Spybot Attacked
Toecutter
2007-03-20, 19:25
Spybot and TeaTimer are deleted, as well as my antivirus software. A firewall exception is generated for IPSEC when I connect to the Internet. Shortly thereafter, I am blessed with GOLDUN. I remove Goldun and the IPSEC exception, but it happens all over again. Below is my HijackThis log.
Your help here is GREATLY appreciated!
Logfile of HijackThis v1.99.1
Scan saved at 9:05:35 AM, on 3/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\AntiSpyware\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172864819000
O17 - HKLM\System\CCS\Services\Tcpip\..\{46FBE9A5-76FD-4B26-A46F-1F96DA3AFA26}: NameServer = 192.168.194.1
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
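The log above is what the helper reads by hand in the next reply. As an added example that is not part of this thread or of HijackThis itself, here is a small Python triage script that parses HijackThis v1.99-style lines and applies the same review rules the helper uses below (O6 policy keys, O23 services whose file is missing, the KernelFaultCheck O4 entry), plus one generalisation not raised in the thread: an O17 NameServer pointing at a public address. The sample log is a constructed subset of the one posted above.

```python
"""Triage helper for HijackThis v1.99-style log lines (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted in this thread,
# chosen to exercise each rule below. It is not the complete log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{46FBE9A5-76FD-4B26-A46F-1F96DA3AFA26}: NameServer = 192.168.194.1
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# HijackThis entry lines start with a section tag (R0, O4, O23, ...) and " - ".
LINE_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([0-9.,]+)")


@dataclass(frozen=True)
class Entry:
    section: str  # "O4", "O23", ...
    body: str     # everything after the "O4 - " prefix


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    body: str


def parse_hjt(text):
    """Return the recognised R/F/N/O entries; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Apply the review rules a helper applies by hand to this kind of log."""
    findings = []
    for e in entries:
        if e.section == "O6":
            # IE policy keys are legitimate when set on purpose (Spybot's
            # immunization can add them); otherwise something locked IE down.
            findings.append(Finding("O6", "IE policy present; confirm it was set deliberately, else fix", e.body))
        elif e.section == "O23" and e.body.endswith("(file missing)"):
            # A service whose binary is gone: here the AV guard, consistent
            # with the poster's report that the antivirus was deleted.
            findings.append(Finding("O23", "service binary missing; reinstall or remove the service", e.body))
        elif e.section == "O4" and "dumprep 0 -k" in e.body:
            # KernelFaultCheck is a crash-reporting leftover; safe to fix.
            findings.append(Finding("O4", "KernelFaultCheck leftover; fix to remove", e.body))
        elif e.section == "O17":
            # Generalisation: a private-range resolver (as in this log) is
            # normal for a home router; a public one deserves a look.
            m = NAMESERVER_RE.search(e.body)
            if m:
                for ip in m.group(1).split(","):
                    if ipaddress.ip_address(ip.strip()).is_global:
                        findings.append(Finding("O17", "DNS server is a public address; check for DNS hijacking", e.body))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.section}: {f.reason}\n    {f.body}")
```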
Angelfire777
2007-03-21, 01:26
Hi, welcome to Safer Networking Forums!
Download haxfix.exe (http://users.telenet.be/marcvn/tools/haxfix.exe)
and save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon"
Click "Next"
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
Select option 1. Make logfile by typing 1 and then pressing Enter
Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)
Toecutter
2007-03-21, 13:38
HAXFIX logfile - by Marckie
version 4.37
Wed 03/21/2007 7:36:39.82
--- Checking for Haxdoor ---
checking for a3d files
a3d files not found
checking for matching notify keys
no matching notify keys found
checking for matching services
no matching services found
checking for matching safeboot services
no matching safeboot services found
checking for other Haxdoor-files
no other Haxdoor-files found
--- Checking for Goldun ---
checking for SSODL keys
no ssodl keys found
checking for notify keys
no notify keys found
checking for services
no services found
checking for other Goldun-files
no other Goldun-files found
checking iexplore.exe
iexplore.exe is not infected
Finished!
Angelfire777
2007-03-21, 17:40
Hi,
*Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Antispyware.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!
*Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune
Do not use it yet.
______________________
*We need to temporarily disable Spybot's TeaTimer, as it may stop our fix.
Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.
*You need to disable Windows Defender temporarily, as it can stop our fix. Please re-enable it after your system is clean.
Open Microsoft Windows Defender. Click Start > Programs > Windows Defender
Click on Tools > General Settings
Under Real-time Protection options, unselect the turn on real-time protection check box.
Click Save
After all of the fixes are complete it is very important that you enable Real-time Protection again.
*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
Did you use Spybot to add the following policies? If not, please fix them.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
______________________
*You may want to print these instructions here or save them in notepad since you'll work offline.
Reboot into Safe Mode.
To enter Safe Mode..
Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.
*Important: Make sure all your browsers are closed before running ATF Cleaner..
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose:Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE:If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
*Please run AVG AntiSpyware, and run a full scan as follows:
IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.
Launch AVG AntiSpyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted; then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
Close AVG AntiSpyware.
Reboot to normal mode.
*Download combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log and the AVG Antispyware log
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Toecutter
2007-03-23, 14:26
Ok, I've downloaded all the goods you told me to. When I try to run in Safe Mode, an option shows up: "Press esc to cancel loading SPTD.SYS" No matter if I hit esc or not my computer will reboot. No boot option except for Normal will work. Should I try and do this stuff in Normal anyway?
Thanks
Angelfire777
2007-03-23, 16:08
Hi,
Yes please do them in normal mode. Do you use daemon tools? Sptd.sys is related to that program..
Toecutter
2007-03-23, 17:14
Ok, I will use normal mode. Yes, I have installed Daemon tools. Could that be the root of my problems?
Angelfire777
2007-03-23, 19:24
Not the root of your problems, but if you google sptd.sys, you'll find that sptd.sys causes some trouble when booting to safe mode..
Toecutter
2007-03-23, 20:11
AVG REPORT:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 2:00:42 PM 3/23/2007
+ Scan result:
C:\System Volume Information\_restore{EBBCB49A-7643-4B03-9EA2-58CAC94219CD}\RP61\A0019676.dll -> Trojan.Zapchast : No action taken.
C:\System Volume Information\_restore{EBBCB49A-7643-4B03-9EA2-58CAC94219CD}\RP61\A0019675.dll -> Worm.Warezov.et : No action taken.
C:\WINDOWS\system32\wmdrtc32.dll -> Worm.Warezov.et : No action taken.
[1696] C:\WINDOWS\system32\wmdrtc32.dll -> Worm.Warezov.et : No action taken.
[1752] C:\WINDOWS\system32\wmdrtc32.dll -> Worm.Warezov.et : No action taken.
[1940] C:\WINDOWS\system32\wmdrtc32.dll -> Worm.Warezov.et : No action taken.
::Report end
Toecutter
2007-03-23, 20:15
PART 1
"JAM" - 07-03-23 14:01:39 Service Pack 2
ComboFix 07-03-22 - Running from: "C:\Documents and Settings\JAM\Desktop\Spyware Removal"
/wow section not completed - STAGE #6D
((((((((((((((((((((((((((((((( Files Created from 2007-02-23 to 2007-03-23 ))))))))))))))))))))))))))))))))))
2007-03-21 15:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-21 14:12 9,728 --a------ C:\WINDOWS\system32\mciservice.exe
2007-03-21 11:08 <DIR> d-------- C:\!KillBox
2007-03-21 11:00 <DIR> d--h----- C:\WINDOWS\PIF
2007-03-13 15:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-03-13 13:29 5,477 --a------ C:\WINDOWS\system32\drivers\okieon.sys
2007-03-13 11:34 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-03-13 11:30 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-03-13 11:11 <DIR> d-------- C:\VundoFix Backups
2007-03-13 10:50 <DIR> d-------- C:\AntiSpyware
2007-03-13 08:26 468,480 --a------ C:\WINDOWS\system32\win5584.dll
2007-03-12 12:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-03-12 12:13 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2007-03-12 12:13 8,234 --a------ C:\clean.bat
2007-03-12 12:13 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-03-12 12:13 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-12 12:13 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-03-12 12:13 38,400 --a------ C:\WINDOWS\system32\moveex.exe
2007-03-12 11:10 468,480 --a------ C:\WINDOWS\system32\win61992.dll
2007-03-09 08:56 468,480 --a------ C:\WINDOWS\system32\win5654.dll
2007-03-08 16:05 468,480 --a------ C:\WINDOWS\system32\win15200.dll
2007-03-08 12:13 468,480 --a------ C:\WINDOWS\system32\win2495.dll
2007-03-07 14:37 468,480 --a------ C:\WINDOWS\system32\win36472.dll
2007-03-07 09:38 468,480 --a------ C:\WINDOWS\system32\win49689.dll
2007-03-06 16:26 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-03-06 14:06 468,480 --a------ C:\WINDOWS\system32\win39987.dll
2007-03-06 11:42 57,344 --a------ C:\WINDOWS\system32\CNARLMNT.DLL
2007-03-06 11:42 22,048 --a------ C:\WINDOWS\system32\cocpyinf.dll
2007-03-06 09:02 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-03-06 09:01 <DIR> d-------- C:\WINDOWS\ShellNew
2007-03-05 16:25 <DIR> d-------- C:\Program Files\Windows Defender
2007-03-05 16:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-03-05 16:01 <DIR> d--h----- C:\CanonMF
2007-03-02 16:30 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-03-02 16:30 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-03-02 16:17 468,992 --a------ C:\WINDOWS\system32\win39200.dll
2007-03-02 16:14 468,480 --a------ C:\WINDOWS\system32\win41261.dll
2007-03-02 15:55 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-03-02 15:55 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-03-02 15:46 <DIR> d--hs---- C:\DOCUME~1\JAM\UserData
2007-03-02 14:58 <DIR> d-------- C:\Program Files\QA
2007-03-02 14:49 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2007-03-02 14:30 <DIR> d-------- C:\DOCUME~1\JAM\APPLIC~1\Autodesk
2007-03-02 14:13 <DIR> d-------- C:\WINDOWS\SXS
2007-03-02 14:13 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2007-03-02 14:13 <DIR> d-------- C:\Program Files\Autodesk
2007-03-02 14:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Autodesk
2007-03-02 14:12 335,360 --a------ C:\WINDOWS\IsUninst.exe
2007-03-02 14:12 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2007-03-02 14:12 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll
2007-03-02 14:12 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-03-02 14:11 <DIR> d-------- C:\Program Files\Microsoft WSE
2007-03-02 14:09 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-03-02 12:30 40,960 --a------ C:\WINDOWS\system32\wmdrtc32.dll
2007-03-02 12:29 102,528 --a------ C:\WINDOWS\system32\drivers\SI3112r.sys
2007-03-02 12:29 10,368 --a------ C:\WINDOWS\system32\drivers\SiWinAcc.sys
2007-03-02 12:14 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-03-02 12:13 <DIR> d--hs---- C:\RECYCLER
2007-03-02 12:08 <DIR> d-------- C:\Program Files\Warcraft III
2007-03-02 12:08 <DIR> d-------- C:\Program Files\Lucas Arts
2007-03-02 12:06 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-03-02 12:06 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-03-02 12:06 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-03-02 12:06 363,520 --a------ C:\WINDOWS\system32\PsisDecd.dll
2007-03-02 12:06 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-03-02 12:06 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-03-02 12:06 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-03-02 12:06 15,360 --a------ C:\WINDOWS\system32\drivers\MPE.sys
2007-03-02 12:06 11,776 --a------ C:\WINDOWS\system32\drivers\BdaSup.sys
2007-03-02 12:06 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-03-02 12:06 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-03-02 12:02 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-03-02 12:02 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-03-02 12:01 <DIR> d-------- C:\ATI
2007-03-02 11:54 <DIR> d-------- C:\Program Files\Marvell
2007-03-02 11:53 98,304 -ra------ C:\WINDOWS\system32\SStrmSK.dll
2007-03-02 11:53 98,304 -ra------ C:\WINDOWS\system32\SStrmPTB.dll
2007-03-02 11:53 98,304 -ra------ C:\WINDOWS\system32\SStrmDA.dll
2007-03-02 11:53 94,208 -ra------ C:\WINDOWS\system32\SStrmTR.dll
2007-03-02 11:53 94,208 -ra------ C:\WINDOWS\system32\SStrmTH.dll
2007-03-02 11:53 94,208 -ra------ C:\WINDOWS\system32\SStrmSV.dll
2007-03-02 11:53 94,208 -ra------ C:\WINDOWS\system32\SStrmPT.dll
2007-03-02 11:53 94,208 -ra------ C:\WINDOWS\system32\SStrmNO.dll
2007-03-02 11:53 94,208 -ra------ C:\WINDOWS\system32\SStrmFI.dll
2007-03-02 11:53 94,208 -ra------ C:\WINDOWS\system32\sstrmenu.dll
2007-03-02 11:53 94,208 -ra------ C:\WINDOWS\system32\SStrmENG.dll
2007-03-02 11:53 94,208 -ra------ C:\WINDOWS\system32\SStrmCS.dll
2007-03-02 11:53 94,208 --a------ C:\WINDOWS\system32\NVUninst.exe
2007-03-02 11:53 90,112 -ra------ C:\WINDOWS\system32\SStrmSL.dll
2007-03-02 11:53 86,016 -ra------ C:\WINDOWS\system32\SStrmHE.dll
2007-03-02 11:53 86,016 -ra------ C:\WINDOWS\system32\SStrmAR.dll
2007-03-02 11:53 73,728 -ra------ C:\WINDOWS\system32\sstray.exe
2007-03-02 11:53 69,632 -ra------ C:\WINDOWS\system32\SStrmKO.dll
2007-03-02 11:53 69,632 -ra------ C:\WINDOWS\system32\SStrmJA.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SStrmZHT.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraZHT.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraZHC.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraTR.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraTH.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraSV.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraSL.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraSK.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraRU.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraPTB.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraPT.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraPL.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraNO.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraNL.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraKO.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraJA.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraIT.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraHU.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraHE.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraFR.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraFI.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraES.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraENG.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraEL.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraDE.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraDA.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraCS.dll
2007-03-02 11:53 61,440 -ra------ C:\WINDOWS\system32\SSTraAR.dll
2007-03-02 11:53 57,344 -ra------ C:\WINDOWS\system32\SStrmZHC.dll
2007-03-02 11:53 509,984 -ra------ C:\WINDOWS\50comupd.exe
2007-03-02 11:53 491,599 -ra------ C:\WINDOWS\system32\sndstorm.exe
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplZHT.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplZHC.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplTR.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplTH.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplSV.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplSL.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplSK.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplRU.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplPTB.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplPT.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplPL.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplNO.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplNL.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplKO.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplJA.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplIT.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplHU.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplHE.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplFR.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplFI.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplES.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplENG.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplEL.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplDE.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplDA.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplCS.dll
2007-03-02 11:53 36,864 -ra------ C:\WINDOWS\system32\SSCplAR.dll
2007-03-02 11:53 126,976 -ra------ C:\WINDOWS\system32\nvuautl.exe
2007-03-02 11:53 102,400 -ra------ C:\WINDOWS\system32\SStrmRU.dll
2007-03-02 11:53 102,400 -ra------ C:\WINDOWS\system32\SStrmPL.dll
2007-03-02 11:53 102,400 -ra------ C:\WINDOWS\system32\SStrmNL.dll
2007-03-02 11:53 102,400 -ra------ C:\WINDOWS\system32\SStrmIT.dll
2007-03-02 11:53 102,400 -ra------ C:\WINDOWS\system32\SStrmHU.dll
2007-03-02 11:53 102,400 -ra------ C:\WINDOWS\system32\SStrmFR.dll
2007-03-02 11:53 102,400 -ra------ C:\WINDOWS\system32\SStrmES.dll
2007-03-02 11:53 102,400 -ra------ C:\WINDOWS\system32\SStrmEL.dll
2007-03-02 11:53 102,400 -ra------ C:\WINDOWS\system32\SStrmDE.dll
2007-03-02 11:53 1,589,248 -ra------ C:\WINDOWS\system32\sstrmres.dll
2007-03-02 11:52 962,560 --a------ C:\WINDOWS\system32\drivers\nvmcp.sys
2007-03-02 11:52 77,824 -ra------ C:\WINDOWS\system32\nvugart.exe
2007-03-02 11:52 77,824 -ra------ C:\WINDOWS\system32\nvuenet.exe
2007-03-02 11:52 77,824 --------- C:\WINDOWS\system32\nvusmb.exe
2007-03-02 11:52 70,656 -ra------ C:\WINDOWS\system32\drivers\NVENET.sys
2007-03-02 11:52 7,168 --a------ C:\WINDOWS\system32\nvack.dll
2007-03-02 11:52 66,688 --a------ C:\WINDOWS\system32\drivers\nvarm.sys
2007-03-02 11:52 53,760 --a------ C:\WINDOWS\system32\nvopenal.dll
2007-03-02 11:52 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2007-03-02 11:52 5,120 --a------ C:\WINDOWS\system32\ALut.dll
2007-03-02 11:52 48,640 --a------ C:\WINDOWS\system32\drivers\nvax.sys
2007-03-02 11:52 396,032 --a------ C:\WINDOWS\system32\drivers\nvapu.sys
2007-03-02 11:52 30,208 --a------ C:\WINDOWS\system32\nvasio.dll
2007-03-02 11:52 21,504 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-03-02 11:52 18,688 -ra------ C:\WINDOWS\system32\drivers\nv_agp.SYS
2007-03-02 11:52 172,032 --a------ C:\WINDOWS\system32\nvuaudio.exe
2007-03-02 11:52 126,976 -ra------ C:\WINDOWS\system32\nvuide.exe
2007-03-02 11:52 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-03-02 11:52 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-03-02 11:49 786,432 --ah----- C:\DOCUME~1\LOCALS~1\NTUSER.DAT
2007-03-02 11:49 2,883,584 --ah----- C:\DOCUME~1\JAM\NTUSER.DAT
2007-03-02 11:49 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-03-02 11:49 <DIR> d-------- C:\WINDOWS\Prefetch
2007-03-02 11:48 786,432 --ah----- C:\DOCUME~1\NETWOR~1\NTUSER.DAT
2007-03-02 11:45 225,280 ---h----- C:\DOCUME~1\DEFAUL~1\NTUSER.DAT
2007-03-02 11:45 0 -rahs---- C:\MSDOS.SYS
2007-03-02 11:45 0 -rahs---- C:\IO.SYS
2007-03-02 11:45 0 --a------ C:\CONFIG.SYS
2007-03-02 11:45 0 --a------ C:\AUTOEXEC.BAT
2007-03-02 11:45 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-03-02 11:45 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-03-02 11:45 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-03-02 11:44 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2007-03-02 11:44 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2007-03-02 11:44 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1\DRM
2007-03-02 11:44 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2007-03-02 11:43 64,512 --a------ C:\WINDOWS\system32\acctres.dll
2007-03-02 11:43 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll
2007-03-02 11:43 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll
2007-03-02 11:43 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2007-03-02 11:43 <DIR> d--h----- C:\Program Files\WindowsUpdate
2007-03-02 11:43 <DIR> d---s---- C:\WINDOWS\Tasks
2007-03-02 11:43 <DIR> d-------- C:\WINDOWS\system32\DirectX
2007-03-02 11:43 <DIR> d-------- C:\Program Files\Common Files\MSSoap
2007-03-02 11:42 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2007-03-02 11:42 81,920 --a------ C:\WINDOWS\system32\ils.dll
2007-03-02 11:42 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2007-03-02 11:42 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2007-03-02 11:42 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-03-02 11:42 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2007-03-02 11:42 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2007-03-02 11:42 679,424 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-03-02 11:42 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2007-03-02 11:42 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-03-02 11:42 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-03-02 11:42 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2007-03-02 11:42 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2007-03-02 11:42 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2007-03-02 11:42 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-03-02 11:42 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-03-02 11:42 41,240 --a------ C:\WINDOWS\system32\wups.dll
2007-03-02 11:42 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-03-02 11:42 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-03-02 11:42 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-03-02 11:42 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-03-02 11:42 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2007-03-02 11:42 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-03-02 11:42 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2007-03-02 11:42 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-03-02 11:42 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-03-02 11:42 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-03-02 11:42 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2007-03-02 11:42 21,640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-03-02 11:42 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-03-02 11:42 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-03-02 11:42 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-03-02 11:42 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2007-03-02 11:42 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-03-02 11:42 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2007-03-02 11:42 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2007-03-02 11:42 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2007-03-02 11:42 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2007-03-02 11:42 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-03-02 11:42 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2007-03-02 11:42 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2007-03-02 11:42 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
Toecutter
2007-03-23, 20:15
PART 2
2007-03-02 11:42 <DIR> d-------- C:\WINDOWS\system32\Restore
2007-03-02 11:42 <DIR> d-------- C:\WINDOWS\system32\Macromed
2007-03-02 11:42 <DIR> d-------- C:\WINDOWS\srchasst
2007-03-02 11:42 <DIR> d-------- C:\Program Files\Movie Maker
2007-03-02 11:41 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2007-03-02 11:41 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-03-02 11:41 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-03-02 11:41 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2007-03-02 11:41 9,728 --a------ C:\WINDOWS\system32\reset.exe
2007-03-02 11:41 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-03-02 11:41 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-03-02 11:41 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2007-03-02 11:41 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2007-03-02 11:41 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2007-03-02 11:41 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2007-03-02 11:41 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2007-03-02 11:41 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-03-02 11:41 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2007-03-02 11:41 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2007-03-02 11:41 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2007-03-02 11:41 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-03-02 11:41 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-03-02 11:41 56,832 --a------ C:\WINDOWS\system32\sol.exe
2007-03-02 11:41 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2007-03-02 11:41 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2007-03-02 11:41 54,272 --a------ C:\WINDOWS\system32\stclient.dll
2007-03-02 11:41 538,624 --a------ C:\WINDOWS\system32\spider.exe
2007-03-02 11:41 5,632 --a------ C:\WINDOWS\system32\write.exe
2007-03-02 11:41 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2007-03-02 11:41 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll
2007-03-02 11:41 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-03-02 11:41 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2007-03-02 11:41 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-03-02 11:41 407,552 --a------ C:\WINDOWS\system32\mstsc.exe
2007-03-02 11:41 4,096 --a------ C:\WINDOWS\system32\rdpcfgex.dll
2007-03-02 11:41 4,096 --a------ C:\WINDOWS\system32\mtxex.dll
2007-03-02 11:41 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-03-02 11:41 35,328 --a------ C:\WINDOWS\system32\winchat.exe
2007-03-02 11:41 347,136 --a------ C:\WINDOWS\system32\hypertrm.dll
2007-03-02 11:41 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-03-02 11:41 33,792 --a------ C:\WINDOWS\system32\regini.exe
2007-03-02 11:41 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2007-03-02 11:41 25,600 --a------ C:\WINDOWS\system32\comaddin.dll
2007-03-02 11:41 25,088 --a------ C:\WINDOWS\system32\mtxlegih.dll
2007-03-02 11:41 227,840 --a------ C:\WINDOWS\system32\avtapi.dll
2007-03-02 11:41 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2007-03-02 11:41 22,016 --a------ C:\WINDOWS\system32\qwinsta.exe
2007-03-02 11:41 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-03-02 11:41 20,992 --a------ C:\WINDOWS\system32\msg.exe
2007-03-02 11:41 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2007-03-02 11:41 20,480 --a------ C:\WINDOWS\system32\mtxdm.dll
2007-03-02 11:41 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-03-02 11:41 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2007-03-02 11:41 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2007-03-02 11:41 16,896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2007-03-02 11:41 16,896 --a------ C:\WINDOWS\system32\qappsrv.exe
2007-03-02 11:41 16,384 --a------ C:\WINDOWS\system32\tskill.exe
2007-03-02 11:41 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2007-03-02 11:41 15,872 --a------ C:\WINDOWS\system32\rwinsta.exe
2007-03-02 11:41 15,872 --a------ C:\WINDOWS\system32\cdmodem.dll
2007-03-02 11:41 15,360 --a------ C:\WINDOWS\system32\logoff.exe
2007-03-02 11:41 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2007-03-02 11:41 147,456 --a------ C:\WINDOWS\system32\comsnap.dll
2007-03-02 11:41 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-03-02 11:41 14,848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2007-03-02 11:41 14,848 --a------ C:\WINDOWS\system32\tscon.exe
2007-03-02 11:41 14,848 --a------ C:\WINDOWS\system32\shadow.exe
2007-03-02 11:41 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2007-03-02 11:41 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2007-03-02 11:41 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-03-02 11:41 13,824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-03-02 11:41 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2007-03-02 11:41 123,392 --a------ C:\WINDOWS\system32\mplay32.exe
2007-03-02 11:41 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2007-03-02 11:41 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2007-03-02 11:41 114,688 --a------ C:\WINDOWS\system32\calc.exe
2007-03-02 11:41 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2007-03-02 11:41 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2007-03-02 11:41 11,264 --a------ C:\WINDOWS\system32\icaapi.dll
2007-03-02 11:41 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-03-02 11:41 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2007-03-02 11:41 1,161 --a------ C:\WINDOWS\system32\usrlogon.cmd
2007-03-02 11:41 <DIR> d-------- C:\WINDOWS\system32\MsDtc
2007-03-02 11:41 <DIR> d-------- C:\WINDOWS\system32\Com
2007-03-02 11:41 <DIR> d-------- C:\WINDOWS\Registration
2007-03-02 11:41 <DIR> d-------- C:\Program Files\Windows NT
2007-03-02 11:41 <DIR> d-------- C:\Program Files\Online Services
2007-03-02 11:41 <DIR> d-------- C:\Program Files\MSN Gaming Zone
2007-03-02 11:41 <DIR> d-------- C:\Program Files\Messenger
2007-03-02 11:40 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
2007-03-02 11:40 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2007-03-02 11:40 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2007-03-02 11:40 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2007-03-02 11:39 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-03-02 11:39 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-03-02 06:33 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-03-02 06:33 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-03-02 06:33 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-03-02 06:33 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-03-02 06:33 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-03-02 06:33 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-03-02 06:33 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-03-02 06:33 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-03-02 06:33 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-03-02 06:33 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-03-02 06:33 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-03-02 06:33 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-03-02 06:33 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-03-02 06:32 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-03-02 06:32 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-03-02 06:32 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-03-02 06:32 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-03-02 06:32 2,944 --a------ C:\WINDOWS\system32\drivers\msmpu401.sys
2007-03-02 06:32 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-03-02 06:32 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
2007-03-02 06:31 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
2007-03-02 06:31 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll
2007-03-02 06:31 6,656 -ra------ C:\WINDOWS\system32\kbdycl.dll
2007-03-02 06:31 6,656 -ra------ C:\WINDOWS\system32\kbdsl1.dll
2007-03-02 06:31 6,656 -ra------ C:\WINDOWS\system32\kbdsl.dll
2007-03-02 06:31 6,656 -ra------ C:\WINDOWS\system32\kbdpl.dll
2007-03-02 06:31 6,656 -ra------ C:\WINDOWS\system32\kbdhu.dll
2007-03-02 06:31 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll
2007-03-02 06:31 6,656 -ra------ C:\WINDOWS\system32\kbdcz2.dll
2007-03-02 06:31 6,656 -ra------ C:\WINDOWS\system32\kbdcz1.dll
2007-03-02 06:31 6,656 -ra------ C:\WINDOWS\system32\kbdcr.dll
2007-03-02 06:31 6,656 -ra------ C:\WINDOWS\system32\KBDAL.DLL
2007-03-02 06:31 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll
2007-03-02 06:31 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll
2007-03-02 06:31 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll
2007-03-02 06:31 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll
2007-03-02 06:31 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll
2007-03-02 06:31 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll
2007-03-02 06:31 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll
2007-03-02 06:31 5,632 -ra------ C:\WINDOWS\system32\kbdro.dll
2007-03-02 06:31 5,632 -ra------ C:\WINDOWS\system32\kbdpl1.dll
2007-03-02 06:31 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll
2007-03-02 06:31 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll
2007-03-02 06:31 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll
2007-03-02 06:31 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll
2007-03-02 06:31 5,632 -ra------ C:\WINDOWS\system32\kbdhu1.dll
2007-03-02 06:31 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll
2007-03-02 06:31 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll
2007-03-02 06:31 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll
2007-03-02 06:31 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll
2007-03-02 06:31 <DIR> dr------- C:\Program Files
2007-03-02 06:31 <DIR> d--hs---- C:\WINDOWS\Installer
2007-03-02 06:31 <DIR> d-------- C:\Program Files\Common Files\SpeechEngines
2007-03-02 06:31 <DIR> d-------- C:\Program Files\Common Files\ODBC
2007-03-02 06:30 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
2007-03-02 06:30 9,008 --a------ C:\WINDOWS\system\VER.DLL
2007-03-02 06:30 85,020 --a------ C:\WINDOWS\system32\dgsetup.dll
2007-03-02 06:30 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
2007-03-02 06:30 8,704 --a------ C:\WINDOWS\system32\batt.dll
2007-03-02 06:30 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2007-03-02 06:30 69,584 --a------ C:\WINDOWS\system\AVICAP.DLL
2007-03-02 06:30 69,120 --a------ C:\WINDOWS\NOTEPAD.EXE
2007-03-02 06:30 68,768 --a------ C:\WINDOWS\system\MMSYSTEM.DLL
2007-03-02 06:30 5,120 --a------ C:\WINDOWS\system\SHELL.DLL
2007-03-02 06:30 32,816 --a------ C:\WINDOWS\system\COMMDLG.DLL
2007-03-02 06:30 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-03-02 06:30 24,064 --a------ C:\WINDOWS\system\OLESVR.DLL
2007-03-02 06:30 19,200 --a------ C:\WINDOWS\system\TAPI.DLL
2007-03-02 06:30 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll
2007-03-02 06:30 15,360 --a------ C:\WINDOWS\TASKMAN.EXE
2007-03-02 06:30 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-03-02 06:30 126,912 --a------ C:\WINDOWS\system\MSVIDEO.DLL
2007-03-02 06:30 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2007-03-02 06:30 109,456 --a------ C:\WINDOWS\system\AVIFILE.DLL
2007-03-02 06:30 103,424 --a------ C:\WINDOWS\system32\EqnClass.Dll
2007-03-02 06:30 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Documents
2007-03-02 06:30 <DIR> d--hs---- C:\System Volume Information
2007-03-02 06:30 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-03-02 06:30 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2007-03-02 06:30 <DIR> d-------- C:\Documents and Settings
2007-03-02 06:23 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
2007-03-02 06:23 <DIR> dr--s---- C:\WINDOWS\Fonts
2007-03-02 06:23 <DIR> dr------- C:\WINDOWS\Web
2007-03-02 06:23 <DIR> d--h----- C:\WINDOWS\inf
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\WinSxS
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\twain_32
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\wins
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\wbem
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\usmt
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\spool
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\ShellExt
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\Setup
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\ras
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\oobe
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\npp
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\mui
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\inetsrv
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\IME
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\icsxml
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\ias
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\export
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\drivers\etc
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\drivers\disdn
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\drivers
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\dhcp
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\config
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\3com_dmi
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\3076
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\2052
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\1054
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\1042
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\1041
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\1037
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\1033
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\1031
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\1028
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32\1025
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system32
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\system
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\security
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\Resources
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\repair
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\Provisioning
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\PeerNet
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\pchealth
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\mui
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\msapps
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\msagent
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\Media
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\java
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\ime
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\Help
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\ehome
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\Driver Cache
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\Debug
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\Cursors
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\Connection Wizard
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\Config
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\AppPatch
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS\addins
2007-03-02 06:23 <DIR> d-------- C:\WINDOWS
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-02 06:30 62 --ahs---- C:\DOCUME~1\JAM\APPLIC~1\desktop.ini
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
SafeBoot registry key needs to be repaired. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{359ee1e9-c8d9-11db-9bba-0011d8029acd}]
Shell\AutoRun\command F:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c1667a9e-d177-11db-9bee-0011d8029acd}]
Shell\AutoRun\command F:\autoplay.exe
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-03-23 14:02:29
C:\ComboFix2.txt ... 07-03-21 16:25
Toecutter
2007-03-23, 20:16
Logfile of HijackThis v1.99.1
Scan saved at 2:03:07 PM, on 3/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\AntiSpyware\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172864819000
O17 - HKLM\System\CCS\Services\Tcpip\..\{46FBE9A5-76FD-4B26-A46F-1F96DA3AFA26}: NameServer = 192.168.194.1
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Angelfire777
2007-03-28, 18:55
Hi,
I apologize for the delay, I missed your email notification.
*Download avz4en.zip here (http://z-oleg.com/avz4en.zip)
Unzip it to a folder on your desktop
Double click on AVZ.exe
Click on the file tab and then click on System recovery
Put a checkmark next to Restore SafeBoot registry keys
Click on Execute selected operations
*Download Killbox (http://www.bleepingcomputer.com/files/killbox.php)
Open Killbox.exe
Highlight all the entries in the quote box below and then Copy them.
C:\WINDOWS\system32\wmdrtc32.dll
Then in Killbox, click File>>Paste from Clipboard
Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes.
A second message will ask to Reboot now? You will need to click Yes to allow the reboot.
*I would like you to scan a few files for me.
Please go HERE (http://virusscan.jotti.org/). Click browse then, navigate to this file:
C:\WINDOWS\system32\drivers\okieon.sys
Then click submit.
Do the same for this file: C:\WINDOWS\system32\win5584.dll
Please post the results to your next reply.
If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.
On your next reply, please post a fresh HijackThis log, the results of the Jotti scan and a description of how your machine is working.
Toecutter
2007-03-30, 17:29
I am having trouble logging on to the two virus scan sites you directed me to (due to my connection speed I think). I will keep trying and post the results when I have completed the task. In the meantime, I do know that okieon.sys is one of my problems. I tried to delete it long ago but it always returns. If Windows Defender permits it to load, all hell breaks loose. At times, it will try to load for no reason and other times it will try to load upon the execution of a program such as AVG Anti-spyware or some other program. If I don't allow it to load (okieon.sys) I must re-boot. The other file wmdrtc32.dll contains worm.warezov.et according to AVG. That file always returns after deleting as well. Anyways, I will post the reports when I've completed the task.
Thanks
Toecutter
2007-03-30, 18:11
OK, here are the results from the online virus scan.
Complete scanning result of "okieon.sys", received in VirusTotal at 03.30.2007, 16:42:13 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.3.30.0 03.30.2007 Win-Trojan/Sality.5477
AntiVir 7.3.1.46 03.30.2007 TR/Drop.Warezov.A.1
Authentium 4.93.8 03.30.2007 W32/Sality.AF
Avast 4.7.936.0 03.30.2007 Win32:Trojan-gen. {Other}
AVG 7.5.0.447 03.30.2007 Generic3.KXG
BitDefender 7.2 03.30.2007 Trojan.Rootkit.AF
CAT-QuickHeal 9.00 03.29.2007 Worm.Sality.s
ClamAV devel-20070312 03.30.2007 no virus found
DrWeb 4.33 03.30.2007 Trojan.Ipsof
eSafe 7.0.15.0 03.29.2007 Virus.Win32.Sality.s
eTrust-Vet 30.6.3524 03.30.2007 Win32/Sality.S
Ewido 4.0 03.30.2007 no virus found
FileAdvisor 1 03.30.2007 no virus found
Fortinet 2.85.0.0 03.30.2007 Rootkit.D!tr
F-Prot 4.3.1.45 03.30.2007 W32/Sality.AF
F-Secure 6.70.13030.0 03.30.2007 Virus.Win32.Sality.s
Ikarus T3.1.1.3 03.30.2007 Virus.Win32.Sality.s
Kaspersky 4.0.2.24 03.30.2007 Virus.Win32.Sality.s
McAfee 4995 03.29.2007 Generic Rootkit.d
Microsoft 1.2306 03.30.2007 VirTool:Win32/Rootkit.C
NOD32v2 2157 03.30.2007 Win32/Sality.NAM
Norman 5.80.02 03.30.2007 no virus found
Panda 9.0.0.4 03.30.2007 W32/Sality.X.drp
Prevx1 V2 03.30.2007 Trojan.VXGAME.n
Sophos 4.16.0 03.30.2007 W32/Sality-AD
Sunbelt 2.2.907.0 03.29.2007 Hacktool.Rootkit
Symantec 10 03.30.2007 Hacktool.Rootkit
TheHacker 6.1.6.083 03.30.2007 Trojan/Sality.s
UNA 1.83 03.16.2007 Win32.Sality.s
VBA32 3.11.3 03.29.2007 Trojan.Ipsof
VirusBuster 4.3.7:9 03.30.2007 Win32.Sality.AA
Webwasher-Gateway 6.0.1 03.30.2007 Trojan.Drop.Warezov.A.1
Additional Information
File size: 5477 bytes
MD5: 3ecc72712703b51f3cd4bcefe38ea758
SHA1: 883ce7a65d759bfb23e56cb0ea30c50a0c1e2eda
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=e31c68987880
Hijack Log
Logfile of HijackThis v1.99.1
Scan saved at 10:55:51 AM, on 3/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\AntiSpyware\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172864819000
O17 - HKLM\System\CCS\Services\Tcpip\..\{46FBE9A5-76FD-4B26-A46F-1F96DA3AFA26}: NameServer = 192.168.194.1
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
In addition to the description of my computer behavior, when I do allow okieon.sys to load, IPSEC firewall exceptions are generated, and if I am connected to the internet, loads of executable files are placed in my C:\windows\temp folder. Shortly thereafter, I get Goldun plus loads of other undesirables. I also believe now that this virus (or viruses) prevented me from going to the virus scan web sites. I had to use my wife's computer. While trying to access the local network from my computer it took about 3 minutes. It is normally instant. At this point, her computer doesn't seem to be infected.
Thanks for your help
Angelfire777
2007-03-30, 18:35
Hi,
I have very bad news. Sality is a file infector that is very dangerous. It infects quite a lot of files and it could even have infected very critical system files. Since we do not know how much it has infected by now, I cannot guarantee you a clean and healthy machine anymore. The fastest and safest way to get rid of this is to reformat your hard drive. Please advise me of your decision in your next post.
Toecutter
2007-03-30, 20:00
I don't have a problem formatting my computer. My primary concern is my wife's computer. She has massive amounts of family pics. Is there a way for me to verify that her system is not infected? If it is, is there an antivirus program that may help? Even if it comes with a price tag, I would rather take that approach on her computer versus losing the family pics.
Thanks for your help.
Angelfire777
2007-03-30, 20:24
I'm sorry for your machine but it's the safest way to get rid of Sality.
I wouldn't mind if we check your wife's computer. Please post a HijackThis log for your wife's machine.
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.