Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Virtumonde infection. Need help

  1. #1
    Junior Member
    Join Date
    Jul 2008
    Posts
    7

    Unhappy Virtumonde infection. Need help

    Previous Scan History
    =====================
    1. Ran TrendMicro HouseCall 6.5 -- Virtumonde found and removed.
    2. Ran Panda Security Activean 2.0 -- Virtumonde found and removed.
    3. Found your forum -- Ran SpyBot SD as instructed -- Virtumonde found and removed.

    The bastard keeps coming back.
    ========================

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:06:17 PM, on 7/26/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Winamp\winampa.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\program files\MétéoMédia\MétéoIMédia\WeatherEye.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Dell\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://server/traxter/
    O1 - Hosts: APFTQ
    O1 - Hosts: =================================
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKCU\..\Run: [MétéoIMédia] C:\program files\MétéoMédia\MétéoIMédia\WeatherEye.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://housecall65.trendmicro.com
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{09C4B1C0-567F-4806-95D6-8591F403C937}: NameServer = 66.49.220.95,67.55.0.11
    O17 - HKLM\System\CS1\Services\Tcpip\..\{09C4B1C0-567F-4806-95D6-8591F403C937}: NameServer = 66.49.220.95,67.55.0.11
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
    O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
    O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator\My Documents\My Webs\Active Desktop\rain.html

    --
    End of file - 6979 bytes

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi rad3tech

    Rename HijackThis.exe to rad3tech.exe and psot back a fresh HijackThis log, please
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Jul 2008
    Posts
    7

    Default

    Quote Originally Posted by Shaba View Post
    Hi rad3tech

    Rename HijackThis.exe to rad3tech.exe and psot back a fresh HijackThis log, please
    Hi Shaba, here's the new log.
    =========================================
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:07:35 AM, on 7/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\program files\MétéoMédia\MétéoIMédia\WeatherEye.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Dell\Bluetooth Software\BTTray.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Trend Micro\HijackThis\rad3tech.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://server/traxter/
    O1 - Hosts: APFTQ
    O1 - Hosts: =================================
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {D922732B-A7BC-4F7A-A40F-545DE90FA21E} - C:\WINDOWS\system32\urqOGWOF.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    O4 - HKCU\..\Run: [MétéoIMédia] C:\program files\MétéoMédia\MétéoIMédia\WeatherEye.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://housecall65.trendmicro.com
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{09C4B1C0-567F-4806-95D6-8591F403C937}: NameServer = 66.49.220.95,67.55.0.11
    O17 - HKLM\System\CS1\Services\Tcpip\..\{09C4B1C0-567F-4806-95D6-8591F403C937}: NameServer = 66.49.220.95,67.55.0.11
    O20 - Winlogon Notify: pmnoOFwU - pmnoOFwU.dll (file missing)
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
    O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
    O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator\My Documents\My Webs\Active Desktop\rain.html

    --
    End of file - 6891 bytes

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi

    1. Download combofix from any of these links and save it to Desktop:
    Link 1
    Link 2
    Link 3

    **Note: It is important that it is saved directly to your desktop**

    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Combofix should never take more that 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.

    If you have problems with Combofix usage, see here

    Post:

    - a fresh HijackThis log
    - combofix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #5
    Junior Member
    Join Date
    Jul 2008
    Posts
    7

    Default

    Hi Shaba,

    ComboFix is very impressive. It ran just as described in the instructions. I believe this may have removed Virtumundo for good.

    I had a few files which I just could not shake:
    1. C:\WINDOWS\system32\pmnoOFwU.dll
    2. C:\WINDOWS\system32\urqOGWOF.dll
    3. C:\WINDOWS\system32\FOWGOqru.ini

    urqFOWGO.dll was attached to the following processes:
    1. lsass.exe
    2. explorer.exe

    There has also a BHO referencing one of the above files, which I could not get rid of. I ran Spybot SD, and checked for those files in the BHO, Process List, and System Startup. They're now gone.

    Shaba, thanks a lot for your help. Please let me know if you see anything else in the logs below:


    HJT LOG #2
    ========================================================
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:59:56 AM, on 7/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Winamp\winampa.exe
    C:\program files\MétéoMédia\MétéoIMédia\WeatherEye.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Dell\Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\mmc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\rad3tech.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://server/traxter/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://housecall65.trendmicro.com
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{09C4B1C0-567F-4806-95D6-8591F403C937}: NameServer = 66.49.220.95,67.55.0.11
    O17 - HKLM\System\CS1\Services\Tcpip\..\{09C4B1C0-567F-4806-95D6-8591F403C937}: NameServer = 66.49.220.95,67.55.0.11
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
    O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
    O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator\My Documents\My Webs\Active Desktop\rain.html

    --
    End of file - 6717 bytes

    ========================================================


    COMBOFIX LOG ============================================
    ========================================================

    ComboFix 08-07-21.2 - Administrator 2008-07-30 1:31:23.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.162 [GMT -4:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
    C:\Program Files\windows
    C:\Program Files\windows\System32\Resources\1033\sqldmo.rll
    C:\Program Files\windows\System32\Resources\1033\sqlsvc.rll
    C:\Program Files\windows\System32\sqldmo.dll
    C:\Program Files\windows\System32\sqlresld.dll
    C:\Program Files\windows\System32\sqlsvc.dll
    C:\Program Files\windows\System32\w95scm.dll
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\abcfgk.dll
    C:\WINDOWS\system32\aefaqjlx.ini
    C:\WINDOWS\system32\bhrqbvtm.dll
    C:\WINDOWS\system32\Cache
    C:\WINDOWS\system32\cmdbdufe.dll
    C:\WINDOWS\system32\djsdmobr.ini
    C:\WINDOWS\system32\dvgrny.dll
    C:\WINDOWS\system32\efudbdmc.ini
    C:\WINDOWS\system32\eilackvv.dll
    C:\WINDOWS\system32\emteuarl.ini
    C:\WINDOWS\system32\fgfukwdm.ini
    C:\WINDOWS\system32\FOWGOqru.ini
    C:\WINDOWS\system32\FOWGOqru.ini2
    C:\WINDOWS\system32\frcglkve.dll
    C:\WINDOWS\system32\fxgcibfm.dll
    C:\WINDOWS\system32\hbsuqejj.dll
    C:\WINDOWS\system32\hifiruqn.ini
    C:\WINDOWS\system32\idiejpny.dll
    C:\WINDOWS\system32\iparhpej.dll
    C:\WINDOWS\system32\jalinj.dll
    C:\WINDOWS\system32\jhecsgdc.dll
    C:\WINDOWS\system32\kbznnv.dll
    C:\WINDOWS\system32\kenmyxvc.dll
    C:\WINDOWS\system32\kpepdl.dll
    C:\WINDOWS\system32\kwumorwf.ini
    C:\WINDOWS\system32\ldlxbvls.ini
    C:\WINDOWS\system32\ltlznb.dll
    C:\WINDOWS\system32\mbxaqhgw.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mdwkufgf.dll
    C:\WINDOWS\system32\mkadpovw.ini
    C:\WINDOWS\system32\MSINET.oca
    C:\WINDOWS\system32\mtvbqrhb.ini
    C:\WINDOWS\system32\niioajxt.dll
    C:\WINDOWS\system32\oechxg.dll
    C:\WINDOWS\system32\otegpahl.dll
    C:\WINDOWS\system32\rbomdsjd.dll
    C:\WINDOWS\system32\rqlwgcpt.ini
    C:\WINDOWS\system32\saddgymg.dll
    C:\WINDOWS\system32\slvbxldl.dll
    C:\WINDOWS\system32\svvpdhxo.dll
    C:\WINDOWS\system32\tlkelsui.dll
    C:\WINDOWS\system32\tmbkkmrd.dll
    C:\WINDOWS\system32\urqOGWOF.dll
    C:\WINDOWS\system32\uskgmrmx.dll
    C:\WINDOWS\system32\vkqcwy.dll
    C:\WINDOWS\system32\vuppjduk.dll
    C:\WINDOWS\system32\wnbvyxly.dll
    C:\WINDOWS\system32\wvopdakm.dll
    C:\WINDOWS\system32\ynpjeidi.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
    .

    2008-07-26 20:40 . 2008-07-26 20:40 105,472 --a------ C:\WINDOWS\system32\waodfr.dll
    2008-07-26 20:40 . 2008-07-26 20:40 105,472 --a------ C:\WINDOWS\system32\kfigpiwb.dll
    2008-07-26 20:40 . 2008-07-26 20:40 83,456 --a------ C:\WINDOWS\system32\xljqafea.dll
    2008-07-26 14:36 . 2008-07-26 14:36 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-25 23:13 . 2008-07-25 23:13 95 --a------ C:\WINDOWS\wininit.ini
    2008-07-25 20:48 . 2008-07-25 20:48 105,472 --a------ C:\WINDOWS\system32\ikdbuz.dll
    2008-07-25 20:48 . 2008-07-25 20:48 105,472 --a------ C:\WINDOWS\system32\hiyqapqq.dll
    2008-07-25 20:45 . 2008-07-25 20:45 83,456 --a------ C:\WINDOWS\system32\lrauetme.dll
    2008-07-25 16:45 . 2008-07-25 16:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-07-25 16:45 . 2008-07-25 19:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-24 21:04 . 2008-07-24 21:03 105,472 --a------ C:\WINDOWS\system32\usnwtc.dll
    2008-07-24 21:03 . 2008-07-24 21:03 105,472 --a------ C:\WINDOWS\system32\tspdbdwb.dll
    2008-07-24 20:59 . 2008-07-24 20:59 83,456 --a------ C:\WINDOWS\system32\nqurifih.dll
    2008-07-16 18:14 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
    2008-07-16 18:01 . 2008-07-16 18:01 <DIR> d-------- C:\WINDOWS\system32\HouseCall 6.6
    2008-07-16 13:57 . 2008-07-16 13:57 <DIR> d-------- C:\Program Files\Panda Security
    2008-07-16 09:07 . 2008-07-16 18:00 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2008-07-15 23:23 . 2008-07-16 18:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6
    2008-07-13 23:43 . 2008-07-16 18:01 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-07-13 09:49 . 2008-07-13 09:52 <DIR> d-------- C:\WINDOWS\system32\olixds01
    2008-07-13 09:49 . 2008-07-13 09:49 <DIR> d-------- C:\Temp\stmpv4
    2008-07-13 09:49 . 2008-07-13 09:49 <DIR> d-------- C:\Temp
    2008-06-30 16:27 . 2008-06-30 16:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-06-30 16:27 . 2008-06-30 16:27 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-06-16 20:29 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-03 15:46 . 2008-06-03 15:46 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\Ipswitch
    2008-06-03 15:43 . 2008-06-03 15:43 173 --a------ C:\WINDOWS\hpbafd.ini
    2008-06-03 15:41 . 2008-06-03 15:41 <DIR> d-------- C:\Documents and Settings\apftq10\Bluetooth Software
    2008-06-03 15:41 . 2008-06-03 15:41 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\Lavasoft
    2008-06-03 15:40 . 2008-06-03 15:40 <DIR> d--h----- C:\Documents and Settings\apftq10\WLANProfiles
    2008-06-03 15:40 . 2007-12-19 19:34 17,920 --a------ C:\Documents and Settings\apftq10\Application Data\GDIPFONTCACHEV1.DAT
    2008-06-03 15:39 . 2008-05-15 16:51 <DIR> d--h----- C:\Documents and Settings\apftq10\Voisinage r‚seau
    2008-06-03 15:39 . 2005-06-24 13:38 <DIR> d--h----- C:\Documents and Settings\apftq10\Voisinage d'impression
    2008-06-03 15:39 . 2008-04-30 12:18 <DIR> d--hs---- C:\Documents and Settings\apftq10\UserData
    2008-06-03 15:39 . 2008-04-30 12:18 <DIR> d--h----- C:\Documents and Settings\apftq10\ModŠles
    2008-06-03 15:39 . 2008-04-30 12:18 <DIR> d-------- C:\Documents and Settings\apftq10\Mes documents
    2008-06-03 15:39 . 2008-04-30 12:18 <DIR> dr------- C:\Documents and Settings\apftq10\Menu D‚marrer
    2008-06-03 15:39 . 2008-06-03 15:41 <DIR> dr------- C:\Documents and Settings\apftq10\Favoris
    2008-06-03 15:39 . 2008-06-03 15:49 <DIR> d-------- C:\Documents and Settings\apftq10\Bureau
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\Leadertech
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\InstallShield
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\HotSync
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\CyberLink
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\ATI
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\Arcsoft
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\Apple Computer
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\AdobeUM
    2008-06-03 15:39 . 2008-06-03 16:09 <DIR> d-------- C:\Documents and Settings\apftq10
    2008-06-02 16:28 . 2008-06-02 16:28 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2008-06-02 16:28 . 2008-06-02 16:28 <DIR> d-------- C:\Program Files\Reference Assemblies
    2008-06-02 16:27 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
    2008-06-02 09:27 . 2008-06-02 09:27 <DIR> d-------- C:\Program Files\Microsoft Visual SourceSafe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-22 19:19 187,888 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2008-07-14 03:37 --------- d-----w C:\Program Files\Dl_cats
    2008-06-14 01:39 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-06 13:26 --------- d-----w C:\Program Files\Microsoft Visual Studio .NET 2003
    2008-06-06 13:25 --------- d-----w C:\Program Files\Common Files\Merge Modules
    2008-06-06 13:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-06-01 19:21 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
    2006-10-23 04:18 563,712 ----a-w C:\Documents and Settings\Administrator\gotomypc_370.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZCfgSvc.exe"="C:\WINDOWS\System32\ZCfgSvc.exe" [2004-06-17 12:12 409664]
    "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2004-05-24 15:59 86016]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
    "AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2004-09-16 16:15 538112]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 08:10 81990]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-12 20:50 33792]
    "DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 14:38 69632]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
    BTTray.lnk - C:\Program Files\Dell\Bluetooth Software\BTTray.exe [2004-04-26 17:13:54 561213]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    Source= C:\Documents and Settings\Administrator\My Documents\My Webs\Active Desktop\rain.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
    2004-06-17 12:14 180290 C:\WINDOWS\system32\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-602162358-725345543-1175\Scripts\Logon\0\0]
    "Script"=map.bat

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Wise-FTP Scheduler"=
    "DLCCCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    "WinampAgent"=C:\Program Files\Winamp\winampa.exe
    "mmtask"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\WINDOWS\\system32\\dlcccoms.exe"=
    "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlccPSWX.EXE"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "135:TCP"= 135:TCP:TCP Port 135
    "5000:TCP"= 5000:TCP:TCP Port 5000
    "5001:TCP"= 5001:TCP:TCP Port 5001
    "5002:TCP"= 5002:TCP:TCP Port 5002
    "5003:TCP"= 5003:TCP:TCP Port 5003
    "5004:TCP"= 5004:TCP:TCP Port 5004
    "5005:TCP"= 5005:TCP:TCP Port 5005
    "5006:TCP"= 5006:TCP:TCP Port 5006
    "5007:TCP"= 5007:TCP:TCP Port 5007
    "5008:TCP"= 5008:TCP:TCP Port 5008
    "5009:TCP"= 5009:TCP:TCP Port 5009
    "5010:TCP"= 5010:TCP:TCP Port 5010
    "5011:TCP"= 5011:TCP:TCP Port 5011
    "5012:TCP"= 5012:TCP:TCP Port 5012
    "5013:TCP"= 5013:TCP:TCP Port 5013
    "5014:TCP"= 5014:TCP:TCP Port 5014
    "5015:TCP"= 5015:TCP:TCP Port 5015
    "5016:TCP"= 5016:TCP:TCP Port 5016
    "5017:TCP"= 5017:TCP:TCP Port 5017
    "5018:TCP"= 5018:TCP:TCP Port 5018
    "5019:TCP"= 5019:TCP:TCP Port 5019
    "5020:TCP"= 5020:TCP:TCP Port 5020

    R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
    R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2002-12-24 19:52]
    R1 hwinterface;hwinterface;C:\WINDOWS\system32\Drivers\hwinterface.sys [2005-01-31 00:49]
    S3 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;C:\CFusionMX\db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent []
    S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;C:\WINDOWS\system32\Drivers\FTD2XX.sys [2005-12-15 15:27]
    S3 kazoo;Kazoo.sys Kazoo Device driver;C:\WINDOWS\system32\Drivers\Kazoo.sys [2002-05-08 11:56]
    S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-11-22 20:01]
    S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2005-10-14 04:44]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 08:01]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a351754e-cf48-11dc-8ce0-da30a7d0d9f3}]
    \Shell\AutoRun\command - E:\FOM07.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fef45020-edc1-11d9-8c27-000f1f4312e0}]
    \Shell\AutoRun\command - D:\Autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff7b9f3c-47fc-11db-8c85-000f1f4312e0}]
    \Shell\AutoRun\command - D:\setupSNK.exe
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-MétéoIMédia - C:\program files\MétéoMédia\MétéoIMédia\WeatherEye.exe
    HKLM-Run-mmtask - C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    HKLM-Run-Wise-FTP Scheduler - (no file)
    HKLM-RunOnce-dlccUninstallerRan - (no file)
    ShellExecuteHooks-{82336A8D-6CD0-4647-B791-75FCA8CF2B39} - C:\WINDOWS\system32\pmnoOFwU.dll
    Notify-pmnoOFwU - pmnoOFwU.dll


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://server/traxter/
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 -: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
    O17 -: HKLM\CCS\Interface\{09C4B1C0-567F-4806-95D6-8591F403C937}: NameServer = 66.49.220.95,67.55.0.11

    O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
    C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
    C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-30 02:10:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
    "ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\S24EvMon.exe
    C:\WINDOWS\system32\scardsvr.exe
    C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\msdtc.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\WLTRYSVC.EXE
    C:\WINDOWS\system32\BCMWLTRY.EXE
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\1XConfig.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\taskmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-30 2:18:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-30 06:18:36

    Pre-Run: 21,760,176,128 bytes free
    Post-Run: 21,646,348,288 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    289 --- E O F --- 2008-06-20 15:14:54

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi

    Yes those are vundo files but there is more of them.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\WINDOWS\system32\waodfr.dll
    C:\WINDOWS\system32\kfigpiwb.dll
    C:\WINDOWS\system32\xljqafea.dll
    C:\WINDOWS\system32\ikdbuz.dll
    C:\WINDOWS\system32\hiyqapqq.dll
    C:\WINDOWS\system32\lrauetme.dll
    C:\WINDOWS\system32\usnwtc.dll
    C:\WINDOWS\system32\tspdbdwb.dll
    C:\WINDOWS\system32\nqurifih.dll
    
    Folder::
    C:\WINDOWS\system32\olixds01
    C:\Temp\stmpv4
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more that 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Junior Member
    Join Date
    Jul 2008
    Posts
    7

    Default

    Hi Shaba, thanks for the quick reply. I can't wait to be rid of this little bastard!

    Here are my logs:


    COMBOFIX LOG #2
    ==========================================================
    ComboFix 08-07-21.2 - Administrator 2008-07-30 8:57:26.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.280 [GMT -4:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript
    * Created a new restore point

    FILE ::
    C:\WINDOWS\system32\hiyqapqq.dll
    C:\WINDOWS\system32\ikdbuz.dll
    C:\WINDOWS\system32\kfigpiwb.dll
    C:\WINDOWS\system32\lrauetme.dll
    C:\WINDOWS\system32\nqurifih.dll
    C:\WINDOWS\system32\tspdbdwb.dll
    C:\WINDOWS\system32\usnwtc.dll
    C:\WINDOWS\system32\waodfr.dll
    C:\WINDOWS\system32\xljqafea.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Temp\stmpv4
    C:\WINDOWS\system32\hiyqapqq.dll
    C:\WINDOWS\system32\ikdbuz.dll
    C:\WINDOWS\system32\kfigpiwb.dll
    C:\WINDOWS\system32\lrauetme.dll
    C:\WINDOWS\system32\nqurifih.dll
    C:\WINDOWS\system32\olixds01
    C:\WINDOWS\system32\tspdbdwb.dll
    C:\WINDOWS\system32\usnwtc.dll
    C:\WINDOWS\system32\waodfr.dll
    C:\WINDOWS\system32\xljqafea.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
    .

    2008-07-26 14:36 . 2008-07-26 14:36 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-25 23:13 . 2008-07-25 23:13 95 --a------ C:\WINDOWS\wininit.ini
    2008-07-25 16:45 . 2008-07-25 16:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-07-25 16:45 . 2008-07-25 19:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-16 18:14 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
    2008-07-16 18:01 . 2008-07-16 18:01 <DIR> d-------- C:\WINDOWS\system32\HouseCall 6.6
    2008-07-16 13:57 . 2008-07-16 13:57 <DIR> d-------- C:\Program Files\Panda Security
    2008-07-16 09:07 . 2008-07-16 18:00 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2008-07-15 23:23 . 2008-07-16 18:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6
    2008-07-13 23:43 . 2008-07-16 18:01 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-07-13 09:49 . 2008-07-30 08:57 <DIR> d-------- C:\Temp
    2008-06-30 16:27 . 2008-06-30 16:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-06-30 16:27 . 2008-06-30 16:27 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-06-16 20:29 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-03 15:46 . 2008-06-03 15:46 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\Ipswitch
    2008-06-03 15:43 . 2008-06-03 15:43 173 --a------ C:\WINDOWS\hpbafd.ini
    2008-06-03 15:41 . 2008-06-03 15:41 <DIR> d-------- C:\Documents and Settings\apftq10\Bluetooth Software
    2008-06-03 15:41 . 2008-06-03 15:41 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\Lavasoft
    2008-06-03 15:40 . 2008-06-03 15:40 <DIR> d--h----- C:\Documents and Settings\apftq10\WLANProfiles
    2008-06-03 15:40 . 2007-12-19 19:34 17,920 --a------ C:\Documents and Settings\apftq10\Application Data\GDIPFONTCACHEV1.DAT
    2008-06-03 15:39 . 2008-05-15 16:51 <DIR> d--h----- C:\Documents and Settings\apftq10\Voisinage réseau
    2008-06-03 15:39 . 2005-06-24 13:38 <DIR> d--h----- C:\Documents and Settings\apftq10\Voisinage d'impression
    2008-06-03 15:39 . 2008-04-30 12:18 <DIR> d--hs---- C:\Documents and Settings\apftq10\UserData
    2008-06-03 15:39 . 2008-04-30 12:18 <DIR> d--h----- C:\Documents and Settings\apftq10\Modèles
    2008-06-03 15:39 . 2008-04-30 12:18 <DIR> d-------- C:\Documents and Settings\apftq10\Mes documents
    2008-06-03 15:39 . 2008-04-30 12:18 <DIR> dr------- C:\Documents and Settings\apftq10\Menu Démarrer
    2008-06-03 15:39 . 2008-06-03 15:41 <DIR> dr------- C:\Documents and Settings\apftq10\Favoris
    2008-06-03 15:39 . 2008-06-03 15:49 <DIR> d-------- C:\Documents and Settings\apftq10\Bureau
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\Leadertech
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\InstallShield
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\HotSync
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\CyberLink
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\ATI
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\Arcsoft
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\Apple Computer
    2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\AdobeUM
    2008-06-03 15:39 . 2008-06-03 16:09 <DIR> d-------- C:\Documents and Settings\apftq10
    2008-06-02 16:28 . 2008-06-02 16:28 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2008-06-02 16:28 . 2008-06-02 16:28 <DIR> d-------- C:\Program Files\Reference Assemblies
    2008-06-02 16:27 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
    2008-06-02 09:27 . 2008-06-02 09:27 <DIR> d-------- C:\Program Files\Microsoft Visual SourceSafe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-22 19:19 187,888 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2008-07-14 03:37 --------- d-----w C:\Program Files\Dl_cats
    2008-06-14 01:39 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-06 13:26 --------- d-----w C:\Program Files\Microsoft Visual Studio .NET 2003
    2008-06-06 13:25 --------- d-----w C:\Program Files\Common Files\Merge Modules
    2008-06-06 13:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-06-01 19:21 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2006-10-23 04:18 563,712 ----a-w C:\Documents and Settings\Administrator\gotomypc_370.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-30_ 2.18.16.83 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2005-07-06 02:14:42 7,168 ----a-w C:\WINDOWS\assembly\GAC\IEExecRemote\1.0.5000.0__b03f5f7f11d50a3a\IEExecRemote.dll
    + 2008-07-30 07:22:14 8,192 ----a-w C:\WINDOWS\assembly\GAC\IEExecRemote\1.0.5000.0__b03f5f7f11d50a3a\IEExecRemote.dll
    - 2005-07-06 02:14:40 32,768 ----a-w C:\WINDOWS\assembly\GAC\IEHost\1.0.5000.0__b03f5f7f11d50a3a\IEHost.dll
    + 2008-07-30 07:22:16 32,768 ----a-w C:\WINDOWS\assembly\GAC\IEHost\1.0.5000.0__b03f5f7f11d50a3a\IEHost.dll
    - 2005-07-06 02:14:32 716,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.JScript\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
    + 2008-07-30 07:22:25 720,896 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.JScript\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
    - 2005-07-06 02:14:32 299,008 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
    + 2008-07-30 07:22:17 299,008 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
    - 2005-07-06 02:14:43 32,768 ----a-w C:\WINDOWS\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a3a\RegCode.dll
    + 2008-07-30 07:22:23 32,768 ----a-w C:\WINDOWS\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a3a\RegCode.dll
    - 2005-07-06 02:14:43 299,008 ----a-w C:\WINDOWS\assembly\GAC\System.Data.OracleClient\1.0.5000.0__b77a5c561934e089\System.Data.OracleClient.dll
    + 2008-07-30 07:22:20 303,104 ----a-w C:\WINDOWS\assembly\GAC\System.Data.OracleClient\1.0.5000.0__b77a5c561934e089\System.Data.OracleClient.dll
    - 2005-07-06 02:14:41 1,290,240 ----a-w C:\WINDOWS\assembly\GAC\System.Data\1.0.5000.0__b77a5c561934e089\System.Data.dll
    + 2008-07-30 07:22:23 1,294,336 ----a-w C:\WINDOWS\assembly\GAC\System.Data\1.0.5000.0__b77a5c561934e089\System.Data.dll
    - 2005-07-06 02:14:41 1,699,840 ----a-w C:\WINDOWS\assembly\GAC\System.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Design.dll
    + 2008-07-30 07:22:15 1,703,936 ----a-w C:\WINDOWS\assembly\GAC\System.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Design.dll
    - 2005-07-06 02:14:41 86,016 ----a-w C:\WINDOWS\assembly\GAC\System.DirectoryServices\1.0.5000.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
    + 2008-07-30 07:22:25 90,112 ----a-w C:\WINDOWS\assembly\GAC\System.DirectoryServices\1.0.5000.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
    - 2005-07-06 02:14:41 466,944 ----a-w C:\WINDOWS\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
    + 2008-07-30 07:22:20 466,944 ----a-w C:\WINDOWS\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
    - 2005-07-06 02:14:41 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
    + 2008-07-30 07:22:18 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
    - 2005-07-06 02:14:41 64,000 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.Thunk.dll
    + 2008-07-30 07:22:18 66,560 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.Thunk.dll
    - 2005-07-06 02:14:42 368,640 ----a-w C:\WINDOWS\assembly\GAC\System.Management\1.0.5000.0__b03f5f7f11d50a3a\System.Management.dll
    + 2008-07-30 07:22:22 372,736 ----a-w C:\WINDOWS\assembly\GAC\System.Management\1.0.5000.0__b03f5f7f11d50a3a\System.Management.dll
    - 2005-07-06 02:14:42 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.Messaging\1.0.5000.0__b03f5f7f11d50a3a\System.Messaging.dll
    + 2008-07-30 07:22:26 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.Messaging\1.0.5000.0__b03f5f7f11d50a3a\System.Messaging.dll
    - 2005-07-06 02:14:42 323,584 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Remoting\1.0.5000.0__b77a5c561934e089\System.Runtime.Remoting.dll
    + 2008-07-30 07:22:21 323,584 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Remoting\1.0.5000.0__b77a5c561934e089\System.Runtime.Remoting.dll
    - 2005-07-06 02:14:42 131,072 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Serialization.Formatters.Soap\1.0.5000.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
    + 2008-07-30 07:22:18 131,072 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Serialization.Formatters.Soap\1.0.5000.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
    - 2005-07-06 02:14:42 77,824 ----a-w C:\WINDOWS\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
    + 2008-07-30 07:22:19 77,824 ----a-w C:\WINDOWS\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
    - 2005-07-06 02:14:42 126,976 ----a-w C:\WINDOWS\assembly\GAC\System.ServiceProcess\1.0.5000.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
    + 2008-07-30 07:22:24 126,976 ----a-w C:\WINDOWS\assembly\GAC\System.ServiceProcess\1.0.5000.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
    - 2005-07-06 02:14:43 819,200 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Mobile\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
    + 2008-07-30 07:22:14 819,200 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Mobile\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
    - 2005-07-06 02:14:42 57,344 ----a-w C:\WINDOWS\assembly\GAC\System.Web.RegularExpressions\1.0.5000.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
    + 2008-07-30 07:22:17 57,344 ----a-w C:\WINDOWS\assembly\GAC\System.Web.RegularExpressions\1.0.5000.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
    - 2005-07-06 02:14:42 569,344 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Services\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Services.dll
    + 2008-07-30 07:22:16 573,440 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Services\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Services.dll
    - 2005-07-06 02:14:42 1,245,184 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
    + 2008-07-30 07:22:24 1,257,472 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
    - 2005-07-06 02:14:42 2,039,808 ----a-w C:\WINDOWS\assembly\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
    + 2008-07-30 07:22:19 2,052,096 ----a-w C:\WINDOWS\assembly\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
    - 2005-07-06 02:14:42 1,335,296 ----a-w C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.Xml.dll
    + 2008-07-30 07:22:22 1,339,392 ----a-w C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
    - 2005-07-06 02:14:41 1,216,512 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
    + 2008-07-30 07:22:26 1,224,704 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
    + 2008-07-30 07:22:44 61,440 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_5ef6d76e\CustomMarshalers.dll
    + 2008-07-30 12:40:01 118,784 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_d8bb7b4a\CustomMarshalers.dll
    + 2008-07-30 07:23:25 3,379,200 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_22edc47d\mscorlib.dll
    + 2008-07-30 12:41:08 8,880,128 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_47acbdbe\mscorlib.dll
    + 2008-07-30 07:23:18 1,466,368 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_6468d037\System.Design.dll
    + 2008-07-30 12:40:57 3,395,584 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_8febabfa\System.Design.dll
    + 2008-07-30 12:40:15 192,512 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_8bf4a7a6\System.Drawing.Design.dll
    + 2008-07-30 07:22:48 90,112 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_e674e5b2\System.Drawing.Design.dll
    + 2008-07-30 07:23:21 835,584 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_1120da74\System.Drawing.dll
    + 2008-07-30 12:41:01 2,244,608 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_19a9dd72\System.Drawing.dll
    + 2008-07-30 07:22:58 3,014,656 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_70748ded\System.Windows.Forms.dll
    + 2008-07-30 12:40:33 7,880,704 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_8d6d4b8d\System.Windows.Forms.dll
    + 2008-07-30 12:40:44 5,505,024 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_2816df43\System.Xml.dll
    + 2008-07-30 07:23:08 2,088,960 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_b9617644\System.Xml.dll
    + 2008-07-30 07:24:00 4,763,648 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_38baa337\System.dll
    + 2008-07-30 07:22:43 1,953,792 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_7a30a14d\System.dll
    + 2008-07-30 07:23:55 20,480 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjscor\1.0.5000.0__b03f5f7f11d50a3a_5317c6dd\vjscor.dll
    + 2008-07-30 12:41:24 18,432 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjscor\1.0.5000.0__b03f5f7f11d50a3a_93194753\vjscor.dll
    + 2008-07-30 07:23:30 69,632 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\VJSharpCodeProvider\7.0.5000.0__b03f5f7f11d50a3a_4b214b60\VJSharpCodeProvider.dll
    + 2008-07-30 12:41:09 155,648 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\VJSharpCodeProvider\7.0.5000.0__b03f5f7f11d50a3a_89959d33\VJSharpCodeProvider.dll
    + 2008-07-30 07:23:55 4,460,544 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjslib\1.0.5000.0__b03f5f7f11d50a3a_55255559\vjslib.dll
    + 2008-07-30 12:41:21 12,156,928 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjslib\1.0.5000.0__b03f5f7f11d50a3a_56825db2\vjslib.dll
    + 2008-07-30 07:23:36 32,768 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjslibcw\1.0.5000.0__b03f5f7f11d50a3a_4639ff37\vjslibcw.dll
    + 2008-07-30 12:41:11 16,896 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\VJSWfcBrowserStubLib\1.0.5000.0__b03f5f7f11d50a3a_32cac001\VJSWfcBrowserStubLib.dll
    + 2008-07-30 07:23:35 10,240 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\VJSWfcBrowserStubLib\1.0.5000.0__b03f5f7f11d50a3a_c7a86857\VJSWfcBrowserStubLib.dll
    - 2003-02-20 23:19:32 253,952 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
    + 2004-07-15 05:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
    - 2003-02-20 23:19:34 20,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe
    + 2004-07-15 05:49:18 20,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe
    - 2003-02-20 23:19:38 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
    + 2004-07-15 05:49:26 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
    - 2003-02-20 23:19:36 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
    + 2004-07-15 05:49:22 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
    - 2003-02-20 23:09:08 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
    + 2004-07-15 04:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
    - 2003-02-21 14:20:44 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe
    + 2004-07-15 15:23:28 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe
    - 2003-02-21 14:21:00 626,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\cscomp.dll
    + 2004-07-15 15:23:44 626,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\cscomp.dll
    - 2003-02-20 23:06:20 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\fusion.dll
    + 2004-07-15 04:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\fusion.dll
    + 2003-10-08 18:30:14 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe
    - 2003-02-21 11:24:38 7,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExecRemote.dll
    + 2004-07-15 18:31:00 8,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExecRemote.dll
    - 2003-02-21 11:24:40 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEHost.dll
    + 2004-07-15 18:31:04 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEHost.dll
    - 2003-02-20 23:09:40 196,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ilasm.exe
    + 2004-07-15 04:35:30 196,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ilasm.exe
    - 2003-02-21 11:26:36 716,800 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.JScript.dll
    + 2004-07-15 18:28:58 720,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.JScript.dll
    - 2003-02-21 11:26:38 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.dll
    + 2004-07-15 18:28:56 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.dll
    - 2003-02-21 11:25:04 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPol.exe
    + 2004-07-15 18:28:50 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPol.exe
    - 2003-02-21 11:25:04 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe
    + 2004-07-15 18:28:50 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe
    - 2003-02-20 23:09:12 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbc.dll
    + 2004-07-15 04:32:44 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbc.dll
    - 2003-02-20 23:09:12 233,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbi.dll
    + 2004-07-15 04:32:46 233,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbi.dll
    - 2003-02-20 23:06:32 311,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
    + 2004-07-15 04:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
    - 2003-02-20 23:09:16 98,304 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
    + 2004-07-15 04:33:04 102,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
    - 2003-02-21 11:26:34 2,088,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
    + 2004-07-15 18:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
    - 2003-02-20 23:09:18 143,360 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorrc.dll
    + 2004-07-15 04:33:22 143,360 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorrc.dll
    - 2003-02-20 23:09:18 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsec.dll
    + 2004-07-15 04:33:24 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsec.dll
    - 2003-02-20 23:07:34 2,494,464 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
    + 2004-07-15 04:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
    - 2003-02-20 23:08:32 2,482,176 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
    + 2004-07-15 04:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
    + 2004-08-10 20:20:00 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
    - 2003-02-20 23:09:30 90,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\PerfCounter.dll
    + 2004-07-15 04:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\PerfCounter.dll
    - 2003-02-21 11:26:46 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\RegCode.dll
    + 2004-07-15 18:28:48 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\RegCode.dll
    - 2003-02-20 23:09:34 319,488 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SOS.dll
    + 2004-07-15 04:35:04 319,488 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SOS.dll
    - 2003-02-21 11:26:38 1,290,240 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.dll
    + 2004-07-15 18:32:00 1,294,336 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.dll
    - 2003-02-21 11:25:42 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.OracleClient.dll
    + 2004-07-15 18:31:14 303,104 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.OracleClient.dll
    - 2003-02-21 11:26:42 1,699,840 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Design.dll
    + 2004-07-15 18:29:02 1,703,936 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Design.dll
    - 2003-02-21 11:26:44 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.DirectoryServices.dll
    + 2004-07-15 18:28:54 90,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.DirectoryServices.dll
    - 2003-02-21 11:26:46 1,216,512 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
    + 2004-07-15 18:31:16 1,224,704 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
    - 2003-02-21 11:26:50 466,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll
    + 2004-07-15 18:28:58 466,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll
    - 2003-02-21 11:26:50 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.dll
    + 2004-07-15 18:28:56 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.dll
    - 2003-02-20 23:09:36 64,000 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.Thunk.dll
    + 2004-07-15 04:35:12 66,560 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.Thunk.dll
    - 2003-02-21 11:26:52 368,640 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Management.dll
    + 2004-07-15 18:31:58 372,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Management.dll
    - 2003-02-21 11:26:54 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Messaging.dll
    + 2004-07-15 18:31:12 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Messaging.dll
    - 2003-02-21 11:26:56 323,584 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Remoting.dll
    + 2004-07-15 18:28:58 323,584 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Remoting.dll
    - 2003-02-21 11:26:56 131,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Serialization.Formatters.Soap.dll
    + 2004-07-15 18:31:54 131,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Serialization.Formatters.Soap.dll
    - 2003-02-21 11:26:58 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
    + 2004-07-15 18:28:52 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
    - 2003-02-21 11:27:00 126,976 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.ServiceProcess.dll
    + 2004-07-15 18:28:54 126,976 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.ServiceProcess.dll
    - 2003-02-21 11:27:02 1,245,184 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
    + 2004-07-15 18:29:00 1,257,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
    - 2003-02-21 11:27:06 819,200 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Mobile.dll
    + 2004-07-15 18:28:58 819,200 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Mobile.dll
    - 2003-02-21 11:24:18 57,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.RegularExpressions.dll
    + 2004-07-15 18:28:52 57,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.RegularExpressions.dll
    - 2003-02-21 11:27:06 569,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Services.dll
    + 2004-07-15 18:31:16 573,440 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Services.dll
    - 2003-02-21 11:27:08 2,039,808 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll
    + 2004-07-15 18:32:02 2,052,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll
    - 2003-02-21 11:27:10 1,335,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
    + 2004-07-15 18:29:00 1,339,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
    + 2004-06-22 17:51:38 53,248 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
    - 2003-02-21 14:20:38 737,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vbc.exe
    + 2004-07-15 15:23:20 737,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vbc.exe
    - 2003-02-21 09:04:18 1,032,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\VsaVb7rt.dll
    + 2004-07-15 12:15:14 1,032,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\VsaVb7rt.dll
    - 2003-02-21 00:10:40 31,744 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\WMINet_Utils.dll
    + 2004-07-15 06:11:56 31,744 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\WMINet_Utils.dll
    + 2008-07-30 07:19:04 3,312 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{6AEA628E-7320-4ECB-BC70-C81D0FDE7C03}.bin
    + 2006-10-04 08:48:36 72,704 -c----w C:\WINDOWS\system32\dllcache\magnify.exe
    + 2006-10-04 08:48:36 53,760 -c----w C:\WINDOWS\system32\dllcache\narrator.exe
    + 2006-10-04 08:48:37 215,552 -c----w C:\WINDOWS\system32\dllcache\osk.exe
    + 2006-10-04 13:33:38 35,840 -c----w C:\WINDOWS\system32\dllcache\umandlg.dll
    + 2006-10-04 08:48:37 50,176 -c----w C:\WINDOWS\system32\dllcache\utilman.exe
    - 2008-07-30 06:00:26 401,939 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    + 2008-07-30 12:41:53 401,939 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    - 2004-08-04 07:56:50 72,704 ----a-w C:\WINDOWS\system32\magnify.exe
    + 2006-10-04 08:48:36 72,704 ----a-w C:\WINDOWS\system32\magnify.exe
    - 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
    + 2008-06-25 16:15:46 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe
    - 2004-08-04 07:56:54 53,760 ----a-w C:\WINDOWS\system32\narrator.exe
    + 2006-10-04 08:48:36 53,760 ----a-w C:\WINDOWS\system32\narrator.exe
    - 2004-08-04 07:56:55 215,552 ----a-w C:\WINDOWS\system32\osk.exe
    + 2006-10-04 08:48:37 215,552 ----a-w C:\WINDOWS\system32\osk.exe
    - 2008-06-02 20:30:00 135,008 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-07-30 07:21:57 135,144 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-06-02 20:30:00 621,500 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-07-30 07:21:57 621,636 ----a-w C:\WINDOWS\system32\perfh009.dat
    - 2004-08-04 07:56:46 35,840 ----a-w C:\WINDOWS\system32\umandlg.dll
    + 2006-10-04 13:33:38 35,840 ----a-w C:\WINDOWS\system32\umandlg.dll
    - 2004-08-04 07:56:57 50,176 ----a-w C:\WINDOWS\system32\utilman.exe
    + 2006-10-04 08:48:37 50,176 ----a-w C:\WINDOWS\system32\utilman.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
    "MétéoIMédia"="C:\program files\MétéoMédia\MétéoIMédia\WeatherEye.exe" [2008-05-30 14:45 4501912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZCfgSvc.exe"="C:\WINDOWS\System32\ZCfgSvc.exe" [2004-06-17 12:12 409664]
    "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2004-05-24 15:59 86016]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
    "AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2004-09-16 16:15 538112]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 08:10 81990]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-12 20:50 33792]
    "DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 14:38 69632]
    "mmtask"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [BU]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
    "Wise-FTP Scheduler"="" [BU]

    C:\Documents and Settings\apftq10\Menu D‚marrer\Programmes\D‚marrage\
    palmOne Registration.lnk.disabled [2008-05-27 10:02:12 751]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
    BTTray.lnk - C:\Program Files\Dell\Bluetooth Software\BTTray.exe [2004-04-26 17:13:54 561213]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    Source= C:\Documents and Settings\Administrator\My Documents\My Webs\Active Desktop\rain.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
    2004-06-17 12:14 180290 C:\WINDOWS\system32\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-602162358-725345543-1175\Scripts\Logon\0\0]
    "Script"=map.bat

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Wise-FTP Scheduler"=
    "DLCCCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    "WinampAgent"=C:\Program Files\Winamp\winampa.exe
    "mmtask"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\WINDOWS\\system32\\dlcccoms.exe"=
    "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlccPSWX.EXE"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "135:TCP"= 135:TCP:TCP Port 135
    "5000:TCP"= 5000:TCP:TCP Port 5000
    "5001:TCP"= 5001:TCP:TCP Port 5001
    "5002:TCP"= 5002:TCP:TCP Port 5002
    "5003:TCP"= 5003:TCP:TCP Port 5003
    "5004:TCP"= 5004:TCP:TCP Port 5004
    "5005:TCP"= 5005:TCP:TCP Port 5005
    "5006:TCP"= 5006:TCP:TCP Port 5006
    "5007:TCP"= 5007:TCP:TCP Port 5007
    "5008:TCP"= 5008:TCP:TCP Port 5008
    "5009:TCP"= 5009:TCP:TCP Port 5009
    "5010:TCP"= 5010:TCP:TCP Port 5010
    "5011:TCP"= 5011:TCP:TCP Port 5011
    "5012:TCP"= 5012:TCP:TCP Port 5012
    "5013:TCP"= 5013:TCP:TCP Port 5013
    "5014:TCP"= 5014:TCP:TCP Port 5014
    "5015:TCP"= 5015:TCP:TCP Port 5015
    "5016:TCP"= 5016:TCP:TCP Port 5016
    "5017:TCP"= 5017:TCP:TCP Port 5017
    "5018:TCP"= 5018:TCP:TCP Port 5018
    "5019:TCP"= 5019:TCP:TCP Port 5019
    "5020:TCP"= 5020:TCP:TCP Port 5020

    R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
    R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2002-12-24 19:52]
    R1 hwinterface;hwinterface;C:\WINDOWS\system32\Drivers\hwinterface.sys [2005-01-31 00:49]
    S3 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;C:\CFusionMX\db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent []
    S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;C:\WINDOWS\system32\Drivers\FTD2XX.sys [2005-12-15 15:27]
    S3 kazoo;Kazoo.sys Kazoo Device driver;C:\WINDOWS\system32\Drivers\Kazoo.sys [2002-05-08 11:56]
    S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-11-22 20:01]
    S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2005-10-14 04:44]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 08:01]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a351754e-cf48-11dc-8ce0-da30a7d0d9f3}]
    \Shell\AutoRun\command - E:\FOM07.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fef45020-edc1-11d9-8c27-000f1f4312e0}]
    \Shell\AutoRun\command - D:\Autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff7b9f3c-47fc-11db-8c85-000f1f4312e0}]
    \Shell\AutoRun\command - D:\setupSNK.exe

    *Newly Created Service* - CATCHME
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-30 09:02:28
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
    "ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
    .
    Completion time: 2008-07-30 9:06:17
    ComboFix-quarantined-files.txt 2008-07-30 13:06:09
    ComboFix2.txt 2008-07-30 06:18:45

    Pre-Run: 22,374,047,744 bytes free
    Post-Run: 22,357,262,336 bytes free

    408 --- E O F --- 2008-07-30 07:23:51
    =====================================================



    HJT LOG #3
    =====================================================
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:17:17 AM, on 7/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\program files\MétéoMédia\MétéoIMédia\WeatherEye.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Dell\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\rad3tech.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://server/traxter/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MétéoIMédia] C:\program files\MétéoMédia\MétéoIMédia\WeatherEye.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://housecall65.trendmicro.com
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{09C4B1C0-567F-4806-95D6-8591F403C937}: NameServer = 66.49.220.95,67.55.0.11
    O17 - HKLM\System\CS1\Services\Tcpip\..\{09C4B1C0-567F-4806-95D6-8591F403C937}: NameServer = 66.49.220.95,67.55.0.11
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
    O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
    O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator\My Documents\My Webs\Active Desktop\rain.html

    --
    End of file - 6829 bytes
    ====================================================

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi

    Please make sure that all programs are closed when installing Java.

    1. Click here to visit Java's website.
    2. Scroll down to Java Runtime Environment (JRE) 6 Update 7. Click on Download.
    3. Select Windows from the drop-down list for Platform.
    4. Select Multi-language from the drop-down list for Language.
    5. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
    6. Click on jre-6u7-windows-i586-p.exe link to download it and save this to a convenient location.
    7. Double click on jre-6u7-windows-i586-p.exe to install Java.
    8. After the Java installation has finished, please go to Kaspersky website and perform an online antivirus scan.
    9. Read through the requirements and privacy statement and click on Accept button.
    10. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    11. When the downloads have finished, click on Settings.
    12. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
    13. Click on My Computer under Scan.
    14. Once the scan is complete, it will display the results. Click on View Scan Report.
    15. You will see a list of infected items there. Click on Save Report As....
    16. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    17. Please post this log in your next reply along with a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Junior Member
    Join Date
    Jul 2008
    Posts
    7

    Default

    Hi Shaba, here are the logs you requested:


    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Wednesday, July 30, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Wednesday, July 30, 2008 18:33:58
    Records in database: 1030144
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    Z:\

    Scan statistics:
    Files scanned: 144327
    Threat name: 5
    Infected objects: 7
    Suspicious objects: 0
    Duration of the scan: 05:12:39


    File name / Threat name / Threats count
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\setup.exe.bac_a01152 Infected: Trojan-Downloader.Win32.Zlob.buw 1
    C:\Documents and Settings\Administrator\My Documents\Apps\Make Your Windows Genuine - For XP,Server 2003, Vista - iNGEn\WINDOWS XP and Server 2003\2) XP-sp2 and Server 2003\iNGEn_XPsp2.exe Infected: not-a-virus:PSWTool.Win32.RAS.g 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\hiyqapqq.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bty 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\idiejpny.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.abet 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\ikdbuz.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bty 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\kenmyxvc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aawg 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\mbxaqhgw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aawg 1

    The selected area was scanned.



    HJT LOG
    ===================================================
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:48:02 PM, on 7/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Dell\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Administrator\Local Settings\temp\jkos-Administrator\binaries\ScanningProcess.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\rad3tech.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://server/traxter/
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MétéoIMédia] C:\program files\MétéoMédia\MétéoIMédia\WeatherEye.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://housecall65.trendmicro.com
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{09C4B1C0-567F-4806-95D6-8591F403C937}: NameServer = 66.49.220.95,67.55.0.11
    O17 - HKLM\System\CS1\Services\Tcpip\..\{09C4B1C0-567F-4806-95D6-8591F403C937}: NameServer = 66.49.220.95,67.55.0.11
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
    O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
    O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator\My Documents\My Webs\Active Desktop\rain.html

    --
    End of file - 6960 bytes

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi

    Purpose of this?

    C:\Documents and Settings\Administrator\My Documents\Apps\Make Your Windows Genuine - For XP,Server 2003, Vista - iNGEn\WINDOWS XP and Server 2003\2) XP-sp2 and Server 2003\iNGEn_XPsp2.exe Infected: not-a-virus:PSWTool.Win32.RAS.g 1
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •