Virtumonde? Can't fix this stubborn thing!



kissels
2008-05-12, 21:38
My son (soon to be grounded) has done it this time. His computer (w/ Windows XP Home, Service Pack 2) is infected with a number of viruses, including (I believe) Virtumonde. I've run a few antispyware programs as well as Norton Antivirus; Spybot finds them, cleans everything up, and then they all reappear in a matter of minutes. Task Manager is disabled; the desktop wallpaper is a virus warning to download some fake antivirus software, some antivirus websites won't come up, pop-ups for antivirus software and internet sites for other things are connected to automatically every few minutes, and more.

Here's what I've done so far.... I've run HijackThis and deleted a few malicious items, then on the advice of another website (prior to reading the sticky notes here unfortunately), 1) ran ATF Cleaner, 2) ran ComboFix, and 3) re-ran HJT.

I've NEVER encountered something this stubborn! Please HELP!

Here is 1) the ComboFix log and 2) the latest HJT log, color is to simply help you differentiate:

COMBOFIX:
ComboFix 08-05-11.1 - Compaq_Owner 2008-05-12 12:17:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.106 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\ISM
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\ntnut.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\ipttowsq.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nWGNnUvw.ini
C:\WINDOWS\system32\nWGNnUvw.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\QpAdKkkj.ini
C:\WINDOWS\system32\QpAdKkkj.ini2
C:\WINDOWS\system32\qsYJmUtv.ini
C:\WINDOWS\system32\qsYJmUtv.ini2
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\TtvyyGgh.ini
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\ycpndrut.ini2
C:\WINDOWS\system32\ycpndrut.tmp
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
hxxp://80.93.48.89
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 11:17 . 2008-05-12 11:17 83,008 --a------ C:\WINDOWS\system32\turdnpcy.dll
2008-05-12 11:13 . 2008-05-12 11:13 98,896 --a------ C:\WINDOWS\system32\ihuelyrg.dll
2008-05-12 11:13 . 2008-05-12 11:13 90,176 --a------ C:\WINDOWS\system32\weeaptot.dll
2008-05-12 11:13 . 2008-05-12 11:13 2,048 --a------ C:\WINDOWS\system32\thsokury.exe
2008-05-12 08:19 . 2008-05-12 08:19 <DIR> d-------- C:\VundoFix Backups
2008-05-12 08:08 . 2008-05-12 08:08 98,896 --a------ C:\WINDOWS\system32\ijgpcops.dll
2008-05-12 08:06 . 2008-05-12 08:06 90,176 --a------ C:\WINDOWS\system32\pjdjuvje.dll
2008-05-12 08:06 . 2008-05-12 08:06 83,008 --a------ C:\WINDOWS\system32\qswottpi.dll
2008-05-12 08:06 . 2008-05-12 08:06 2,048 --a------ C:\WINDOWS\system32\ecdmhspm.exe
2008-05-12 08:03 . 2008-05-12 08:03 98,896 --a------ C:\WINDOWS\system32\pshjimmt.dll
2008-05-12 08:01 . 2008-05-12 09:44 109,848 --a------ C:\WINDOWS\BM1f2566df.xml
2008-05-12 08:01 . 2008-05-12 08:01 90,176 --a------ C:\WINDOWS\system32\yiicwuuc.dll
2008-05-12 08:01 . 2008-05-12 08:01 2,048 --a------ C:\WINDOWS\system32\jbjhtixs.exe
2008-05-11 22:36 . 2008-05-12 11:08 324 --a------ C:\WINDOWS\wininit.ini
2008-05-11 21:54 . 2008-05-11 21:54 316,464 --a------ C:\WINDOWS\system32\wvUnNGWn.dll_old
2008-05-11 21:43 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-11 21:43 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-11 21:43 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-11 12:35 . 2008-05-11 12:35 316,464 --a------ C:\WINDOWS\system32\vtUmJYsq.dll_old
2008-05-11 12:31 . 2008-05-11 12:31 <DIR> d-------- C:\WINDOWS\system32\dFrnx06
2008-05-11 12:31 . 2008-05-11 12:31 <DIR> d-------- C:\temp\tmpvc14
2008-05-11 12:31 . 2008-05-11 12:31 578 --a------ C:\WINDOWS\index.html
2008-05-11 12:29 . 2008-05-11 12:29 25,728 --a------ C:\WINDOWS\system32\ssqNEwTk.dll
2008-05-11 12:29 . 2008-05-11 12:29 25,600 --a------ C:\WINDOWS\b2new.exe
2008-05-10 22:37 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-05-10 22:36 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-05-10 22:36 . 2003-11-04 15:11 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
2008-05-10 22:36 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-05-03 20:49 . 2008-05-03 20:49 244 --ah----- C:\sqmnoopt15.sqm
2008-05-03 20:49 . 2008-05-03 20:49 244 --ah----- C:\sqmnoopt14.sqm
2008-05-03 20:49 . 2008-05-03 20:49 244 --ah----- C:\sqmnoopt13.sqm
2008-05-03 20:49 . 2008-05-03 20:49 232 --ah----- C:\sqmdata15.sqm
2008-05-03 20:49 . 2008-05-03 20:49 232 --ah----- C:\sqmdata14.sqm
2008-05-03 20:49 . 2008-05-03 20:49 232 --ah----- C:\sqmdata13.sqm
2008-04-26 14:18 . 2008-04-26 14:18 <DIR> d-------- C:\WINDOWS\system32\pnVes06
2008-04-26 14:18 . 2008-04-26 14:18 <DIR> d-------- C:\temp\zvebs14

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 17:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-12 12:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 03:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-12 02:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-12 02:40 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-12 02:40 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-12 02:40 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-12 02:40 --------- d-----w C:\Program Files\Symantec
2008-05-12 02:39 --------- d-----w C:\Program Files\Norton Internet Security
2008-05-11 16:29 3,694 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2008-03-30 23:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 21:25 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\PlayFirst
2008-03-30 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-03-30 21:23 --------- d-----w C:\Program Files\Shockwave.com
2008-03-24 01:43 --------- d-----w C:\Program Files\The Weather Channel FW
2008-03-21 16:40 --------- d-----w C:\Program Files\echospin
2008-03-21 16:37 15,172 ----a-w C:\WINDOWS\system32\drivers\PzWDM.sys
2005-10-12 15:23 355,488 --sha-w C:\WINDOWS\system\pxelitu.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11000AE4-6CED-4A34-A393-C8D326E499A0}]
C:\WINDOWS\system32\vtUmJYsq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48D20AC5-51D5-470D-B466-7099D791C73E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9b09d5b1-0970-46dd-9e04-a3bfb2df0bdd}]
2008-05-12 11:13 98896 --a------ C:\WINDOWS\system32\ihuelyrg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA54DB4A-186C-4138-B8C1-D659612E4AC0}]
2008-05-12 12:43 314480 --a------ C:\WINDOWS\system32\qoMgdcyY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
2008-05-11 12:29 25728 --a------ C:\WINDOWS\system32\ssqNEwTk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D562B55A-99DF-4076-8BF8-E4477D7FA851}]
C:\WINDOWS\system32\jkkKdApQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [ ]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-12-20 08:10 715888]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 08:24 68856]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-04-10 10:15 868352]
"CreativeTaskScheduler"="C:\Program Files\Creative\Shared Files\CTSched.exe" [2006-11-17 04:42 53341]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Creative Software Update"="C:\Program Files\Creative\Shared Files\Software Update\AutoUpdate.exe" [2007-01-04 16:18 481200]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 11:04 52736]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 15:43 233472]
"SiSPower"="SiSPower.dll" [2005-04-12 11:31 49152 C:\WINDOWS\system32\SiSPower.dll]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-26 09:52 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-26 10:00 98304]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 14:13 98304]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59 124520]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 21:05 116328]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-26 00:00 771440]
"HPHUPD08"="C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2006-07-11 15:27 49152]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"SMSERIAL"="sm56hlpr.exe" [2005-01-24 04:56 544768 C:\WINDOWS\sm56hlpr.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 12:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"1c165543"="C:\WINDOWS\system32\turdnpcy.dll" [2008-05-12 11:17 83008]
"BM1f2566df"="C:\WINDOWS\system32\weeaptot.dll" [2008-05-12 11:13 90176]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-17 20:10:37 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 01:49:24 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\ssqNEwTk.dll [2008-05-11 12:29 25728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNEwTk]
ssqNEwTk.dll 2008-05-11 12:29 25728 C:\WINDOWS\system32\ssqNEwTk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\qoMgdcyY

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\1124734592\\ee\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\1124734592\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1124734592\\ee\\aim6.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

R0 PzWDM;PzWDM;C:\WINDOWS\system32\Drivers\PzWDM.sys [2008-03-21 11:37]
S3 WMP11;Instant Wireless PCI Card Driver;C:\WINDOWS\system32\DRIVERS\WMP11NDS.sys [2002-05-16 16:41]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f345e08-8694-11d9-a32a-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
Contents of the 'Scheduled Tasks' folder
"2008-05-06 11:10:56 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Compaq_Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-05-12 17:47:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 12:29:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ssqNEwTk.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\turdnpcy.dll
-> C:\WINDOWS\system32\tcbygfub.dll
-> C:\WINDOWS\system32\qoMgdcyY.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-12 12:47:42 - machine was rebooted [Compaq_Owner]
ComboFix-quarantined-files.txt 2008-05-12 17:47:17

Pre-Run: 92,306,862,080 bytes free
Post-Run: 94,727,122,944 bytes free

299 --- E O F --- 2008-04-09 08:06:03


HIJACK THIS:
Logfile of HijackThis v1.99.1
Scan saved at 1:31:24 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BM1f2566df] Rundll32.exe "C:\WINDOWS\system32\tcbygfub.dll",s
O4 - HKLM\..\Run: [1c165543] rundll32.exe "C:\WINDOWS\system32\ukjheajk.dll",b
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Software Update] "C:\Program Files\Creative\Shared Files\Software Update\AutoUpdate.exe" /Silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3912] command /c del "C:\WINDOWS\system32\hgGyyvtT.dll_old"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} -
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} (Easy Upload Tool Combo Control) - http://xsatinsilence.myphotoalbum.com/EasyUploadTool.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Blade81
2008-05-13, 09:14
Hi

Disable Spybot's TeaTimer:
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left hand side, click on Tools, then click on the Resident icon in the list. Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.


Start hjt, do a system scan, check (if found):
O4 - HKCU\..\RunOnce: [SpybotDeletingB3912] command /c del "C:\WINDOWS\system32\hgGyyvtT.dll_old"
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - (no file)

Close browsers and other windows. Click fix checked.

Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\turdnpcy.dll
C:\WINDOWS\system32\ihuelyrg.dll
C:\WINDOWS\system32\weeaptot.dll
C:\WINDOWS\system32\thsokury.exe
C:\WINDOWS\system32\ijgpcops.dll
C:\WINDOWS\system32\pjdjuvje.dll
C:\WINDOWS\system32\qswottpi.dll
C:\WINDOWS\system32\ecdmhspm.exe
C:\WINDOWS\system32\pshjimmt.dll
C:\WINDOWS\BM1f2566df.xml
C:\WINDOWS\system32\yiicwuuc.dll
C:\WINDOWS\system32\jbjhtixs.exe
C:\WINDOWS\system32\wvUnNGWn.dll_old
C:\WINDOWS\system32\vtUmJYsq.dll_old
C:\WINDOWS\index.html
C:\WINDOWS\system32\ssqNEwTk.dll
C:\WINDOWS\b2new.exe
C:\WINDOWS\system\pxelitu.bak2
C:\WINDOWS\system32\tcbygfub.dll
C:\WINDOWS\system32\qoMgdcyY.dll

Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\dFrnx06
C:\temp\tmpvc14
C:\WINDOWS\system32\pnVes06
C:\temp\zvebs14

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11000AE4-6CED-4A34-A393-C8D326E499A0}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48D20AC5-51D5-470D-B466-7099D791C73E}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9b09d5b1-0970-46dd-9e04-a3bfb2df0bdd}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA54DB4A-186C-4138-B8C1-D659612E4AC0}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D562B55A-99DF-4076-8BF8-E4477D7FA851}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1c165543"=-
"BM1f2566df"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNEwTk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
Authentication Packages=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]



Save this as CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under select a target to scan, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete; Kaspersky suggests running it during a time of low activity. Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh HJT log too (without forgetting the above-mentioned ComboFix resultant log).
If the results of the anti virus scan itself will take more than one post to contain, you may upload it to http://rapidshare.com


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
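
The CFScript given above is a set of ComboFix directives (KILLALL::, File::, Folder::, Registry:: in .reg-style syntax). As an added example that is not part of this thread or of ComboFix itself, the Python below turns such a script into a plain list of the file, folder and registry actions it requests, so the changes can be reviewed before the script is run; the sample script inside it is constructed from directives posted above, and the KILLALL:: meaning is taken from ComboFix's documented behaviour.

```python
"""Turn a ComboFix CFScript into a readable list of the actions it requests.

Added example, not ComboFix's own code; it only interprets the syntax used in
this thread (KILLALL::, File::, Folder::, Registry::). The sample below is
constructed from directives posted in the thread.
"""
import re
from typing import Any, Dict, List

SAMPLE_CFSCRIPT = r"""
KILLALL::

File::
C:\WINDOWS\system32\tcbygfub.dll
C:\WINDOWS\system32\qoMgdcyY.dll

Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\dFrnx06

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1c165543"=-
"BM1f2566df"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
Authentication Packages=hex(7):6d,73,76,31,5f,30,00,00
"""

SECTION_RE = re.compile(r"^(\w+)::$")           # e.g. "File::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # "[-KEY]" means delete the key
VALUE_RE = re.compile(r'^"?([^"=]+)"?=(.*)$')   # name=data; name may be quoted


def decode_hex7(payload: str) -> List[str]:
    """Decode a .reg-style hex(7) (REG_MULTI_SZ) byte list into strings.

    The bytes are NUL-terminated ANSI strings plus a final NUL, so
    6d,73,76,31,5f,30,00,00 decodes to ["msv1_0"].
    """
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def parse_registry_line(line: str, current_key: str, ops: List[tuple]) -> str:
    """Handle one line of the Registry:: section; returns the active key.

    Each op is (operation, key, value name, data).
    """
    km = KEY_RE.match(line)
    if km:
        delete_flag, key = km.groups()
        if delete_flag:
            ops.append(("delete_key", key, "", None))
        return key
    vm = VALUE_RE.match(line)
    if vm and current_key:
        name, data = vm.groups()
        if data == "-":                     # "name"=- removes that value
            ops.append(("delete_value", current_key, name, None))
        elif data.startswith("hex(7):"):   # multi-string value is rewritten
            ops.append(("set_multi_sz", current_key, name,
                        decode_hex7(data[len("hex(7):"):])))
        else:
            ops.append(("set_value", current_key, name, data))
    return current_key


def parse_cfscript(text: str) -> Dict[str, Any]:
    plan: Dict[str, Any] = {"KILLALL": False, "File": [], "Folder": [], "Registry": []}
    section, current_key = "", ""
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line:
            continue
        sm = SECTION_RE.match(line)
        if sm:
            section = sm.group(1)
            if section == "KILLALL":        # bare directive, no body lines
                plan["KILLALL"] = True
            continue
        if section in ("File", "Folder"):
            plan[section].append(line)
        elif section == "Registry":
            current_key = parse_registry_line(line, current_key, plan["Registry"])
    return plan


def describe(plan: Dict[str, Any]) -> List[str]:
    """Render the plan as one line per requested action."""
    out = ["KILLALL:: present (running processes are ended first)"
           if plan["KILLALL"] else "no KILLALL::"]
    out += [f"delete file: {p}" for p in plan["File"]]
    out += [f"delete folder: {p}" for p in plan["Folder"]]
    for op, key, name, data in plan["Registry"]:
        target = key if op == "delete_key" else f"{key} -> {name}"
        out.append(f"{op}: {target}" + (f" = {data}" if data is not None else ""))
    return out
```

Running `describe(parse_cfscript(SAMPLE_CFSCRIPT))` shows, among other lines, that the Lsa Authentication Packages value is being reset to just msv1_0, which is the stock Windows entry.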

kissels
2008-05-17, 05:41
Hi Blade... and thanks for the help.

I followed your instructions, but was not able to provide a CF log. CF would run, reboot, but then never finish with the log; I tried it twice. None of the processes you mentioned (find, findstr, etc...) appeared in the TaskManager. Maybe other programs that auto-run on start up interfered?

Anyway, here's the Kaspersky log (problems in the C:\System Volume Information\... files) and the new HJT log:

Kaspersky
--------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-05-16 21:25
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/05/2008
Kaspersky Anti-Virus database records: 779486
--------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 136166
Number of viruses found: 4
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:24:14

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-05-16_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\A2D7DD71.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\C6D6A98C.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\default.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP11\A0010163.exe Infected: Trojan-Downloader.Win32.Agent.otg skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP15\change.log Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP2\A0000117.exe Infected: not-virus:Hoax.Win32.Renos.cda skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP2\A0000118.exe Infected: not-virus:Hoax.Win32.Renos.cda skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP2\A0000120.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP2\A0000120.exe NSIS: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C87EEC93-0126-42CA-96F8-2FB65D3AE5FD}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP15\change.log Object is locked skipped

Scan process completed.


HJT log
Logfile of HijackThis v1.99.1
Scan saved at 21:32, on 2008-05-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BF56E23-D23A-4905-B8D1-91EA20463260} - C:\WINDOWS\system32\xxyyvwVP.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} -
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} (Easy Upload Tool Combo Control) - http://xsatinsilence.myphotoalbum.com/EasyUploadTool.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


Looking forward to your reply.... Thanks again
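
As an added example, not from the thread and not Kaspersky's code, the Python below reads a report in the format posted above, cross-checks the infected objects against the report's own summary counts, and separates hits that sit inside System Restore points (which the user noticed) from hits in ComboFix's quarantine and anything still live on disk; the sample report is a constructed, trimmed copy of the one above.

```python
"""Summarise a Kaspersky Online Scanner report and sort the hits by location.

Added example, not Kaspersky's or the thread's own code: it extracts the
infected objects, checks them against the report's summary counts, and
separates hits inside System Volume Information (System Restore snapshots,
which remain until the restore points are purged) from anything live on
disk. The sample is a constructed, trimmed copy of the report format above.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 136166
Number of viruses found: 4
Number of infected objects: 6
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Compaq_Owner\ntuser.dat Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\default.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP11\A0010163.exe Infected: Trojan-Downloader.Win32.Agent.otg skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP2\A0000117.exe Infected: not-virus:Hoax.Win32.Renos.cda skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP2\A0000118.exe Infected: not-virus:Hoax.Win32.Renos.cda skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP2\A0000120.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP2\A0000120.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""


class Hit(NamedTuple):
    path: str
    verdict: str      # detection name, or "<kind> container" for archives
    action: str       # what the scanner did ("skipped" in the online scan)
    container: bool   # True for an archive flagged because of its contents


COUNT_RE = re.compile(r"^Number of (viruses found|infected objects):\s*(\d+)$")
INFECTED_RE = re.compile(r"^(.+?)\s+Infected:\s+(\S+)\s+(\S+)$")
CONTAINER_RE = re.compile(r"^(.+?)\s+(\w+): infected - \d+\s+(\S+)$")


def parse_report(text: str) -> Tuple[Dict[str, int], List[Hit]]:
    counts: Dict[str, int] = {}
    hits: List[Hit] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = INFECTED_RE.match(line)
        if m:
            hits.append(Hit(m.group(1), m.group(2), m.group(3), False))
            continue
        m = CONTAINER_RE.match(line)
        if m:
            hits.append(Hit(m.group(1), f"{m.group(2)} container", m.group(3), True))
        # "Object is locked skipped" lines are not detections; ignore them.
    return counts, hits


def distinct_viruses(hits: List[Hit]) -> List[str]:
    return sorted({h.verdict for h in hits if not h.container})


def counts_match(counts: Dict[str, int], hits: List[Hit]) -> bool:
    """Cross-check the parsed hits against the scanner's own totals."""
    return (counts.get("infected objects") == len(hits)
            and counts.get("viruses found") == len(distinct_viruses(hits)))


def triage(hits: List[Hit]) -> Dict[str, List[str]]:
    """Group hit paths: restore-point copies, tool quarantine, or live files."""
    groups: Dict[str, List[str]] = {"restore_point": [], "quarantine": [], "live": []}
    for h in hits:
        p = h.path.lower()
        if "\\system volume information\\_restore" in p:
            groups["restore_point"].append(h.path)
        elif "\\qoobox\\quarantine\\" in p:      # ComboFix's quarantine folder
            groups["quarantine"].append(h.path)
        else:
            groups["live"].append(h.path)
    return groups


if __name__ == "__main__":
    counts, hits = parse_report(SAMPLE_REPORT)
    print("summary consistent:", counts_match(counts, hits))
    for bucket, paths in triage(hits).items():
        print(f"{bucket}: {len(paths)}")
```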

Blade81
2008-05-17, 14:01
Hi

Please check if you can find ComboFix.txt in root of c: drive (if not there search in c:\combofix folder). Post its contents. Also, you should have Hijackthis in permanent location.

HJT in its own folder
------------------------

Please put your HijackThis in its own folder (I create a new folder in C:\ named HJT).
You can do a Right Click on any open area on the desktop, New > Folder, then rename the folder HJT.

Go to where your HijackThis is and Right Click on HijackThis.exe, select Cut, then open the new folder you just created (HJT), Right Click in the folder and select Paste.

The reason we do this is that HijackThis creates backup files, just in case you'd need to restore one, and we'll be cleaning out the temp files.

kissels
2008-05-18, 22:32
Hi Blade... I moved the HJT to the folder under the C drive and also found the ComboFix.txt file; here it is:

ComboFix 08-05-15.3 - Compaq_Owner 2008-05-16 19:12:41.3 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\b2new.exe
C:\WINDOWS\BM1f2566df.xml
C:\WINDOWS\index.html
C:\WINDOWS\system\pxelitu.bak2
C:\WINDOWS\system32\ecdmhspm.exe
C:\WINDOWS\system32\ihuelyrg.dll
C:\WINDOWS\system32\ijgpcops.dll
C:\WINDOWS\system32\jbjhtixs.exe
C:\WINDOWS\system32\pjdjuvje.dll
C:\WINDOWS\system32\pshjimmt.dll
C:\WINDOWS\system32\qoMgdcyY.dll
C:\WINDOWS\system32\qswottpi.dll
C:\WINDOWS\system32\ssqNEwTk.dll
C:\WINDOWS\system32\tcbygfub.dll
C:\WINDOWS\system32\thsokury.exe
C:\WINDOWS\system32\turdnpcy.dll
C:\WINDOWS\system32\vtUmJYsq.dll_old
C:\WINDOWS\system32\weeaptot.dll
C:\WINDOWS\system32\wvUnNGWn.dll_old
C:\WINDOWS\system32\yiicwuuc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\temp\tmpvc14
C:\temp\zvebs14
C:\WINDOWS\BM1f2566df.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\index.html
C:\WINDOWS\pskt.ini
C:\WINDOWS\system\pxelitu.bak2
C:\WINDOWS\system32\awtsTLFw.dll
C:\WINDOWS\system32\dFrnx06
C:\WINDOWS\system32\fgfLmnnn.ini2
C:\WINDOWS\system32\fPrsYJlm.ini
C:\WINDOWS\system32\fPrsYJlm.ini2
C:\WINDOWS\system32\kjaehjku.ini
C:\WINDOWS\system32\mlJYsrPf.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\odjpppnq.dll
C:\WINDOWS\system32\pnVes06
C:\WINDOWS\system32\pshjimmt.dll
C:\WINDOWS\system32\PVwvyyxx.ini
C:\WINDOWS\system32\PVwvyyxx.ini2
C:\WINDOWS\system32\qqduwuwv.ini
C:\WINDOWS\system32\tlwgtrvf.dll
C:\WINDOWS\system32\vwuwudqq.dll
C:\WINDOWS\system32\wdlkfyba.ini
C:\WINDOWS\system32\wFLTstwa.ini
C:\WINDOWS\system32\wFLTstwa.ini2
C:\WINDOWS\system32\YycdgMoq.ini
C:\WINDOWS\system32\YycdgMoq.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-16 18:49 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-16 18:48 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-14 21:09 . 2008-05-15 06:33 414 ---hs---- C:\WINDOWS\system32\chrlarkg.ini
2008-05-12 20:52 . 2005-02-26 09:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterMute
2008-05-12 20:52 . 2008-05-12 21:01 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-05-12 20:52 . 2008-05-16 18:21 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-12 20:29 . 2008-05-12 20:29 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-12 20:29 . 2008-05-12 20:29 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-12 20:21 . 2008-05-12 20:30 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-12 19:53 . 2004-07-17 11:35 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2008-05-12 19:51 . 2004-07-17 11:36 64,352 --------- C:\WINDOWS\system32\drivers\ativmc20.cod
2008-05-12 19:34 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-12 18:56 . 2008-05-12 18:58 <DIR> d-------- C:\Program Files\Java
2008-05-12 18:55 . 2008-05-12 18:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-12 16:37 . 2008-05-12 16:37 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-12 12:39 . 2008-05-12 12:47 354 --ahs---- C:\WINDOWS\system32\ycpndrut.ini
2008-05-11 22:36 . 2008-05-12 15:41 774 --a------ C:\WINDOWS\wininit.ini
2008-05-11 21:43 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-11 21:43 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-11 21:43 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-10 22:37 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-05-10 22:36 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-05-10 22:36 . 2003-11-04 15:11 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
2008-05-10 22:36 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-05-03 20:49 . 2008-05-03 20:49 244 --ah----- C:\sqmnoopt15.sqm
2008-05-03 20:49 . 2008-05-03 20:49 244 --ah----- C:\sqmnoopt14.sqm
2008-05-03 20:49 . 2008-05-03 20:49 244 --ah----- C:\sqmnoopt13.sqm
2008-05-03 20:49 . 2008-05-03 20:49 232 --ah----- C:\sqmdata15.sqm
2008-05-03 20:49 . 2008-05-03 20:49 232 --ah----- C:\sqmdata14.sqm
2008-05-03 20:49 . 2008-05-03 20:49 232 --ah----- C:\sqmdata13.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 23:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-16 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 22:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-12 23:20 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2008-05-12 21:18 --------- d-----w C:\Program Files\QuickTime
2008-05-12 02:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-12 02:40 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-12 02:40 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-12 02:40 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-12 02:40 --------- d-----w C:\Program Files\Symantec
2008-05-12 02:39 --------- d-----w C:\Program Files\Norton Internet Security
2008-05-11 16:29 3,694 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2008-03-30 23:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 21:25 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\PlayFirst
2008-03-30 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-03-30 21:23 --------- d-----w C:\Program Files\Shockwave.com
2008-03-24 01:43 --------- d-----w C:\Program Files\The Weather Channel FW
2008-03-21 16:40 --------- d-----w C:\Program Files\echospin
2008-03-21 16:37 15,172 ----a-w C:\WINDOWS\system32\drivers\PzWDM.sys
.

Blade81
2008-05-19, 07:59
Hi


Start hjt, do a system scan, check:
O2 - BHO: (no name) - {0BF56E23-D23A-4905-B8D1-91EA20463260} - C:\WINDOWS\system32\xxyyvwVP.dll (file missing)

Close browsers and other windows. Click fix checked.

Open notepad and copy/paste the text in the quotebox below into it:



KILLALL::

File::
C:\WINDOWS\system32\chrlarkg.ini
C:\WINDOWS\system32\ycpndrut.ini



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
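As an added illustration of the two steps above (spotting the orphaned BHO entry in the HJT log and writing the CFScript file list), here is a small Python triage helper. It is not part of Blade81's instructions and is not code from HijackThis or ComboFix; the regex, the function names and the `BhoEntry` class are my own, and the sample log lines are constructed by copying a few entries from this thread. The only things taken from the page are the HJT line format and the `KILLALL::` / `File::` directives.

```python
"""Triage helper for HijackThis O2 (BHO) lines and CFScript File:: lists.

Added example, not part of the thread or of the HJT/ComboFix tools.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of HJT v1.99.1 lines modelled on the ones
# posted in this thread. The first line is the entry Blade81 asked to fix;
# the NppBho.dll line is a legitimate Symantec component that also reports
# "(no name)", which is why "no name" on its own is a review hint, not a verdict.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {0BF56E23-D23A-4905-B8D1-91EA20463260} - C:\WINDOWS\system32\xxyyvwVP.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Hypothetical regex for the "O2 - BHO: <name> - {CLSID} - <path> [(file missing)]" shape.
HJT_BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f\-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str
    file_missing: bool

    def review_reasons(self) -> List[str]:
        """Why a helper would look twice at this entry (review hints, not verdicts)."""
        reasons = []
        if self.file_missing:
            # Registration left behind after the DLL was deleted: safe to "fix checked".
            reasons.append("file missing (orphaned registration)")
        if self.name == "(no name)":
            # Legit vendors sometimes omit the name too, so this only asks for a closer look.
            reasons.append("no name (check vendor/path before deciding)")
        return reasons


def parse_bho_entries(log_text: str) -> List[BhoEntry]:
    """Extract every O2 BHO line from an HJT log; other sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = HJT_BHO_RE.match(line.strip())
        if not m:
            continue
        entries.append(BhoEntry(m["name"], m["clsid"], m["path"], m["missing"] is not None))
    return entries


def flagged_bhos(log_text: str) -> List[BhoEntry]:
    """Only the entries that have at least one review reason."""
    return [e for e in parse_bho_entries(log_text) if e.review_reasons()]


def build_cfscript(file_paths: List[str], killall: bool = True) -> str:
    """Render a CFScript in the layout used in this thread: KILLALL:: then a File:: list."""
    lines: List[str] = []
    if killall:
        lines += ["KILLALL::", ""]
    lines.append("File::")
    lines.extend(file_paths)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for entry in flagged_bhos(SAMPLE_HJT_LOG):
        print(entry.clsid, entry.path, "->", "; ".join(entry.review_reasons()))
    print(build_cfscript([r"C:\WINDOWS\system32\chrlarkg.ini",
                          r"C:\WINDOWS\system32\ycpndrut.ini"]))
```

Run as-is it lists the two "(no name)" entries, but only the xxyyvwVP.dll one carries the "file missing" reason, which is the one HJT can safely remove; the Symantec line is a reminder that a missing name by itself is not enough to act on. The CFScript text it prints is the same layout as the quotebox above, so it is ready to save as CFScript and drag onto ComboFix.exe.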

kissels
2008-05-22, 01:44
Hi Blade,

Here are the new CF and HJT logs:

CF

ComboFix 08-05-15.3 - Compaq_Owner 2008-05-20 5:16:10.4 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\chrlarkg.ini
C:\WINDOWS\system32\ycpndrut.ini
.
The following files were disabled during the run:
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
C:\WINDOWS\system32\chrlarkg.ini
C:\WINDOWS\system32\ycpndrut.ini
.
---- Previous Run -------
.
C:\temp\tmpvc14
C:\temp\zvebs14
C:\WINDOWS\BM1f2566df.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\index.html
C:\WINDOWS\pskt.ini
C:\WINDOWS\system\pxelitu.bak2
C:\WINDOWS\system32\awtsTLFw.dll
C:\WINDOWS\system32\dFrnx06
C:\WINDOWS\system32\fgfLmnnn.ini2
C:\WINDOWS\system32\fPrsYJlm.ini
C:\WINDOWS\system32\fPrsYJlm.ini2
C:\WINDOWS\system32\kjaehjku.ini
C:\WINDOWS\system32\mlJYsrPf.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\odjpppnq.dll
C:\WINDOWS\system32\pnVes06
C:\WINDOWS\system32\pshjimmt.dll
C:\WINDOWS\system32\PVwvyyxx.ini
C:\WINDOWS\system32\PVwvyyxx.ini2
C:\WINDOWS\system32\qqduwuwv.ini
C:\WINDOWS\system32\tlwgtrvf.dll
C:\WINDOWS\system32\vwuwudqq.dll
C:\WINDOWS\system32\wdlkfyba.ini
C:\WINDOWS\system32\wFLTstwa.ini
C:\WINDOWS\system32\wFLTstwa.ini2
C:\WINDOWS\system32\YycdgMoq.ini
C:\WINDOWS\system32\YycdgMoq.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-16 19:34 . 2008-05-16 19:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-16 19:34 . 2008-05-16 19:34 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-05-16 19:34 . 2008-05-16 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-16 18:49 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-16 18:48 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-12 20:52 . 2005-02-26 09:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterMute
2008-05-12 20:52 . 2008-05-12 21:01 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-05-12 20:52 . 2008-05-16 18:21 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-12 20:29 . 2008-05-12 20:29 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-12 20:29 . 2008-05-12 20:29 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-12 20:21 . 2008-05-12 20:30 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-12 19:53 . 2004-07-17 11:35 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2008-05-12 19:51 . 2004-07-17 11:36 64,352 --------- C:\WINDOWS\system32\drivers\ativmc20.cod
2008-05-12 19:34 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-12 18:56 . 2008-05-12 18:58 <DIR> d-------- C:\Program Files\Java
2008-05-12 18:55 . 2008-05-12 18:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-12 16:37 . 2008-05-12 16:37 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-11 22:36 . 2008-05-12 15:41 774 --a------ C:\WINDOWS\wininit.ini
2008-05-11 21:43 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-11 21:43 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-11 21:43 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-10 22:37 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-05-10 22:36 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-05-10 22:36 . 2003-11-04 15:11 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
2008-05-10 22:36 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-05-03 20:49 . 2008-05-03 20:49 244 --ah----- C:\sqmnoopt15.sqm
2008-05-03 20:49 . 2008-05-03 20:49 244 --ah----- C:\sqmnoopt14.sqm
2008-05-03 20:49 . 2008-05-03 20:49 244 --ah----- C:\sqmnoopt13.sqm
2008-05-03 20:49 . 2008-05-03 20:49 232 --ah----- C:\sqmdata15.sqm
2008-05-03 20:49 . 2008-05-03 20:49 232 --ah----- C:\sqmdata14.sqm
2008-05-03 20:49 . 2008-05-03 20:49 232 --ah----- C:\sqmdata13.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 16:57 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-20 03:57 4,322 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2008-05-17 02:57 --------- d-----w C:\Program Files\QuickTime
2008-05-16 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 22:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-12 23:20 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2008-05-12 02:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-12 02:40 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-12 02:40 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-12 02:40 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-12 02:40 --------- d-----w C:\Program Files\Symantec
2008-05-12 02:39 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-30 23:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 21:25 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\PlayFirst
2008-03-30 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-03-30 21:23 --------- d-----w C:\Program Files\Shockwave.com
2008-03-24 01:43 --------- d-----w C:\Program Files\The Weather Channel FW
2008-03-21 16:40 --------- d-----w C:\Program Files\echospin
2008-03-21 16:37 15,172 ----a-w C:\WINDOWS\system32\drivers\PzWDM.sys
.


HJT

Logfile of HijackThis v1.99.1
Scan saved at 05:42, on 2008-05-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} -
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} (Easy Upload Tool Combo Control) - http://xsatinsilence.myphotoalbum.com/EasyUploadTool.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Blade81
2008-05-22, 07:29
Hi

For some reason the ComboFix log doesn't look like a complete one. It gets cut off at the same part as the previous one. I want to make sure it's not a bug. So, please delete the old ComboFix.exe and download a fresh one to your desktop from one of the following links:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

Reboot into safe mode (http://www.computerhope.com/issues/chsafe.htm#02) and run this new ComboFix again there. Reboot into normal mode and post ComboFix log.

kissels
2008-05-24, 20:54
Hi Blade.... This time it did finish the log file; the date is wrong, however. It was run today, 5/24, at 12:42pm. Here it is:


ComboFix 08-05-21.3 - Compaq_Owner 2008-05-21 12:32:18.5 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.279 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
C:\temp\tmpvc14
C:\temp\zvebs14
C:\WINDOWS\BM1f2566df.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\index.html
C:\WINDOWS\pskt.ini
C:\WINDOWS\system\pxelitu.bak2
C:\WINDOWS\system32\awtsTLFw.dll
C:\WINDOWS\system32\chrlarkg.ini
C:\WINDOWS\system32\dFrnx06
C:\WINDOWS\system32\fgfLmnnn.ini2
C:\WINDOWS\system32\fPrsYJlm.ini
C:\WINDOWS\system32\fPrsYJlm.ini2
C:\WINDOWS\system32\kjaehjku.ini
C:\WINDOWS\system32\mlJYsrPf.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\odjpppnq.dll
C:\WINDOWS\system32\pnVes06
C:\WINDOWS\system32\pshjimmt.dll
C:\WINDOWS\system32\PVwvyyxx.ini
C:\WINDOWS\system32\PVwvyyxx.ini2
C:\WINDOWS\system32\qqduwuwv.ini
C:\WINDOWS\system32\tlwgtrvf.dll
C:\WINDOWS\system32\vwuwudqq.dll
C:\WINDOWS\system32\wdlkfyba.ini
C:\WINDOWS\system32\wFLTstwa.ini
C:\WINDOWS\system32\wFLTstwa.ini2
C:\WINDOWS\system32\ycpndrut.ini
C:\WINDOWS\system32\YycdgMoq.ini
C:\WINDOWS\system32\YycdgMoq.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-21 12:27 . 2005-02-26 09:42 <DIR> d-------- C:\Documents and Settings\Administrator.COMPAQ\WINDOWS
2008-05-21 12:27 . 2005-02-26 09:42 <DIR> d-------- C:\Documents and Settings\Administrator.COMPAQ\Application Data\Symantec
2008-05-21 12:27 . 2005-02-26 09:42 <DIR> d-------- C:\Documents and Settings\Administrator.COMPAQ\Application Data\SampleView
2008-05-21 12:27 . 2005-02-26 09:42 <DIR> d-------- C:\Documents and Settings\Administrator.COMPAQ\Application Data\InterMute
2008-05-21 12:27 . 2005-02-26 09:42 <DIR> d-------- C:\Documents and Settings\Administrator.COMPAQ\Application Data\Apple Computer
2008-05-21 12:27 . 2008-05-21 12:27 <DIR> d-------- C:\Documents and Settings\Administrator.COMPAQ
2008-05-16 19:34 . 2008-05-16 19:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-16 19:34 . 2008-05-16 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-16 18:49 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-16 18:48 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-12 20:52 . 2005-02-26 09:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterMute
2008-05-12 20:52 . 2008-05-12 21:01 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-05-12 20:29 . 2008-05-12 20:29 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-12 20:29 . 2008-05-12 20:29 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-12 20:21 . 2008-05-12 20:30 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-12 19:53 . 2004-07-17 11:35 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2008-05-12 19:51 . 2004-07-17 11:36 64,352 --------- C:\WINDOWS\system32\drivers\ativmc20.cod
2008-05-12 19:34 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-12 18:56 . 2008-05-12 18:58 <DIR> d-------- C:\Program Files\Java
2008-05-12 18:55 . 2008-05-12 18:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-12 16:37 . 2008-05-12 16:37 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-11 22:36 . 2008-05-12 15:41 774 --a------ C:\WINDOWS\wininit.ini
2008-05-11 21:43 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-11 21:43 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-11 21:43 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-10 22:37 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-05-10 22:36 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-05-10 22:36 . 2003-11-04 15:11 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
2008-05-10 22:36 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-05-10 22:36 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-05-03 20:49 . 2008-05-03 20:49 244 --ah----- C:\sqmnoopt15.sqm
2008-05-03 20:49 . 2008-05-03 20:49 244 --ah----- C:\sqmnoopt14.sqm
2008-05-03 20:49 . 2008-05-03 20:49 244 --ah----- C:\sqmnoopt13.sqm
2008-05-03 20:49 . 2008-05-03 20:49 232 --ah----- C:\sqmdata15.sqm
2008-05-03 20:49 . 2008-05-03 20:49 232 --ah----- C:\sqmdata14.sqm
2008-05-03 20:49 . 2008-05-03 20:49 232 --ah----- C:\sqmdata13.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 10:51 4,322 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2008-05-20 16:57 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-17 02:57 --------- d-----w C:\Program Files\QuickTime
2008-05-16 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 22:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-13 01:36 77,824 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\FDIWrapper.dll
2008-05-13 01:36 69,632 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\msxmlwrapper.dll
2008-05-13 01:36 49,152 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\PCHI18N.dll
2008-05-13 01:36 44,032 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\LocalContent\Attachments\devcon.exe
2008-05-13 01:36 40,960 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\ScDmi.dll
2008-05-13 01:36 307,200 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\pchnotify.exe
2008-05-13 01:36 3,072 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\pchealthde.exe
2008-05-13 01:36 26,572 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\INV16.dll
2008-05-13 01:36 213,089 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\motive.zip
2008-05-13 01:36 159,744 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
2008-05-13 01:36 139,264 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\ContentUpdater.exe
2008-05-12 23:20 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2008-05-12 02:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-12 02:40 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-12 02:40 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-12 02:40 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-12 02:40 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-12 02:40 --------- d-----w C:\Program Files\Symantec
2008-05-12 02:39 --------- d-----w C:\Program Files\Norton Internet Security
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-03-30 23:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 21:25 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\PlayFirst
2008-03-30 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-03-30 21:23 --------- d-----w C:\Program Files\Shockwave.com
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-24 01:43 --------- d-----w C:\Program Files\The Weather Channel FW
2008-03-21 16:40 --------- d-----w C:\Program Files\echospin
2008-03-21 16:37 15,172 ----a-w C:\WINDOWS\system32\drivers\PzWDM.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-12_12.46.06.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-23 04:56:21 554,008 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll
+ 2007-12-10 12:41:11 518,944 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll
+ 2007-12-10 12:41:11 326,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll
+ 2007-12-10 12:41:11 1,516,568 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll
+ 2007-12-10 12:41:11 355,112 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll
+ 2008-03-27 07:39:13 151,583 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll
+ 2007-12-10 12:41:12 60,192 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll
+ 2007-12-10 12:41:12 248,608 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll
+ 2007-12-10 12:41:12 219,936 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll
+ 2007-12-10 12:41:12 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll
+ 2007-12-10 12:41:13 432,928 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll
+ 2007-12-10 12:41:13 322,336 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll
+ 2007-12-10 12:41:13 559,904 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll
+ 2007-12-10 12:41:13 264,992 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll
+ 2007-12-10 12:41:13 838,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll
+ 2007-12-10 12:41:14 621,344 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll
+ 2007-12-10 12:41:14 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll
+ 2006-10-04 14:05:26 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc(3).dll
- 2008-05-12 17:27:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 17:27:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-06-13 10:23:07 1,033,216 ----a-w C:\WINDOWS\explorer(2).exe
+ 2004-08-04 11:00:00 38,912 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\pchsvc(3).dll
- 2005-02-26 15:05:56 82,435 ----a-w C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat
+ 2008-05-13 01:36:50 82,435 ----a-w C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat
- 2005-02-26 15:05:56 3,510 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2008-05-13 01:36:50 3,880 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
- 2005-02-26 15:04:59 110,592 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\DSAPI4.dll
+ 2008-05-13 01:35:59 110,592 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\DSAPI4.dll
- 2005-02-26 15:04:50 287,310 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\HPBasicDetection.dll
+ 2008-05-13 01:35:50 287,310 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\HPBasicDetection.dll
- 2005-02-26 15:04:35 28,672 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\InetWrap.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [ ]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-12-20 08:10 715888]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 08:24 68856]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-04-10 10:15 868352]
"CreativeTaskScheduler"="C:\Program Files\Creative\Shared Files\CTSched.exe" [2006-11-17 04:42 53341]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 15:43 233472]
"SiSPower"="SiSPower.dll" [2005-04-12 11:31 49152 C:\WINDOWS\system32\SiSPower.dll]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-26 09:52 180269]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 14:13 98304]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59 124520]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 21:05 116328]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-26 00:00 771440]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"SMSERIAL"="sm56hlpr.exe" [2005-01-24 04:56 544768 C:\WINDOWS\sm56hlpr.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 12:06 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-12 00:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2006-07-11 15:27 49152 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 11:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\1124734592\\ee\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\1124734592\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1124734592\\ee\\aim6.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

R0 PzWDM;PzWDM;C:\WINDOWS\system32\Drivers\PzWDM.sys [2008-03-21 11:37]
S3 WMP11;Instant Wireless PCI Card Driver;C:\WINDOWS\system32\DRIVERS\WMP11NDS.sys [2002-05-16 16:41]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f345e08-8694-11d9-a32a-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 17:42:37 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Compaq_Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-05-19 14:30:04 C:\WINDOWS\Tasks\SpyHunter Scanner.job"
- C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"2008-05-21 17:22:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 12:36:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-05-21 12:42:07
ComboFix-quarantined-files.txt 2008-05-21 17:42:00
ComboFix2.txt 2008-05-12 17:47:44

Pre-Run: 94,124,302,336 bytes free
Post-Run: 94,158,213,120 bytes free

591 --- E O F --- 2008-05-18 08:01:54

Blade81
2008-05-24, 22:14
Hi

Is your clock adjusted to the correct date? If it isn't, please adjust it, then run ComboFix again and post its log and a fresh HJT log. With the current date setting, ComboFix doesn't list files created/modified after 5/21/2008.

Blade81
2008-05-30, 19:05
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.