialization.Formatters.Soap\1.0.5000.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2008-05-06 22:30:56 77,824 ----a-w C:\WINDOWS\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-05-08 20:12:58 77,824 ----a-w C:\WINDOWS\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
- 2008-05-06 22:30:56 126,976 ----a-w C:\WINDOWS\assembly\GAC\System.ServiceProcess\1.0.5000.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-05-08 20:13:00 126,976 ----a-w C:\WINDOWS\assembly\GAC\System.ServiceProcess\1.0.5000.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2008-05-06 22:30:58 819,200 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Mobile\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2008-05-08 20:12:54 819,200 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Mobile\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2008-05-06 22:30:58 57,344 ----a-w C:\WINDOWS\assembly\GAC\System.Web.RegularExpressions\1.0.5000.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-05-08 20:12:56 57,344 ----a-w C:\WINDOWS\assembly\GAC\System.Web.RegularExpressions\1.0.5000.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2008-05-06 22:30:58 569,344 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Services\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-05-08 20:12:56 573,440 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Services\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2008-05-06 22:30:56 1,245,184 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-05-09 20:31:46 1,265,664 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2008-05-06 22:30:58 2,039,808 ----a-w C:\WINDOWS\assembly\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-05-08 20:12:56 2,052,096 ----a-w C:\WINDOWS\assembly\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
- 2008-05-06 22:30:58 1,335,296 ----a-w C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.Xml.dll
+ 2008-05-08 20:12:58 1,339,392 ----a-w C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
- 2008-05-06 22:30:56 1,216,512 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2008-05-09 20:31:46 1,232,896 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2008-05-09 20:31:52 61,440 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_33c12519\CustomMarshalers.dll
+ 2008-05-10 14:35:08 3,391,488 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_0bbf7074\mscorlib.dll
+ 2008-05-10 14:35:04 1,470,464 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_9a1e8d90\System.Design.dll
+ 2008-05-09 20:31:52 90,112 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_f27a9036\System.Drawing.Design.dll
+ 2008-05-10 14:35:06 835,584 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_84e17f5d\System.Drawing.dll
+ 2008-05-09 20:31:56 3,018,752 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_317f5daa\System.Windows.Forms.dll
+ 2008-05-10 14:35:02 2,088,960 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_e2483598\System.Xml.dll
+ 2008-05-09 20:31:50 1,966,080 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_c543bde5\System.dll
- 2007-12-11 02:07:26 112,989 ----a-w C:\WINDOWS\DIIUnin.dat
+ 2008-07-14 21:48:46 113,806 ----a-w C:\WINDOWS\DIIUnin.dat
+ 2008-06-14 17:59:52 272,768 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2008-05-07 09:09:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-08 20:22:12 5,165,056 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-05-08 20:22:12 1,277,952 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-07 09:09:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-08 20:21:54 5,165,056 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-05-08 20:21:56 1,277,952 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2000-08-31 12:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 12:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe
- 2008-03-12 23:00:18 29,926 ----a-r C:\WINDOWS\Installer\{BADF6744-3787-48F6-B8C9-4C4995401D65}\MsblIco.Exe
+ 2008-06-11 17:28:48 29,926 ----a-r C:\WINDOWS\Installer\{BADF6744-3787-48F6-B8C9-4C4995401D65}\MsblIco.Exe
- 2003-02-20 23:19:32 253,952 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2007-04-14 01:30:52 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2003-02-20 23:19:34 20,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe
+ 2004-07-15 05:49:18 20,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe
- 2003-02-20 23:19:38 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
+ 2004-07-15 05:49:26 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
- 2003-02-20 23:19:36 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2007-04-14 01:30:52 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2003-02-20 23:09:08 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2007-04-14 00:57:52 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2003-02-21 14:20:44 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe
+ 2004-07-15 15:23:28 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe
- 2003-02-21 14:21:00 626,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\cscomp.dll
+ 2004-07-15 15:23:44 626,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\cscomp.dll
- 2003-02-20 2320 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\fusion.dll
+ 2004-07-15 04:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\fusion.dll
+ 2003-10-08 18:30:14 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe
- 2003-02-21 11:24:38 7,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExecRemote.dll
+ 2004-07-15 18:31:00 8,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExecRemote.dll
- 2003-02-21 11:24:40 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEHost.dll
+ 2004-07-15 18:31:04 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEHost.dll
- 2003-02-20 23:09:40 196,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ilasm.exe
+ 2004-07-15 04:35:30 196,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ilasm.exe
- 2003-02-21 11:26:36 716,800 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.JScript.dll
+ 2004-07-15 18:28:58 720,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.JScript.dll
- 2003-02-21 11:26:38 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.dll
+ 2004-07-15 18:28:56 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.dll
- 2003-02-21 11:25:04 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPol.exe
+ 2004-07-15 18:28:50 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPol.exe
- 2003-02-21 11:25:04 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe
+ 2004-07-15 18:28:50 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe
- 2003-02-20 23:09:12 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbc.dll
+ 2004-07-15 04:32:44 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbc.dll
- 2003-02-20 23:09:12 233,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbi.dll
+ 2004-07-15 04:32:46 233,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbi.dll
- 2003-02-20 23:09:14 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2007-04-14 00:57:58 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2003-02-20 2332 311,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2007-04-14 00:56:30 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2003-02-20 23:09:16 98,304 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2007-04-14 00:58:00 102,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2003-02-21 11:26:34 2,088,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2007-04-14 00:50:46 2,142,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2003-02-20 23:09:18 143,360 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorrc.dll
+ 2004-07-15 04:33:22 143,360 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorrc.dll
- 2003-02-20 23:09:18 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsec.dll
+ 2004-07-15 04:33:24 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsec.dll
- 2003-02-20 23:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2007-04-14 00:58:02 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2003-02-20 23:07:34 2,494,464 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2007-04-14 00:57:00 2,523,136 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2003-02-20 23:08:32 2,482,176 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2007-04-14 00:57:28 2,514,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2007-01-15 20:11:26 73,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
- 2003-02-20 23:09:30 90,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\PerfCounter.dll
+ 2004-07-15 04:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\PerfCounter.dll
- 2003-02-21 11:26:46 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\RegCode.dll
+ 2004-07-15 18:28:48 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\RegCode.dll
+ 2004-07-15 05:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW304\_aspnet_isapi.dll
+ 2004-07-15 04:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW304\_CORPerfMonExt.dll
+ 2004-07-15 04:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW304\_fusion.dll
+ 2004-07-15 04:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW304\_mscorjit.dll
+ 2004-07-15 18:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW304\_mscorlib.dll
+ 2003-02-20 23:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW304\_mscorsn.dll
+ 2004-07-15 04:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW304\_mscorsvr.dll
+ 2004-07-15 04:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW304\_mscorwks.dll
+ 2003-02-21 08:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW304\_msvcr71.dll
+ 2004-07-15 04:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW304\_PerfCounter.dll
- 2003-02-20 23:09:34 319,488 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SOS.dll
+ 2004-07-15 04:35:04 319,488 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SOS.dll
- 2003-02-21 11:26:38 1,290,240 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.dll
+ 2004-07-15 18:32:00 1,294,336 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.dll
- 2003-02-21 11:25:42 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.OracleClient.dll
+ 2004-07-15 18:31:14 303,104 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.OracleClient.dll
- 2003-02-21 11:26:42 1,699,840 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Design.dll
+ 2004-07-15 18:29:02 1,703,936 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Design.dll
- 2003-02-21 11:26:44 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.DirectoryServices.dll
+ 2004-07-15 18:28:54 90,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.DirectoryServices.dll
- 2003-02-21 11:26:46 1,216,512 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2007-04-14 01:35:38 1,232,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2003-02-21 11:26:50 466,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll
+ 2004-07-15 18:28:58 466,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll
- 2003-02-21 11:26:50 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.dll
+ 2004-07-15 18:28:56 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.dll
- 2003-02-20 23:09:36 64,000 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.Thunk.dll
+ 2004-07-15 04:35:12 66,560 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.Thunk.dll
- 2003-02-21 11:26:52 368,640 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Management.dll
+ 2004-07-15 18:31:58 372,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Management.dll
- 2003-02-21 11:26:54 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Messaging.dll
+ 2004-07-15 18:31:12 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Messaging.dll
- 2003-02-21 11:26:56 323,584 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Remoting.dll
+ 2004-07-15 18:28:58 323,584 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Remoting.dll
- 2003-02-21 11:26:56 131,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Serialization.Formatters.Soap.dll
+ 2004-07-15 18:31:54 131,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Serialization.Formatters.Soap.dll
- 2003-02-21 11:26:58 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2004-07-15 18:28:52 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
- 2003-02-21 11:27:00 126,976 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.ServiceProcess.dll
+ 2004-07-15 18:28:54 126,976 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.ServiceProcess.dll
- 2003-02-21 11:27:02 1,245,184 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2007-04-14 01:35:46 1,265,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2003-02-21 11:27:06 819,200 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Mobile.dll
+ 2004-07-15 18:28:58 819,200 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Mobile.dll
- 2003-02-21 11:24:18 57,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.RegularExpressions.dll
+ 2004-07-15 18:28:52 57,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.RegularExpressions.dll
- 2003-02-21 11:27:06 569,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Services.dll
+ 2004-07-15 18:31:16 573,440 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Services.dll
- 2003-02-21 11:27:08 2,039,808 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll
+ 2004-07-15 18:32:02 2,052,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll
- 2003-02-21 11:27:10 1,335,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
+ 2004-07-15 18:29:00 1,339,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
+ 2004-06-22 17:51:38 53,248 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
- 2003-02-21 14:20:38 737,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vbc.exe
+ 2004-07-15 15:23:20 737,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vbc.exe
- 2003-02-21 09:04:18 1,032,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\VsaVb7rt.dll
+ 2004-07-15 12:15:14 1,032,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\VsaVb7rt.dll
- 2003-02-21 00:10:40 31,744 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\WMINet_Utils.dll
+ 2004-07-15 06:11:56 31,744 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\WMINet_Utils.dll
- 2000-08-31 12:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 12:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
+ 1998-04-24 15:37:44 20,480 ----a-w C:\WINDOWS\spasm.dll
+ 2004-08-05 16:00:00 196,096 ----a-w C:\WINDOWS\system32\atpsck.exe
+ 2004-08-05 16:00:00 182,272 ----a-w C:\WINDOWS\system32\axtpsck.exe
- 2008-02-16 09:02:34 1,024,000 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2008-04-21 07:02:28 1,024,000 ----a-w C:\WINDOWS\system32\browseui.dll
- 2008-02-16 09:02:34 152,064 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2008-04-21 07:02:28 152,064 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2004-08-05 16:00:00 15,360 ---ha-r C:\WINDOWS\system32\ctfmon2.exe
- 2008-02-16 09:02:34 1,056,768 ----a-w C:\WINDOWS\system32\danim.dll
+ 2008-04-21 07:02:28 1,056,768 ----a-w C:\WINDOWS\system32\danim.dll
- 2008-02-16 09:02:34 1,024,000 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-04-21 07:02:28 1,024,000 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2008-02-16 09:02:34 152,064 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2008-04-21 07:02:28 152,064 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2008-02-16 09:02:34 1,056,768 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2008-04-21 07:02:28 1,056,768 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
- 2004-08-05 11:00:00 561,179 ----a-w C:\WINDOWS\system32\dllcache\dao360.dll
+ 2008-03-25 04:50:26 554,008 ----a-w C:\WINDOWS\system32\dllcache\dao360.dll
- 2008-02-16 09:02:34 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-21 07:02:28 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-02-16 09:02:36 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-21 07:02:28 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-02-16 09:02:36 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-21 07:02:28 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-02-16 09:02:36 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-04-21 07:02:30 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2008-02-16 09:02:36 96,768 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-04-21 07:02:30 96,768 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2008-02-16 09:02:36 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-21 07:02:30 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2004-08-05 16:00:00 512,029 ----a-w C:\WINDOWS\system32\dllcache\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\dllcache\msexch40.dll
- 2004-08-05 16:00:00 319,517 ----a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
- 2008-02-16 22:32:38 3,080,704 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-04-21 07:02:34 3,080,704 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-02-16 09:02:36 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-21 07:02:34 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2004-08-05 16:00:00 1,507,356 ----a-w C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\dllcache\msjet40.dll
- 2004-08-05 16:00:00 358,976 ----a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
- 2004-08-05 16:00:00 184,351 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2008-03-25 04:51:08 194,144 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
- 2004-08-05 16:00:00 53,279 ----a-w C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\dllcache\msjter40.dll
- 2004-08-05 16:00:00 241,693 ----a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
- 2004-08-05 16:00:00 213,023 ----a-w C:\WINDOWS\system32\dllcache\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\dllcache\msltus40.dll
- 2004-08-05 16:00:00 348,189 ----a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
+ 2008-03-25 04:50:46 355,104 ----a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
- 2008-02-16 09:02:38 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-04-21 07:02:34 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2004-08-05 16:00:00 421,919 ----a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:48 432,928 ----a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
- 2004-08-05 16:00:00 315,423 ----a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:50 322,336 ----a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
- 2004-08-05 16:00:00 552,989 ----a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
- 2004-08-05 16:00:00 258,077 ----a-w C:\WINDOWS\system32\dllcache\mstext40.dll
+ 2008-03-25 04:50:56 264,992 ----a-w C:\WINDOWS\system32\dllcache\mstext40.dll
- 2008-02-16 09:02:38 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-21 07:02:36 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2004-08-05 16:00:00 831,519 ----a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2008-03-25 04:50:58 838,432 ----a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
- 2004-08-05 16:00:00 614,429 ----a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2008-03-25 04:51:10 621,344 ----a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
- 2004-08-05 16:00:00 348,189 ----a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
- 2008-02-16 09:02:38 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-21 07:02:36 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2008-02-16 09:02:38 1,495,040 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-04-21 07:02:38 1,495,040 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2008-02-16 09:02:38 474,624 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-04-21 07:02:38 474,624 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2008-02-16 09:02:40 617,984 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-21 07:02:40 617,984 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-02-16 09:02:40 663,552 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-21 07:02:40 663,552 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-02-20 05:35:06 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:06 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2006-07-13 07:48:58 202,240 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
+ 2008-05-08 12:28:50 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
- 2008-02-16 09:02:34 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-21 07:02:28 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-02-16 09:02:36 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-21 07:02:28 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-02-16 09:02:36 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-21 07:02:28 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-02-16 09:02:36 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2008-04-21 07:02:30 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2008-02-16 09:02:36 96,768 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-04-21 07:02:30 96,768 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-02-22 05:23:36 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 05:23:40 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 06:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-02-16 09:02:36 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-21 07:02:30 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
+ 2008-05-31 22:11:08 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
- 2003-02-20 2324 155,648 ----a-w C:\WINDOWS\system32\mscoree.dll
+ 2006-12-22 16:28:14 271,360 ----a-w C:\WINDOWS\system32\mscoree.dll
- 2003-02-20 22:43:38 16,896 ----a-w C:\WINDOWS\system32\mscorier.dll
+ 2004-07-15 03:34:06 16,896 ----a-w C:\WINDOWS\system32\mscorier.dll
- 2004-08-05 16:00:00 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll
- 2004-08-05 16:00:00 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll
- 2008-02-16 22:32:38 3,080,704 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-21 07:02:34 3,080,704 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-02-16 09:02:36 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-21 07:02:34 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2004-08-05 16:00:00 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll
- 2004-08-05 16:00:00 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
- 2004-08-05 16:00:00 184,351 ----a-w C:\WINDOWS\system32\msjint40.dll
+ 2008-03-25 04:51:08 194,144 ----a-w C:\WINDOWS\system32\msjint40.dll
- 2004-08-05 16:00:00 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll
- 2004-08-05 16:00:00 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll
- 2004-08-05 16:00:00 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
- 2004-08-05 16:00:00 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll
+ 2008-03-25 04:50:46 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll
- 2008-02-16 09:02:38 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-04-21 07:02:34 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2004-08-05 16:00:00 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll
+ 2008-03-25 04:50:48 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll
- 2004-08-05 16:00:00 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll
+ 2008-03-25 04:50:50 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll
- 2004-08-05 16:00:00 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll
- 2004-08-05 16:00:00 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll
+ 2008-03-25 04:50:56 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll
- 2008-02-16 09:02:38 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-21 07:02:36 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2004-08-05 16:00:00 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll
+ 2008-03-25 04:50:58 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll
- 2004-08-05 16:00:00 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll
+ 2008-03-25 04:51:10 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
- 2004-08-05 16:00:00 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2006-12-22 17:02:36 6,144 ----a-w C:\WINDOWS\system32\mui\0409\mscorees.dll
- 2008-05-06 22:31:30 53,812 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-08 20:12:52 53,812 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-07 00:15:30 49,346 ----a-w C:\WINDOWS\system32\perfc00C.dat
+ 2008-05-08 20:12:52 49,346 ----a-w C:\WINDOWS\system32\perfc00C.dat
- 2008-05-06 22:31:30 383,584 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-08 20:12:52 383,584 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-03-07 00:15:30 370,036 ----a-w C:\WINDOWS\system32\perfh00C.dat
+ 2008-05-08 20:12:52 370,036 ----a-w C:\WINDOWS\system32\perfh00C.dat
+ 2004-08-05 16:00:00 32,768 ----a-w C:\WINDOWS\system32\perfs.exe
- 2008-02-16 09:02:38 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-21 07:02:36 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2004-08-05 16:00:00 20,992 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\i386\hid.dll
+ 2004-08-04 03:08:20 36,224 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\i386\hidclass.sys
+ 2004-08-04 03:08:18 24,960 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\i386\hidparse.sys
+ 2001-08-18 02:02:20 9,600 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\i386\hidusb.sys
- 2008-02-16 09:02:38 1,495,040 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-04-21 07:02:38 1,495,040 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2008-02-16 09:02:38 474,624 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-04-21 07:02:38 474,624 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2006-01-24 23:34:24 118,784 ----a-w C:\WINDOWS\system32\sirenacm.dll
+ 2007-10-18 15:31:46 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
- 2008-03-20 18:41:20 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:30 18,296 ------w C:\WINDOWS\system32\spmsg.dll
+ 2004-08-05 16:00:00 289,792 ----a-w C:\WINDOWS\system32\swand.sys
+ 2004-08-05 16:00:00 279,040 ----a-w C:\WINDOWS\system32\sxwand.sys
- 2008-04-29 01:20:52 6,891,077 --sha-w C:\WINDOWS\system32\tsohsvs.dat
+ 2008-07-15 00:41:24 6,936,019 --sha-w C:\WINDOWS\system32\tsohsvs.dat
- 2008-02-16 09:02:40 617,984 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-21 07:02:40 617,984 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-02-16 09:02:40 663,552 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-04-21 07:02:40 663,552 ----a-w C:\WINDOWS\system32\wininet.dll
- 2008-02-15 23:03:14 370,176 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-04-17 11:03:46 370,176 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2006-06-05 18:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 18:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 18:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fraps"="C:\FRAPS\FRAPS\FRAPS.EXE" [2007-07-12 03:15 913064]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleTime"="C:\WINDOWS\system32\AppleTime.exe" [2006-07-14 17:18 65536]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [2006-09-26 17:17 172032]
"Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [2006-10-24 17:38 315392]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-05 12:00 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WServing"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"C:\\WINDOWS\\System32\\dpvsetup.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-05-06 18:32]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2006-10-24 17:38]
R2 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2006-10-24 17:38]
R3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-09-26 17:20]
S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2006-08-24 23:45]
S3 CEDRIVER53;CEDRIVER53;C:\Program Files\Cheat Engine\dbk32.sys [2006-10-27 19:13]
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2006-09-05 14:08]
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
S4 NOBICYT;NOBICYT;C:\WINDOWS\system32\Nobicyt.exe []

.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKLM-Run-svshost - C:\WINDOWS\system32\svshost.exe
HKLM-Run-SigmatelSysTrayApp - sttray.exe
Notify-svshost - svshost.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 20:49:40
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Balayage processus cach‚s ...

Balayage cach‚ autostart entries ...

Balayage des fichiers cach‚s ...

Scan termin‚ avec succŠs
Les fichiers cach‚s: 0

**************************************************************************
.
--------------------- DLLs a charg‚ sous des processus courants ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\iphlpapi.dll
-> ?:\WINDOWS\system32\iphlpapi.dll
-> ?:\WINDOWS\system32\iphlpapi.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\PROGRAM FILES\FICHIERS COMMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\PNKBSTRA.EXE
C:\WINDOWS\SYSTEM32\STACSV.EXE
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Temps d'accomplissement: 2008-07-14 20:50:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 00:50:36

Pre-Run: 5,547,360,256 octets libres
Post-Run: 5,575,393,280 octets libres

657 --- E O F --- 2008-07-09 19:15:10


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:30 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Apple Keyboard Support\KbdMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\FRAPS\FRAPS\FRAPS.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O18 - Protocol: intu-ir2007 - {52BAEC6B-9405-46F9-A131-6D50720A3CC4} - C:\Program Files\ImpotRapide 2007\ic2007pp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 4517 bytes

[tetonbob]

Hi -

If you just post the HijackThis log rather than attach it, there will be no need to rename. It's also easier for me to review that way.

Thanks.

Things are looking better, but we have more work to do.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
2. Open notepad and copy/paste the text in the quotebox below into it:
   
   
   
   Quote:

   http://www.techsupportforum.com/security-center/hijackthis-log-help/264012-strange-program-cause-radio-clips-play.html#post1591612
   
   Driver::
   NOBICYT
   
   DirLook::
   C:\Temp\ext18866
   
   Registry::
   [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
   "WServing"=-
   
   Collect::
   C:\WINDOWS\system32\Nobicyt.exe

   
   
   Save this as CFScript.txt
   
   
   
   
   Referring to the picture above, drag CFScript.txt into ComboFix.exe
   
   
   
3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
4. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.
   
   Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
   
   
5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
   ---------------------------------------------------------------------------------------------
   
6. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
   
   ---------------------------------------------------------------------------------------------

[Kokojo]

I tried to use the script in a .txt file from notepad, and i dragged it into ComboFix.exe correctly, however, the file dissapeared and no special window to upload the file popped up. I am pretty sure that i did no errors.

Here are the logs. (combofix log.txt and hijackthis.txt)

ComboFix 08-07-14.2 - Benjamin 2008-07-15 12:15:16.3 - FAT32x86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.677 [GMT -4:00]
Endroit: C:\Documents and Settings\Benjamin\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Benjamin\Bureau\CFScript.txt
* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NOBICYT
-------\Service_NOBICYT


((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-06-15 to 2008-07-15 ))))))))))))))))))))))))))))))))))))
.

2008-07-09 20:16 . 2008-07-09 20:16 <REP> d-------- C:\Temp\ext18866
2008-07-09 20:16 . 2008-07-09 20:16 <REP> d-------- C:\Program Files\Microsoft Silverlight
2008-07-07 13:19 . 2008-07-07 13:19 <REP> d-------- C:\Documents and Settings\Benjamin\Application Data\uTorrent
2008-07-02 21:50 . 2008-07-02 21:50 <REP> d--hs---- C:\FOUND.033
2008-06-29 18:58 . 2008-06-29 18:58 <REP> d-------- C:\Program Files\Screen Savers
2008-06-29 18:58 . 2008-06-29 18:58 <REP> d-------- C:\Program Files\eXact
2008-06-21 13:00 . 2008-06-21 13:00 <REP> d-------- C:\Documents and Settings\Benjamin\Application Data\mIRC
2008-06-17 21:06 . 2008-06-17 21:06 <REP> d-------- C:\Program Files\CamStudio

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 03:27 137,472 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-15 03:27 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-07-14 22:38 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-14 22:38 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-06-28 20:40 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-06-20 17:41 247,808 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 247,808 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 17:59 272,768 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 17:59 272,768 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 20:35 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:15 1,293,824 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:15 1,293,824 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-17 10:52 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2002-06-10 21:30 7,175,689 ----a-w C:\Program Files\SC4_E3_hi.mov
1997-02-17 10:37 171,520 ----a-w C:\Program Files\CNCS32.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Temp\ext18866 ----

2008-03-31 21:51 153104 --a------ C:\Temp\ext18866\install.exe
2008-03-31 21:51 1065480 --a------ C:\Temp\ext18866\install.res.dll


((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fraps"="C:\FRAPS\FRAPS\FRAPS.EXE" [2007-07-12 03:15 913064]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleTime"="C:\WINDOWS\system32\AppleTime.exe" [2006-07-14 17:18 65536]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [2006-09-26 17:17 172032]
"Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [2006-10-24 17:38 315392]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-05 12:00 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"C:\\WINDOWS\\System32\\dpvsetup.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-05-06 18:32]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2006-10-24 17:38]
R2 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2006-10-24 17:38]
R3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-09-26 17:20]
S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2006-08-24 23:45]
S3 CEDRIVER53;CEDRIVER53;C:\Program Files\Cheat Engine\dbk32.sys [2006-10-27 19:13]
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2006-09-05 14:08]
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 12:18:16
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Balayage processus cach‚s ...

Balayage cach‚ autostart entries ...

Balayage des fichiers cach‚s ...

Scan termin‚ avec succŠs
Les fichiers cach‚s: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\PROGRAM FILES\FICHIERS COMMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\PNKBSTRA.EXE
C:\WINDOWS\SYSTEM32\STACSV.EXE
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Temps d'accomplissement: 2008-07-15 12:19:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 16:19:12
ComboFix2.txt 2008-07-15 00:50:42

Pre-Run: 5,526,749,184 octets libres
Post-Run: 5,521,031,168 octets libres

127 --- E O F --- 2008-07-09 19:15:10



-



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:20 PM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Apple Keyboard Support\KbdMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\FRAPS\FRAPS\FRAPS.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O18 - Protocol: intu-ir2007 - {52BAEC6B-9405-46F9-A131-6D50720A3CC4} - C:\Program Files\ImpotRapide 2007\ic2007pp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 4518 bytes

[tetonbob]

That's ok...the file I was trying to collect was not present.

Please delete this folder:

C:\Temp\ext18866

=============================

Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.


Install this FREE AntiVirus program, update it, and run a full system scan.

Avira PersonalEdition Classic

Here is a tutorial on it's setup and use:

http://www.techsupportforum.com/cont...ticles/64.html

When the scan is complete, click on the Report button. A log file will open. Please post that in your next reply.

Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

[Kokojo]

I deleted ext18866

I tried to install Avira PersonalEdition Classic but as soon as i downloaded the program, it was unusable, undeletable, and when ran, it says (in french) :
C:\documents and settings\benjamin\antivir_workstation_winu_en_h.exe is not a valid win32 application.

I know win32 is malware... but unsure what this message means. For now i tried changing the name, insolating, deleteing, archiving, de-archiving, and nothing works properly.

Any ideas ?

Thanks for your time.

[tetonbob]

It's possible the download was corrupted. Delete it, and try again.

Or, give one of these a try:

• Avast!
• AVG

[Kokojo]

antivir_workstation_winu_en_h.exe is still undeletable, and the Avira download still had the same name, so i got to avast. (The file weights 0bites..)

Anyway, here is the avast log and the hijackthis log.

07/16/2008 12:45
Scan of all local drives


File C:\Documents and Settings\Benjamin\Bureau\CHu tanner\Nouveau dossier (3)\SMW\Private Cell Hack - Spiro - Updated.exe is infected by Win32:Agent-SJI [Trj], Deleted
File C:\Documents and Settings\Benjamin\Bureau\CHu tanner\Nouveau dossier (3)\SMW\TeamInfinity;SpaceCake HackPack.exe is infected by Win32:Agent-SJI [Trj], Deleted
File C:\Program Files\Softnyx\Rakion\Bin\rakion.bin\[ASProtect] is infected by Win32:Mapler-H [Trj], Deleted
File C:\Program Files\eXact\eXactToolbar.dll is infected by Win32:Spyware-gen [Trj], Deleted
File C:\Program Files\Cheat Engine\Cheat Engine.exe is infected by Win32:Agent-SJI [Trj], Deleted
File C:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll is infected by Win32:CTX, Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP218\A0143338.dll is infected by Win32:CTX, Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP218\A0143414.sys is infected by Win32:Spyware-gen [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP221\A0145745.dll is infected by Win32:Adware-gen [Adw], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP221\A0145772.exe is infected by Win32:Adware-gen [Adw], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP221\A0145775.EXE is infected by Win32:Adware-gen [Adw], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP227\A0146217.exe is infected by Win32:SCKeylog-M [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP228\A0146231.dll is infected by Win32:SCKeylog-L [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP228\A0146234.exe is infected by Win32:SCKeylog-M [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP229\A0146392.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP229\A0146407.exe is infected by Win32:Agent-SJI [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP229\A0146408.exe is infected by Win32:Agent-SJI [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP229\A0146409.exe is infected by Win32:Agent-SJI [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP229\A0146410.exe is infected by Win32:Agent-SJI [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP229\A0146411.exe is infected by Win32:Agent-SJI [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP229\A0146412.dll is infected by Win32:Spyware-gen [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP229\A0146413.exe is infected by Win32:Agent-SJI [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP229\A0146414.dll is infected by Win32:CTX, Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP190\A0132491.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP190\A0133504.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP190\A0133516.dll is infected by Win32:Agent-LTS [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP190\A0133517.dll is infected by Win32:Vapsup-CJ [Adw], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP190\A0133539.exe is infected by Win32:Buzus-AD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP190\A0134568.dll is infected by Win32:Zlob-APQ [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP190\A0135660.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP196\A0138981.EXE is infected by Win32:SCKeylog-M [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP196\A0138982.exe is infected by Win32:SCKeylog-M [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP196\A0138983.exe is infected by Win32:Agent-QJS [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP199\A0139125.exe is infected by Win32:Obfuscated-BPT [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP200\A0139188.dll is infected by Win32:Vapsup-EB [Adw], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP200\A0139189.dll is infected by Win32:Agent-TJH [Drp], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP200\A0139190.DLL is infected by Win32:Agent-TJH [Drp], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139510.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139511.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139512.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139513.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139514.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139515.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139516.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139517.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139518.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139519.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139520.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139521.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139522.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139523.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139524.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139525.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139526.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139527.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139528.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139529.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139530.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139531.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139532.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139533.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139534.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139535.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139536.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139537.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139538.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139539.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139540.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139541.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139542.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139543.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139544.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139545.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139546.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139547.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139548.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139549.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139550.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139551.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139552.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139553.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139554.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139555.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139556.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139557.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139558.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139559.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139560.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139561.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139562.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139563.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139564.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139565.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139566.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139567.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139568.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139569.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139570.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139571.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139572.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139573.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139574.EXE is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139578.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139579.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139580.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139581.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139582.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139583.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139584.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139585.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139586.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139587.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139588.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139589.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139590.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139591.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139592.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139593.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139594.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139595.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139596.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139597.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139598.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139599.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139600.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139601.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139602.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139603.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139604.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139605.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139606.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139607.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139608.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139609.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139610.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139611.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139612.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139613.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139614.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139615.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139616.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139617.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139618.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139619.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139620.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139621.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139622.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139623.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139624.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139625.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139626.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139627.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139628.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139629.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139630.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139631.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139632.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139633.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139634.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139635.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139636.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139637.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139638.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139639.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139640.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139641.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139642.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP201\A0139708.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\System Volume Information\_restore{2A280326-9725-468D-959C-F78479FF3894}\RP205\A0140319.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\sta25.exe is infected by Win32:SDrop [Drp], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\bis62.exe is infected by Win32:Obfuscated-BPP [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\tmp1.exe is infected by Win32:ChanCrypt [Cryp], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\4bv7xxke.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\rYWz8P3I.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\565aw03n.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\mso11.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\brCCF53N.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\XKuCFW6e.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\msZXL8cQ.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\lulldDnB.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\ZfKZj4Uq.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\GWHfXc2P.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\d8W8Bzug.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\LibIpeC7.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\fOuctlpK.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\6CJcorIe.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\CwAiOGx1.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\c4q70rtc.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\zQ5DOuIc.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\GZ77lgSj.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\grhZPt0y.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\L817FEtc.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\7Nz4DlFq.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\SZEqss5V.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\rqvYBYK7.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\1wQJeM8j.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\tHigpRIb.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\O1xr0LCY.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\fVIQ7WX0.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\HuCVYZBn.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\oH1pyUSv.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\ZBAcAWwQ.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\qXAfja6h.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\rK8fdtWX.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\Kipiz8fz.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\lyNvCfpo.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\OOPsz9Um.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\RLmiOC4b.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\okz3Y7Xj.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\JYqVx3iH.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\zImHxZXH.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\e0r0CWpl.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\SBSn19b5.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\dn3XMwKN.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\fMJ55w0s.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\fjyBGqdG.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\F0IlKHF7.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\8ZMCIafs.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\wpgoeHHR.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\ObJVYBp3.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\XUCpU6TI.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\WHg91f1V.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\OJF8jh4n.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\m4bturUZ.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\V4I6qifo.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\Y0dMTAAc.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\DJkmaHXh.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\HiDAfjGN.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\1CzD6mEI.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\Kw2kbDOj.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\ooXQ9xkt.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\20080504160507\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\OLkEUtCk.exe is infected by Win32:Agent-UDD [Trj], Deleted
File C:\Deckard\System Scanner\backup\DOCUME~1\Benjamin\LOCALS~1\Temp\Rar$DR01.937\d2hackmap_v2.10_lite\d2hackmap.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\QooBox\Quarantine\C\WINDOWS\system32\svshost.dll.vir is infected by Win32:SCKeylog-L [Trj], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\system32\svshost.exe.vir is infected by Win32:SCKeylog-M [Trj], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\dkxrstqnog.dll.vir is infected by Win32:Vapsup-EB [Adw], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\Installer\{377ba2a0-0ad8-4831-a2d0-0690d11500a7}\RomKernel.dll.vir is infected by Win32:Agent-TJH [Drp], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\Installer\{12233bb6-6135-43af-89d0-ead08d1a274b}\zip.dll.vir is infected by Win32:Agent-TJH [Drp], Deleted
Number of searched folders: 4572
Number of tested files: 42885
Number of infected files: 241


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:18 PM, on 7/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Apple Keyboard Support\KbdMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\FRAPS\FRAPS\FRAPS.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O18 - Protocol: intu-ir2007 - {52BAEC6B-9405-46F9-A131-6D50720A3CC4} - C:\Program Files\ImpotRapide 2007\ic2007pp.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 5286 bytes

[tetonbob]

Quote:

antivir_workstation_winu_en_h.exe is still undeletable

Try deleting it while in Safe Mode.

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. Then try to delete the file.

---------------------------------------------------------------------------------------------

Restart in normal mode, and let me know.

[Kokojo]

Still undeletable, still 0 bites and still suspicious while in safe mode.

I really wonder what it is.

[tetonbob]

Is this it's current file path?

C:\documents and settings\benjamin\antivir_workstation_winu_en_h.exe