Tech Support Forum, Resolved HJT Threads (resolved spyware and popup issues)
Post #1, 11-16-2008, 07:20 PM, by briang3 (Registered User; Join Date: Aug 2008; Posts: 21; OS: XP)

Random popups and CPU running 50%

Hi, a couple of days ago my computer began opening popups every minute or so in Internet Explorer. My CPU is also constantly running at around 50%.

I will admit that I used BitTorrent the day before to download something, so I think I might have finally gotten this from there. Since then I have deleted that and will not use it again.

I have attached dds.txt and attach.txt.

Can somebody help me out with this? I'd appreciate any help.



DDS (Version 1.0) - NTFSx86
Run by Govier at 1711.71 on Sun 11/16/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1561 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\dldtserv.exe
C:\WINDOWS\system32\dldtcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell V305\dldtmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell V305\dldtMsdMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Govier\Application Data\gadcom\gadcom.exe
C:\Program Files\GetPack\GetPack24.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Govier\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7EDB9A15-ED71-439E-8EF9-1F4737264A37} - c:\windows\system32\urqOhecd.dll
BHO: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\rqRhiFxx.dll
BHO: {ed8ac534-220c-43cf-a3a4-d95f8885eda6} - c:\windows\system32\byaaun.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [gadcom] "c:\documents and settings\govier\application data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
uRun: [GetPack24] "c:\program files\getpack\GetPack24.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dldtmon.exe] "c:\program files\dell v305\dldtmon.exe"
mRun: [dldtamon] "c:\program files\dell v305\dldtamon.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: rqRhiFxx - rqRhiFxx.dll
AppInit_DLLs: byaaun.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\rqRhiFxx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqOhecd

============= SERVICES / DRIVERS ===============

R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service
R2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\\dldtserv.exe

=============== Created Last 30 ================

2008-11-16 17:05 124,928 a------- c:\windows\system32\byaaun.dll
2008-11-16 17:05 124,928 a------- c:\windows\system32\gwmmhtpu.dll
2008-11-16 16:56 250 a------- c:\windows\gmer.ini
2008-11-16 15:05 <DIR> --d----- c:\program files\iCheck
2008-11-16 15:05 <DIR> --d----- c:\program files\GetPack
2008-11-16 14:41 687,592 a------- c:\windows\system32\atmtd.dll._
2008-11-16 14:41 <DIR> --d----- c:\program files\Network Monitor
2008-11-16 14:25 894,038 a--sh--- c:\windows\system32\dcehOqru.ini2
2008-11-16 14:25 894,038 a--sh--- c:\windows\system32\dcehOqru.ini
2008-11-16 14:25 313,856 a------- c:\windows\system32\urqOhecd.dll
2008-11-16 14:21 <DIR> --d----- c:\program files\Mjcore
2008-11-16 14:21 <DIR> --d----- c:\docume~1\govier\applic~1\gadcom
2008-11-16 14:20 25,600 a------- c:\windows\system32\rqRhiFxx.dll
2008-11-16 14:20 25,600 a------- c:\windows\system32\fcccdARh.dll
2008-11-16 14:20 26,624 a------- c:\windows\system32\msansspc.dll
2008-11-10 11:55 <DIR> --d----- C:\BEES40e
2008-11-10 11:53 <DIR> --d----- C:\BEES40eSetup
2008-11-09 17:02 <DIR> --d----- c:\docume~1\govier\applic~1\ShoppingReport
2008-10-30 11:54 6,144 a------- c:\windows\system32\karna.dat
2008-10-30 11:54 6,144 a------- c:\windows\karna.dat
2008-10-25 20:17 <DIR> --d----- c:\windows\system32\scripting
2008-10-25 20:17 <DIR> --d----- c:\windows\l2schemas
2008-10-25 20:15 <DIR> --d----- c:\windows\ServicePackFiles
2008-10-25 20:13 <DIR> --d----- c:\windows\network diagnostic
2008-10-25 19:53 586,240 a------- c:\windows\system32\SET2E7.tmp
2008-10-25 19:41 337,408 -------- c:\windows\system32\SET1484.tmp
2008-10-25 19:08 1,956 a------- c:\windows\default.htm
2008-10-25 19:05 216,363 a------- c:\windows\system32\wpv964.cpx
2008-10-25 19:05 216,363 a------- c:\windows\system32\wpv274.cpx
2008-10-25 19:05 <DIR> --d----- c:\docume~1\govier\applic~1\GetModule
2008-10-19 20:02 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================

2008-11-16 16:48 <DIR> --d----- c:\program files\LimeWire
2008-11-16 15:00 <DIR> --d----- c:\docume~1\govier\applic~1\BitTorrent
2008-11-12 15:20 56,321 a------- c:\windows\system32\nvModes.dat
2008-10-30 13:12 <DIR> --d----- c:\program files\Dl_cats
2008-10-30 12:05 <DIR> --d----- c:\program files\Windows NT
2008-10-30 12:05 <DIR> --d----- c:\program files\Messenger
2008-10-25 20:20 89,015 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-19 14:53 <DIR> --d----- c:\docume~1\govier\applic~1\LimeWire
2008-10-15 08:57 332,800 a------- c:\windows\system32\netapi32(3).dll
2008-10-15 08:57 332,800 a------- c:\windows\system32\netapi32(2).dll
2008-08-13 12:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-08-07 12:12 <DIR> --d----- c:\docume~1\govier\applic~1\Dell Imaging Toolbox
2008-08-06 09:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2008-07-30 19:40 <DIR> --d----- c:\docume~1\govier\applic~1\DassaultSystemes
2008-07-30 19:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DassaultSystemes
2008-07-09 20:36 <DIR> --d----- c:\docume~1\govier\applic~1\SolidWorks
2008-07-07 23:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-05-20 13:29 <DIR> --d----- c:\docume~1\govier\applic~1\Diskeeper Corporation
2008-04-10 13:06 <DIR> --d----- c:\docume~1\govier\applic~1\DNA
2008-04-10 12:28 <DIR> --d----- c:\docume~1\govier\applic~1\Malwarebytes
2008-04-10 12:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-04-08 17:15 <DIR> --d----- c:\docume~1\govier\applic~1\DWGeditor
2008-03-13 06:54 <DIR> --d----- c:\docume~1\govier\applic~1\BitTorrent DNA
2008-01-30 16:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SupportSoft
2008-01-30 16:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Dell
2007-11-13 14:04 <DIR> --d----- c:\docume~1\govier\applic~1\SlySoft
2007-01-22 23:37 <DIR> --d----- c:\docume~1\govier\applic~1\Viewpoint
2006-12-31 00:19 <DIR> --d----- c:\docume~1\govier\applic~1\Atari
2006-12-14 23:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2006-10-23 15:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2006-09-08 21:49 <DIR> --d----- c:\docume~1\govier\applic~1\Corel Photo Album
2006-08-22 09:31 <DIR> --d----- c:\docume~1\govier\applic~1\Symantec
2007-02-14 15:53 56 ---shr-- c:\windows\system32\6929A60EE9.sys
2007-01-14 18:54 88 ---shr-- c:\windows\system32\E90EA62969.sys
2007-02-14 15:53 5,382 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 17:07:39.09 ===============
Attached Files
File Type: txt DDS.txt (9.3 KB, 2 views)
File Type: txt Attach.txt (16.2 KB, 2 views)
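The DDS log in the post above carries the indicators an analyst reads first: BHO, Winlogon Notify and SEH entries pointing at randomly named DLLs in system32, a non-empty AppInit_DLLs value, an extra SecurityProviders module (msansspc.dll, a near copy of the legitimate msapsspc.dll name) and a second LSA Authentication Package next to msv1_0, all of them matching files that the "Created Last 30" section shows were written within minutes of each other. The script below is an added example, not part of this thread and not a feature of DDS: it parses a constructed excerpt modelled on that log and flags those hooks automatically. The sets it treats as the stock Windows XP SecurityProviders and Authentication Packages values are assumptions, as is the rule that files of identical size created in the same minute belong to the same dropper.

```python
"""Triage a DDS log for persistence hooks that load recently created modules.

Added example for this thread; it is not part of the original post and not a
feature of DDS itself. The 'default' provider/package sets below are assumptions
about a stock Windows XP install.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the DDS log posted above (trimmed to the
# sections this script reads; it is not the full log).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7EDB9A15-ED71-439E-8EF9-1F4737264A37} - c:\windows\system32\urqOhecd.dll
BHO: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\rqRhiFxx.dll
BHO: {ed8ac534-220c-43cf-a3a4-d95f8885eda6} - c:\windows\system32\byaaun.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
Notify: rqRhiFxx - rqRhiFxx.dll
AppInit_DLLs: byaaun.dll
SEH: {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\rqRhiFxx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqOhecd

=============== Created Last 30 ================

2008-11-16 17:05 124,928 a------- c:\windows\system32\byaaun.dll
2008-11-16 17:05 124,928 a------- c:\windows\system32\gwmmhtpu.dll
2008-11-16 14:25 894,038 a--sh--- c:\windows\system32\dcehOqru.ini2
2008-11-16 14:25 894,038 a--sh--- c:\windows\system32\dcehOqru.ini
2008-11-16 14:25 313,856 a------- c:\windows\system32\urqOhecd.dll
2008-11-16 14:20 25,600 a------- c:\windows\system32\rqRhiFxx.dll
2008-11-16 14:20 25,600 a------- c:\windows\system32\fcccdARh.dll
2008-11-16 14:20 26,624 a------- c:\windows\system32\msansspc.dll
2008-10-19 20:02 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================
"""

# Assumption: the values a stock XP SP2 install carries in these two LSA keys.
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")


def split_sections(text):
    """Group the non-blank lines of a DDS log under their '=== Name ===' headers."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        header = SECTION_RE.match(line.strip())
        if header:
            current = header.group(1)
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def basename(path):
    """Lower-cased final path component, quotes and either slash style tolerated."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def stem(path):
    """Lower-cased file name without extension, e.g. Foo.DLL -> foo."""
    return basename(path).rsplit(".", 1)[0]


def parse_created(lines):
    """Map lower-cased file name -> (timestamp, size, attrs, path); directories are skipped."""
    created = {}
    for line in lines:
        m = CREATED_RE.match(line)
        if m and m.group(2) != "<DIR>":
            ts, size, attrs, path = m.groups()
            created[basename(path)] = (ts, int(size.replace(",", "")), attrs, path)
    return created


def created_entry(created, module):
    """Find a created file by stem, so 'urqOhecd' (no extension) matches urqOhecd.dll."""
    want = stem(module)
    return next((e for name, e in created.items() if stem(name) == want), None)


def triage(text):
    """Return (kind, item, reason) findings for the suspicious entries in a DDS log."""
    sections = split_sections(text)
    created = parse_created(sections.get("Created Last 30", []))
    findings = []
    for line in sections.get("Pseudo HJT Report", []):
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("BHO", "SEH", "Notify"):
            module = value.rsplit(" - ", 1)[-1]  # last field is the module path
            entry = created_entry(created, module)
            if entry:
                findings.append((key, module, f"module created {entry[0]}, inside the 30-day window"))
        elif key == "AppInit_DLLs":
            # Empty on a stock XP box; anything listed is loaded into every process that maps user32.dll.
            for dll in filter(None, re.split(r"[,\s]+", value)):
                findings.append((key, dll, "DLL injected via AppInit_DLLs"))
        elif key == "SecurityProviders":
            for dll in filter(None, (d.strip().lower() for d in value.split(","))):
                if dll not in DEFAULT_SECURITY_PROVIDERS:
                    findings.append((key, dll, "not a default XP security provider (loaded by lsass.exe)"))
        elif key == "LSA" and value.startswith("Authentication Packages"):
            for pkg in value.partition("=")[2].split():
                if stem(pkg) not in DEFAULT_AUTH_PACKAGES:
                    findings.append((key, pkg, "extra LSA authentication package (loaded by lsass.exe)"))
    # Droppers often write a pair of look-alike files in one go: same size, same minute.
    groups = defaultdict(list)
    for ts, size, _attrs, path in created.values():
        groups[(ts, size)].append(path)
    for (ts, size), paths in sorted(groups.items()):
        if len(paths) > 1:
            findings.append(("Siblings", ", ".join(paths), f"{len(paths)} files of {size} bytes created at {ts}"))
    return findings


if __name__ == "__main__":
    for kind, item, reason in triage(SAMPLE_DDS):
        print(f"{kind:18} {item}\n{'':18} {reason}")
```

Run against the excerpt it reports the three BHOs, the Notify and SEH hooks, byaaun.dll in AppInit_DLLs, msansspc.dll among the security providers, urqOhecd as an LSA authentication package, and three sibling pairs; the Java and Windows Desktop Search entries, whose modules are not in the recent-file list, are left alone. The LSA and SecurityProviders hooks matter most for cleanup: both DLLs load inside lsass.exe, so a removal that only unregisters the BHOs leaves the infection in place.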

Post #2, 11-18-2008, 09:54 PM, by briang3

bump
Post #3, 11-19-2008, 09:52 AM, by tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 35,253; OS: 2000 Pro, XP Pro, XP Home)

Hello -

There's one more log we require to begin analysis, from GMER.

Download GMER Rootkit Scanner from here or here.

Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe

The program will begin to run. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click Yes. Once the scan is complete, you may receive another notice about rootkit activity. Click OK. GMER will produce a log. Click on the Save button, and save the log file somewhere you can easily find it, such as your desktop. Please attach that log to your next reply.

If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. It will produce a log. Click on the Save button, and save the log file somewhere you can easily find it, such as your desktop. Please attach that log to your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Post #4, 11-19-2008, 12:09 PM, by briang3

Hi, thanks for the reply.

I downloaded the GMER rootkit scanner and ran GMER.exe. (It only ran for about 3-4 seconds before it finished.)

When I ran it, it gave me 5 items under the Rootkit/Malware tab, but then didn't prompt me to run any more scans. So I tried to click on the Scan button on the left-hand side of the screen and it's like the button is grayed out (not able to click it). I also made sure that the Rootkit/Malware tab was the only one visible.

Anyway, here's the log it gave me in the initial scan, which only lasted a few seconds:
Attached Files
File Type: txt gmer.txt (684 Bytes, 2 views)
Post #5, 11-19-2008, 12:29 PM, by tetonbob

Hi again -

Quote:
(it only ran for about 3-4 seconds before it finished)
That's the initial memory scan. After that, click on the Scan button.

There's no scan button on the left-hand side, it's on the right. There's only a prompt to continue if rootkit activity is found. If no activity is found, one must click on the Scan button on the right, as indicated in this image:

[screenshot of the GMER Scan button, not reproduced]
After clicking on the Scan button, it will change to a Stop button, and you'll see evidence of a scan in the lower part of the screen. Once that new scan is complete, Save that log and post it, please.

If this still poses a problem, let me know, and we'll move on.
Post #6, 11-19-2008, 01:08 PM, by briang3

Sorry, I meant to say the right side. At first the Scan button wasn't working, but after a while it started. Here's the scan:

I changed it to .txt because .log wouldn't allow posting.

thanks
Attached Files
File Type: txt gmer.txt (13.2 KB, 2 views)
Post #7, 11-19-2008, 01:14 PM, by tetonbob

Good work...let's begin removing malware.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.


    ---------------------------------------------------------------------------------------------
Post #8, 11-19-2008, 02:00 PM, by briang3

Hi, I ran ComboFix and here's the log:

ComboFix 08-11-18.A2 - Govier 2008-11-19 12:37:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1469 [GMT -8:00]
Running from: c:\documents and settings\Govier\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Govier\Application Data\gadcom
c:\documents and settings\Govier\Application Data\gadcom\gadcom.exe
c:\documents and settings\Govier\Application Data\ShoppingReport
c:\documents and settings\Govier\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Govier\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Govier\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\INSTALL.LOG
c:\program files\Mjcore
c:\program files\Mjcore\Mjcore.dll
c:\windows\system32\aqjfkn.dll
c:\windows\system32\byaaun.dll
c:\windows\system32\dcehOqru.ini
c:\windows\system32\dcehOqru.ini2
c:\windows\system32\dzwxze.dll
c:\windows\system32\fcccdARh.dll
c:\windows\system32\fnaskxld.dll
c:\windows\system32\gwmmhtpu.dll
c:\windows\system32\IQrCIkkj.ini
c:\windows\system32\IQrCIkkj.ini2
c:\windows\system32\jkkICrQI.dll
c:\windows\system32\lmmahcfe.dll
c:\windows\system32\msansspc.dll
c:\windows\system32\rqRhiFxx.dll
c:\windows\system32\wkxygsql.dll
c:\windows\system32\wpv274.cpx
c:\windows\system32\wpv964.cpx
c:\windows\wiaserviv.log
c:\windows\wiaservv.log

.
((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.

2008-11-17 18:13 . 2008-11-17 18:13 120 --ahs---- c:\windows\system32\dlxksanf.ini
2008-11-16 16:56 . 2008-11-19 11:50 250 --a------ c:\windows\gmer.ini
2008-11-10 11:55 . 2008-11-12 21:14 <DIR> d-------- C:\BEES40e
2008-11-10 11:53 . 2008-11-12 17:11 <DIR> d-------- C:\BEES40eSetup
2008-10-25 20:17 . 2008-10-25 20:17 <DIR> d-------- c:\windows\system32\scripting
2008-10-25 20:17 . 2008-10-25 20:17 <DIR> d-------- c:\windows\l2schemas
2008-10-25 20:15 . 2008-10-25 20:17 <DIR> d-------- c:\windows\ServicePackFiles
2008-10-25 19:53 . 2008-04-13 16:11 1,267,200 --a------ c:\windows\system32\SET3DE.tmp
2008-10-25 19:41 . 2008-10-15 08:34 337,408 --------- c:\windows\system32\SET1484.tmp
2008-10-19 20:02 . 2008-10-19 20:02 <DIR> d-------- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 02:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-18 00:48 --------- d-----w c:\program files\Enigma Software Group
2008-11-17 22:32 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-17 00:48 --------- d-----w c:\program files\LimeWire
2008-11-16 23:00 --------- d-----w c:\documents and settings\Govier\Application Data\BitTorrent
2008-10-30 21:12 --------- d-----w c:\program files\Dl_cats
2008-10-19 22:53 --------- d-----w c:\documents and settings\Govier\Application Data\LimeWire
2008-08-21 03:11 24,896 ----a-w c:\documents and settings\Govier\Application Data\GDIPFONTCACHEV1.DAT
2008-07-13 01:46 0 --sha-w c:\documents and settings\Govier\Application Data\0000000000CHEV1.dat
2007-02-14 23:53 56 --sh--r c:\windows\system32\6929A60EE9.sys
2007-01-15 02:54 88 --sh--r c:\windows\system32\E90EA62969.sys
2007-02-14 23:53 5,382 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2008-08-13_13.49.53.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-23 16:01:38 124,928 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\advpack.dll
+ 2008-06-23 16:01:38 347,136 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\dxtmsft.dll
+ 2008-06-23 16:01:39 214,528 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\dxtrans.dll
+ 2008-06-23 16:01:39 132,608 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\extmgr.dll
+ 2008-06-23 16:01:39 63,488 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\icardie.dll
+ 2008-06-23 08:23:18 70,656 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\ie4uinit.exe
+ 2008-06-23 16:01:39 153,088 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\ieakeng.dll
+ 2008-06-23 16:01:39 230,400 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\ieaksie.dll
+ 2008-06-21 05:23:53 161,792 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\ieapfltr.dat
+ 2008-06-23 16:01:40 383,488 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\ieapfltr.dll
+ 2008-06-23 16:01:40 388,608 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iedkcs32.dll
+ 2008-06-23 16:01:43 6,068,736 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\ieframe.dll
+ 2008-06-23 16:01:43 44,544 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iernonce.dll
+ 2008-06-23 16:01:44 267,776 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iertutil.dll
+ 2008-06-23 08:23:18 13,824 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\ieudinit.exe
+ 2008-06-23 08:23:52 625,664 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe
+ 2008-06-23 16:01:46 27,648 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\jsproxy.dll
+ 2008-06-23 16:01:46 459,264 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\msfeeds.dll
+ 2008-06-23 16:01:46 52,224 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\msfeedsbs.dll
+ 2008-06-23 16:01:49 3,594,240 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\mshtml.dll
+ 2008-06-23 16:01:49 477,696 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\mshtmled.dll
+ 2008-06-23 16:01:49 193,024 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\msrating.dll
+ 2008-06-23 16:01:50 671,232 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\mstime.dll
+ 2008-06-23 16:01:50 102,912 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\occache.dll
+ 2008-06-23 16:01:50 44,544 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\pngfilt.dll
+ 2008-06-23 16:01:50 105,984 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\url.dll
+ 2008-06-23 16:01:51 1,162,752 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\urlmon.dll
+ 2008-06-23 16:01:51 233,472 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\webcheck.dll
+ 2008-06-23 16:01:51 827,904 ----a-w c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
+ 2007-03-06 01:22:33 14,048 ----a-w c:\windows\$hf_mig$\KB953838-IE7\spmsg.dll
+ 2007-03-06 01:22:39 213,216 ----a-w c:\windows\$hf_mig$\KB953838-IE7\spuninst.exe
+ 2007-03-06 01:22:31 22,752 ----a-w c:\windows\$hf_mig$\KB953838-IE7\update\spcustom.dll
+ 2007-03-06 01:22:56 716,000 ----a-w c:\windows\$hf_mig$\KB953838-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w c:\windows\$hf_mig$\KB953838-IE7\update\updspapi.dll
+ 2007-04-17 09:28:12 2,455,488 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\ieapfltr.dat
+ 2006-10-04 14:05:26 39,424 ----a-w c:\windows\AppPatch\acadproc(2).dll
- 2005-10-21 03:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2005-10-21 03:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2007-06-13 10:23:07 1,033,216 ----a-w c:\windows\explorer(2).exe
+ 2008-11-17 00:56:09 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 05:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2008-04-23 04:16:28 124,928 -c----w c:\windows\ie7updates\KB953838-IE7\advpack.dll
+ 2008-04-23 04:16:28 347,136 -c----w c:\windows\ie7updates\KB953838-IE7\dxtmsft.dll
+ 2008-04-23 04:16:28 214,528 -c----w c:\windows\ie7updates\KB953838-IE7\dxtrans.dll
+ 2008-04-23 04:16:28 133,120 -c----w c:\windows\ie7updates\KB953838-IE7\extmgr.dll
+ 2008-04-23 04:16:28 63,488 -c----w c:\windows\ie7updates\KB953838-IE7\icardie.dll
+ 2008-04-22 07:39:58 70,656 -c----w c:\windows\ie7updates\KB953838-IE7\ie4uinit.exe
+ 2008-04-23 04:16:28 153,088 -c----w c:\windows\ie7updates\KB953838-IE7\ieakeng.dll
+ 2008-04-23 04:16:28 230,400 -c----w c:\windows\ie7updates\KB953838-IE7\ieaksie.dll
+ 2008-04-20 05:07:51 161,792 -c----w c:\windows\ie7updates\KB953838-IE7\ieakui.dll
+ 2008-04-23 04:16:28 383,488 -c----w c:\windows\ie7updates\KB953838-IE7\ieapfltr.dll
+ 2008-04-23 04:16:28 384,512 -c----w c:\windows\ie7updates\KB953838-IE7\iedkcs32.dll
+ 2008-04-23 04:16:28 6,066,176 -c----w c:\windows\ie7updates\KB953838-IE7\ieframe.dll
+ 2008-04-23 04:16:28 44,544 -c----w c:\windows\ie7updates\KB953838-IE7\iernonce.dll
+ 2008-04-23 04:16:28 267,776 -c----w c:\windows\ie7updates\KB953838-IE7\iertutil.dll
+ 2008-04-22 07:39:58 13,824 -c----w c:\windows\ie7updates\KB953838-IE7\ieudinit.exe
+ 2008-04-22 07:40:18 625,664 -c----w c:\windows\ie7updates\KB953838-IE7\iexplore.exe
+ 2008-04-23 04:16:28 27,648 -c----w c:\windows\ie7updates\KB953838-IE7\jsproxy.dll
+ 2008-04-23 04:16:28 459,264 -c----w c:\windows\ie7updates\KB953838-IE7\msfeeds.dll
+ 2008-04-23 04:16:28 52,224 -c----w c:\windows\ie7updates\KB953838-IE7\msfeedsbs.dll
+ 2008-04-24 05:16:30 3,591,680 -c----w c:\windows\ie7updates\KB953838-IE7\mshtml.dll
+ 2008-04-23 04:16:28 478,208 -c----w c:\windows\ie7updates\KB953838-IE7\mshtmled.dll
+ 2008-04-23 04:16:28 193,024 -c----w c:\windows\ie7updates\KB953838-IE7\msrating.dll
+ 2008-04-23 04:16:28 671,232 -c----w c:\windows\ie7updates\KB953838-IE7\mstime.dll
+ 2008-04-23 04:16:28 102,912 -c----w c:\windows\ie7updates\KB953838-IE7\occache.dll
+ 2008-04-23 04:16:28 44,544 -c----w c:\windows\ie7updates\KB953838-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB953838-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB953838-IE7\spuninst\updspapi.dll
+ 2008-04-23 04:16:28 105,984 -c----w c:\windows\ie7updates\KB953838-IE7\url.dll
+ 2008-04-23 04:16:29 1,159,680 -c----w c:\windows\ie7updates\KB953838-IE7\urlmon.dll
+ 2008-04-23 04:16:29 233,472 -c----w c:\windows\ie7updates\KB953838-IE7\webcheck.dll
+ 2008-04-23 04:16:29 826,368 -c----w c:\windows\ie7updates\KB953838-IE7\wininet.dll
- 2000-08-31 15:00:00 28,672 ----a-w c:\windows\Nircmd.exe
+ 2000-08-31 16:00:00 28,672 ----a-w c:\windows\Nircmd.exe
+ 2004-08-10 10:00:00 38,912 ----a-w c:\windows\pchealth\helpctr\binaries\pchsvc(2).dll
- 2006-08-22 17:14:34 89,015 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
+ 2008-10-26 04:20:09 89,015 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
- 2006-08-22 17:14:34 5,186 ----a-w c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2008-10-26 04:20:09 5,924 ----a-w c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2004-08-10 10:00:00 146,432 ----a-w c:\windows\regedit(2).exe
+ 2008-04-14 00:25:26 1,804 ------w c:\windows\ServicePackFiles\i386\dcache.bin
+ 2006-12-31 14:57:08 4,569 ------w c:\windows\ServicePackFiles\i386\secupd.dat
- 2000-08-31 15:00:00 161,792 ----a-w c:\windows\swreg.exe
+ 2000-08-31 16:00:00 161,792 ----a-w c:\windows\swreg.exe
+ 2004-08-10 10:00:00 114,688 ----a-w c:\windows\system32\aclui(2).dll
+ 2004-08-10 10:00:00 194,048 ----a-w c:\windows\system32\activeds(2).dll
+ 2004-08-10 10:00:00 101,888 ----a-w c:\windows\system32\actxprxy(2).dll
+ 2004-08-10 10:00:00 143,360 ----a-w c:\windows\system32\adsldpc(2).dll
+ 2008-06-23 16:57:27 124,928 ----a-w c:\windows\system32\advpack(2).dll
- 2008-04-23 04:16:28 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-06-23 16:57:27 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2004-08-10 10:00:00 44,544 ----a-w c:\windows\system32\alg(2).exe
+ 2004-08-10 10:00:00 58,880 ----a-w c:\windows\system32\atl(2).dll
+ 2004-08-10 10:00:00 42,496 ----a-w c:\windows\system32\audiosrv(2).dll
+ 2005-03-02 18:09:29 56,832 ----a-w c:\windows\system32\authz(2).dll
+ 2004-08-10 10:00:00 28,672 ----a-w c:\windows\system32\batmeter(2).dll
+ 2004-08-10 10:00:00 77,312 ----a-w c:\windows\system32\browser(2).dll
+ 2006-09-14 08:31:26 1,022,976 ----a-w c:\windows\system32\browseui(2).dll
+ 2004-08-10 10:00:00 59,904 ----a-w c:\windows\system32\cabinet(2).dll
+ 2005-07-26 04:39:42 225,792 ----a-w c:\windows\system32\catsrv(2).dll
+ 2005-07-26 04:39:43 625,152 ----a-w c:\windows\system32\catsrvut(2).dll
- 2007-07-31 02:19:20 92,504 ----a-w c:\windows\system32\cdm.dll
+ 2008-07-19 05:10:48 94,920 ----a-w c:\windows\system32\cdm.dll
+ 2004-08-10 10:00:00 194,560 ----a-w c:\windows\system32\certcli(2).dll
+ 2004-08-10 10:00:00 16,896 ----a-w c:\windows\system32\cfgmgr32(2).dll
+ 2005-07-26 04:39:43 498,688 ----a-w c:\windows\system32\clbcatq(2).dll
+ 2004-08-10 10:00:00 57,856 ----a-w c:\windows\system32\clusapi(2).dll
+ 2004-08-10 10:00:00 47,104 ----a-w c:\windows\system32\cnbjmon(2).dll
+ 2005-07-26 04:39:43 60,416 ----a-w c:\windows\system32\colbact(2).dll
+ 2004-08-10 10:00:00 792,064 ----a-w c:\windows\system32\comres(2).dll
+ 2004-08-10 10:00:00 163,840 ----a-w c:\windows\system32\credui(2).dll
+ 2004-08-10 10:00:00 597,504 ----a-w c:\windows\system32\crypt32(2).dll
+ 2004-08-10 10:00:00 33,280 ----a-w c:\windows\system32\cryptdll(2).dll
+ 2004-08-10 10:00:00 63,488 ----a-w c:\windows\system32\cryptnet(2).dll
+ 2004-08-10 10:00:00 60,416 ----a-w c:\windows\system32\cryptsvc(2).dll
+ 2004-08-10 10:00:00 512,512 ----a-w c:\windows\system32\cryptui(2).dll
+ 2004-08-10 10:00:00 101,888 ----a-w c:\windows\system32\cscdll(2).dll
+ 2004-08-10 10:00:00 326,656 ----a-w c:\windows\system32\cscui(2).dll
+ 2004-08-10 10:00:00 6,144 ----a-w c:\windows\system32\csrss(2).exe
+ 2004-08-10 10:00:00 15,360 ----a-w c:\windows\system32\ctfmon(2).exe
+ 2004-08-10 10:00:00 24,576 ----a-w c:\windows\system32\davclnt(2).dll
+ 2004-08-10 10:00:00 640,000 ----a-w c:\windows\system32\dbghelp(2).dll
- 2004-08-10 10:00:00 1,788 ----a-w c:\windows\system32\Dcache.bin
+ 2008-04-14 00:25:26 1,804 ----a-w c:\windows\system32\dcache.bin
+ 2004-08-10 10:00:00 8,704 ----a-w c:\windows\system32\dciman32(2).dll
+ 2004-08-10 10:00:00 266,240 ----a-w c:\windows\system32\ddraw(2).dll
+ 2004-08-10 10:00:00 27,136 ----a-w c:\windows\system32\ddrawex(2).dll
+ 2004-08-10 10:00:00 59,904 ----a-w c:\windows\system32\devenum(2).dll
- 2008-04-23 04:16:28 124,928 ------w c:\windows\system32\dllcache\advpack.dll
+ 2008-06-23 16:57:27 124,928 ------w c:\windows\system32\dllcache\advpack.dll
- 2007-07-31 02:19:20 92,504 ----a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-07-19 05:10:48 94,920 ----a-w c:\windows\system32\dllcache\cdm.dll
- 2008-04-23 04:16:28 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-06-23 16:57:27 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-04-23 04:16:28 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-06-23 16:57:27 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-04-23 04:16:28 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-06-23 16:57:27 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-04-23 04:16:28 63,488 ------w c:\windows\system32\dllcache\icardie.dll
+ 2008-06-23 16:57:28 63,488 ------w c:\windows\system32\dllcache\icardie.dll
- 2008-04-22 07:39:58 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-06-23 09:20:25 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-04-23 04:16:28 153,088 ------w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-06-23 16:57:29 153,088 ------w c:\windows\system32\dllcache\ieakeng.dll
- 2008-04-23 04:16:28 230,400 ------w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-06-23 16:57:29 230,400 ------w c:\windows\system32\dllcache\ieaksie.dll
- 2008-04-20 05:07:51 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
+ 2008-06-21 05:23:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
- 2008-04-23 04:16:28 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-06-23 16:57:29 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-04-23 04:16:28 384,512 ------w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-06-23 16:57:29 384,512 ------w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-04-23 04:16:28 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
+ 2008-06-23 16:57:33 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
- 2008-04-23 04:16:28 44,544 ------w c:\windows\system32\dllcache\iernonce.dll
+ 2008-06-23 16:57:33 44,544 ------w c:\windows\system32\dllcache\iernonce.dll
- 2008-04-23 04:16:28 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
+ 2008-06-23 16:57:34 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
- 2008-04-22 07:39:58 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-06-23 09:20:26 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
- 2008-04-22 07:40:18 625,664 ------w c:\windows\system32\dllcache\iexplore.exe
+ 2008-06-23 09:20:52 625,664 ------w c:\windows\system32\dllcache\iexplore.exe
- 2008-04-23 04:16:28 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-06-23 16:57:35 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
- 2008-04-23 04:16:28 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-06-23 16:57:36 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
- 2008-04-23 04:16:28 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-06-23 16:57:36 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-04-24 05:16:30 3,591,680 ----a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-06-24 17:57:40 3,592,192 ----a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-04-23 04:16:28 478,208 ----a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-06-23 16:57:39 477,696 ----a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-04-23 04:16:28 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-06-23 16:57:39 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll
- 2008-04-23 04:16:28 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-06-23 16:57:40 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
- 2008-04-23 04:16:28 102,912 ------w c:\windows\system32\dllcache\occache.dll
+ 2008-06-23 16:57:40 102,912 ------w c:\windows\system32\dllcache\occache.dll
- 2008-04-23 04:16:28 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-06-23 16:57:40 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-04-23 04:16:28 105,984 ------w c:\windows\system32\dllcache\url.dll
+ 2008-06-23 16:57:40 105,984 ------w c:\windows\system32\dllcache\url.dll
- 2008-04-23 04:16:29 1,159,680 ----a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-06-23 16:57:40 1,159,680 ----a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-04-23 04:16:29 233,472 ------w c:\windows\system32\dllcache\webcheck.dll
+ 2008-06-23 16:57:41 233,472 ------w c:\windows\system32\dllcache\webcheck.dll
- 2008-04-23 04:16:29 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-06-23 16:57:41 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll
- 2007-07-31 02:19:36 549,720 ----a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-07-19 05:09:44 563,912 ----a-w c:\windows\system32\dllcache\wuapi.dll
- 2007-07-31 02:19:16 53,080 ----a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-07-19 05:10:42 53,448 ----a-w c:\windows\system32\dllcache\wuauclt.exe
- 2007-07-31 02:19:42 1,712,984 ----a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-07-19 05:09:42 1,811,656 ----a-w c:\windows\system32\dllcache\wuaueng.dll
- 2007-07-31 02:19:32 325,976 ----a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-07-19 05:09:46 325,832 ----a-w c:\windows\system32\dllcache\wucltui.dll
- 2007-07-31 02:18:40 33,624 ----a-w c:\windows\system32\dllcache\wups.dll
+ 2008-07-19 05:10:20 36,552 ----a-w c:\windows\system32\dllcache\wups.dll
- 2007-07-31 02:19:28 203,096 ----a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-07-19 05:09:44 205,000 ----a-w c:\windows\system32\dllcache\wuweb.dll
+ 2004-08-10 10:00:00 5,120 ----a-w c:\windows\system32\dllhost(2).exe
+ 2008-06-20 17:41:10 148,992 ----a-w c:\windows\system32\dnsapi(2).dll
+ 2008-02-20 05:32:43 45,568 ----a-w c:\windows\system32\dnsrslvr(2).dll
+ 2008-11-17 00:56:09 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2004-08-10 10:00:00 14,336 ----a-w c:\windows\system32\drprov(2).dll
+ 2004-08-10 10:00:00 137,216 ----a-w c:\windows\system32\dssenh(2).dll
+ 2008-06-23 16:57:27 347,136 ----a-w c:\windows\system32\dxtmsft(2).dll
- 2008-04-23 04:16:28 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-06-23 16:57:27 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-06-23 16:57:27 214,528 ----a-w c:\windows\system32\dxtrans(2).dll
- 2008-04-23 04:16:28 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-06-23 16:57:27 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2004-08-10 10:00:00 23,040 ----a-w c:\windows\system32\ersvc(2).dll
+ 2008-07-07 20:32:22 253,952 ----a-w c:\windows\system32\es(2).dll
+ 2008-07-07 20:32:22 253,952 ----a-w c:\windows\system32\es(4).dll
+ 2005-10-20 22:20:03 1,082,368 ----a-w c:\windows\system32\esent(2).dll
+ 2004-08-10 10:00:00 55,808 ----a-w c:\windows\system32\eventlog(2).dll
- 2008-04-23 04:16:28 133,120 ----a-w c:\windows\system32\extmgr.dll
+ 2008-06-23 16:57:27 133,120 ----a-w c:\windows\system32\extmgr.dll
+ 2004-08-10 10:00:00 80,384 ----a-w c:\windows\system32\faultrep(2).dll
- 2008-07-10 16:20:02 128,504 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-10-26 04:31:57 128,504 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2004-08-10 10:00:00 452,096 ----a-w c:\windows\system32\fxsapi(2).dll
+ 2004-08-10 10:00:00 55,296 ----a-w c:\windows\system32\fxsevent(2).dll
+ 2004-08-10 10:00:00 23,552 ----a-w c:\windows\system32\fxsmon(2).dll
+ 2004-08-10 10:00:00 562,176 ----a-w c:\windows\system32\fxsst(2).dll
+ 2004-08-10 10:00:00 20,992 ----a-w c:\windows\system32\hid(2).dll
+ 2004-08-10 10:00:00 344,064 ----a-w c:\windows\system32\hnetcfg(2).dll
+ 2004-08-10 10:00:00 24,576 ----a-w c:\windows\system32\httpapi(2).dll
+ 2004-08-10 10:00:00 11,264 ----a-w c:\windows\system32\icaapi(2).dll
- 2008-04-23 04:16:28 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-06-23 16:57:28 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-04-22 07:39:58 70,656 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-06-23 09:20:25 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-04-23 04:16:28 153,088 ----a-w c:\windows\system32\ieakeng.dll
+ 2008-06-23 16:57:29 153,088 ----a-w c:\windows\system32\ieakeng.dll
- 2008-04-23 04:16:28 230,400 ----a-w c:\windows\system32\ieaksie.dll
+ 2008-06-23 16:57:29 230,400 ----a-w c:\windows\system32\ieaksie.dll
- 2008-04-20 05:07:51 161,792 ----a-w c:\windows\system32\ieakui.dll
+ 2008-06-21 05:23:54 161,792 ----a-w c:\windows\system32\ieakui.dll
- 2008-04-23 04:16:28 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-06-23 16:57:29 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-04-23 04:16:28 384,512 ----a-w c:\windows\system32\iedkcs32.dll
+ 2008-06-23 16:57:29 384,512 ----a-w c:\windows\system32\iedkcs32.dll
- 2008-04-23 04:16:28 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-06-23 16:57:33 6,066,176 ----a-w c:\windows\system32\ieframe.dll
- 2008-04-23 04:16:28 44,544 ----a-w c:\windows\system32\iernonce.dll
+ 2008-06-23 16:57:33 44,544 ----a-w c:\windows\system32\iernonce.dll
- 2008-04-23 04:16:28 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-06-23 16:57:34 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-04-22 07:39:58 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-06-23 09:20:26 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2004-08-10 10:00:00 75,264 ----a-w c:\windows\system32\inetpp(2).dll
+ 2006-05-19 12:59:41 94,720 ----a-w c:\windows\system32\iphlpapi(2).dll
+ 2004-08-10 10:00:00 331,264 ----a-w c:\windows\system32\ipnathlp(2).dll
+ 2004-08-10 10:00:00 182,784 ----a-w c:\windows\system32\ipsecsvc(2).dll
- 2005-11-10 16:27:06 49,248 ----a-w c:\windows\system32\java.exe
+ 2008-06-10 08:21:01 135,168 ----a-w c:\windows\system32\java.exe
- 2005-11-10 16:27:16 49,250 ----a-w c:\windows\system32\javaw.exe
+ 2008-06-10 08:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
- 2005-11-10 18:03:54 127,078 ----a-w c:\windows\system32\javaws.exe
+ 2008-06-10 09:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2006-10-17 20:00:00 491,520 ----a-w c:\windows\system32\jscript(2).dll
- 2008-04-23 04:16:28 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-06-23 16:57:35 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2005-06-15 17:49:30 295,936 ----a-w c:\windows\system32\kerberos(2).dll
+ 2005-09-01 01:41:53 19,968 ----a-w c:\windows\system32\linkinfo(2).dll
+ 2004-08-10 10:00:00 97,280 ----a-w c:\windows\system32\loadperf(2).dll
+ 2004-08-10 10:00:00 13,312 ----a-w c:\windows\system32\lsass(2).exe
+ 2004-08-10 10:00:00 22,528 ----a-w c:\windows\system32\mfcsubs(2).dll
+ 2004-08-10 10:00:00 18,944 ----a-w c:\windows\system32\midimap(2).dll
+ 2004-08-10 10:00:00 586,240 ----a-w c:\windows\system32\mlang(2).dll
+ 2004-08-10 10:00:00 59,904 ----a-w c:\windows\system32\mpr(2).dll
+ 2004-08-10 10:00:00 87,040 ----a-w c:\windows\system32\mprapi(2).dll
+ 2007-07-06 12:46:59 95,744 ----a-w c:\windows\system32\mqsec(2).dll
+ 2007-07-06 12:46:59 471,552 ----a-w c:\windows\system32\mqutil(2).dll
+ 2004-08-10 10:00:00 71,680 ----a-w c:\windows\system32\msacm32(2).dll
+ 2004-08-10 10:00:00 57,344 ----a-w c:\windows\system32\msasn1(2).dll
+ 2008-06-24 16:23:05 74,240 ----a-w c:\windows\system32\mscms(2).dll
+ 2008-06-24 16:23:05 74,240 ----a-w c:\windows\system32\mscms(3).dll
+ 2008-02-26 11:59:50 294,912 ----a-w c:\windows\system32\msctf(2).dll
+ 2004-08-10 10:00:00 14,336 ----a-w c:\windows\system32\msdmo(2).dll
- 2008-04-23 04:16:28 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-06-23 16:57:36 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-04-23 04:16:28 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-06-23 16:57:36 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-04-24 05:16:30 3,591,680 ----a-w c:\windows\system32\mshtml.dll
+ 2008-06-24 17:57:40 3,592,192 ----a-w c:\windows\system32\mshtml.dll
+ 2008-06-23 16:57:39 477,696 ----a-w c:\windows\system32\mshtmled(2).dll
- 2008-04-23 04:16:28 478,208 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-06-23 16:57:39 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2004-08-10 10:00:00 6,656 ----a-w c:\windows\system32\msidle(2).dll
+ 2004-08-10 10:00:00 4,608 ----a-w c:\windows\system32\msimg32(2).dll
+ 2004-08-10 10:00:00 159,232 ----a-w c:\windows\system32\MSIMTF(2).dll
+ 2004-08-10 10:00:00 30,208 ----a-w c:\windows\system32\mspatcha(2).dll
+ 2004-08-10 10:00:00 48,128 ----a-w c:\windows\system32\msprivs(2).dll
- 2008-04-23 04:16:28 193,024 ----a-w c:\windows\system32\msrating.dll
+ 2008-06-23 16:57:39 193,024 ----a-w c:\windows\system32\msrating.dll
- 2008-04-23 04:16:28 671,232 ----a-w c:\windows\system32\mstime.dll
+ 2008-06-23 16:57:40 671,232 ----a-w c:\windows\system32\mstime.dll
+ 2004-08-10 10:00:00 115,712 ----a-w c:\windows\system32\mstlsapi(2).dll
+ 2004-08-10 10:00:00 195,072 ----a-w c:\windows\system32\msutb(2).dll
+ 2004-08-10 10:00:00 1,392,671 ----a-w c:\windows\system32\msvbvm60(2).dll
+ 2004-08-10 10:00:00 413,696 ----a-w c:\windows\system32\msvcp60(2).dll
+ 2004-08-10 10:00:00 343,040 ----a-w c:\windows\system32\msvcrt(2).dll
+ 2004-08-10 10:00:00 120,832 ----a-w c:\windows\system32\msvfw32(2).dll
+ 2008-06-20 17:41:10 245,248 ----a-w c:\windows\system32\mswsock(2).dll
+ 2007-06-26 06:08:16 1,104,896 ----a-w c:\windows\system32\msxml3(2).dll
+ 2006-03-01 19:42:42 66,560 ----a-w c:\windows\system32\mtxclu(2).dll
+ 2004-08-10 10:00:00 90,624 ----a-w c:\windows\system32\mydocs(2).dll
+ 2004-08-10 10:00:00 17,920 ----a-w c:\windows\system32\nddeapi(2).dll
+ 2008-10-15 16:57:55 332,800 ----a-w c:\windows\system32\netapi32(2).dll
+ 2008-10-15 16:57:55 332,800 ----a-w c:\windows\system32\netapi32(3).dll
+ 2006-08-17 12:28:27 332,288 ----a-w c:\windows\system32\netapi32(4).dll
+ 2004-08-10 10:00:00 622,080 ----a-w c:\windows\system32\netcfgx(2).dll
+ 2004-08-10 10:00:00 407,040 ----a-w c:\windows\system32\netlogon(2).dll
+ 2005-08-22 18:29:46 197,632 ----a-w c:\windows\system32\netman(2).dll
+ 2004-08-10 10:00:00 12,288 ----a-w c:\windows\system32\netrap(2).dll
+ 2005-06-21 15:00:18 1,705,472 ----a-w c:\windows\system32\netshell(2).dll
+ 2004-08-10 10:00:00 80,896 ----a-w c:\windows\system32\netui0(2).dll
+ 2004-08-10 10:00:00 245,760 ----a-w c:\windows\system32\netui1(2).dll
+ 2004-08-10 10:00:00 248,832 ----a-w c:\windows\system32\newdev(2).dll
+ 2004-08-10 10:00:00 67,072 ----a-w c:\windows\system32\ntdsapi(2).dll
+ 2004-08-10 10:00:00 43,520 ----a-w c:\windows\system32\ntlanman(2).dll
+ 2004-08-10 10:00:00 118,784 ----a-w c:\windows\system32\ntmarta(2).dll
+ 2004-08-10 10:00:00 143,872 ----a-w c:\windows\system32\ntshrui(2).dll
- 2008-08-13 17:07:50 56,321 ----a-w c:\windows\system32\nvModes.dat
+ 2008-11-12 23:20:29 56,321 ----a-w c:\windows\system32\nvModes.dat
+ 2004-08-10 10:00:00 266,752 ----a-w c:\windows\system32\oakley(2).dll
- 2008-04-23 04:16:28 102,912 ----a-w c:\windows\system32\occache.dll
+ 2008-06-23 16:57:40 102,912 ----a-w c:\windows\system32\occache.dll
+ 2004-08-10 10:00:00 60,928 ----a-w c:\windows\system32\ocmanage(2).dll
+ 2006-09-20 11:40:23 1,286,656 ----a-w c:\windows\system32\ole32(2).dll
+ 2005-07-26 04:39:48 74,752 ----a-w c:\windows\system32\olecli32(2).dll
+ 2006-10-16 16:15:00 122,880 ----a-w c:\windows\system32\oledlg(2).dll
- 2008-06-19 1829 64,602 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-02 23:04:35 64,602 ----a-w c:\windows\system32\perfc009.dat
- 2008-06-19 1829 408,238 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-02 23:04:35 408,238 ----a-w c:\windows\system32\perfh009.dat
+ 2004-08-10 10:00:00 15,360 ----a-w c:\windows\system32\pjlmon(2).dll
+ 2008-06-23 16:57:40 44,544 ----a-w c:\windows\system32\pngfilt(2).dll
- 2008-04-23 04:16:28 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-06-23 16:57:40 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2004-08-10 10:00:00 17,408 ----a-w c:\windows\system32\powrprof(2).dll
+ 2004-08-10 10:00:00 27,648 ----a-w c:\windows\system32\profmap(2).dll
+ 2004-08-10 10:00:00 23,040 ----a-w c:\windows\system32\psapi(2).dll
+ 2004-08-10 10:00:00 96,768 ----a-w c:\windows\system32\psbase(2).dll
+ 2004-08-10 10:00:00 34,304 ----a-w c:\windows\system32\pstorsvc(2).dll
+ 2008-05-07 04:55:40 1,288,192 ----a-w c:\windows\system32\quartz(2).dll
+ 2006-06-26 17:37:10 8,192 ----a-w c:\windows\system32\rasadhlp(2).dll
+ 2004-08-10 10:00:00 69,632 ----a-w c:\windows\system32\raschap(2).dll
+ 2006-06-22 10:47:18 181,248 ----a-w c:\windows\system32\rasmans(2).dll
+ 2004-08-10 10:00:00 206,336 ----a-w c:\windows\system32\rasppp(2).dll
+ 2004-08-10 10:00:00 112,128 ----a-w c:\windows\system32\rastls(2).dll
+ 2004-08-10 10:00:00 49,664 ----a-w c:\windows\system32\regapi(2).dll
+ 2004-08-10 10:00:00 59,904 ----a-w c:\windows\system32\regsvc(2).dll
+ 2008-11-16 23:00:30 46,976 ----a-w c:\windows\system32\Restore\rstrlog.dat
+ 2004-08-10 10:00:00 58,880 ----a-w c:\windows\system32\resutils(2).dll
+ 2006-11-27 14:54:06 433,152 ----a-w c:\windows\system32\riched20(2).dll
+ 2007-07-09 13:16:16 582,656 ----a-w c:\windows\system32\rpcrt4(2).dll
+ 2006-09-20 11:40:23 399,360 ----a-w c:\windows\system32\rpcss(2).dll
+ 2004-08-10 10:00:00 152,576 ----a-w c:\windows\system32\rsaenh(2).dll
+ 2004-08-10 10:00:00 44,032 ----a-w c:\windows\system32\rtutils(2).dll
+ 2004-08-10 10:00:00 180,224 ----a-w c:\windows\system32\scecli(2).dll
+ 2004-08-10 10:00:00 313,856 ----a-w c:\windows\system32\scesrv(2).dll
+ 2004-08-10 10:00:00 190,976 ----a-w c:\windows\system32\schedsvc(2).dll
+ 2004-08-10 10:00:00 18,944 ----a-w c:\windows\system32\seclogon(2).dll
+ 2004-08-10 10:00:00 55,808 ----a-w c:\windows\system32\secur32(2).dll
+ 2004-08-10 10:00:00 5,632 ----a-w c:\windows\system32\security(2).dll
+ 2004-08-10 10:00:00 38,912 ----a-w c:\windows\system32\sens(2).dll
+ 2004-08-10 10:00:00 6,656 ----a-w c:\windows\system32\sensapi(2).dll
+ 2004-08-10 10:00:00 259,584 ----a-w c:\windows\system32\Setup\comsetup(2).dll
+ 2004-08-10 10:00:00 32,828 ----a-w c:\windows\system32\Setup\fp40ext(2).dll
+ 2004-08-10 10:00:00 132,608 ----a-w c:\windows\system32\Setup\fxsocm(2).dll
+ 2004-08-10 10:00:00 505,344 ----a-w c:\windows\system32\Setup\iis(2).dll
+ 2004-08-10 10:00:00 115,712 ----a-w c:\windows\system32\Setup\imsinsnt(2).dll
+ 2004-08-10 10:00:00 82,432 ----a-w c:\windows\system32\Setup\msdtcstp(2).dll
+ 2004-08-10 10:00:00 15,360 ----a-w c:\windows\system32\Setup\msgrocm(2).dll
+ 2004-08-10 10:00:00 169,984 ----a-w c:\windows\system32\Setup\msmqocm(2).dll
+ 2004-08-10 10:00:00 77,312 ----a-w c:\windows\system32\Setup\netoc(2).dll
+ 2004-08-10 10:00:00 62,976 ----a-w c:\windows\system32\Setup\ntoc(2).dll
+ 2004-08-10 10:00:00 15,872 ----a-w c:\windows\system32\Setup\ocgen(2).dll
+ 2004-08-10 10:00:00 17,408 ----a-w c:\windows\system32\Setup\ocmsn(2).dll
+ 2004-08-10 10:00:00 101,376 ----a-w c:\windows\system32\Setup\setupqry(2).dll
+ 2004-08-10 10:00:00 33,792 ----a-w c:\windows\system32\Setup\tabletoc(2).dll
+ 2004-08-10 10:00:00 121,856 ----a-w c:\windows\system32\Setup\tsoc(2).dll
+ 2004-08-10 10:00:00 5,120 ----a-w c:\windows\system32\sfc(2).dll
+ 2004-08-10 10:00:00 140,288 ----a-w c:\windows\system32\sfc_os(2).dll
+ 2007-10-26 03:34:01 8,460,288 ----a-w c:\windows\system32\shell32(2).dll
+ 2004-08-10 10:00:00 438,272 ----a-w c:\windows\system32\shimgvw(2).dll
+ 2006-09-14 08:31:29 474,112 ----a-w c:\windows\system32\shlwapi(2).dll
+ 2006-12-19 21:52:18 134,656 ----a-w c:\windows\system32\shsvcs(2).dll
+ 2008-07-19 05:10:20 36,552 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\wups.dll
+ 2008-07-19 05:10:40 45,768 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784\wups2.dll
+ 2001-08-18 05:36:16 435,200 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPF900AL.DLL
+ 2001-08-18 05:36:16 1,853,952 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPFIMG50.DLL
+ 2004-08-04 07:56:44 87,552 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPFUD50.DLL
+ 2001-08-18 05:36:16 32,768 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPFUI50.DLL
+ 2004-08-04 07:56:48 264,704 ----a-w c:\windows\system32\spool\drivers\w32x86\3\UNIDRV.DLL
+ 2004-08-04 07:56:48 197,120 ----a-w c:\windows\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
+ 2004-08-04 07:56:36 619,520 ----a-w c:\windows\system32\spool\drivers\w32x86\3\UNIRES.DLL
+ 2004-08-10 10:00:00 74,752 ----a-w c:\windows\system32\spoolss(2).dll
+ 2005-06-10 23:53:32 57,856 ----a-w c:\windows\system32\spoolsv(2).exe
+ 2004-08-10 10:00:00 67,584 ----a-w c:\windows\system32\srclient(2).dll
+ 2004-08-10 10:00:00 170,496 ----a-w c:\windows\system32\srsvc(2).dll
+ 2004-08-10 10:00:00 34,816 ----a-w c:\windows\system32\ssdpapi(2).dll
+ 2004-08-10 10:00:00 71,680 ----a-w c:\windows\system32\ssdpsrv(2).dll
+ 2004-08-10 10:00:00 121,856 ----a-w c:\windows\system32\stobject(2).dll
+ 2004-08-10 10:00:00 75,776 ----a-w c:\windows\system32\strmfilt(2).dll
+ 2004-08-10 10:00:00 14,336 ----a-w c:\windows\system32\svchost(2).exe
+ 2006-10-19 13:56:32 713,216 ----a-w c:\windows\system32\sxs(2).dll
+ 2004-08-10 10:00:00 181,760 ----a-w c:\windows\system32\tapi32(2).dll
+ 2005-07-08 16:27:56 249,344 ----a-w c:\windows\system32\tapisrv(2).dll
+ 2004-08-10 10:00:00 45,568 ----a-w c:\windows\system32\tcpmon(2).dll
+ 2005-03-10 00:49:52 295,424 ----a-w c:\windows\system32\termsrv(2).dll
+ 2004-08-10 10:00:00 385,536 ----a-w c:\windows\system32\themeui(2).dll
+ 2004-08-10 10:00:00 90,624 ----a-w c:\windows\system32\trkwks(2).dll
+ 2005-07-26 04:39:49 101,376 ----a-w c:\windows\system32\txflog(2).dll
+ 2005-08-23 03:35:42 123,392 ----a-w c:\windows\system32\umpnpmgr(2).dll
+ 2004-08-10 10:00:00 132,608 ----a-w c:\windows\system32\upnp(2).dll
+ 2008-06-23 16:57:40 105,984 ----a-w c:\windows\system32\url(2).dll
- 2008-04-23 04:16:28 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-06-23 16:57:40 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-06-23 16:57:40 1,159,680 ----a-w c:\windows\system32\urlmon(2).dll
- 2008-04-23 04:16:29 1,159,680 ----a-w c:\windows\system32\urlmon.dll
+ 2008-06-23 16:57:40 1,159,680 ----a-w c:\windows\system32\urlmon.dll
+ 2004-08-10 10:00:00 16,896 ----a-w c:\windows\system32\usbmon(2).dll
+ 2004-08-10 10:00:00 406,528 ----a-w c:\windows\system32\usp10(2).dll
+ 2004-08-10 10:00:00 218,624 ----a-w c:\windows\system32\uxtheme(2).dll
+ 2006-11-08 05:03:36 413,696 ----a-w c:\windows\system32\vbscript(2).dll
+ 2004-08-10 10:00:00 18,944 ----a-w c:\windows\system32\version(2).dll
+ 2004-08-10 10:00:00 430,592 ----a-w c:\windows\system32\vssapi(2).dll
+ 2004-08-10 10:00:00 174,592 ----a-w c:\windows\system32\w32time(2).dll
+ 2004-08-10 10:00:00 15,872 ----a-w c:\windows\system32\w3ssl(2).dll
+ 2004-08-10 10:00:00 185,856 ----a-w c:\windows\system32\wbem\framedyn(2).dll
+ 2004-08-10 10:00:00 18,944 ----a-w c:\windows\system32\wbem\wbemprox(2).dll
+ 2004-08-10 10:00:00 49,152 ----a-w c:\windows\system32\wdigest(2).dll
+ 2004-08-10 10:00:00 23,552 ----a-w c:\windows\system32\wdmaud(2).drv
+ 2008-06-23 16:57:41 233,472 ----a-w c:\windows\system32\webcheck(2).dll
- 2008-04-23 04:16:29 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-06-23 16:57:41 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2006-01-04 03:35:05 68,096 ----a-w c:\windows\system32\webclnt(2).dll
+ 2006-12-19 18:16:47 333,824 ----a-w c:\windows\system32\wiaservc(2).dll
+ 2004-08-10 10:00:00 351,232 ----a-w c:\windows\system32\winhttp(2).dll
+ 2008-06-23 16:57:41 826,368 ----a-w c:\windows\system32\wininet(2).dll
- 2008-04-23 04:16:29 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-06-23 16:57:41 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2004-08-10 10:00:00 32,768 ----a-w c:\windows\system32\winipsec(2).dll
+ 2004-08-10 10:00:00 176,128 ----a-w c:\windows\system32\winmm(2).dll
+ 2004-08-10 10:00:00 16,896 ----a-w c:\windows\system32\winrnr(2).dll
+ 2004-08-10 10:00:00 99,328 ----a-w c:\windows\system32\winscard(2).dll
+ 2004-08-10 10:00:00 176,640 ----a-w c:\windows\system32\wintrust(2).dll
+ 2004-08-10 10:00:00 172,032 ----a-w c:\windows\system32\wldap32(2).dll
+ 2004-08-10 10:00:00 92,672 ----a-w c:\windows\system32\wlnotify(2).dll
+ 2004-08-10 10:00:00 5,632 ----a-w c:\windows\system32\wmi(2).dll
+ 2004-08-10 10:00:00 264,192 ----a-w c:\windows\system32\wow32(2).dll
+ 2004-08-10 10:00:00 82,944 ----a-w c:\windows\system32\ws2_32(2).dll
+ 2004-08-10 10:00:00 19,968 ----a-w c:\windows\system32\ws2help(2).dll
+ 2004-08-10 10:00:00 81,408 ----a-w c:\windows\system32\wscsvc(2).dll
+ 2004-08-10 10:00:00 19,968 ----a-w c:\windows\system32\wshtcpip(2).dll
+ 2004-08-10 10:00:00 22,528 ----a-w c:\windows\system32\wsock32(2).dll
+ 2004-08-10 10:00:00 18,432 ----a-w c:\windows\system32\wtsapi32(2).dll
- 2007-07-31 02:19:36 549,720 ----a-w c:\windows\system32\wuapi.dll
+ 2008-07-19 05:09:44 563,912 ----a-w c:\windows\system32\wuapi.dll
- 2007-07-31 02:19:16 53,080 ----a-w c:\windows\system32\wuauclt.exe
+ 2008-07-19 05:10:42 53,448 ----a-w c:\windows\system32\wuauclt.exe
- 2007-07-31 02:19:42 1,712,984 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-07-19 05:09:42 1,811,656 ----a-w c:\windows\system32\wuaueng.dll
+ 2004-08-10 10:00:00 6,656 ----a-w c:\windows\system32\wuauserv(2).dll
- 2007-07-31 02:19:32 325,976 ----a-w c:\windows\system32\wucltui.dll
+ 2008-07-19 05:09:46 325,832 ----a-w c:\windows\system32\wucltui.dll
- 2007-07-31 02:18:40 33,624 ----a-w c:\windows\system32\wups.dll
+ 2008-07-19 05:10:20 36,552 ----a-w c:\windows\system32\wups.dll
- 2007-07-31 02:19:12 43,352 ----a-w c:\windows\system32\wups2.dll
+ 2008-07-19 05:10:40 45,768 ----a-w c:\windows\system32\wups2.dll
- 2007-07-31 02:19:28 203,096 ----a-w c:\windows\system32\wuweb.dll
+ 2008-07-19 05:09:44 205,000 ----a-w c:\windows\system32\wuweb.dll
+ 2005-06-21 15:00:18 52,736 ----a-w c:\windows\system32\wzcsapi(2).dll
+ 2005-06-21 15:00:18 474,624 ----a-w c:\windows\system32\wzcsvc(2).dll
+ 2006-07-14 15:51:51 121,856 ----a-w c:\windows\system32\xmllite(2).dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2008-08-06 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-08-06 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-08-06 81920]
"DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-07 73728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-06 761947]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-06 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-08-06 385024]
"dldtmon.exe"="c:\program files\Dell V305\dldtmon.exe" [2008-03-19 668912]
"dldtamon"="c:\program files\Dell V305\dldtamon.exe" [2008-03-19 16624]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-21 7557120]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dzwxze.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= c:\windows\system32\i263_32.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"msacm.avis"= ff_acm.acm
"vidc.i263"= c:\windows\system32\i263_32.drv
"msacm.imc"= c:\windows\system32\imc32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Govier^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\Govier\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-08-06 13:36 288576 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2008-08-06 14:03 1347584 c:\windows\system32\wltray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 02:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2008-08-06 13:35 1032192 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2008-08-06 14:02 127035 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 09:24 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 17:29 49152 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 11:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-08-06 13:37 267048 c:\program files\iTunes\ituneshelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--a------ 2008-08-06 13:40 20480 c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-03-21 03:03 7557120 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-08-06 13:12 385024 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-10 12:37 1271032 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StxTrayMenu]
--a------ 2007-01-18 12:20 190008 c:\program files\Seagate\SystemTray\StxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-08-06 13:12 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
braviax.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
--a------ 2006-03-21 03:03 73728 c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-08-06 14:03 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\SEGA\\Medieval II Total War\\medieval2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Dell V305\\dldtamon.exe"=
"c:\\Program Files\\Dell V305\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Dell V305\\dldtmon.exe"=
"c:\\WINDOWS\\system32\\dldtcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldttime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtjswx.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtwbgw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15402:TCP"= 15402:TCP:BND
"10046:TCP"= 10046:TCP:BND
"13500:TCP"= 13500:TCP:BND
"14502:TCP"= 14502:TCP:BND
"33227:TCP"= 33227:TCP:BND

R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service []
R2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\dldtserv.exe [2008-07-11 99568]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20a266e9-bd70-11db-bfbe-0015c5b0a027}]
\Shell\AutoRun\command - F:\Install.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{048457E0-E8EA-4BA5-886D-CF5F4FC93B2A} - (no file)
BHO-{1D143A0E-F1AD-46D8-9456-160F3AE3487A} - c:\windows\system32\urqOhecd.dll
BHO-{398c02aa-25b4-4d4f-9470-cf9eccecd6c4} - c:\windows\system32\dzwxze.dll
BHO-{513CF211-F103-49C5-8799-E43398C5F91F} - (no file)
BHO-{A63E645F-13BD-45ED-B15F-6E8C1BD57279} - (no file)
BHO-{BEAEB54B-EC1C-4546-8AEE-308FC6F30C13} - c:\windows\system32\jkkICrQI.dll
HKLM-Run-aca38e8f - c:\windows\system32\fnaskxld.dll
Notify-rqRhiFxx - (no file)



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 12:43:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe
c:\windows\system32\dldtcoms.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Dell V305\dldtmsdmon.exe
.
**************************************************************************
.
Completion time: 2008-11-19 12:49:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-19 20:49:34
ComboFix2.txt 2008-08-13 20:50:36
ComboFix3.txt 2008-08-12 20:57:57

Pre-Run: 22,568,599,552 bytes free
Post-Run: 22,790,975,488 bytes free

722 --- E O F --- 2008-08-14 15:57:34
Attached file: log.txt (50.3 KB)
briang3 is offline  
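The ComboFix log above carries several indicators worth knowing how to spot in any log of this kind: Security Center notifications switched off, a startup entry (braviax) with no resolvable file, a firewall exception for an executable sitting in the root of C:, an AutoRun command remembered for a removable drive, and orphaned BHO/Run entries pointing at randomly named DLLs in system32. As an added example (not part of the thread, and not how ComboFix itself works), the following Python script applies those checks to a constructed excerpt of the posted log. The name-randomness heuristic is the editor's own and will produce false positives on some legitimate 8-letter filenames, so treat its output as a triage list, not a verdict.

```python
"""Triage a ComboFix-style log excerpt for tamper and persistence indicators.
Added example; the sample is constructed from lines of the posted log and the
heuristics are the editor's, not ComboFix's."""
import ntpath
import re

# Constructed sample: a handful of lines copied from the posted ComboFix log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 02:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2008-08-06 13:35 1032192 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
braviax.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20a266e9-bd70-11db-bfbe-0015c5b0a027}]
\Shell\AutoRun\command - F:\Install.exe

- - - - ORPHANS REMOVED - - - -

BHO-{048457E0-E8EA-4BA5-886D-CF5F4FC93B2A} - (no file)
BHO-{1D143A0E-F1AD-46D8-9456-160F3AE3487A} - c:\windows\system32\urqOhecd.dll
BHO-{BEAEB54B-EC1C-4546-8AEE-308FC6F30C13} - c:\windows\system32\jkkICrQI.dll
HKLM-Run-aca38e8f - c:\windows\system32\fnaskxld.dll
Notify-rqRhiFxx - (no file)
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# attribute flags, date, time, size, path: the shape of a resolved startupreg entry
STARTUP_FILE_RE = re.compile(r"^[-a-z]{9} \d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ (?P<path>.+)$")
ORPHAN_RE = re.compile(r"^(?P<kind>BHO|HKLM-Run|HKCU-Run|Notify)-(?P<name>\S+) - (?P<target>.+)$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
FW_APP_RE = re.compile(r'^"(?P<path>[^"]+)"=$')
NOTIFY_RE = re.compile(r'^"(?P<name>\w*DisableNotify)"=dword:0*1$', re.I)


def looks_random(stem: str) -> bool:
    """Editor's heuristic for the throwaway names Vundo-style droppers use:
    8 hex digits, or 8 letters with capitals after the first or a long consonant run."""
    if re.fullmatch(r"[0-9a-f]{8}", stem):
        return True
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    inner_upper = any(c.isupper() for c in stem[1:])
    consonant_run = re.search(r"[^aeiouAEIOU]{4}", stem) is not None
    return inner_upper or consonant_run


def _stem(path: str) -> str:
    return ntpath.splitext(ntpath.basename(path))[0]


def triage(log_text: str) -> list:
    """Return one human-readable finding per suspicious line of the log."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            continue
        if line.startswith("- - - -"):  # ORPHANS banner: no bracketed key applies below it
            section = ""
            continue
        key = section.lower()
        name = section.rsplit("\\", 1)[-1]

        m = ORPHAN_RE.match(line)
        if m:
            target = m.group("target")
            if looks_random(m.group("name")) or (target != "(no file)" and looks_random(_stem(target))):
                findings.append(f"orphaned {m.group('kind')} entry with throwaway name: {line}")
            continue

        if "\\startupreg\\" in key:
            m = STARTUP_FILE_RE.match(line)
            if m is None:  # e.g. "braviax.exe [BU]": no path, no timestamp, no size
                findings.append(f"startup entry '{name}' has no resolvable file: {line}")
            elif looks_random(_stem(m.group("path"))):
                findings.append(f"startup entry '{name}' runs a throwaway-named file: {m.group('path')}")
        elif key.endswith("\\security center"):
            m = NOTIFY_RE.match(line)
            if m:
                findings.append(f"Security Center alerting turned off: {m.group('name')}")
        elif "\\authorizedapplications\\" in key:
            m = FW_APP_RE.match(line)
            if m:
                path = m.group("path").replace("\\\\", "\\")  # the log doubles backslashes
                if re.fullmatch(r"[a-z]:\\[^\\]+", path, re.I):
                    findings.append(f"firewall exception for a file in a drive root: {path}")
        elif "\\mountpoints2\\" in key:
            m = AUTORUN_RE.match(line)
            if m:
                findings.append(f"AutoRun command recorded for a removable drive: {m.group('cmd')}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Running it against the sample lists nine findings: the braviax entry, both Security Center switches, c:\StubInstaller.exe, the F:\Install.exe AutoRun and the four orphaned entries; ctfmon.exe and quickset.exe pass. The "throwaway name" check is where to expect noise, so confirm anything it flags against the file's signature and vendor before acting on it.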
Old 11-19-2008, 03:08 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,253
OS: 2000 Pro; XP Pro; XP Home


Re: Random popups and cpu running 50%

Next instructions

---------------------------------------------------------------------------------------------

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
  • See this link for a tutorial

Using Internet Explorer, Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

---------------------------------------------------------------------------------------------

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

I see no AntiVirus application installed. An AntiVirus is a must have for machines connected to the internet today.

Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.

There are excellent free AntiVirus applications available today, so there's no reason to be unprotected.

I see that Trend Micro Internet Security was removed on the 16th. Do you still have installation media for this, and would it be current? If so, please reinstall it, update it, and run a full system scan.

If not, please install this FREE antivirus now.


Install this FREE AntiVirus program, update it, and run a full system scan.

Avira AntiVir Personal

Here is a tutorial on its setup and use:

http://www.techsupportforum.com/cont...ticles/64.html

When the scan is complete, click on the Report button. A log file will open. Please post that in your next reply.

Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
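Before merging a .reg file from a forum post it is worth reading it the way regedit will: a key header with a leading minus, [-KEY], deletes that whole key and everything under it; "Name"="" sets the value to an empty string; and "Name"=- (which this fix does not use) would delete the value instead. The following Python parser is an added example, not part of the thread: it turns the posted REGEDIT4 text into the list of actions it requests and rejects a file without the header line, which regedit refuses to import. It understands the string, dword and hex data formats REGEDIT4 uses and nothing else; the function and action names are the editor's own.

```python
"""Explain what a REGEDIT4 script will do before it is merged.
Added example, not part of the thread; POSTED_FIX is the .reg text from the post."""
import re

POSTED_FIX = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
# a quoted value name (with \" and \\ escapes) or @ for the default value, then '='
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')


def _unquote(s: str) -> str:
    """Strip the surrounding quotes and undo backslash escapes; @ is the default value."""
    if s == "@":
        return "(Default)"
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def explain_reg(text: str) -> list:
    """Return (action, key, value_name, data) tuples in file order.

    action is one of delete_key, delete_value, set_string, set_dword, set_binary.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Windows Registry Editor header; regedit refuses such a file")
    actions = []
    key = None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            if m.group("delete"):  # [-KEY]: the whole key and its subkeys go away
                actions.append(("delete_key", key, None, None))
                key = None  # values cannot meaningfully follow a deleted key
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"cannot interpret line: {line}")
        name, data = _unquote(m.group("name")), m.group("data")
        if data == "-":
            actions.append(("delete_value", key, name, None))
        elif data.startswith('"'):  # "Name"="" writes an empty REG_SZ, it does not delete
            actions.append(("set_string", key, name, _unquote(data)))
        elif data.startswith("dword:"):
            actions.append(("set_dword", key, name, int(data[len("dword:"):], 16)))
        elif data.startswith("hex"):
            actions.append(("set_binary", key, name, data))
        else:
            raise ValueError(f"unknown data format: {data}")
    return actions


if __name__ == "__main__":
    for action, key, name, data in explain_reg(POSTED_FIX):
        print(action, key, name, repr(data))
```

For the posted fix the output is two actions: delete the startupreg\braviax key, and set AppInit_DLLs under Windows NT\CurrentVersion\Windows to an empty string. Emptying AppInit_DLLs matters because any DLL listed there is loaded into every process that links user32.dll, which is how the Vundo-family droppers in this log keep themselves resident; after the reboot, check that the value is empty again rather than repopulated.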
Old 11-19-2008, 06:00 PM   #10 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 21
OS: xp


Re: Random popups and cpu running 50%

Hi, I downloaded the Avira virus protection and here's the log from the scan:

Thanks




Avira AntiVir Personal
Report file date: Wednesday, November 19, 2008 14:44

Scanning for 1042450 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: BRIAN

Version information:
BUILD.DAT : 8.2.0.336 16933 Bytes 10/30/2008 11:40:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 18:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 17:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 22:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 17:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 22:42:20
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 11/9/2008 22:42:26
ANTIVIR2.VDF : 7.1.0.89 221184 Bytes 11/16/2008 22:42:30
ANTIVIR3.VDF : 7.1.0.110 109568 Bytes 11/19/2008 22:42:33
Engineversion : 8.2.0.34
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 20:05:56
AESCRIPT.DLL : 8.1.1.15 332156 Bytes 11/19/2008 22:43:04
AESCN.DLL : 8.1.1.5 123251 Bytes 11/19/2008 22:43:01
AERDL.DLL : 8.1.1.3 438645 Bytes 11/19/2008 22:42:59
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/19/2008 22:42:56
AEOFFICE.DLL : 8.1.0.30 196986 Bytes 11/19/2008 22:42:52
AEHEUR.DLL : 8.1.0.71 1487222 Bytes 11/19/2008 22:42:50
AEHELP.DLL : 8.1.2.0 119159 Bytes 11/19/2008 22:42:40
AEGEN.DLL : 8.1.1.4 319861 Bytes 11/19/2008 22:42:39
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 20:05:56
AECORE.DLL : 8.1.5.0 172407 Bytes 11/19/2008 22:42:36
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 20:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 18:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 19:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 11/19/2008 22:42:34
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 21:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 18:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 22:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 03:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 22:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 22:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 23:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 23:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Wednesday, November 19, 2008 14:44

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'dldtmsdmon.exe' - '1' Module(s) have been scanned
Scan process 'dsagnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'dldtmon.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'syntpenh.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'StarWindService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'NicConfigSvc.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned
Scan process 'dldtcoms.exe' - '1' Module(s) have been scanned
Scan process 'dldtserv.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
44 processes with 44 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '59' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Deckard\System Scanner\backup\DOCUME~1\Govier\LOCALS~1\Temp\lamdp32.exe
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
[NOTE] The file was moved to '49919748.qua'!
C:\Deckard\System Scanner\backup\DOCUME~1\Govier\LOCALS~1\Temp\msinfo32.dat
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
[NOTE] The file was moved to '498d9762.qua'!
C:\Deckard\System Scanner\backup\DOCUME~1\Govier\LOCALS~1\Temp\nimura32.exe
[DETECTION] Is the TR/Buzus.iij Trojan
[NOTE] The file was moved to '49919758.qua'!
C:\Deckard\System Scanner\backup\DOCUME~1\Govier\LOCALS~1\Temp\EZ_temp\Product\TrendMicro_TAV_16.1_1063_x32_T_0806173829.exe
[0] Archive type: CAB SFX (self extracting)
--> \Readme.txt
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Deckard\System Scanner\backup\DOCUME~1\Govier\LOCALS~1\Temp\Temporary Directory 3 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, a.zip\OFFICE1.CAB
[0] Archive type: CAB (Microsoft)
--> uspmetax.7057.AF40AAF8_9187_4E0C_A23E_344075B53E7C
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\InternetSpeedMonitor.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49989857.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor3.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4998984f.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallbuy.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49929854.qua'!
C:\Documents and Settings\Govier\Application Data\Sun\Java\Deployment\cache\6.0\52\6d7493b4-3d56afdc
[0] Archive type: ZIP
--> OP.class
[DETECTION] Contains recognition pattern of the EXP/ByteVerify.I exploit
[NOTE] The file was moved to '495b986c.qua'!
C:\Documents and Settings\Govier\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-51de10e-6c0309b1.zip
[0] Archive type: ZIP
--> OP.class
[DETECTION] Contains recognition pattern of the EXP/ByteVerify.I exploit
[NOTE] The file was moved to '4952985b.qua'!
C:\Documents and Settings\Govier\My Documents\LimeWire\Saved\Johnny Cash & June Carter Cash - Johnny Cash & June Carter Cash - 'Cause i love you.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '498c9974.qua'!
C:\Documents and Settings\Govier\My Documents\LimeWire\Saved\Natasha Beddingfield - Take Me Away.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '49989968.qua'!
C:\Program Files\SW2007SDK\swwi\data\tb0.cab
[0] Archive type: CAB (Microsoft)
--> fltile5.jpg
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\QooBox\Quarantine\C\Documents and Settings\Govier\Application Data\gadcom\gadcom.exe.vir
[DETECTION] Is the TR/Agent.amyy Trojan
[NOTE] The file was moved to '49889f1d.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\aqjfkn.dll.vir
[DETECTION] Is the TR/Vundo.fyd.21 Trojan
[NOTE] The file was moved to '498e9f2e.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\dzwxze.dll.vir
[DETECTION] Is the TR/Vundo.fyd.26 Trojan
[NOTE] The file was moved to '499b9f37.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\fcccdARh.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49879f20.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\lmmahcfe.dll.vir
[DETECTION] Is the TR/Vundo.fyd.21 Trojan
[NOTE] The file was moved to '49919f2b.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\msansspc.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49859f32.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\rqRhiFxx.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49769f30.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\wkxygsql.dll.vir
[DETECTION] Is the TR/Vundo.fyd.26 Trojan
[NOTE] The file was moved to '499c9f2a.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\wpv274.cpx.vir
[0] Archive type: NSIS
--> ProgramFilesDir/GetModule25.exe
[DETECTION] Is the TR/Agent.akgc Trojan
[DETECTION] Contains recognition pattern of the DR/Agent.akgc dropper
[NOTE] The file was moved to '499a9f30.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\wpv964.cpx.vir
[0] Archive type: NSIS
--> ProgramFilesDir/GetModule25.exe
[DETECTION] Is the TR/Agent.akgc Trojan
[DETECTION] Contains recognition pattern of the DR/Agent.akgc dropper
[NOTE] The file was moved to '481902b1.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\dlha\mstask32.com.vir
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
[NOTE] The file was moved to '49989f33.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\spfx\hypinit32.exe.vir
[DETECTION] Is the TR/Buzus.iij Trojan
[NOTE] The file was moved to '49949f3a.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\spfx\mstlsapi.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49989f35.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\spfx\olcserv32.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49879f2e.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\spfx\pfsbase32.dll.vir
[DETECTION] Is the TR/Dldr.Agent.zoi Trojan
[NOTE] The file was moved to '49979f28.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP636\A0046404.dll
[DETECTION] Is the TR/Peed.JVI Trojan
[NOTE] The file was moved to '49549f13.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP639\A0053309.exe
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '49549fba.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP639\A0053310.exe
[DETECTION] Is the TR/Agent.AJDU.2 Trojan
[NOTE] The file was moved to '48d511fb.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP639\A0053312.exe
[DETECTION] Is the TR/Agent.akgc Trojan
[NOTE] The file was moved to '49549fbb.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP639\A0053315.dll
[DETECTION] Is the TR/Peed.JVI Trojan
[NOTE] The file was moved to '48d511fc.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP639\A0053316.dll
[DETECTION] Is the TR/Peed.JVI Trojan
[NOTE] The file was moved to '49549fbd.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP639\A0053317.exe
[DETECTION] Is the TR/Peed.JVI Trojan
[NOTE] The file was moved to '49549fbc.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP641\A0053809.exe
[DETECTION] Contains recognition pattern of the WORM/Autorun.nuz worm
[NOTE] The file was moved to '49549fc6.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP641\A0053810.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49549fc7.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP642\A0053826.exe
[DETECTION] Contains recognition pattern of the WORM/Autorun.nuz worm
[NOTE] The file was moved to '48d51188.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP642\A0053827.exe
[DETECTION] Contains recognition pattern of the WORM/Autorun.nuz worm
[NOTE] The file was moved to '49549fc9.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP642\A0053829.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49549fc8.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP642\A0053830.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '48d51189.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP642\A0053831.exe
[DETECTION] Contains recognition pattern of the WORM/Autorun.nuz worm
[NOTE] The file was moved to '49549fca.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP642\A0054173.dll
[DETECTION] Is the TR/Peed.JVI Trojan
[NOTE] The file was moved to '49549fce.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP642\A0056257.dll
[DETECTION] Is the TR/Peed.JVI Trojan
[NOTE] The file was moved to '49549fff.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP642\A0056258.dll
[DETECTION] Is the TR/Peed.JVI Trojan
[NOTE] The file was moved to '48d52e40.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP645\A0057005.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP645\A0057005.exe
--> Object
[2] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Dldr.Agent.neq Trojan
[DETECTION] Is the TR/Crypt.NSPM.Gen Trojan
[NOTE] The file was moved to '4954a011.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP645\A0057006.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP645\A0057006.exe
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
[NOTE] The file was moved to '48d52e52.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP655\A0058436.vbs
[DETECTION] Is the TR/Small.WY Trojan
[NOTE] The file was moved to '4954a01f.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP655\A0058438.exe
[DETECTION] Is the TR/Spy.Banbra.df.199 Trojan
[NOTE] The file was moved to '48d52e60.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP655\A0058441.exe
[DETECTION] Is the TR/Agent.amwr Trojan
[NOTE] The file was moved to '4954a021.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP655\A0058444.dll
[DETECTION] Is the TR/Agent.90624.1 Trojan
[NOTE] The file was moved to '4954a020.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP657\A0058506.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48d52e62.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP660\A0059654.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4954a02c.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP660\A0059655.exe
[DETECTION] Is the TR/Agent.amyy Trojan
[NOTE] The file was moved to '48d52e6d.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP660\A0059656.dll
[DETECTION] Is the TR/Vundo.fyd.21 Trojan
[NOTE] The file was moved to '48d6d515.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP660\A0059659.dll
[DETECTION] Is the TR/Vundo.fyd.26 Trojan
[NOTE] The file was moved to '4954a02d.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP660\A0059660.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48d6d516.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP660\A0059664.dll
[DETECTION] Is the TR/Vundo.fyd.21 Trojan
[NOTE] The file was moved to '4954a02f.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP660\A0059665.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4954a02e.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP660\A0059666.dll
[DETECTION] Is the TR/Vundo.fyd.26 Trojan
[NOTE] The file was moved to '48d6d517.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP661\A0059777.exe
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
[NOTE] The file was moved to '4954a031.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP661\A0059778.exe
[DETECTION] Is the TR/Buzus.iij Trojan
[NOTE] The file was moved to '48d6d50a.qua'!
C:\WINDOWS\http.dll
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to '4998a079.qua'!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\etc\hosts.20081117-164836.backup
[DETECTION] Is the TR/AntiHosts.Gen Trojan
[NOTE] The file was moved to '4997a225.qua'!
C:\WINDOWS\system32\drivers\etc\hosts.20081117-180811.backup
[DETECTION] Is the TR/AntiHosts.Gen Trojan
[NOTE] The file was moved to '4814defe.qua'!
Begin scan in 'D:\' <Backup>


End of the scan: Wednesday, November 19, 2008 15:31
Used time: 47:29 Minute(s)

The scan has been done completely.

10057 Scanning directories
735658 Files were scanned
62 viruses and/or unwanted programs were found
3 Files were classified as suspicious:
0 files were deleted
0 files were repaired
62 files were moved to quarantine
0 files were renamed
4 Files cannot be scanned
735589 Files not concerned
5853 Archives were scanned
8 Warnings
62 Notes
Attached file: AVSCAN-20081119-144401-13F66FD8.TXT (42.0 KB)
briang3 is offline  
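Most of the 62 hits in the Avira report above are copies that were already out of the loading path: ComboFix's QooBox quarantine (the .vir files), the Deckard System Scanner backup, Spybot's Recovery zips and the System Restore points. The handful on live paths (the Java cache jars carrying EXP/ByteVerify.I, C:\WINDOWS\http.dll, the two hosts-file backups and the two LimeWire mp3s) are the ones that say what was still reachable. The following Python script, an added example not taken from the thread or from Avira, parses a constructed excerpt of the report and sorts each detection by where it was found. The location patterns are the editor's own and should be extended for other tools' quarantine folders.

```python
"""Sort an Avira AntiVir report into detections on live paths versus copies already
sitting in another tool's quarantine, backup or a System Restore point.
Added example; the excerpt is constructed from lines of the posted report."""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\Deckard\System Scanner\backup\DOCUME~1\Govier\LOCALS~1\Temp\lamdp32.exe
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
[NOTE] The file was moved to '49919748.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallbuy.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49929854.qua'!
C:\Documents and Settings\Govier\Application Data\Sun\Java\Deployment\cache\6.0\52\6d7493b4-3d56afdc
[0] Archive type: ZIP
--> OP.class
[DETECTION] Contains recognition pattern of the EXP/ByteVerify.I exploit
[NOTE] The file was moved to '495b986c.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\dzwxze.dll.vir
[DETECTION] Is the TR/Vundo.fyd.26 Trojan
[NOTE] The file was moved to '499b9f37.qua'!
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP642\A0053830.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '48d51189.qua'!
C:\WINDOWS\http.dll
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to '4998a079.qua'!
C:\WINDOWS\system32\drivers\etc\hosts.20081117-164836.backup
[DETECTION] Is the TR/AntiHosts.Gen Trojan
[NOTE] The file was moved to '4997a225.qua'!
"""

# Editor's list of "already neutralized" locations seen in this thread; extend as needed.
NEUTRALIZED = [
    (r"\\QooBox\\Quarantine\\", "combofix_quarantine"),
    (r"\\Deckard\\System Scanner\\backup\\", "dss_backup"),
    (r"\\Spybot - Search & Destroy\\Recovery\\", "spybot_recovery"),
    (r"\\System Volume Information\\_restore", "restore_point"),
]
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# the signature name is the FAMILY/Name token after Avira's wording ("Is the", "Contains ...")
DETECT_RE = re.compile(r"^\[DETECTION\] .*?(?P<sig>[A-Z]{2,4}/\S+)")
MOVED_RE = re.compile(r"^\[NOTE\] The file was moved to '(?P<qua>[^']+)'")


def classify_path(path: str) -> str:
    for pattern, label in NEUTRALIZED:
        if re.search(pattern, path, re.I):
            return label
    return "live"


def parse_report(text: str) -> list:
    """Return (path, signature, location_class, quarantine_name) per detection.

    Sub-lines ([DETECTION], [NOTE], archive members) are attributed to the most
    recent path line, so a hit inside an archive counts against the archive file.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line, "sigs": [], "qua": None}
            entries.append(current)
            continue
        if current is None:
            continue
        m = DETECT_RE.match(line)
        if m:
            current["sigs"].append(m.group("sig"))
            continue
        m = MOVED_RE.match(line)
        if m:
            current["qua"] = m.group("qua")
    return [(e["path"], sig, classify_path(e["path"]), e["qua"])
            for e in entries for sig in e["sigs"]]


def summarize(text: str) -> dict:
    """Map each location class to the list of signatures found there, in report order."""
    summary = defaultdict(list)
    for _, sig, where, _ in parse_report(text):
        summary[where].append(sig)
    return dict(summary)


if __name__ == "__main__":
    for where, sigs in summarize(SAMPLE_REPORT).items():
        print(f"{where:20} {len(sigs):3}  {', '.join(sigs)}")
```

On the excerpt the "live" bucket holds EXP/ByteVerify.I, TR/Downloader.Gen and TR/AntiHosts.Gen; everything else was already in a quarantine, backup or restore point. Note that the hosts .backup files count as live here only because of their path: they are copies of a hosts file that had been tampered with, and what matters is that the current hosts file is clean.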
Old 11-19-2008, 06:25 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 


Re: Random popups and cpu running 50%

Good work.

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

Also let me know how the machine is behaving.
tetonbob is offline  
Old 11-19-2008, 07:00 PM   #12 (permalink)
Registered User
 


Re: Random popups and cpu running 50%

Hey, my computer seems to be running pretty normal now. I haven't had a popup since I ran combofix and before they would appear about half the time I clicked on a link.

Here's that text file:
Attached file: Add-Remove Programs.txt (9.2 KB)
briang3 is offline  
Old 11-19-2008, 07:12 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 


Re: Random popups and cpu running 50%

Thanks.

P2P - I see you have P2P software (LimeWire (uninstalled, but folders still present), BitTorrent DNA) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Please see this topic for more information:

http://www.techsupportforum.com/secu...e-sharing.html

I would strongly recommend that you uninstall this. You can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------


Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Since it seems as though Limewire was uninstalled, these folders should be deleted:

c:\program files\LimeWire
C:\Documents and Settings\Govier\My Documents\LimeWire
c:\documents and settings\Govier\Application Data\LimeWire



Using Windows Explorer or Windows Search, also locate and delete this folder and this file:

C:\Deckard
c:\windows\system32\dlxksanf.ini


---------------------------------------------------------------------------------------------


When files found by other scanners are in the Recovery directory inside the Spybot-S&D directory, it is only a backup. It is no longer of any harm there, as the file won't be loaded from there. But once you are sure you don't need the backup, go to the Recovery section inside Spybot-S&D and purge the files.

1. Open Spybot.
If you have a shortcut on your desktop, double click it.
or
Click Start, then All Programs, then Spybot - Search & Destroy and then Spybot - Search & Destroy.
2. On the left side, click "Recovery".
3. Select (place a check) beside ALL the backup files that contain quarantined items.
4. Click on the Purge Selected Items button.
5. A dialog will appear, stating that the backup will be removed. Click Yes.
6. When the Recovery window is empty, Exit Spybot.

---------------------------------------------------------------------------------------------

Go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Please run this online scan to help look for remnants. One vendor's definitions may find what another's does not. This will take a while.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------
Old 11-21-2008, 01:29 PM   #14 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 21
OS: xp


Re: Random popups and cpu running 50%

Hi, sorry for the delay.

Here's the log from the kaspersky scan:
Attached Files
File Type: txt kaspersky.txt (1.1 KB, 1 views)
Old 11-21-2008, 02:31 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,253
OS: 2000 Pro; XP Pro; XP Home


Re: Random popups and cpu running 50%

The items found by Kaspersky are in ComboFix quarantine, and will be removed when you uninstall ComboFix as instructed below.

Other than that, your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
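The HOSTS-file mechanism described in the post above, as an added example that is not part of the original thread or of the MVPS file: a small parser that lists which names a HOSTS file blackholes to the local machine, and separately flags entries that send a name anywhere else, which is how a tampered HOSTS file (for instance one that diverts a security vendor's update site) shows up. The sample file content is constructed.

```python
"""Added example (not from the forum post or the MVPS project): parse a
Windows HOSTS file and classify its entries.

A blocking entry maps a hostname to 127.0.0.1 (or 0.0.0.0 / ::1), so the
connection never leaves the machine. An entry that points a name at any
other address is a redirect and deserves a second look. The sample text
below is constructed for this example.
"""
import ipaddress

LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed line, skip it
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                           # first token is not an IP
        for host in parts[1:]:                 # one IP may list several names
            entries.append((ip, host.lower()))
    return entries


def blocked_hosts(entries):
    """Hostnames blackholed to the local machine (what the MVPS file does)."""
    return sorted({h for ip, h in entries
                   if ip in LOCAL_SINKS and h != "localhost"})


def suspicious_entries(entries):
    """Entries that redirect a name to a non-local address."""
    return [(ip, h) for ip, h in entries if ip not in LOCAL_SINKS]


SAMPLE_HOSTS = """\
# Constructed sample in the usual HOSTS layout
127.0.0.1  localhost
127.0.0.1  ads.example.net        # ad server blackholed by the list
0.0.0.0    tracker.example.org
10.1.2.3   update.example-av.com  # redirect: update site sent elsewhere
"""

if __name__ == "__main__":
    found = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", blocked_hosts(found))
    print("redirects:", suspicious_entries(found))
```

On a real machine the same functions can be run over the contents of C:\WINDOWS\system32\drivers\etc\hosts after mvps.bat has copied the new file in, to confirm that every entry still points at the local machine.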
Registered User
 
Join Date: Aug 2008
Posts: 21
OS: xp


Re: Random popups and cpu running 50%

Okay, thanks a lot for the help. I'll definitely be more careful in the future.

Where should I send a check if I want to donate? And who would I make it out to?
Old 11-21-2008, 03:29 PM   #17 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 21
OS: xp


Re: Random popups and cpu running 50%

Nevermind about that last part, I found the info on your donations page.

Thanks again for the help
Old 11-21-2008, 06:01 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,253
OS: 2000 Pro; XP Pro; XP Home


Re: Random popups and cpu running 50%

Hi briang3 -

You're quite welcome for the help. Thanks for your support of the forum, as well.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
Copyright 2001 - 2009, Tech Support Forum