Virtumonde (Is eating my soul)



Lazyjim77
2008-01-15, 16:26
Alright, yesterday I took leave of my senses and downloaded something from an extremely dodgy gaming website, the predictable result was that my poor little laptop received a ton of unwanted new desktop icons and some toolbar icons that are persistently trying to get me to download some fake anti-spyware software.

After running Spybot SD I found out I had got around 40 different problems, all but one of which Spybot dutifully killed. The offending entry was of course Virtumonde, the accompanying description told me I should come to the forum for help in removing it, which I have obediently done.

As requested here is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:04, on 15/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\HCWemMON.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\TEMP\win1206.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\James\Start Menu\Programs\Startup\findfast.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.daemon-search.com/default
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Lch - {5A3700EE-5330-4DE3-A9B6-D9B56E9791F6} - C:\WINDOWS\system32\lch.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\byxwwts.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D1159422-16E3-462F-A93D-FB718E100408} - C:\WINDOWS\system32\d3dxim.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\Helper9.dll (file missing)
O2 - BHO: (no name) - {FB6CEFFA-A4AA-4E28-AD7A-4BA25ABC25Ef} - C:\WINDOWS\system32\lqttdgcx.dll (file missing)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [emMON] HCWemMON.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lguwlvcti] c:\windows\system32\lguwlvcti.exe lguwlvcti
O4 - HKLM\..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win1206.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [EasySpywareCleaner] C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Startup: findfast.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - ?p=ZJfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: byxwwts - C:\WINDOWS\SYSTEM32\byxwwts.dll
O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
O20 - Winlogon Notify: winzwr32 - winzwr32.dll (file missing)
O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing)
O22 - SharedTaskScheduler: za - {D1159422-16E3-462F-A93D-FB718E100408} - C:\WINDOWS\system32\d3dxim.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 6965 bytes


I have the Kaspersky log but it was too long to fit into a single post...

Help would be much appreciated, and if we manage to remove the little blighter, I will erect some kind of shrine from which you and your comrades may be eternally worshipped. :D
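The helpers in this thread read a HijackThis log by eye for the patterns that stand out in the one above: a Run entry launched from a temp folder, a bare filename with no directory, a core system process name sitting outside System32, a one-letter lookalike of one, a policy that disables the Registry Editor, and a populated AppInit_DLLs value. As an added example that is not part of the post and not HijackThis's own logic, here is a small Python triage pass implementing those checks over a constructed subset of the O4/O7/O20 lines from the log. The SYSTEM32_ONLY set and the heuristics are my own assumptions, and none of this replaces a helper's judgement; it only orders what to look at first.

```python
"""Heuristic triage of HijackThis O4/O7/O20 entries (added example, not part of the thread)."""
import re

# Constructed sample: a subset of the O4/O7/O20 lines from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win1206.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: byxwwts - C:\WINDOWS\SYSTEM32\byxwwts.dll
"""

# Assumption: core Windows XP processes that only ever load from %SystemRoot%\system32.
SYSTEM32_ONLY = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "spoolsv.exe", "svchost.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O7_RE = re.compile(r"^O7 - .*\bDisableRegedit=1\b")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")


def osa_distance(a, b):
    """Optimal-string-alignment edit distance: insert/delete/substitute plus one
    adjacent transposition, so 'spoolvs.exe' is distance 1 from 'spoolsv.exe'."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def executable_from_command(cmd):
    """Return the program part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return a list of (entry, reason) findings for the autostart lines in log_text."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_from_command(m.group("cmd"))
            base = exe.rsplit("\\", 1)[-1].lower()
            folder = exe.rsplit("\\", 1)[0].lower() if "\\" in exe else ""
            entry = f"O4 [{m.group('name')}] {exe}"
            if "\\" not in exe:
                findings.append((entry, "unqualified filename: resolved via the search path at logon"))
            if "\\temp\\" in exe.lower():
                findings.append((entry, "runs from a temp directory"))
            if base in SYSTEM32_ONLY and not folder.endswith("\\system32"):
                findings.append((entry, f"{base} outside System32 (masquerading as a system process)"))
            elif base not in SYSTEM32_ONLY:
                close = [k for k in SYSTEM32_ONLY if osa_distance(base, k) == 1]
                if close:
                    findings.append((entry, f"lookalike of system binary {close[0]}"))
            continue
        if O7_RE.match(line):
            findings.append(("O7 DisableRegedit=1", "Registry Editor disabled by policy"))
            continue
        m = O20_RE.match(line)
        if m:
            findings.append((f"O20 AppInit_DLLs {m.group('dlls')}",
                             "DLL loaded into every process that loads user32.dll"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason:60} <- {entry}")
```

The quoted QuickTime and BitTorrent entries produce no findings, which is the point of the heuristics: they single out the six lines a reviewer would query first and leave ordinary vendor autostarts alone.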

Shaba
2008-01-16, 12:26
Hi Lazyjim77 and welcome to Safer Networking Forums :)

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

Lazyjim77
2008-01-16, 16:07
Combofix report:

ComboFix 08-01-16.4 - James 2008-01-16 12:56:20.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1558 [GMT 0:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\James\Application Data\DOBE~1
C:\Documents and Settings\James\Application Data\ICROSO~1
C:\Documents and Settings\James\Application Data\macromedia\Flash Player\iforex.com
C:\Documents and Settings\James\Application Data\macromedia\Flash Player\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\James\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\James\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\James\Application Data\printer.exe
C:\Documents and Settings\James\Application Data\ultra
C:\Documents and Settings\James\Application Data\ultra\uninstall.bat
C:\WINDOWS\gc_407.cnf
C:\WINDOWS\gsc_407.cnf
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\accdd.bak1
C:\WINDOWS\system32\accdd.ini
C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\byxwwts.dll
C:\WINDOWS\system32\digmkrkp.dll
C:\WINDOWS\system32\drvvidr.dll
C:\WINDOWS\system32\epwnkiak.dll
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\ffhkj.bak1
C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\gfquqcjt.dll
C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\system32\gjkkj.ini
C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkmp.bak1
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jkkjg.dll
C:\WINDOWS\system32\jkkjhfd.dll
C:\WINDOWS\system32\jmllm.bak1
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\kjkmp.bak1
C:\WINDOWS\system32\kjkmp.ini
C:\WINDOWS\system32\klikalka.exe
C:\WINDOWS\system32\lguwlvcti.dat
c:\WINDOWS\system32\lguwlvcti_nav.dat
C:\WINDOWS\system32\lguwlvcti_navps.dat
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mcrupdate.exe
C:\WINDOWS\system32\oitxaacx.dll
C:\WINDOWS\system32\prutv.bak1
C:\WINDOWS\system32\prutv.ini
C:\WINDOWS\system32\qfmabvjs.dll
C:\WINDOWS\system32\ttvwa.bak2
C:\WINDOWS\system32\ttvwa.ini
C:\WINDOWS\system32\tuvsspm.dll
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\vvvwa.ini2
C:\WINDOWS\system32\vvvwa.tmp
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\system32\yayvuss.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\nm


((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-16 12:55 . 2000-08-31 08:00 58,368 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 10:51 . 2008-01-16 10:51 <DIR> d-------- C:\Documents and Settings\James\Application Data\Apple Computer
2008-01-15 16:11 . 2008-01-15 17:34 26,050 ---hs---- C:\WINDOWS\system32\qqtwa.ini
2008-01-15 16:05 . 2008-01-15 16:05 <DIR> d--hs---- C:\FOUND.000
2008-01-15 12:50 . 2008-01-15 12:50 <DIR> d-------- C:\971e7e9f2ef07952d40303f5956e1a2b
2008-01-15 12:39 . 2008-01-15 12:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-15 12:39 . 2008-01-15 12:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-15 12:34 . 2008-01-15 12:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-15 12:27 . 2008-01-15 12:27 266,304 --------- C:\WINDOWS\system32\mljgd.dll_tobedeleted_old
2008-01-15 12:27 . 2008-01-15 12:27 433 ---hs---- C:\WINDOWS\system32\dgjlm.ini
2008-01-15 11:01 . 2008-01-15 11:01 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-01-14 21:29 . 2008-01-14 21:29 <DIR> d-------- C:\9f3881141d946b21e4eb61bc552e686b
2008-01-14 20:28 . 2008-01-14 20:28 433 ---hs---- C:\WINDOWS\system32\yccdd.ini
2008-01-14 19:44 . 2008-01-14 19:44 <DIR> d-------- C:\Documents and Settings\James\Application Data\EasySpywareCleaner.com
2008-01-14 19:32 . 2008-01-14 19:32 103,424 --a------ C:\WINDOWS\system32\drvvid.dll
2008-01-14 17:25 . 2008-01-14 17:25 24,576 --a------ C:\WINDOWS\system32\bjn
2008-01-10 16:02 . 2008-01-10 16:02 <DIR> d-------- C:\Documents and Settings\James\Application Data\DAEMON Tools
2008-01-10 16:01 . 2008-01-10 16:01 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-01-10 13:33 . 2008-01-10 13:34 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-19 21:17 . 2007-12-19 21:17 288,768 --a------ C:\WINDOWS\system32\lguwlvcti.exe~
2007-12-17 22:27 . 2007-12-17 22:27 <DIR> d-------- C:\Documents and Settings\James\Application Data\acccore
2007-12-17 22:16 . 2007-12-17 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-17 22:15 . 2007-12-17 22:15 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-12-17 22:15 . 2007-12-17 22:15 <DIR> d-------- C:\Program Files\AIM6
2007-12-17 22:15 . 2007-12-17 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-17 22:15 . 2007-12-17 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-12-17 22:15 . 2007-12-17 22:21 446 --ah----- C:\IPH.PH

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 20:56 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-07 14:19 --------- d-----w C:\Program Files\Yahoo!
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 10:16 3,058,688 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A3700EE-5330-4DE3-A9B6-D9B56E9791F6}]
2007-06-02 13:07 35840 --a------ C:\WINDOWS\system32\lch.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1159422-16E3-462F-A93D-FB718E100408}]
C:\WINDOWS\system32\d3dxim.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB6CEFFA-A4AA-4E28-AD7A-4BA25ABC25Ef}]
C:\WINDOWS\system32\lqttdgcx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-08 00:01 50176]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-03 13:54 495048]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winupdate Engine"="C:\WINDOWS\system32\wupeng.exe" [ ]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-08 22:25 185632]

C:\Documents and Settings\James\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk.disabled [2007-03-18 16:38:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{D1159422-16E3-462F-A93D-FB718E100408}"= C:\WINDOWS\system32\d3dxim.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwwts]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrzf32]
winrzf32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzwr32]
winzwr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wudb]
C:\WINDOWS\system32\wudb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EasySpywareCleaner"=C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe
"avp"=C:\WINDOWS\TEMP\win1206.exe
"smgr"=mgrs.exe
"SManager"=smanager.7.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Printer"=C:\WINDOWS\system32\printer.exe
"emMON"=HCWemMON.exe

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 16:14]
R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]
R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]
S3 POWERKEY;POWERKEY;C:\Program Files\Launch Manager\POWERKEY.sys [2000-12-19 18:29]
S3 SI15CI;SI15CI;c:\elements\1stboot\SI15CI.SYS []
S3 USB28xxBGA;WinTV HVR-900;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2006-09-13 17:21]
S3 USB28xxOEM;WinTV OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2006-09-13 17:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{562eb472-dea2-11db-b093-0016cf4b55e5}]
\Shell\AutoRun\command - F:\Startup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 12:18:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 14:03:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 14:04:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-16 14:04:38
.
2008-01-15 13:54:31 --- E O F ---

Lazyjim77
2008-01-16, 16:09
2nd HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:07:47, on 16/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.daemon-search.com/default
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Lch - {5A3700EE-5330-4DE3-A9B6-D9B56E9791F6} - C:\WINDOWS\system32\lch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D1159422-16E3-462F-A93D-FB718E100408} - C:\WINDOWS\system32\d3dxim.dll (file missing)
O2 - BHO: (no name) - {FB6CEFFA-A4AA-4E28-AD7A-4BA25ABC25Ef} - C:\WINDOWS\system32\lqttdgcx.dll (file missing)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.1.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - ?p=ZJfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
O20 - Winlogon Notify: winzwr32 - winzwr32.dll (file missing)
O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing)
O22 - SharedTaskScheduler: za - {D1159422-16E3-462F-A93D-FB718E100408} - C:\WINDOWS\system32\d3dxim.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 5556 bytes

Shaba
2008-01-16, 16:36
Hi

We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

After that:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus programs detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/) - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/doc/1) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

After that:

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\mljgd.dll_tobedeleted_old
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\drvvid.dll
C:\WINDOWS\system32\bjn
C:\WINDOWS\system32\lguwlvcti.exe~
C:\WINDOWS\system32\lch.dll

Folder::
C:\WINDOWS\system32\bjn
C:\Documents and Settings\James\Application Data\EasySpywareCleaner.com
C:\Program Files\EasySpywareCleaner


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A3700EE-5330-4DE3-A9B6-D9B56E9791F6}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1159422-16E3-462F-A93D-FB718E100408}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB6CEFFA-A4AA-4E28-AD7A-4BA25ABC25Ef}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winupdate Engine"=-
"ctfmona"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{D1159422-16E3-462F-A93D-FB718E100408}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwwts]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrzf32]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzwr32]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wudb]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EasySpywareCleaner"=-
"avp"=-
"smgr"=-
"SManager"=-
"Printer"=-



Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After the reboot (if it asks for one), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
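The CFScript above is three directive blocks in ComboFix's script syntax: File:: and Folder:: list paths to remove, and Registry:: uses the same .reg syntax as the REGEDIT4 dump in the earlier ComboFix log, where `[-KEY]` deletes a key, `"Name"=-` deletes a value, and a plain `"Name"="data"` rewrites the value (here SecurityProviders is rewritten without the xlibgfl254.dll that the first log showed). As an added example, not code from the thread or from ComboFix, here is a Python parser for that format with a review pass over what the script asks for; the script text is a constructed, shortened copy of the one posted, and the review checks (absolute paths only, no path listed under both File:: and Folder::, no key deletion above the second level) are my own assumptions about what a helper would want to confirm before dragging the file onto ComboFix.

```python
"""Parse a ComboFix CFScript into the actions it requests (added example, not the thread's code)."""
import re

# Constructed, shortened copy of the CFScript posted above.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\bjn
C:\WINDOWS\system32\lch.dll

Folder::
C:\WINDOWS\system32\bjn
C:\Program Files\EasySpywareCleaner

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A3700EE-5330-4DE3-A9B6-D9B56E9791F6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winupdate Engine"=-
"ctfmona"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
"""

SECTION_RE = re.compile(r"^(?P<name>\w+)::\s*$")          # File:: / Folder:: / Registry::
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")  # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')   # "Name"=- or "Name"="data"


def parse_cfscript(text):
    """Split a CFScript into its directive blocks and decode the Registry:: actions."""
    sections = {"File": [], "Folder": [],
                "Registry": {"delete_keys": [], "delete_values": [], "set_values": []}}
    current = None
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            key = None
            if current not in sections:
                sections[current] = []   # unknown directive: keep its lines so a reviewer sees them
            continue
        if current == "Registry":
            m = KEY_RE.match(line)
            if m:
                key = m.group("key")
                if m.group("delete"):
                    sections["Registry"]["delete_keys"].append(key)
                continue
            m = VALUE_RE.match(line)
            if m and key:
                if m.group("data") == "-":
                    sections["Registry"]["delete_values"].append((key, m.group("name")))
                else:
                    sections["Registry"]["set_values"].append(
                        (key, m.group("name"), m.group("data").strip('"')))
                continue
            raise ValueError(f"unparsed Registry:: line: {line}")
        elif current is not None:
            sections[current].append(line)
        else:
            raise ValueError(f"line before any section: {line}")
    return sections


def review(sections):
    """Sanity checks a helper would want before running the script; returns a list of problems."""
    problems = []
    for path in sections["File"] + sections["Folder"]:
        if not re.match(r"^[A-Za-z]:\\", path):
            problems.append(f"relative path: {path}")
    for path in sorted(set(sections["File"]) & set(sections["Folder"])):
        problems.append(f"{path} appears under both File:: and Folder::")
    for key in sections["Registry"]["delete_keys"]:
        if key.count("\\") < 2:
            problems.append(f"key deletion too broad: {key}")
    return problems


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT)
    for section in ("File", "Folder"):
        print(section, parsed[section])
    print("Registry", parsed["Registry"])
    for problem in review(parsed):
        print("review:", problem)
```

On the script as posted, the review pass reports one thing worth a second look: C:\WINDOWS\system32\bjn is listed under both File:: and Folder::, which is harmless (it is a file, and the Folder:: entry simply finds nothing) but is the kind of duplicate a parser catches faster than a reader does.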

Lazyjim77
2008-01-16, 23:52
Combofix log:
ComboFix 08-01-16.4 - James 2008-01-16 21:22:48.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1339 [GMT 0:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\bjn
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\drvvid.dll
C:\WINDOWS\system32\lch.dll
C:\WINDOWS\system32\lguwlvcti.exe~
C:\WINDOWS\system32\mljgd.dll_tobedeleted_old
C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\yccdd.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\James\Application Data\EasySpywareCleaner.com
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\lch.dll
C:\WINDOWS\system32\lguwlvcti.exe~
C:\WINDOWS\system32\mljgd.dll_tobedeleted_old
C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\yccdd.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-16 14:43 . 2008-01-16 14:43 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-16 14:43 . 2008-01-16 14:43 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-16 14:42 . 2008-01-16 14:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-16 14:42 . 2008-01-16 14:42 <DIR> d-------- C:\kav
2008-01-16 14:42 . 2008-01-16 21:04 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-16 14:42 . 2008-01-16 21:04 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-16 14:42 . 2008-01-16 21:04 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-16 14:42 . 2008-01-16 21:04 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-16 12:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 10:51 . 2008-01-16 10:51 <DIR> d-------- C:\Documents and Settings\James\Application Data\Apple Computer
2008-01-15 16:05 . 2008-01-15 16:05 <DIR> d--hs---- C:\FOUND.000
2008-01-15 12:50 . 2008-01-15 12:50 <DIR> d-------- C:\971e7e9f2ef07952d40303f5956e1a2b
2008-01-15 12:39 . 2008-01-15 12:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-15 12:39 . 2008-01-15 12:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-15 12:34 . 2008-01-15 12:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-15 11:01 . 2008-01-15 11:01 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-01-14 21:29 . 2008-01-14 21:29 <DIR> d-------- C:\9f3881141d946b21e4eb61bc552e686b
2008-01-10 16:02 . 2008-01-10 16:02 <DIR> d-------- C:\Documents and Settings\James\Application Data\DAEMON Tools
2008-01-10 16:01 . 2008-01-10 16:01 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-01-10 13:33 . 2008-01-10 13:34 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 00:44 . 2007-12-18 00:44 219,664 --a------ C:\WINDOWS\system32\klogon.dll
2007-12-18 00:43 . 2007-12-18 00:43 23,396 --a------ C:\WINDOWS\system32\drivers\klopp.dat
2007-12-17 22:27 . 2007-12-17 22:27 <DIR> d-------- C:\Documents and Settings\James\Application Data\acccore
2007-12-17 22:16 . 2007-12-17 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-17 22:15 . 2007-12-17 22:15 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-12-17 22:15 . 2007-12-17 22:15 <DIR> d-------- C:\Program Files\AIM6
2007-12-17 22:15 . 2007-12-17 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-17 22:15 . 2007-12-17 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-12-17 22:15 . 2007-12-17 22:21 446 --ah----- C:\IPH.PH

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 21:04 258,048 ----a-w C:\WINDOWS\system32\Uninstall_eRecovery.exe
2008-01-16 21:04 146,432 ----a-w C:\WINDOWS\system32\WudfHost.exe
2008-01-16 21:02 61,952 ----a-w C:\WINDOWS\system32\HdAShCut.exe
2008-01-16 21:00 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-01-16 20:35 9,712,640 ----a-w C:\WINDOWS\RTLCPL.exe
2008-01-16 20:35 86,016 ----a-w C:\WINDOWS\SoundMan.exe
2008-01-16 20:35 8,704 ----a-w C:\WINDOWS\system32\wdfmgr.exe
2008-01-16 20:35 69,632 ----a-w C:\WINDOWS\Alcmtr.exe
2008-01-16 20:35 53,248 ----a-w C:\WINDOWS\XMLAUNCH.EXE
2008-01-16 20:35 51,712 ----a-w C:\WINDOWS\system32\migpwd.exe
2008-01-16 20:35 49,152 ----a-w C:\WINDOWS\XMLforLaunch.exe
2008-01-16 20:35 40,960 ----a-w C:\WINDOWS\RUNXMLPL.EXE
2008-01-16 20:35 4,296,704 ----a-w C:\WINDOWS\una2setup.exe
2008-01-16 20:35 356,352 ----a-w C:\WINDOWS\RtlUpd.exe
2008-01-16 20:35 306,688 ----a-w C:\WINDOWS\IsUninst.exe
2008-01-16 20:35 20,480 ----a-w C:\WINDOWS\system32\cliconfg.exe
2008-01-16 20:35 2,811,904 ----a-w C:\WINDOWS\alcwzrd.exe
2008-01-16 20:35 2,159,616 ----a-w C:\WINDOWS\MicCal.exe
2008-01-16 20:35 191,488 ----a-w C:\WINDOWS\Acer.scr
2008-01-16 20:35 163,840 ----a-w C:\WINDOWS\LaunApp.exe
2008-01-16 20:35 159,744 ----a-w C:\WINDOWS\EMEAPAGE.exe
2008-01-16 20:35 15,963,648 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-01-16 20:35 15,360 ----a-w C:\WINDOWS\system32\taskman.exe
2008-01-16 20:35 147,456 ----a-w C:\WINDOWS\UNINST32.EXE
2008-01-16 15:42 59,392 ----a-w C:\WINDOWS\system32\logman.exe
2008-01-16 15:42 58,368 ----a-w C:\WINDOWS\system32\packager.exe
2008-01-16 15:42 4,096 ----a-w C:\WINDOWS\system32\nddeapir.exe
2008-01-16 15:42 18,432 ----a-w C:\WINDOWS\system32\dpnsvr.exe
2008-01-16 15:41 98,304 ----a-w C:\WINDOWS\system32\ahui.exe
2008-01-16 15:41 47,104 ----a-w C:\WINDOWS\system32\cmdl32.exe
2008-01-16 15:41 25,088 ----a-w C:\WINDOWS\system32\defrag.exe
2008-01-16 15:40 9,728 ----a-w C:\WINDOWS\system32\sfc.exe
2008-01-16 15:40 9,216 ----a-w C:\WINDOWS\system32\subst.exe
2008-01-16 15:40 9,216 ----a-w C:\WINDOWS\system32\print.exe
2008-01-16 15:40 33,792 ----a-w C:\WINDOWS\system32\vssadmin.exe
2008-01-16 15:40 3,072 ----a-w C:\WINDOWS\system32\systray.exe
2008-01-16 15:40 20,480 ----a-w C:\WINDOWS\system32\nbtstat.exe
2008-01-16 15:40 15,360 ----a-w C:\WINDOWS\system32\pentnt.exe
2008-01-16 15:40 11,776 ----a-w C:\WINDOWS\system32\winmsd.exe
2008-01-16 15:40 11,264 ----a-w C:\WINDOWS\system32\rasdial.exe
2008-01-16 15:39 25,600 ----a-w C:\WINDOWS\twunk_32.exe
2008-01-16 15:08 44,544 ----a-w C:\WINDOWS\system32\alg.exe
2008-01-16 15:08 405,504 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-01-16 15:08 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-01-16 15:08 13,824 ----a-w C:\WINDOWS\system32\wscntfy.exe
2008-01-16 15:08 1,033,216 ----a-w C:\WINDOWS\explorer.exe
2008-01-16 14:54 123,392 ----a-w C:\WINDOWS\system32\mplay32.exe
2008-01-16 14:53 8,704 ----a-w C:\WINDOWS\system32\uwdf.exe
2008-01-16 14:52 95,744 ----a-w C:\WINDOWS\system32\scardsvr.exe
2008-01-16 14:52 89,600 ----a-w C:\WINDOWS\system32\smlogsvc.exe
2008-01-16 14:52 815,104 ----a-w C:\WINDOWS\system32\mmc.exe
2008-01-16 14:52 8,192 ----a-w C:\WINDOWS\system32\winhlp32.exe
2008-01-16 14:52 768,512 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe
2008-01-16 14:52 75,264 ----a-w C:\WINDOWS\system32\locator.exe
2008-01-16 14:52 6,144 ----a-w C:\WINDOWS\system32\msdtc.exe
2008-01-16 14:52 56,832 ----a-w C:\WINDOWS\system32\rasphone.exe
2008-01-16 14:52 5,632 ----a-w C:\WINDOWS\system32\cisvc.exe
2008-01-16 14:52 45,568 ----a-w C:\WINDOWS\system32\drwtsn32.exe
2008-01-16 14:52 42,496 ----a-w C:\WINDOWS\system32\shmgrate.exe
2008-01-16 14:52 33,280 ----a-w C:\WINDOWS\system32\clipsrv.exe
2008-01-16 14:52 32,768 ----a-w C:\WINDOWS\system32\mnmsrvc.exe
2008-01-16 14:52 32,256 ----a-w C:\WINDOWS\system32\wpnpinst.exe
2008-01-16 14:52 31,744 ----a-w C:\WINDOWS\system32\ntsd.exe
2008-01-16 14:52 289,792 ----a-w C:\WINDOWS\system32\vssvc.exe
2008-01-16 14:52 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-01-16 14:52 25,088 ----a-w C:\WINDOWS\system32\at.exe
2008-01-16 14:52 224,768 ----a-w C:\WINDOWS\system32\dmadmin.exe
2008-01-16 14:52 220,672 ----a-w C:\WINDOWS\system32\logon.scr
2008-01-16 14:52 20,992 ----a-w C:\WINDOWS\system32\fontview.exe
2008-01-16 14:52 18,432 ----a-w C:\WINDOWS\system32\ups.exe
2008-01-16 14:52 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
2008-01-16 14:52 15,872 ----a-w C:\WINDOWS\system32\perfmon.exe
2008-01-16 14:52 140,800 ----a-w C:\WINDOWS\system32\sessmgr.exe
2008-01-16 14:52 132,608 ----a-w C:\WINDOWS\system32\rsvp.exe
2008-01-16 14:52 114,688 ----a-w C:\WINDOWS\system32\wscript.exe
2008-01-16 14:52 111,104 ----a-w C:\WINDOWS\system32\netdde.exe
2008-01-16 14:52 11,776 ----a-w C:\WINDOWS\system32\regsvr32.exe
2008-01-16 14:52 109,568 ----a-w C:\WINDOWS\system32\progman.exe
2008-01-16 14:52 102,912 ----a-w C:\WINDOWS\system32\clipbrd.exe
2008-01-16 14:50 75,776 ----a-w C:\WINDOWS\system32\telnet.exe
2008-01-16 14:50 69,120 ----a-w C:\WINDOWS\system32\notepad.exe
2008-01-16 14:50 56,832 ----a-w C:\WINDOWS\system32\sol.exe
2008-01-16 14:50 538,624 ----a-w C:\WINDOWS\system32\spider.exe
2008-01-16 14:50 53,760 ----a-w C:\WINDOWS\system32\narrator.exe
2008-01-16 14:50 50,176 ----a-w C:\WINDOWS\system32\utilman.exe
2008-01-16 14:50 433,664 ----a-w C:\WINDOWS\system32\wiaacmgr.exe
2008-01-16 14:50 419,840 ----a-w C:\WINDOWS\system32\ntvdm.exe
2008-01-16 14:50 407,552 ----a-w C:\WINDOWS\system32\mstsc.exe
2008-01-16 14:50 35,840 ----a-w C:\WINDOWS\system32\rcimlby.exe
2008-01-16 14:50 347,136 ----a-w C:\WINDOWS\system32\tourstart.exe
2008-01-16 14:50 32,768 ----a-w C:\WINDOWS\system32\odbcad32.exe
2008-01-16 14:50 32,256 ----a-w C:\WINDOWS\system32\wupdmgr.exe
2008-01-16 14:50 29,184 ----a-w C:\WINDOWS\system32\mshta.exe
2008-01-16 14:50 28,672 ----a-w C:\WINDOWS\system32\verclsid.exe
2008-01-16 14:50 24,576 ----a-w C:\WINDOWS\system32\userinit.exe
2008-01-16 14:50 215,552 ----a-w C:\WINDOWS\system32\osk.exe
2008-01-16 14:50 15,360 ----a-w C:\WINDOWS\TASKMAN.EXE
2008-01-16 14:50 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-01-16 14:50 138,752 ----a-w C:\WINDOWS\system32\sndvol32.exe
2008-01-16 14:50 131,584 ----a-w C:\WINDOWS\system32\sndrec32.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-16_14.04.21.31 )))))))))))))))))))))))))))))))))))))))))
.

Lazyjim77
2008-01-16, 23:52
- 2007-08-19 14:12:34 482,816 ----a-w C:\WINDOWS\Driving Test Complete\uninstall.exe
+ 2008-01-16 14:49:04 475,648 ----a-w C:\WINDOWS\Driving Test Complete\uninstall.exe
- 2000-08-31 08:00:00 174,080 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 08:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2008-01-16 12:55:44 1,134,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-16 21:22:22 1,134,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-16 12:55:44 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-16 21:22:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 12:55:44 1,138,688 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-16 21:22:22 1,138,688 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-16 12:55:44 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-16 21:22:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 12:55:44 6,844,416 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-16 21:22:22 6,860,800 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-16 12:55:44 274,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-16 21:22:24 274,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2000-08-31 08:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
- 2006-05-31 17:24:20 69,632 ----a-r C:\WINDOWS\HCWemMON.exe
+ 2008-01-16 14:49:04 61,440 ----a-r C:\WINDOWS\HCWemMON.exe
- 2005-05-26 23:22:02 17,920 ----a-w C:\WINDOWS\hh.exe
+ 2008-01-16 14:49:04 10,752 ----a-w C:\WINDOWS\hh.exe
- 2007-06-26 22:10:26 324,608 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2008-01-16 14:49:04 317,440 ----a-w C:\WINDOWS\inf\unregmp2.exe
- 2007-03-15 02:31:48 61,440 ----a-r C:\WINDOWS\Installer\{15B70821-7893-4607-805A-BB80F3EA8279}\NewShortcut1_15B7082178934607805ABB80F3EA8279.exe
+ 2008-01-16 14:49:06 53,248 ----a-r C:\WINDOWS\Installer\{15B70821-7893-4607-805A-BB80F3EA8279}\NewShortcut1_15B7082178934607805ABB80F3EA8279.exe
- 2007-03-18 16:07:08 118,784 ----a-r C:\WINDOWS\Installer\{43983EB4-43DC-4C3D-9712-1EF592A31CA8}\sbase.exe
+ 2008-01-16 14:49:06 110,592 ----a-r C:\WINDOWS\Installer\{43983EB4-43DC-4C3D-9712-1EF592A31CA8}\sbase.exe
- 2007-03-18 16:07:08 118,784 ----a-r C:\WINDOWS\Installer\{43983EB4-43DC-4C3D-9712-1EF592A31CA8}\scalc.exe
+ 2008-01-16 14:49:08 110,592 ----a-r C:\WINDOWS\Installer\{43983EB4-43DC-4C3D-9712-1EF592A31CA8}\scalc.exe
- 2007-03-18 16:07:08 118,784 ----a-r C:\WINDOWS\Installer\{43983EB4-43DC-4C3D-9712-1EF592A31CA8}\sdraw.exe
+ 2008-01-16 14:49:10 110,592 ----a-r C:\WINDOWS\Installer\{43983EB4-43DC-4C3D-9712-1EF592A31CA8}\sdraw.exe
- 2007-03-18 16:07:08 118,784 ----a-r C:\WINDOWS\Installer\{43983EB4-43DC-4C3D-9712-1EF592A31CA8}\simpress.exe
+ 2008-01-16 14:49:08 110,592 ----a-r C:\WINDOWS\Installer\{43983EB4-43DC-4C3D-9712-1EF592A31CA8}\simpress.exe
- 2007-03-18 16:07:08 118,784 ----a-r C:\WINDOWS\Installer\{43983EB4-43DC-4C3D-9712-1EF592A31CA8}\smath.exe
+ 2008-01-16 14:49:10 110,592 ----a-r C:\WINDOWS\Installer\{43983EB4-43DC-4C3D-9712-1EF592A31CA8}\smath.exe
- 2007-03-18 16:07:08 118,784 ----a-r C:\WINDOWS\Installer\{43983EB4-43DC-4C3D-9712-1EF592A31CA8}\swriter.exe
+ 2008-01-16 14:49:12 110,592 ----a-r C:\WINDOWS\Installer\{43983EB4-43DC-4C3D-9712-1EF592A31CA8}\swriter.exe
- 2007-03-15 02:34:48 73,728 ----a-r C:\WINDOWS\Installer\{6CA897D0-67F5-4F75-8261-DC8BFCA6DA42}\NewShortcut3_DC0106287AC64543B2D8FA87561F542B.exe
+ 2008-01-16 14:49:12 65,536 ----a-r C:\WINDOWS\Installer\{6CA897D0-67F5-4F75-8261-DC8BFCA6DA42}\NewShortcut3_DC0106287AC64543B2D8FA87561F542B.exe
- 2007-03-30 10:08:32 49,152 ----a-r C:\WINDOWS\Installer\{DDEDAF6C-488E-4CDA-8276-1CCF5F3C5C32}\NewShortcut3_96B87C3D64854A7D96EBB2C8CB752619.exe
+ 2008-01-16 14:49:14 40,960 ----a-r C:\WINDOWS\Installer\{DDEDAF6C-488E-4CDA-8276-1CCF5F3C5C32}\NewShortcut3_96B87C3D64854A7D96EBB2C8CB752619.exe
- 2007-03-15 02:35:08 73,728 ----a-r C:\WINDOWS\Installer\{DEE08946-40F0-4890-853E-60A6C3306041}\NewShortcut3_5679A8AE6E244B23958051CEC54A71E7.exe
+ 2008-01-16 14:49:14 65,536 ----a-r C:\WINDOWS\Installer\{DEE08946-40F0-4890-853E-60A6C3306041}\NewShortcut3_5679A8AE6E244B23958051CEC54A71E7.exe
- 2007-03-15 02:35:44 77,824 ----a-r C:\WINDOWS\Installer\{E38BC648-883B-4EE5-966C-94C4B7AB3E0B}\NewShortcut3_E1A36723AF8C4677B7EDA10CA8CBC0A6.exe
+ 2008-01-16 14:49:14 69,632 ----a-r C:\WINDOWS\Installer\{E38BC648-883B-4EE5-966C-94C4B7AB3E0B}\NewShortcut3_E1A36723AF8C4677B7EDA10CA8CBC0A6.exe
- 2007-08-19 18:10:58 61,440 ----a-r C:\WINDOWS\Installer\{E7391464-6939-413C-B427-32F33FE13484}\Comrade.exe_CD7D16AA9DCA4A66A4ABF9C1BE60B1B5.exe
+ 2008-01-16 14:49:16 53,248 ----a-r C:\WINDOWS\Installer\{E7391464-6939-413C-B427-32F33FE13484}\Comrade.exe_CD7D16AA9DCA4A66A4ABF9C1BE60B1B5.exe
- 2007-08-19 18:10:58 61,440 ----a-r C:\WINDOWS\Installer\{E7391464-6939-413C-B427-32F33FE13484}\NewShortcut7_CD7D16AA9DCA4A66A4ABF9C1BE60B1B5.exe
+ 2008-01-16 15:07:32 53,248 ----a-r C:\WINDOWS\Installer\{E7391464-6939-413C-B427-32F33FE13484}\NewShortcut7_CD7D16AA9DCA4A66A4ABF9C1BE60B1B5.exe
- 2003-02-21 07:24:32 57,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ConfigWizards.exe
+ 2008-01-16 14:49:16 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ConfigWizards.exe
- 2006-10-12 11:09:54 263,680 ----a-w C:\WINDOWS\msagent\agentsvr.exe
+ 2006-10-12 11:09:54 256,512 ----a-w C:\WINDOWS\msagent\agentsvr.exe
- 2004-08-04 05:00:00 76,288 ----a-w C:\WINDOWS\NOTEPAD.EXE
+ 2008-01-16 14:49:16 69,120 ----a-w C:\WINDOWS\NOTEPAD.EXE
- 2004-08-04 05:00:00 190,976 ----a-w C:\WINDOWS\system32\accwiz.exe
+ 2008-01-16 14:49:18 183,808 ----a-w C:\WINDOWS\system32\accwiz.exe
- 2004-08-04 05:00:00 11,264 ----a-w C:\WINDOWS\system32\actmovie.exe
+ 2004-08-04 05:00:00 4,096 ----a-w C:\WINDOWS\system32\actmovie.exe
- 2004-08-04 05:00:00 26,624 ----a-w C:\WINDOWS\system32\arp.exe
+ 2004-08-04 05:00:00 19,456 ----a-w C:\WINDOWS\system32\arp.exe
- 2004-08-04 05:00:00 18,432 ----a-w C:\WINDOWS\system32\atmadm.exe
+ 2004-08-04 05:00:00 11,264 ----a-w C:\WINDOWS\system32\atmadm.exe
- 2004-08-04 05:00:00 18,432 ----a-w C:\WINDOWS\system32\attrib.exe
+ 2004-08-04 05:00:00 11,264 ----a-w C:\WINDOWS\system32\attrib.exe
- 2004-08-04 05:00:00 21,504 ----a-w C:\WINDOWS\system32\auditusr.exe
+ 2004-08-04 05:00:00 14,336 ----a-w C:\WINDOWS\system32\auditusr.exe
- 2004-08-04 05:00:00 11,776 ----a-w C:\WINDOWS\system32\bootok.exe
+ 2004-08-04 05:00:00 4,608 ----a-w C:\WINDOWS\system32\bootok.exe
- 2004-08-04 05:00:00 12,288 ----a-w C:\WINDOWS\system32\bootvrfy.exe
+ 2004-08-04 05:00:00 5,120 ----a-w C:\WINDOWS\system32\bootvrfy.exe
- 2004-08-04 05:00:00 25,600 ----a-w C:\WINDOWS\system32\cacls.exe
+ 2004-08-04 05:00:00 18,432 ----a-w C:\WINDOWS\system32\cacls.exe
- 2004-08-04 05:00:00 121,856 ----a-w C:\WINDOWS\system32\calc.exe
+ 2008-01-16 14:49:22 114,688 ----a-w C:\WINDOWS\system32\calc.exe
- 2004-08-04 05:00:00 87,552 ----a-w C:\WINDOWS\system32\charmap.exe
+ 2008-01-16 14:49:20 80,384 ----a-w C:\WINDOWS\system32\charmap.exe
- 2004-08-04 05:00:00 18,944 ----a-w C:\WINDOWS\system32\chkdsk.exe
+ 2004-08-04 05:00:00 11,776 ----a-w C:\WINDOWS\system32\chkdsk.exe
- 2004-08-04 05:00:00 18,432 ----a-w C:\WINDOWS\system32\chkntfs.exe
+ 2004-08-04 05:00:00 11,264 ----a-w C:\WINDOWS\system32\chkntfs.exe
- 2004-08-04 05:00:00 15,360 ----a-w C:\WINDOWS\system32\cidaemon.exe
+ 2004-08-04 05:00:00 8,192 ----a-w C:\WINDOWS\system32\cidaemon.exe
- 2004-08-04 05:00:00 14,848 ----a-w C:\WINDOWS\system32\ckcnv.exe
+ 2004-08-04 05:00:00 7,680 ----a-w C:\WINDOWS\system32\ckcnv.exe
- 2004-08-04 05:00:00 71,168 ----a-w C:\WINDOWS\system32\cleanmgr.exe
+ 2008-01-16 14:49:24 64,000 ----a-w C:\WINDOWS\system32\cleanmgr.exe
- 2004-08-04 05:00:00 395,776 ----a-w C:\WINDOWS\system32\cmd.exe
+ 2008-01-16 14:49:32 388,608 ----a-w C:\WINDOWS\system32\cmd.exe
- 2004-08-04 05:00:00 47,104 ----a-w C:\WINDOWS\system32\cmmon32.exe
+ 2004-08-04 05:00:00 39,936 ----a-w C:\WINDOWS\system32\cmmon32.exe
- 2004-08-04 05:00:00 70,656 ----a-w C:\WINDOWS\system32\cmstp.exe
+ 2004-08-04 05:00:00 63,488 ----a-w C:\WINDOWS\system32\cmstp.exe
- 2004-08-04 05:00:00 23,040 ----a-w C:\WINDOWS\system32\comp.exe
+ 2004-08-04 05:00:00 15,872 ----a-w C:\WINDOWS\system32\comp.exe
- 2004-08-04 05:00:00 24,576 ----a-w C:\WINDOWS\system32\compact.exe
+ 2004-08-04 05:00:00 17,408 ----a-w C:\WINDOWS\system32\compact.exe
- 2008-01-16 13:03:06 16,384 ------w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-16 21:06:18 16,384 ------w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-16 13:03:06 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-16 21:06:18 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-16 13:03:06 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-16 21:06:18 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-08-04 05:00:00 34,816 ----a-w C:\WINDOWS\system32\conime.exe
+ 2004-08-04 05:00:00 27,648 ----a-w C:\WINDOWS\system32\conime.exe
- 2004-08-04 05:00:00 15,360 ----a-w C:\WINDOWS\system32\control.exe
+ 2004-08-04 05:00:00 8,192 ----a-w C:\WINDOWS\system32\control.exe
- 2004-08-04 05:00:00 20,992 ----a-w C:\WINDOWS\system32\convert.exe
+ 2004-08-04 05:00:00 13,824 ----a-w C:\WINDOWS\system32\convert.exe
- 2004-08-04 05:00:00 106,496 ----a-w C:\WINDOWS\system32\cscript.exe
+ 2004-08-04 05:00:00 98,304 ----a-w C:\WINDOWS\system32\cscript.exe
- 2004-08-04 05:00:00 12,288 ----a-w C:\WINDOWS\system32\dcomcnfg.exe
+ 2004-08-04 05:00:00 5,120 ----a-w C:\WINDOWS\system32\dcomcnfg.exe
- 2004-08-04 05:00:00 37,376 ----a-w C:\WINDOWS\system32\ddeshare.exe
+ 2004-08-04 05:00:00 30,208 ----a-w C:\WINDOWS\system32\ddeshare.exe
- 2004-08-04 05:00:00 89,600 ----a-w C:\WINDOWS\system32\dfrgfat.exe
+ 2004-08-04 05:00:00 82,432 ----a-w C:\WINDOWS\system32\dfrgfat.exe
- 2004-08-04 05:00:00 112,128 ----a-w C:\WINDOWS\system32\dfrgntfs.exe
+ 2004-08-04 05:00:00 104,960 ----a-w C:\WINDOWS\system32\dfrgntfs.exe
- 2004-08-04 05:00:00 92,672 ----a-w C:\WINDOWS\system32\diantz.exe
+ 2004-08-04 05:00:00 85,504 ----a-w C:\WINDOWS\system32\diantz.exe
- 2004-08-04 05:00:00 171,008 ----a-w C:\WINDOWS\system32\diskpart.exe
+ 2004-08-04 05:00:00 163,840 ----a-w C:\WINDOWS\system32\diskpart.exe
- 2004-08-04 05:00:00 25,088 ----a-w C:\WINDOWS\system32\diskperf.exe
+ 2004-08-04 05:00:00 17,920 ----a-w C:\WINDOWS\system32\diskperf.exe
+ 2001-08-17 22:36:42 55,296 ----a-w C:\WINDOWS\system32\dllcache\dvdplay.exe
+ 2004-08-04 00:56:50 193,024 ----a-w C:\WINDOWS\system32\dllcache\fsquirt.exe
+ 2004-08-04 00:56:52 152,576 ----a-w C:\WINDOWS\system32\dllcache\irftp.exe
- 2004-08-04 05:00:00 77,824 ----a-w C:\WINDOWS\system32\dllcache\odbcconf.exe
+ 2004-08-04 05:00:00 69,632 ----a-w C:\WINDOWS\system32\dllcache\odbcconf.exe
+ 2001-08-17 22:37:00 77,891 ----a-w C:\WINDOWS\system32\dllcache\usrmlnka.exe
+ 2001-08-17 22:37:00 61,508 ----a-w C:\WINDOWS\system32\dllcache\usrprbda.exe
+ 2001-08-17 22:37:00 69,700 ----a-w C:\WINDOWS\system32\dllcache\usrshuta.exe
- 2004-08-04 05:00:00 12,288 ----a-w C:\WINDOWS\system32\dllhost.exe
+ 2008-01-16 14:52:20 5,120 ----a-w C:\WINDOWS\system32\dllhost.exe
- 2004-08-04 05:00:00 11,776 ----a-w C:\WINDOWS\system32\dllhst3g.exe
+ 2004-08-04 05:00:00 4,608 ----a-w C:\WINDOWS\system32\dllhst3g.exe
- 2004-08-04 05:00:00 23,040 ----a-w C:\WINDOWS\system32\dmremote.exe
+ 2004-08-04 05:00:00 15,872 ----a-w C:\WINDOWS\system32\dmremote.exe
- 2004-08-04 05:00:00 17,920 ----a-w C:\WINDOWS\system32\doskey.exe
+ 2004-08-04 05:00:00 10,752 ----a-w C:\WINDOWS\system32\doskey.exe
- 2004-08-04 05:00:00 37,376 ----a-w C:\WINDOWS\system32\dplaysvr.exe
+ 2004-08-04 05:00:00 30,208 ----a-w C:\WINDOWS\system32\dplaysvr.exe
- 2004-08-04 05:00:00 90,624 ----a-w C:\WINDOWS\system32\dpvsetup.exe
+ 2004-08-04 05:00:00 83,456 ----a-w C:\WINDOWS\system32\dpvsetup.exe
+ 2007-10-31 13:41:16 110,096 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
+ 2007-12-19 14:49:38 194,832 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-12-13 13:28:40 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
- 2004-08-04 05:00:00 17,920 ----a-w C:\WINDOWS\system32\dumprep.exe
+ 2004-08-04 05:00:00 10,752 ----a-w C:\WINDOWS\system32\dumprep.exe
- 2004-08-04 05:00:00 62,464 ----a-w C:\WINDOWS\system32\dvdplay.exe
+ 2001-08-17 22:36:42 55,296 ----a-w C:\WINDOWS\system32\dvdplay.exe
- 2004-08-04 05:00:00 25,088 ----a-w C:\WINDOWS\system32\dvdupgrd.exe
+ 2004-08-04 05:00:00 17,920 ----a-w C:\WINDOWS\system32\dvdupgrd.exe
- 2004-08-04 05:00:00 188,416 ----a-w C:\WINDOWS\system32\dwwin.exe
+ 2004-08-04 05:00:00 180,224 ----a-w C:\WINDOWS\system32\dwwin.exe
- 2004-08-04 05:00:00 1,306,624 ----a-w C:\WINDOWS\system32\dxdiag.exe
+ 2004-08-04 05:00:00 1,298,432 ----a-w C:\WINDOWS\system32\dxdiag.exe
- 2004-08-04 05:00:00 46,592 ----a-w C:\WINDOWS\system32\esentutl.exe
+ 2004-08-04 05:00:00 39,424 ----a-w C:\WINDOWS\system32\esentutl.exe
- 2004-08-04 05:00:00 200,192 ----a-w C:\WINDOWS\system32\eudcedit.exe
+ 2004-08-04 05:00:00 193,024 ----a-w C:\WINDOWS\system32\eudcedit.exe
- 2004-08-04 05:00:00 15,872 ----a-w C:\WINDOWS\system32\eventvwr.exe
+ 2004-08-04 05:00:00 8,704 ----a-w C:\WINDOWS\system32\eventvwr.exe
- 2004-08-04 05:00:00 23,040 ----a-w C:\WINDOWS\system32\expand.exe
+ 2004-08-04 05:00:00 15,872 ----a-w C:\WINDOWS\system32\expand.exe
- 2004-08-04 05:00:00 52,736 ----a-w C:\WINDOWS\system32\extrac32.exe
+ 2004-08-04 05:00:00 45,568 ----a-w C:\WINDOWS\system32\extrac32.exe
- 2004-08-04 05:00:00 22,016 ----a-w C:\WINDOWS\system32\fc.exe
+ 2004-08-04 05:00:00 14,848 ----a-w C:\WINDOWS\system32\fc.exe
- 2004-08-04 05:00:00 16,384 ----a-w C:\WINDOWS\system32\find.exe
+ 2004-08-04 05:00:00 9,216 ----a-w C:\WINDOWS\system32\find.exe
- 2004-08-04 05:00:00 34,304 ----a-w C:\WINDOWS\system32\findstr.exe
+ 2004-08-04 05:00:00 27,136 ----a-w C:\WINDOWS\system32\findstr.exe
- 2004-08-04 05:00:00 16,384 ----a-w C:\WINDOWS\system32\finger.exe
+ 2004-08-04 05:00:00 9,216 ----a-w C:\WINDOWS\system32\finger.exe
- 2004-08-04 05:00:00 10,240 ----a-w C:\WINDOWS\system32\fixmapi.exe
+ 2004-08-04 05:00:00 3,072 ----a-w C:\WINDOWS\system32\fixmapi.exe
- 2006-08-21 09:14:58 30,208 ----a-w C:\WINDOWS\system32\fltMc.exe
+ 2006-08-21 09:14:58 23,040 ----a-w C:\WINDOWS\system32\fltmc.exe
- 2004-08-04 05:00:00 14,336 ----a-w C:\WINDOWS\system32\forcedos.exe
+ 2004-08-04 05:00:00 7,168 ----a-w C:\WINDOWS\system32\forcedos.exe
- 2004-08-04 05:00:00 62,464 ----a-w C:\WINDOWS\system32\freecell.exe
+ 2008-01-16 14:49:32 55,296 ----a-w C:\WINDOWS\system32\freecell.exe
- 2004-08-04 05:00:00 200,192 ----a-w C:\WINDOWS\system32\fsquirt.exe
+ 2004-08-04 00:56:50 193,024 ----a-w C:\WINDOWS\system32\fsquirt.exe
- 2004-08-04 05:00:00 63,488 ----a-w C:\WINDOWS\system32\fsutil.exe
+ 2004-08-04 05:00:00 56,320 ----a-w C:\WINDOWS\system32\fsutil.exe
- 2004-08-04 05:00:00 49,664 ----a-w C:\WINDOWS\system32\ftp.exe
+ 2004-08-04 05:00:00 42,496 ----a-w C:\WINDOWS\system32\ftp.exe
- 2004-08-04 05:00:00 150,528 ----a-w C:\WINDOWS\system32\fxsclnt.exe
+ 2004-08-04 05:00:00 143,360 ----a-w C:\WINDOWS\system32\fxsclnt.exe
- 2004-08-04 05:00:00 236,544 ----a-w C:\WINDOWS\system32\fxscover.exe
+ 2008-01-16 14:49:34 229,376 ----a-w C:\WINDOWS\system32\fxscover.exe
- 2004-08-04 05:00:00 18,432 ----a-w C:\WINDOWS\system32\fxssend.exe
+ 2008-01-16 14:49:32 11,264 ----a-w C:\WINDOWS\system32\fxssend.exe
- 2004-08-04 05:00:00 46,592 ----a-w C:\WINDOWS\system32\grpconv.exe
+ 2004-08-04 05:00:00 39,424 ----a-w C:\WINDOWS\system32\grpconv.exe
- 2004-08-04 05:00:00 22,016 ----a-w C:\WINDOWS\system32\help.exe
+ 2004-08-04 05:00:00 14,848 ----a-w C:\WINDOWS\system32\help.exe
- 2004-08-04 05:00:00 14,848 ----a-w C:\WINDOWS\system32\hostname.exe
+ 2004-08-04 05:00:00 7,680 ----a-w C:\WINDOWS\system32\hostname.exe
- 2004-08-04 05:00:00 41,472 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-01-16 14:52:24 34,304 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2004-08-04 05:00:00 121,856 ----a-w C:\WINDOWS\system32\iexpress.exe
+ 2004-08-04 05:00:00 114,688 ----a-w C:\WINDOWS\system32\iexpress.exe
- 2004-08-04 05:00:00 157,184 ----a-w C:\WINDOWS\system32\imapi.exe
+ 2008-01-16 14:49:34 150,016 ----a-w C:\WINDOWS\system32\imapi.exe
- 2004-08-04 05:00:00 62,976 ----a-w C:\WINDOWS\system32\ipconfig.exe
+ 2004-08-04 05:00:00 55,808 ----a-w C:\WINDOWS\system32\ipconfig.exe
- 2004-08-04 05:00:00 51,200 ----a-w C:\WINDOWS\system32\ipsec6.exe
+ 2004-08-04 05:00:00 44,032 ----a-w C:\WINDOWS\system32\ipsec6.exe
- 2004-08-04 05:00:00 60,416 ----a-w C:\WINDOWS\system32\ipv6.exe
+ 2004-08-04 05:00:00 53,248 ----a-w
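
Reading the snapshot section of the log above by hand is tedious, so here is an added example (not from this thread, and not ComboFix's own code) that parses the '-'/'+' pairs, rejoins an entry whose path was wrapped onto the following line (which happens in the posted log), and tallies the size changes. The sample input is constructed from a few lines of the log; the function names are my own. The log shows many system binaries whose new size is exactly 7,168 bytes smaller than the old one, and a number of them keep an identical timestamp; the thread does not say why, so the script only makes those patterns countable and leaves the interpretation to the helper.

```python
"""Parse the '-'/'+' snapshot section of a ComboFix log and summarise what changed.

Added example, not part of the posted log or of ComboFix itself.  The '-' line of
a pair is the file as it was at the earlier snapshot, the '+' line as it is now;
a '+' with no matching '-' is a file that did not exist at snapshot time.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of lines in the shape of the snapshot section,
# including one entry whose path was wrapped onto the next line (that happens
# in the posted log too).
SAMPLE_SNAPSHOT = r"""
- 2004-08-04 05:00:00 395,776 ----a-w C:\WINDOWS\system32\cmd.exe
+ 2008-01-16 14:49:32 388,608 ----a-w C:\WINDOWS\system32\cmd.exe
- 2004-08-04 05:00:00 16,384 ----a-w C:\WINDOWS\system32\find.exe
+ 2004-08-04 05:00:00 9,216 ----a-w C:\WINDOWS\system32\find.exe
- 2004-08-04 05:00:00 37,376 ----a-w
C:\WINDOWS\system32\ddeshare.exe
+ 2004-08-04 05:00:00 30,208 ----a-w C:\WINDOWS\system32\ddeshare.exe
+ 2007-12-19 14:49:38 194,832 ----a-w C:\WINDOWS\system32\drivers\klif.sys
- 2008-01-16 12:55:44 1,134,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-16 21:22:22 1,134,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
"""

# sign, "YYYY-MM-DD HH:MM:SS", size with thousands separators, attribute flags,
# and an optional path (absent when the line was wrapped).
ENTRY_RE = re.compile(
    r"^(?P<sign>[-+])\s+(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d[\d,]*)\s+(?P<attrs>[-a-z]+)(?:\s+(?P<path>\S.*?))?\s*$"
)


def parse_snapshot(text):
    """Return {path: {"old": (stamp, bytes) | None, "new": (stamp, bytes) | None}}."""
    files = defaultdict(lambda: {"old": None, "new": None})
    pending = None  # an entry whose path has not been seen yet
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = None
        if pending is not None:
            m = ENTRY_RE.match(pending + " " + line)  # rejoin a wrapped path
            pending = None
        if m is None or m["path"] is None:
            m = ENTRY_RE.match(line)
        if m is None:
            continue  # section banners, post headers and other non-entries
        if m["path"] is None:
            pending = line  # attrs present but no path: the path follows on the next line
            continue
        key = "old" if m["sign"] == "-" else "new"
        files[m["path"]][key] = (m["stamp"], int(m["size"].replace(",", "")))
    return dict(files)


def size_deltas(files):
    """New size minus old size, in bytes, for files present in both snapshots."""
    return {p: v["new"][1] - v["old"][1]
            for p, v in files.items() if v["old"] and v["new"]}


def most_common_delta(files):
    """(delta, count) for the non-zero size change shared by the most files."""
    counts = Counter(d for d in size_deltas(files).values() if d != 0)
    return counts.most_common(1)[0] if counts else (None, 0)


def changed_without_stamp_change(files):
    """Files whose size changed while the printed timestamp stayed identical."""
    return sorted(p for p, v in files.items()
                  if v["old"] and v["new"]
                  and v["old"][0] == v["new"][0]
                  and v["old"][1] != v["new"][1])


def new_files(files):
    """Files that have a '+' line but no '-' line."""
    return sorted(p for p, v in files.items() if v["new"] and not v["old"])


if __name__ == "__main__":
    parsed = parse_snapshot(SAMPLE_SNAPSHOT)
    delta, n = most_common_delta(parsed)
    if n:
        print(f"{n} files share a size change of {delta:+} bytes")
    for p in changed_without_stamp_change(parsed):
        print("size changed, timestamp unchanged:", p)
    for p in new_files(parsed):
        print("new since snapshot:", p)
```

To run it over the real thing, paste everything from the snapshot@... banner to the end of the log into a file and pass its contents to parse_snapshot in place of the sample. The three summary functions are deliberately separate: a shared non-zero delta across many binaries, a size change with no timestamp change, and files that are new since the snapshot are three different questions, and on this log the first two have the same answer set while the third picks out the Kaspersky drivers.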

Lazyjim77
2008-01-16, 23:53
C:\WINDOWS\system32\ipv6.exe
- 2004-08-04 05:00:00 30,720 ----a-w C:\WINDOWS\system32\ipxroute.exe
+ 2004-08-04 05:00:00 23,552 ----a-w C:\WINDOWS\system32\ipxroute.exe
- 2004-08-04 00:56:52 159,744 ----a-w C:\WINDOWS\system32\irftp.exe
+ 2004-08-04 00:56:52 152,576 ----a-w C:\WINDOWS\system32\irftp.exe
- 2007-03-14 00:31:24 143,360 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-01-16 14:52:30 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-03-14 00:31:28 143,360 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-01-16 21:02:20 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-03-14 02:04:46 147,456 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-01-16 21:02:22 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2004-08-04 05:00:00 16,896 ----a-w C:\WINDOWS\system32\label.exe
+ 2004-08-04 05:00:00 9,728 ----a-w C:\WINDOWS\system32\label.exe
- 2004-08-04 05:00:00 36,864 ----a-w C:\WINDOWS\system32\lights.exe
+ 2004-08-04 05:00:00 29,696 ----a-w C:\WINDOWS\system32\lights.exe
- 2004-08-04 05:00:00 32,256 ----a-w C:\WINDOWS\system32\lnkstub.exe
+ 2004-08-04 05:00:00 25,088 ----a-w C:\WINDOWS\system32\lnkstub.exe
- 2004-08-04 05:00:00 12,288 ----a-w C:\WINDOWS\system32\lodctr.exe
+ 2004-08-04 05:00:00 5,120 ----a-w C:\WINDOWS\system32\lodctr.exe
- 2004-08-04 05:00:00 521,728 ----a-w C:\WINDOWS\system32\logonui.exe
+ 2008-01-16 14:49:44 514,560 ----a-w C:\WINDOWS\system32\logonui.exe
- 2004-08-04 05:00:00 13,312 ----a-w C:\WINDOWS\system32\lpq.exe
+ 2004-08-04 05:00:00 6,144 ----a-w C:\WINDOWS\system32\lpq.exe
- 2004-08-04 05:00:00 15,360 ----a-w C:\WINDOWS\system32\lpr.exe
+ 2004-08-04 05:00:00 8,192 ----a-w C:\WINDOWS\system32\lpr.exe
- 2004-08-04 05:00:00 79,872 ----a-w C:\WINDOWS\system32\magnify.exe
+ 2008-01-16 14:49:36 72,704 ----a-w C:\WINDOWS\system32\magnify.exe
- 2004-08-04 05:00:00 92,672 ----a-w C:\WINDOWS\system32\makecab.exe
+ 2004-08-04 05:00:00 85,504 ----a-w C:\WINDOWS\system32\makecab.exe
- 2004-08-04 05:00:00 150,528 ----a-w C:\WINDOWS\system32\mobsync.exe
+ 2008-01-16 14:49:38 143,360 ----a-w C:\WINDOWS\system32\mobsync.exe
- 2004-08-04 05:00:00 15,360 ----a-w C:\WINDOWS\system32\mountvol.exe
+ 2004-08-04 05:00:00 8,192 ----a-w C:\WINDOWS\system32\mountvol.exe
- 2004-08-04 05:00:00 29,184 ----a-w C:\WINDOWS\system32\mpnotify.exe
+ 2004-08-04 05:00:00 22,016 ----a-w C:\WINDOWS\system32\mpnotify.exe
- 2004-08-04 05:00:00 19,968 ----a-w C:\WINDOWS\system32\mrinfo.exe
+ 2004-08-04 05:00:00 12,800 ----a-w C:\WINDOWS\system32\mrinfo.exe
- 2004-08-04 05:00:00 28,160 ----a-w C:\WINDOWS\system32\msg.exe
+ 2004-08-04 05:00:00 20,992 ----a-w C:\WINDOWS\system32\msg.exe
- 2004-08-04 05:00:00 134,144 ----a-w C:\WINDOWS\system32\mshearts.exe
+ 2008-01-16 14:49:38 126,976 ----a-w C:\WINDOWS\system32\mshearts.exe
- 2005-05-03 12:58:36 86,016 ----a-w C:\WINDOWS\system32\msiexec.exe
+ 2008-01-16 14:49:40 78,848 ----a-w C:\WINDOWS\system32\msiexec.exe
- 2004-08-04 05:00:00 350,208 ----a-w C:\WINDOWS\system32\mspaint.exe
+ 2008-01-16 14:49:48 343,040 ----a-w C:\WINDOWS\system32\mspaint.exe
- 2004-08-04 05:00:00 13,824 ----a-w C:\WINDOWS\system32\msswchx.exe
+ 2004-08-04 05:00:00 6,656 ----a-w C:\WINDOWS\system32\msswchx.exe
- 2004-08-04 05:00:00 49,664 ----a-w C:\WINDOWS\system32\net.exe
+ 2004-08-04 05:00:00 42,496 ----a-w C:\WINDOWS\system32\net.exe
- 2004-08-04 05:00:00 132,096 ----a-w C:\WINDOWS\system32\net1.exe
+ 2004-08-04 05:00:00 124,928 ----a-w C:\WINDOWS\system32\net1.exe
- 2004-08-04 05:00:00 338,944 ----a-w C:\WINDOWS\system32\netsetup.exe
+ 2004-08-04 05:00:00 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
- 2004-08-04 05:00:00 93,184 ----a-w C:\WINDOWS\system32\netsh.exe
+ 2004-08-04 05:00:00 86,016 ----a-w C:\WINDOWS\system32\netsh.exe
- 2004-08-04 05:00:00 44,032 ----a-w C:\WINDOWS\system32\netstat.exe
+ 2004-08-04 05:00:00 36,864 ----a-w C:\WINDOWS\system32\netstat.exe
- 2004-08-04 05:00:00 83,968 ----a-w C:\WINDOWS\system32\nslookup.exe
+ 2004-08-04 05:00:00 76,800 ----a-w C:\WINDOWS\system32\nslookup.exe
- 2004-08-04 05:00:00 77,824 ----a-w C:\WINDOWS\system32\odbcconf.exe
+ 2004-08-04 05:00:00 69,632 ----a-w C:\WINDOWS\system32\odbcconf.exe
- 2004-08-04 05:00:00 47,616 ----a-w C:\WINDOWS\system32\osuninst.exe
+ 2004-08-04 05:00:00 40,448 ----a-w C:\WINDOWS\system32\osuninst.exe
- 2004-08-04 05:00:00 28,672 ----a-w C:\WINDOWS\system32\pathping.exe
+ 2004-08-04 05:00:00 21,504 ----a-w C:\WINDOWS\system32\pathping.exe
- 2004-08-04 05:00:00 25,088 ----a-w C:\WINDOWS\system32\ping.exe
+ 2004-08-04 05:00:00 17,920 ----a-w C:\WINDOWS\system32\ping.exe
- 2004-08-04 05:00:00 40,448 ----a-w C:\WINDOWS\system32\ping6.exe
+ 2004-08-04 05:00:00 33,280 ----a-w C:\WINDOWS\system32\ping6.exe
- 2004-08-04 05:00:00 56,320 ----a-w C:\WINDOWS\system32\powercfg.exe
+ 2004-08-04 05:00:00 49,152 ----a-w C:\WINDOWS\system32\powercfg.exe
- 2004-08-04 05:00:00 57,344 ----a-w C:\WINDOWS\system32\proquota.exe
+ 2004-08-04 05:00:00 50,176 ----a-w C:\WINDOWS\system32\proquota.exe
- 2004-08-04 05:00:00 16,384 ----a-w C:\WINDOWS\system32\proxycfg.exe
+ 2004-08-04 05:00:00 9,216 ----a-w C:\WINDOWS\system32\proxycfg.exe
- 2004-08-04 05:00:00 24,064 ----a-w C:\WINDOWS\system32\qappsrv.exe
+ 2004-08-04 05:00:00 16,896 ----a-w C:\WINDOWS\system32\qappsrv.exe
- 2004-08-04 05:00:00 27,648 ----a-w C:\WINDOWS\system32\qprocess.exe
+ 2004-08-04 05:00:00 20,480 ----a-w C:\WINDOWS\system32\qprocess.exe
- 2004-08-04 05:00:00 29,184 ----a-w C:\WINDOWS\system32\qwinsta.exe
+ 2004-08-04 05:00:00 22,016 ----a-w C:\WINDOWS\system32\qwinsta.exe
- 2004-08-04 05:00:00 18,944 ----a-w C:\WINDOWS\system32\rasautou.exe
+ 2004-08-04 05:00:00 11,776 ----a-w C:\WINDOWS\system32\rasautou.exe
- 2004-08-04 05:00:00 28,672 ----a-w C:\WINDOWS\system32\rcp.exe
+ 2004-08-04 05:00:00 21,504 ----a-w C:\WINDOWS\system32\rcp.exe
- 2004-08-04 05:00:00 69,632 ----a-w C:\WINDOWS\system32\rdpclip.exe
+ 2004-08-04 05:00:00 62,464 ----a-w C:\WINDOWS\system32\rdpclip.exe
- 2004-08-04 05:00:00 20,992 ----a-w C:\WINDOWS\system32\rdsaddin.exe
+ 2004-08-04 05:00:00 13,824 ----a-w C:\WINDOWS\system32\rdsaddin.exe
- 2004-08-04 05:00:00 74,240 ----a-w C:\WINDOWS\system32\rdshost.exe
+ 2004-08-04 05:00:00 67,072 ----a-w C:\WINDOWS\system32\rdshost.exe
- 2004-08-04 05:00:00 14,336 ----a-w C:\WINDOWS\system32\recover.exe
+ 2004-08-04 05:00:00 7,168 ----a-w C:\WINDOWS\system32\recover.exe
- 2004-08-04 05:00:00 57,344 ----a-w C:\WINDOWS\system32\reg.exe
+ 2004-08-04 05:00:00 50,176 ----a-w C:\WINDOWS\system32\reg.exe
- 2004-08-04 05:00:00 10,752 ----a-w C:\WINDOWS\system32\regedt32.exe
+ 2004-08-04 05:00:00 3,584 ----a-w C:\WINDOWS\system32\regedt32.exe
- 2004-08-04 05:00:00 40,960 ----a-w C:\WINDOWS\system32\regini.exe
+ 2004-08-04 05:00:00 33,792 ----a-w C:\WINDOWS\system32\regini.exe
- 2004-08-04 05:00:00 11,776 ----a-w C:\WINDOWS\system32\regwiz.exe
+ 2004-08-04 05:00:00 4,608 ----a-w C:\WINDOWS\system32\regwiz.exe
- 2004-08-04 05:00:00 19,968 ----a-w C:\WINDOWS\system32\replace.exe
+ 2004-08-04 05:00:00 12,800 ----a-w C:\WINDOWS\system32\replace.exe
- 2004-08-04 05:00:00 16,896 ----a-w C:\WINDOWS\system32\reset.exe
+ 2004-08-04 05:00:00 9,728 ----a-w C:\WINDOWS\system32\reset.exe
- 2004-08-04 05:00:00 387,584 ----a-w C:\WINDOWS\system32\Restore\rstrui.exe
+ 2008-01-16 14:50:24 380,416 ----a-w C:\WINDOWS\system32\Restore\rstrui.exe
- 2004-08-04 05:00:00 20,992 ----a-w C:\WINDOWS\system32\rexec.exe
+ 2004-08-04 05:00:00 13,824 ----a-w C:\WINDOWS\system32\rexec.exe
- 2004-08-04 05:00:00 27,136 ----a-w C:\WINDOWS\system32\route.exe
+ 2004-08-04 05:00:00 19,968 ----a-w C:\WINDOWS\system32\route.exe
- 2004-08-04 05:00:00 32,768 ----a-w C:\WINDOWS\system32\routemon.exe
+ 2004-08-04 05:00:00 25,600 ----a-w C:\WINDOWS\system32\routemon.exe
- 2004-08-04 05:00:00 22,016 ----a-w C:\WINDOWS\system32\rsh.exe
+ 2004-08-04 05:00:00 14,848 ----a-w C:\WINDOWS\system32\rsh.exe
- 2004-08-04 05:00:00 56,320 ----a-w C:\WINDOWS\system32\rsm.exe
+ 2004-08-04 05:00:00 49,152 ----a-w C:\WINDOWS\system32\rsm.exe
- 2004-08-04 05:00:00 31,744 ----a-w C:\WINDOWS\system32\rsmsink.exe
+ 2004-08-04 05:00:00 24,576 ----a-w C:\WINDOWS\system32\rsmsink.exe
- 2004-08-04 05:00:00 56,320 ----a-w C:\WINDOWS\system32\rsmui.exe
+ 2004-08-04 05:00:00 49,152 ----a-w C:\WINDOWS\system32\rsmui.exe
- 2004-08-04 05:00:00 84,480 ----a-w C:\WINDOWS\system32\rtcshare.exe
+ 2004-08-04 05:00:00 77,312 ----a-w C:\WINDOWS\system32\rtcshare.exe
- 2004-08-04 05:00:00 23,552 ----a-w C:\WINDOWS\system32\runas.exe
+ 2004-08-04 05:00:00 16,384 ----a-w C:\WINDOWS\system32\runas.exe
+ 2004-08-04 05:00:00 33,280 ----a-w C:\WINDOWS\system32\rundll32.exe
- 2004-08-04 05:00:00 21,504 ----a-w C:\WINDOWS\system32\runonce.exe
+ 2004-08-04 05:00:00 14,336 ----a-w C:\WINDOWS\system32\runonce.exe
- 2004-08-04 05:00:00 23,040 ----a-w C:\WINDOWS\system32\rwinsta.exe
+ 2004-08-04 05:00:00 15,872 ----a-w C:\WINDOWS\system32\rwinsta.exe
- 2004-08-04 05:00:00 20,480 ----a-w C:\WINDOWS\system32\savedump.exe
+ 2004-08-04 05:00:00 13,312 ----a-w C:\WINDOWS\system32\savedump.exe
- 2004-08-04 05:00:00 38,400 ----a-w C:\WINDOWS\system32\sc.exe
+ 2004-08-04 05:00:00 31,232 ----a-w C:\WINDOWS\system32\sc.exe
- 2004-08-04 05:00:00 16,384 ----a-w C:\WINDOWS\system32\scrnsave.scr
+ 2004-08-04 05:00:00 9,216 ----a-w C:\WINDOWS\system32\scrnsave.scr
- 2004-08-04 05:00:00 84,480 ----a-w C:\WINDOWS\system32\sdbinst.exe
+ 2004-08-04 05:00:00 77,312 ----a-w C:\WINDOWS\system32\sdbinst.exe
- 2004-08-04 05:00:00 38,400 ----a-w C:\WINDOWS\system32\sethc.exe
+ 2004-08-04 05:00:00 31,232 ----a-w C:\WINDOWS\system32\sethc.exe
- 2004-08-04 05:00:00 30,208 ----a-w C:\WINDOWS\system32\setup.exe
+ 2004-08-03 22:00:00 23,040 ----a-w C:\WINDOWS\system32\setup.exe
- 2004-08-04 05:00:00 22,016 ----a-w C:\WINDOWS\system32\shadow.exe
+ 2004-08-04 05:00:00 14,848 ----a-w C:\WINDOWS\system32\shadow.exe
- 2004-08-04 05:00:00 84,992 ----a-w C:\WINDOWS\system32\shrpubw.exe
+ 2004-08-04 05:00:00 77,824 ----a-w C:\WINDOWS\system32\shrpubw.exe
- 2004-08-04 05:00:00 26,624 ----a-w C:\WINDOWS\system32\shutdown.exe
+ 2004-08-04 05:00:00 19,456 ----a-w C:\WINDOWS\system32\shutdown.exe
- 2004-08-04 05:00:00 77,312 ----a-w C:\WINDOWS\system32\sigverif.exe
+ 2004-08-04 05:00:00 70,144 ----a-w C:\WINDOWS\system32\sigverif.exe
- 2004-08-04 05:00:00 33,280 ----a-w C:\WINDOWS\system32\skeys.exe
+ 2004-08-04 05:00:00 26,112 ----a-w C:\WINDOWS\system32\skeys.exe
- 2004-08-04 05:00:00 15,360 ----a-w C:\WINDOWS\system32\smbinst.exe
+ 2004-08-04 05:00:00 8,192 ----a-w C:\WINDOWS\system32\smbinst.exe
- 2004-08-04 05:00:00 30,720 ----a-w C:\WINDOWS\system32\sort.exe
+ 2004-08-04 05:00:00 23,552 ----a-w C:\WINDOWS\system32\sort.exe
- 2004-08-04 05:00:00 18,944 ----a-w C:\WINDOWS\system32\spnpinst.exe
+ 2004-08-04 05:00:00 11,776 ----a-w C:\WINDOWS\system32\spnpinst.exe
- 2004-08-04 05:00:00 712,704 ----a-w C:\WINDOWS\system32\ss3dfo.scr
+ 2004-08-04 05:00:00 704,512 ----a-w C:\WINDOWS\system32\ss3dfo.scr
- 2004-08-04 05:00:00 27,136 ----a-w C:\WINDOWS\system32\ssbezier.scr
+ 2004-08-04 05:00:00 19,968 ----a-w C:\WINDOWS\system32\ssbezier.scr
- 2004-08-04 05:00:00 401,408 ----a-w C:\WINDOWS\system32\ssflwbox.scr
+ 2004-08-04 05:00:00 393,216 ----a-w C:\WINDOWS\system32\ssflwbox.scr
- 2004-08-04 05:00:00 28,160 ----a-w C:\WINDOWS\system32\ssmarque.scr
+ 2004-08-04 05:00:00 20,992 ----a-w C:\WINDOWS\system32\ssmarque.scr
- 2004-08-04 05:00:00 54,272 ----a-w C:\WINDOWS\system32\ssmypics.scr
+ 2004-08-04 05:00:00 47,104 ----a-w C:\WINDOWS\system32\ssmypics.scr
- 2004-08-04 05:00:00 26,112 ----a-w C:\WINDOWS\system32\ssmyst.scr
+ 2004-08-04 05:00:00 18,944 ----a-w C:\WINDOWS\system32\ssmyst.scr
- 2004-08-04 05:00:00 618,496 ----a-w C:\WINDOWS\system32\sspipes.scr
+ 2004-08-04 05:00:00 610,304 ----a-w C:\WINDOWS\system32\sspipes.scr
- 2004-08-04 05:00:00 21,504 ----a-w C:\WINDOWS\system32\ssstars.scr
+ 2004-08-04 05:00:00 14,336 ----a-w C:\WINDOWS\system32\ssstars.scr
- 2004-08-04 05:00:00 688,128 ----a-w C:\WINDOWS\system32\sstext3d.scr
+ 2004-08-04 05:00:00 679,936 ----a-w C:\WINDOWS\system32\sstext3d.scr
- 2004-08-04 05:00:00 22,016 ----a-w C:\WINDOWS\system32\stimon.exe
+ 2004-08-04 05:00:00 14,848 ----a-w C:\WINDOWS\system32\stimon.exe
- 2000-08-31 08:00:00 163,840 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 08:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
- 2000-08-31 08:00:00 144,896 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2008-01-16 20:50:34 137,728 ----a-w C:\WINDOWS\system32\swsc.exe
- 2000-08-31 08:00:00 219,648 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2008-01-16 20:50:34 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
- 2004-08-04 05:00:00 58,368 ----a-w C:\WINDOWS\system32\syncapp.exe
+ 2004-08-04 05:00:00 51,200 ----a-w C:\WINDOWS\system32\syncapp.exe
- 2004-08-04 05:00:00 44,032 ----a-w C:\WINDOWS\system32\syskey.exe
+ 2004-08-04 05:00:00 36,864 ----a-w C:\WINDOWS\system32\syskey.exe
- 2004-08-04 05:00:00 113,152 ----a-w C:\WINDOWS\system32\sysocmgr.exe
+ 2004-08-04 05:00:00 105,984 ----a-w C:\WINDOWS\system32\sysocmgr.exe
- 2004-08-04 05:00:00 142,848 ----a-w C:\WINDOWS\system32\taskmgr.exe
+ 2004-08-04 05:00:00 135,680 ----a-w C:\WINDOWS\system32\taskmgr.exe
- 2004-08-04 05:00:00 19,456 ----a-w C:\WINDOWS\system32\tcmsetup.exe
+ 2004-08-04 05:00:00 12,288 ----a-w C:\WINDOWS\system32\tcmsetup.exe
- 2004-08-04 05:00:00 26,624 ----a-w C:\WINDOWS\system32\tcpsvcs.exe
+ 2004-08-04 05:00:00 19,456 ----a-w C:\WINDOWS\system32\tcpsvcs.exe
- 2004-08-04 05:00:00 24,064 ----a-w C:\WINDOWS\system32\tftp.exe
+ 2004-08-04 05:00:00 16,896 ----a-w C:\WINDOWS\system32\tftp.exe
- 2004-08-04 05:00:00 19,456 ----a-w C:\WINDOWS\system32\tracert.exe
+ 2004-08-04 05:00:00 12,288 ----a-w C:\WINDOWS\system32\tracert.exe
- 2004-08-04 05:00:00 38,912 ----a-w C:\WINDOWS\system32\tracert6.exe
+ 2004-08-04 05:00:00 31,744 ----a-w C:\WINDOWS\system32\tracert6.exe
- 2004-08-04 05:00:00 22,016 ----a-w C:\WINDOWS\system32\tscon.exe
+ 2004-08-04 05:00:00 14,848 ----a-w C:\WINDOWS\system32\tscon.exe
- 2004-08-04 05:00:00 51,712 ----a-w C:\WINDOWS\system32\tscupgrd.exe
+ 2004-08-04 05:00:00 44,544 ----a-w C:\WINDOWS\system32\tscupgrd.exe
- 2004-08-04 05:00:00 22,016 ----a-w C:\WINDOWS\system32\tsdiscon.exe
+ 2004-08-04 05:00:00 14,848 ----a-w C:\WINDOWS\system32\tsdiscon.exe
- 2004-08-04 05:00:00 23,552 ----a-w C:\WINDOWS\system32\tskill.exe
+ 2004-08-04 05:00:00 16,384 ----a-w C:\WINDOWS\system32\tskill.exe
- 2004-08-04 05:00:00 24,064 ----a-w C:\WINDOWS\system32\tsshutdn.exe
+ 2004-08-04 05:00:00 16,896 ----a-w C:\WINDOWS\system32\tsshutdn.exe
- 2007-11-13 11:31:12 67,584 ------w C:\WINDOWS\system32\tzchange.exe
+ 2008-01-16 21:04:06 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
- 2004-08-04 05:00:00 11,264 ----a-w C:\WINDOWS\system32\unlodctr.exe
+ 2004-08-04 05:00:00 4,096 ----a-w C:\WINDOWS\system32\unlodctr.exe
- 2004-08-04 05:00:00 24,064 ----a-w C:\WINDOWS\system32\upnpcont.exe
+ 2004-08-04 05:00:00 16,896 ----a-w C:\WINDOWS\system32\upnpcont.exe
- 2004-08-04 05:00:00 247,296 ----a-w C:\WINDOWS\system32\usmt\migwiz.exe
+ 2008-01-16 14:50:38 240,128 ----a-w C:\WINDOWS\system32\usmt\migwiz.exe
- 2004-08-04 05:00:00 86,083 ----a-w C:\WINDOWS\system32\usrmlnka.exe
+ 2001-08-17 22:37:00 77,891 ----a-w C:\WINDOWS\system32\usrmlnka.exe
- 2004-08-04 05:00:00 69,700 ----a-w C:\WINDOWS\system32\usrprbda.exe
+ 2001-08-17 22:37:00 61,508 ----a-w C:\WINDOWS\system32\usrprbda.exe
- 2004-08-04 05:00:00 77,892 ----a-w C:\WINDOWS\system32\usrshuta.exe
+ 2001-08-17 22:37:00 69,700 ----a-w C:\WINDOWS\system32\usrshuta.exe
- 2004-08-04 05:00:00 105,472 ----a-w C:\WINDOWS\system32\verifier.exe
+ 2004-08-04 05:00:00 98,304 ----a-w C:\WINDOWS\system32\verifier.exe
- 2000-08-31 08:00:00 60,996 ----a-w C:\WINDOWS\system32\VFind.exe
+ 2008-01-16 20:51:06 53,248 ----a-w C:\WINDOWS\system32\VFind.exe
- 2004-08-04 05:00:00 56,832 ----a-w C:\WINDOWS\system32\w32tm.exe
+ 2004-08-04 05:00:00 49,664 ----a-w C:\WINDOWS\system32\w32tm.exe
- 2004-08-04 05:00:00 126,464 ----a-w C:\WINDOWS\system32\wbem\wmiapsrv.exe
+ 2008-01-16 14:52:22 126,464 ----a-w C:\WINDOWS\system32\wbem\wmiapsrv.exe
- 2004-08-04 05:00:00 225,280 ----a-w C:\WINDOWS\system32\wbem\wmiprvse.exe
+ 2008-01-16 15:08:14 218,112 ----a-w C:\WINDOWS\system32\wbem\wmiprvse.exe
- 2004-08-04 05:00:00 72,704 ----a-w C:\WINDOWS\system32\wextract.exe
+ 2004-08-04 05:00:00 65,536 ----a-w C:\WINDOWS\system32\wextract.exe
- 2004-08-04 05:00:00 126,976 ----a-w C:\WINDOWS\system32\winmine.exe
+ 2008-01-16 14:50:56 119,808 ----a-w C:\WINDOWS\system32\winmine.exe
- 2004-08-04 05:00:00 12,800 ----a-w C:\WINDOWS\system32\winver.exe
+ 2004-08-04 05:00:00 5,632 ----a-w C:\WINDOWS\system32\winver.exe
- 2004-08-04 05:00:00 39,424 ----a-w C:\WINDOWS\system32\wpabaln.exe
+ 2004-08-04 05:00:00 32,256 ----a-w C:\WINDOWS\system32\wpabaln.exe
- 2004-08-04 05:00:00 12,800 ----a-w C:\WINDOWS\system32\write.exe
+ 2004-08-04 05:00:00 5,632 ----a-w C:\WINDOWS\system32\write.exe
- 2004-08-04 05:00:00 37,888 ----a-w C:\WINDOWS\system32\xcopy.exe
+ 2004-08-04 05:00:00 30,720 ----a-w C:\WINDOWS\system32\xcopy.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2008-01-16 15:08 43008]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-16 14:48 483328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-08 22:25 185632]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-12-18 00:43 227856]

C:\Documents and Settings\James\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk.disabled [2007-03-18 16:38:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"emMON"=HCWemMON.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{562eb472-dea2-11db-b093-0016cf4b55e5}]
\Shell\AutoRun\command - F:\Startup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 12:18:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 21:37:24
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 21:40:42
ComboFix-quarantined-files.txt 2008-01-16 21:40:38
ComboFix2.txt 2008-01-16 14:04:44
.
2008-01-15 13:54:31 --- E O F ---

Lazyjim77
2008-01-17, 00:04
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:03:47, on 16/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - Startup: OpenOffice.org 2.1.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 5417 bytes

Shaba
2008-01-17, 12:16
Hi

Run a scan with Kaspersky and post back its findings along with a fresh HijackThis log, please :)

Lazyjim77
2008-01-20, 02:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:57:23, on 19/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - Startup: OpenOffice.org 2.1.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 5365 bytes


The Kaspersky Scan is absolutely huge and will need 20+ posts to put it up...

Shaba
2008-01-20, 12:18
Hi

Try to remove all entries with "object locked skipped".

If that doesn't help, upload it to e.g. rapidshare.com and post back the link here, please :)

Lazyjim77
2008-01-20, 12:53
The Kaspersky AV Scan

http://rapidshare.de/files/38355847/Kaspersky_Scan.txt.html

Shaba
2008-01-20, 13:11
Hi

Doesn't look very promising, as you have some Virut there. Hopefully Kaspersky can disinfect it properly, or you might end up formatting.

Scan again with Kaspersky and post back a fresh Kaspersky report.

Shaba
2008-01-25, 11:41
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.