PDA

View Full Version : Virtumonde and others ect..



Madnezz
2009-01-19, 14:14
I have found virtumonde and other various trojans infecting my computer, I have run Spybot, maulwarebytes anti-maulware and adaware 2008, all of wich said they removed the trojans with no luck. Presently the infected machine has no internet connection <it says the cord is unplugged> also it will get half way through startup then lock up every other time I reboot.

I am truely at a loss. plz help?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:42, on 1/18/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE network
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {B0EA550B-0C3B-4B56-95BE-A90F5362D6A9} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - (no file)
O3 - Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA116] command /c del "C:\WINDOWS\system32\uniq.tll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3463] cmd /c del "C:\WINDOWS\system32\uniq.tll"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\RunOnce: [SpybotDeletingB5264] command /c del "C:\WINDOWS\system32\uniq.tll"
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Windows Search.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZKfox000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FreshDownload - {7BC71F9B-6EFE-4A17-8606-2615BEFB541C} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Open Last Closed Tab - {e15e75e9-a653-42a3-8d05-f2f7e309bdca} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: vod.adameve.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: hrxwju.dll nwtqlx.dll drwmwc.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 8849 bytes

sorry here is the log with TeaTimer turned off


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:42, on 1/21/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\program files\logitech\quickcam\lu\lulnchr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE network
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {B0EA550B-0C3B-4B56-95BE-A90F5362D6A9} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {F62D52D2-FDEE-4991-BC7D-85A3CE5F6E08} - (no file)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - (no file)
O3 - Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZKfox000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FreshDownload - {7BC71F9B-6EFE-4A17-8606-2615BEFB541C} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: Open Last Closed Tab - {e15e75e9-a653-42a3-8d05-f2f7e309bdca} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: vod.adameve.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: hrxwju.dll nwtqlx.dll drwmwc.dll
O20 - Winlogon Notify: ddcCRHBU - C:\WINDOWS\
O20 - Winlogon Notify: iiffCTlL - iiffCTlL.dll (file missing)
O20 - Winlogon Notify: rqRHaXQh - C:\WINDOWS\
O20 - Winlogon Notify: yaywtUnL - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 9469 bytes

I re-ran mauluware anti-maulware and here is the log file, all threats were removed it said, so I re-ran hjt, both logs are posted here.

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3, v.5657

1/22/2009 7:48:25 AM
mbam-log-2009-01-22 (07-48-25).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|)
Objects scanned: 237708
Time elapsed: 3 hour(s), 37 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Now for HJT:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:51, on 1/22/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE network
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {B0EA550B-0C3B-4B56-95BE-A90F5362D6A9} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {F62D52D2-FDEE-4991-BC7D-85A3CE5F6E08} - (no file)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - (no file)
O3 - Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZKfox000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FreshDownload - {7BC71F9B-6EFE-4A17-8606-2615BEFB541C} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: Open Last Closed Tab - {e15e75e9-a653-42a3-8d05-f2f7e309bdca} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: vod.adameve.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: hrxwju.dll nwtqlx.dll drwmwc.dll
O20 - Winlogon Notify: ddcCRHBU - C:\WINDOWS\
O20 - Winlogon Notify: iiffCTlL - iiffCTlL.dll (file missing)
O20 - Winlogon Notify: rqRHaXQh - C:\WINDOWS\
O20 - Winlogon Notify: yaywtUnL - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 9432 bytes







Thnx for your help, in advance. Yall rock! :angel:

--------------------------------------

:)
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. In addition helpers would think you are already being assisted because of the post count. For that reason we may merge such posts if there is time but please do not count on it.

Mr_JAk3
2009-01-23, 16:46
Hello Madnezz and welcome to the Forums :)
Sorry for the wait.

You're infected.

You don't have an antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) on your computer, you must install one antivirus.

These are good (free) antiviruses: AVG (http://free.grisoft.com)
Antivir (http://www.free-av.com)
Avast (http://www.avast.com)

Rename HijackThis.exe to skanneri.exe by doing the following;

Navigate here using Windows Explorer (windows button + E) or My Computer Local Disk C: C:\Program Files\Trend Micro\HijackThis
Right-click on the HijackThis.exe
Choose from the pull-down menu; "Rename"
And now Rename HijackThis.exe to skanneri.exe
When you've renamed HijackThis, open HijackThis again.
Take a fresh HijackThis log (click Do a system scan and save a log file)
Post the fresh HijackThis log here.
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Madnezz
2009-01-23, 21:31
Bad things happend. :lip: I installed Antivir, it found a few files that were infected I clicked the default remedies for them, and it made a log, I then Ctrl-alt-delete and stopped all processes I thought were associated.

Then I ran combo-fix. During the scan, a window popped up saying something to the effect of, "You have removed windows system files, please insert your SP3 CD and hit ok." I didnt click onb anything seeing that combo-fix wasnt finished running. Another window pops up "You have chosen to continue on without restoring original windows files." Click on if you want to contine" Agai8n I clicked nothing.

Combo-fix starts to reboot my machine, it logs off fine, restarts and gets to Windows log-on screen, and as soon as I click Madnezz <my user acct.> it starts to log on, then imediatly saves settings and logs off. I tried to start in safe mode with command prompt but to no avail.. did same thing....

Now I cant even get in my PC slightly... What am I to do know bro?

Madnezz
2009-01-24, 00:11
Just for the record I cant figure out hoe to edit my own posts, but I believe that the system file error was from Antivir removing said trojans and not combo-fix. I cant seem to find a way to get to my C:/combo-fix.txt so I can post it? Any ideas?

Mr_JAk3
2009-01-24, 11:32
Hello :)

Okay that's not good. Some system files were infected and got removed.
Let's try to restore them...

Try if you can start your computer in "Last known good configuration" (http://support.microsoft.com/kb/307852)

Let me know how it goes :bigthumb:

Madnezz
2009-01-24, 22:24
Nope, I tried that yesterday, same thing login screen comes up with my user accounts I click on any of them and it starts to log on, then imediatly logs off. :sad:

Madnezz
2009-01-25, 01:25
I found that if I put in my winxp cd and boot from CD I can get to C:WINDOWS after choosing "repair" option. but I have no clue what to do from there.

Madnezz
2009-01-25, 09:21
crap look at this http://forums.spybot.info/blog.php?b=14&page=3#comments

Madnezz
2009-01-25, 18:04
Ok, I have tried safe mode, I have tried "Last know good config" I have tried the recovery console, c:\windows\system32\userinit.exe is missing.

I have renamed software to software.old and recopied it without any luck, then I reinstalled windows...

I STILL CAN NOT LOG IN.


One of the programs you told me to run effectively crippled my pc. not saying its your fault, but I could have at least backed up my software and run simple programs before the login issue. I will be gone most of the day and it looks like I am online alot more than you, so if you could, please put more than one possable solution <if you have more than one> seeing as I had tried the Last known good configuration before you ever replied.


<sigh> this is very frustraiting. :hair:

Mr_JAk3
2009-01-26, 17:38
Hi :)

OKay I see that you gone solo here. That's not good.

Here are instructions for a repair install -> Please follow carefully (http://www.michaelstevenstech.com/XPrepairinstall.htm)

Then
One of the programs you told me to run effectively crippled my pc.To be exact, it was one program that you ran:

From MBAM's log:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Also please notice this (http://forums.spybot.info/showpost.php?p=1092&postcount=1);

"That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your personal data before starting any clean up procedure."


Try that repair install by those instructions that I gave and let me know how it goes.

Madnezz
2009-01-28, 05:09
:slap: U are absolutely right, upon re-reading my last post I am ashamed of myself, I am so greatfull for you even trying to help me, even more so after I read the pompas reply I wrote sugesting that my problems were somehow your fault. <Even when I know I have broken the process, acording to the sticky you guys have> About posting to your own posts and
OKay I see that you gone solo here. That's not good.. :nono:

But you yourself are professional enough to still try to help me.


Mr_JAk3 you rock. U absolutely rock. If it were litteral you would be everast.

I will now go and try your sugestions. even if my machine bursts into flames now, I am in your debt my friend. :beerbeerb:

I will post the results ASAP if my actions are eventfull I will run a new HJT and post here. renaming it before hand to skanneri.exe.

Again thank you for being so cool. :cool:

Madnezz
2009-01-28, 22:11
Well I did it again. Instead of doing a repair install, I removed my hard drive and set it up as a slave on another machine and copied the userinit.exe to the correct file re-installed my hd to infected machine and shazam, I have login, I ran Antivir and then renamed HJT here are the fresh logs.


Antivir:




Avira AntiVir Personal
Report file date: 2009-01-28 07:22

Scanning for 1038808 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: ZULE

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 15:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 11/9/2008 23:57:13
ANTIVIR2.VDF : 7.1.0.89 221184 Bytes 11/16/2008 23:16:47
ANTIVIR3.VDF : 7.1.0.97 45056 Bytes 11/17/2008 23:38:59
Engineversion : 8.2.0.31
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 17:05:56
AESCRIPT.DLL : 8.1.1.15 332156 Bytes 11/11/2008 21:00:07
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 22:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 20:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 16:41:39
AEOFFICE.DLL : 8.1.0.30 196986 Bytes 11/7/2008 22:06:41
AEHEUR.DLL : 8.1.0.71 1487222 Bytes 11/7/2008 22:06:41
AEHELP.DLL : 8.1.1.3 119157 Bytes 11/7/2008 22:06:41
AEGEN.DLL : 8.1.1.0 319859 Bytes 11/7/2008 22:06:41
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 8.1.4.1 172405 Bytes 11/7/2008 22:06:41
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 19:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 2009-01-28 07:22

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'searchindexer.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'CCC.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'imapi.exe' - '1' Module(s) have been scanned
Scan process 'Quickcam.exe' - '0' Module(s) have been scanned
Scan process 'Communications_Helper.exe' - '1' Module(s) have been scanned
Scan process 'MOM.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'LVComSer.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PrfldSvc.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'NBService.exe' - '1' Module(s) have been scanned
Scan process 'LVPrcSrv.exe' - '1' Module(s) have been scanned
Scan process 'LVComSer.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
37 processes with 37 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '69' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IRCcrt1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49c35d1b.qua'!
C:\Documents and Settings\All Users\Documents\My Music\my dick mickey avalon.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was deleted!
C:\Documents and Settings\Madnezz\Desktop\arma maps\ArmA MH 1.08 v3.5.exe
[DETECTION] Is the TR/Horse.VZ Trojan
[NOTE] The file was moved to '49ed5e3b.qua'!
C:\Documents and Settings\Madnezz\Desktop\arma maps\arma_combat_operations_trainer_for_v1.08.zip
[0] Archive type: ZIP
--> ArmA MH 1.08 v3.5.exe
[DETECTION] Is the TR/Horse.VZ Trojan
[NOTE] The file was moved to '49ed5e46.qua'!
C:\Documents and Settings\Madnezz\Desktop\MoMo\PST_723andUnipatch.zip
[0] Archive type: ZIP
--> pst_uni_patch.exe
[DETECTION] Is the TR/Crypt.ASPM.Gen Trojan
[NOTE] The file was moved to '49d45ea4.qua'!
C:\Documents and Settings\Madnezz\Desktop\MoMo\pst_uni_patch.exe
[DETECTION] Is the TR/Crypt.ASPM.Gen Trojan
[NOTE] The file was moved to '49f45ec4.qua'!
C:\Documents and Settings\Madnezz\Desktop\MoMo\1000 Cell Phone Java Games Motorola\1000_Cell_Phone_Java_Games.rar
[0] Archive type: RAR
--> test33.exe
[DETECTION] Is the TR/Spy.Alexa.A Trojan
[NOTE] The file was moved to '49b05e9e.qua'!
C:\Documents and Settings\Madnezz\Desktop\MoMo\1000_Cell_Phone_Java_Games_Motorola\1000_Cell_Phone_Java_Games.rar
[0] Archive type: RAR
--> test33.exe
[DETECTION] Is the TR/Spy.Alexa.A Trojan
[NOTE] The file was moved to '49b05ef8.qua'!
C:\Documents and Settings\Madnezz\Desktop\New Desktop cleanup\ComboFix.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/VB.YV back-door program
[NOTE] The file was moved to '49ed601f.qua'!
C:\Documents and Settings\Madnezz\Desktop\New Desktop cleanup\virus fix.rar
[0] Archive type: RAR
--> ComboFix.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/VB.YV back-door program
[NOTE] The file was moved to '49f2602e.qua'!
C:\Documents and Settings\Madnezz\Desktop\SB\SVilla\3DSexVillaInstall.exe
[0] Archive type: NSIS
--> [UnknownDir]/ThriXXX010262FG.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49d36b92.qua'!
C:\Documents and Settings\Madnezz\Desktop\SB\SVilla\Launcher\fc3DSexVillaRun.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '49b36bb5.qua'!
C:\Documents and Settings\Madnezz\Desktop\SB\winamp.5.3.full\keygen.exe
[DETECTION] Is the TR/Agent.40849 Trojan
[NOTE] The file was moved to '49f96bbd.qua'!
C:\Documents and Settings\Madnezz\Desktop\torrents\SVilla.rar
[0] Archive type: RAR
--> Launcher\fc3DSexVillaRun.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
--> 3DSexVillaInstall.exe
[1] Archive type: NSIS
--> [UnknownDir]/ThriXXX010262FG.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49e96bf2.qua'!
C:\Documents and Settings\Madnezz\Desktop\torrents\winamp.5.3.full.rar
[0] Archive type: RAR
--> keygen.exe
[DETECTION] Is the TR/Agent.40849 Trojan
[NOTE] The file was moved to '49ee6c13.qua'!
C:\Documents and Settings\Madnezz\Desktop\torrents\SVilla\3DSexVillaInstall.exe
[0] Archive type: NSIS
--> [UnknownDir]/ThriXXX010262FG.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49d36c88.qua'!
C:\Documents and Settings\Madnezz\Desktop\torrents\SVilla\Launcher\fc3DSexVillaRun.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '49b36ca9.qua'!
C:\Documents and Settings\Madnezz\My Documents\Azureus Downloads\Applications & games collection for Palm OS (April 1, 2008).rar
[0] Archive type: RAR
--> Databases\SlovoEd 6.07\Keygen\sled60kg.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
--> Games\Pocket Aargon 1.0\keygen4PocketAargon105.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
--> System\Softick PPP 2.21\SoftickPPP221-en.exe
[DETECTION] Is the TR/Gendal.816509 Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26001
[WARNING] Failed!
[NOTE] Attempting to perform action using the ARK lib.
[NOTE] The file was moved to '4b34c68b.qua'!
C:\Documents and Settings\Madnezz\My Documents\Azureus Downloads\Winamp Pro 5.55 Megapack.rar
[0] Archive type: RAR
--> WinAMP Patch\Winamp5.0+keymaker_NGEN.exe
[DETECTION] Is the TR/Agent.25849 Trojan
[NOTE] The file was moved to '49ee6f67.qua'!
C:\Documents and Settings\Madnezz\My Documents\Azureus Downloads\commercial.fonts.win.2006.02.20\commercial.fonts.win.2006.02.20.rar
[0] Archive type: RAR
--> Font.Bureau.Amplitude.WinAll.Commercial.Font-TYPO\t-fb-a01.zip
[1] Archive type: ZIP
--> TYPO.r00
[2] Archive type: RAR
--> AmplitudeComp-Regular.ttf
[WARNING] No further files can be extracted from this archive. The archive will be closed
--> House.Industries.Paperback.Text.WinAll.Commercial.Font.Merry.Xmas.Happy.New.Year-TYPO\t-hi-p01.zip
[1] Archive type: ZIP
--> TYPO.r00
[2] Archive type: RAR
--> Paperback9-Bold.pfb
[WARNING] No further files can be extracted from this archive. The archive will be closed
--> House.Industries.Paperback.WinAll.Commercial.Font.Merry.Xmas.Happy.New.Year-TYPO\t-hi-pb1.zip
[1] Archive type: ZIP
--> TYPO.r00
[2] Archive type: RAR
--> Paperback6-ItalicFrac.pfb
[WARNING] No further files can be extracted from this archive. The archive will be closed
--> T26.Astro.WinAll.Commercial.Font-TYPO\t-t26-02.zip
[1] Archive type: ZIP
--> TYPO.r01
[2] Archive type: RAR
--> Astro-Bold.pfb
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Madnezz\My Documents\Azureus Downloads\commercial.fonts.win.2006.02.20\commercial.fonts.win.2006.02.20\Font.Bureau.Amplitude.WinAll.Commercial.Font-TYPO\t-fb-a01.zip
[0] Archive type: ZIP
--> TYPO.r00
[1] Archive type: RAR
--> AmplitudeComp-Regular.ttf
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Madnezz\My Documents\Azureus Downloads\commercial.fonts.win.2006.02.20\commercial.fonts.win.2006.02.20\House.Industries.Paperback.Text.WinAll.Commercial.Font.Merry.Xmas.Happy.New.Year-TYPO\t-hi-p01.zip
[0] Archive type: ZIP
--> TYPO.r00
[1] Archive type: RAR
--> Paperback9-Bold.pfb
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Madnezz\My Documents\Azureus Downloads\commercial.fonts.win.2006.02.20\commercial.fonts.win.2006.02.20\House.Industries.Paperback.WinAll.Commercial.Font.Merry.Xmas.Happy.New.Year-TYPO\t-hi-pb1.zip
[0] Archive type: ZIP
--> TYPO.r00
[1] Archive type: RAR
--> Paperback6-ItalicFrac.pfb
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Madnezz\My Documents\Azureus Downloads\commercial.fonts.win.2006.02.20\commercial.fonts.win.2006.02.20\T26.Astro.WinAll.Commercial.Font-TYPO\t-t26-02.zip
[0] Archive type: ZIP
--> TYPO.r01
[1] Archive type: RAR
--> Astro-Bold.pfb
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Motorola\PST\pst_uni_patch.exe
[DETECTION] Is the TR/Crypt.ASPM.Gen Trojan
[NOTE] The file was moved to '49f47d9b.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\fgoslqmk.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49ef7fe7.qua'!
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP1\A0002007.exe
[DETECTION] Is the TR/Horse.VZ Trojan
[NOTE] The file was moved to '49b07fb3.qua'!
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP1\A0002008.exe
[DETECTION] Is the TR/Crypt.ASPM.Gen Trojan
[NOTE] The file was moved to '4ae189c4.qua'!
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP1\A0002009.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/VB.YV back-door program
[NOTE] The file was moved to '49b07fb5.qua'!
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP1\A0002016.exe
[0] Archive type: NSIS
--> [UnknownDir]/ThriXXX010262FG.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49b07fb7.qua'!
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP1\A0002017.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4ae189c8.qua'!
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP1\A0002018.exe
[DETECTION] Is the TR/Agent.40849 Trojan
[NOTE] The file was moved to '49b07fb9.qua'!
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP1\A0002019.exe
[0] Archive type: NSIS
--> [UnknownDir]/ThriXXX010262FG.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4ae189ca.qua'!
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP1\A0002020.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '49b07fbb.qua'!
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP1\A0002021.exe
[DETECTION] Is the TR/Crypt.ASPM.Gen Trojan
[NOTE] The file was moved to '4ae189cc.qua'!


End of the scan: 2009-01-28 10:00
Used time: 2:37:56 Hour(s)

The scan has been done completely.

17658 Scanning directories
1079994 Files were scanned
32 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
1 files were deleted
0 files were repaired
29 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
1079960 Files not concerned
12378 Archives were scanned
10 Warnings
30 Notes





HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26, on 2009-01-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\skanneri.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {B0EA550B-0C3B-4B56-95BE-A90F5362D6A9} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {F62D52D2-FDEE-4991-BC7D-85A3CE5F6E08} - (no file)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - (no file)
O3 - Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF8721.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: &Search - ?p=ZKfox000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FreshDownload - {7BC71F9B-6EFE-4A17-8606-2615BEFB541C} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: Open Last Closed Tab - {e15e75e9-a653-42a3-8d05-f2f7e309bdca} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: vod.adameve.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: ddcCRHBU - C:\WINDOWS\
O20 - Winlogon Notify: iiffCTlL - iiffCTlL.dll (file missing)
O20 - Winlogon Notify: rqRHaXQh - C:\WINDOWS\
O20 - Winlogon Notify: yaywtUnL - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 9389 bytes







i hope i did good in my insolance? :cowboy:

Mr_JAk3
2009-01-29, 17:24
Hi :)


Well I did it again. Instead of doing a repair install, I removed my hard drive and set it up as a slave on another machine and copied the userinit.exe to the correct file re-installed my hd to infected machine and shazam, I have login, I ran Antivir and then renamed HJT here are the fresh logs.
Ok good to hear that.

You seem to have some p2p programs installed. As you can see in the Antivir log, this is one reason for you to be infected. We here at Spybot have a policy about those programs -> Read this (http://forums.spybot.info/showthread.php?t=282)


Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.


If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.



Please be aware that tools used during the cleanup will likely remove them anyway, if that is not acceptable to you please withdraw your request for assistance.



If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.



So we'll remove these during the cleaning process. If you're not okay with this - I can't help you.



I assume that you wan't to get cleaned.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

:bigthumb:

Madnezz
2009-02-01, 21:20
sry for the delay :clown:




ComboFix 09-01-31.01 - Madnezz 2009-01-31 13:23:56.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1500 [GMT -6:00]
Running from: c:\documents and settings\Madnezz\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Madnezz\Application Data\Google\lptspcp.dll
c:\documents and settings\Madnezz\Application Data\Google\torsi2225487.exe
c:\windows\system32\digeste.dll
c:\windows\system32\drivers\svchost.exe
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
.

2009-01-28 17:33 . 2008-10-24 05:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-28 02:47 . 2009-01-28 02:47 5,280 --a------ c:\windows\system32\PerfStringBackup.TMP
2009-01-27 22:42 . 2009-01-27 22:42 <DIR> d-------- c:\program files\Copy of Mozilla Firefox
2009-01-27 22:33 . 2008-04-13 18:12 26,112 --a------ c:\windows\system32\userinit.exe
2009-01-26 04:56 . 2009-01-26 04:56 53,317 --a------ c:\windows\Sysvxd.exe
2009-01-25 21:57 . 2009-01-25 21:57 203,776 --a------ c:\windows\system32\clrviddc.dll
2009-01-24 19:24 . 2009-01-24 19:25 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2009-01-24 19:10 . 2004-08-04 06:00 10,129,408 --a--c--- c:\windows\system32\dllcache\hwxkor.dll
2009-01-24 19:09 . 2004-08-04 06:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-01-24 19:07 . 2004-08-04 06:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2009-01-24 19:07 . 2009-01-24 19:07 749 -rah----- c:\windows\WindowsShell.Manifest
2009-01-24 19:07 . 2009-01-24 19:07 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-24 19:07 . 2009-01-24 19:07 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-01-24 19:07 . 2009-01-24 19:07 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2009-01-24 19:07 . 2009-01-24 19:07 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-01-24 19:07 . 2009-01-24 19:07 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-01-24 19:05 . 2004-08-04 06:00 44,544 --a------ c:\windows\system32\tscupgrd.exe
2009-01-24 19:05 . 2004-08-04 06:00 44,544 --a--c--- c:\windows\system32\dllcache\tscupgrd.exe
2009-01-24 00:12 . 2009-01-24 00:12 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-01-24 00:11 . 2008-06-13 07:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-01-24 00:09 . 2008-08-14 03:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-24 00:08 . 2008-08-14 04:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-24 00:08 . 2008-08-14 03:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-24 00:08 . 2008-08-14 03:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-23 11:59 . 2009-01-23 11:59 <DIR> d-------- c:\program files\Avira
2009-01-23 11:59 . 2009-01-23 11:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-23 08:12 . 2009-01-23 08:13 <DIR> d-------- C:\ERDNT
2009-01-18 21:45 . 2009-01-18 21:45 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-18 21:45 . 2009-01-18 21:45 <DIR> d-------- c:\documents and settings\Madnezz\Application Data\Malwarebytes
2009-01-18 21:45 . 2009-01-18 21:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-18 21:45 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-18 21:45 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-16 15:00 . 2009-01-16 15:00 <DIR> d-------- c:\program files\CCleaner
2009-01-13 03:39 . 2009-01-13 03:39 <DIR> d-------- c:\documents and settings\Newbie
2009-01-13 03:15 . 2009-01-13 03:15 <DIR> d--h----- c:\windows\PIF
2009-01-12 02:06 . 2009-01-12 02:06 <DIR> d-------- C:\!KillBox
2009-01-12 01:54 . 2009-01-12 02:04 <DIR> d-------- c:\program files\CleanUp!
2009-01-11 21:14 . 2009-01-11 21:14 <DIR> d-------- c:\documents and settings\Bootz\Application Data\Windows Desktop Search
2009-01-11 21:14 . 2009-01-11 21:14 <DIR> d-------- c:\documents and settings\Bootz\Application Data\HotSync
2009-01-09 07:05 . 2009-01-09 07:05 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Xfire
2009-01-08 15:51 . 2009-01-08 15:51 <DIR> d-------- c:\program files\Common Files\Logitech
2009-01-04 18:21 . 2009-01-04 18:21 <DIR> d-------- c:\documents and settings\Madnezz\Application Data\Zen of Sudoku
2009-01-03 22:11 . 2009-01-13 20:24 <DIR> d-------- c:\program files\First Strike
2008-12-31 05:16 . 2008-12-31 05:16 <DIR> d-------- c:\program files\America's Army
2008-12-29 10:45 . 2008-12-31 05:23 <DIR> d-------- c:\program files\America's Army Deploy Client
2008-12-29 10:45 . 2008-12-29 10:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\America's Army Deploy Client
2008-12-19 15:18 . 2007-11-30 07:25 1,689,088 --ah---t- c:\windows\system32\5d50b92.dll
2008-12-19 15:18 . 2007-11-30 07:25 1,689,088 --ah---t- c:\windows\system32\3a3f1139.dll
2008-12-19 15:18 . 2007-11-30 07:26 82,432 --ah---t- c:\windows\system32\e022a7.dll
2008-12-19 15:18 . 2007-11-30 07:26 82,432 --ah---t- c:\windows\system32\c3b36eb.dll
2008-12-18 04:35 . 2008-12-18 04:35 <DIR> d-------- C:\Nexon
2008-12-18 04:35 . 2008-12-18 15:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\NexonUS
2008-12-11 14:37 . 2008-12-11 14:37 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-12-11 09:35 . 2009-01-13 03:47 <DIR> d-------- c:\program files\TotalSpoof
2008-12-11 04:15 . 2008-12-11 04:14 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-09 13:18 . 2008-12-09 13:18 <DIR> dr-h----- c:\documents and settings\Madnezz\Application Data\SecuROM
2008-12-09 13:15 . 2008-12-09 13:16 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}
2008-12-09 06:04 . 2009-01-05 05:03 <DIR> d-------- c:\program files\Full Tilt Poker
2008-12-09 06:02 . 2008-12-09 06:02 16 --a------ c:\windows\popcinfot.dat
2008-12-09 05:36 . 2008-12-09 05:36 <DIR> d-------- c:\documents and settings\Madnezz\Application Data\funkitron
2008-12-06 06:24 . 2008-12-06 06:24 <DIR> d-------- c:\program files\PC-home
2008-12-06 02:24 . 2008-12-06 02:24 <DIR> d-------- c:\program files\PopCap Games
2008-12-06 02:24 . 2009-01-21 07:28 163 --a------ c:\windows\popcinfo.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-26 18:55 --------- d-----w c:\documents and settings\Madnezz\Application Data\Azureus
2009-01-26 09:14 --------- d-----w c:\documents and settings\Madnezz\Application Data\Camfrog
2009-01-26 09:14 --------- d-----w c:\documents and settings\Madnezz\Application Data\Arcsoft
2009-01-26 09:14 --------- d-----w c:\documents and settings\Madnezz\Application Data\Apple Computer
2009-01-26 09:14 --------- d-----w c:\documents and settings\Madnezz\Application Data\AdobeUM
2009-01-26 09:14 --------- d-----w c:\documents and settings\Madnezz\Application Data\ACD Systems
2009-01-26 00:40 202,304 ----a-w c:\windows\system32\PnkBstrB.exe
2009-01-26 00:40 138,208 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-26 00:39 12,400 ----a-w c:\windows\system32\drivers\secdrv.sys
2009-01-17 07:35 --------- d-----w c:\documents and settings\Madnezz\Application Data\FrostWire
2009-01-14 04:51 --------- d-----w c:\program files\Documents To Go
2009-01-12 07:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-09 15:53 --------- d-----w c:\documents and settings\Madnezz\Application Data\Xfire
2009-01-09 10:43 --------- d-----w c:\program files\Xfire
2009-01-04 05:38 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-01-04 03:58 22,584 ----a-w c:\documents and settings\Madnezz\Application Data\PnkBstrK.sys
2008-12-28 02:25 --------- d-----w c:\program files\GameSpy Arcade
2008-12-19 16:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:29 --------- d-----w c:\program files\FrostWire
2008-12-11 10:14 --------- d-----w c:\program files\Java
2008-12-09 18:29 --------- d-----w c:\program files\Electronic Arts
2008-12-09 18:23 8,218 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-12-09 12:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 02:57 --------- d-----w c:\program files\Download Manager
2008-12-02 02:57 --------- d-----w c:\documents and settings\Madnezz\Application Data\IGN_DLM
2008-12-01 09:27 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-12-01 03:40 --------- d-----w c:\documents and settings\NetworkService\Application Data\Xfire
2008-12-01 00:03 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-11-30 20:38 --------- d-----w c:\documents and settings\Madnezz\Application Data\teamspeak2
2008-11-25 00:53 724,992 ----a-w c:\windows\iun6002.exe
2008-10-28 23:41 14,303,392 ----a-w c:\windows\system32\xlive.dll
2008-10-28 23:41 13,643,936 ----a-w c:\windows\system32\xlivefnt.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-02-01 08:39 113,664 ----a-w c:\windows\inf\hdaudio.sys
2008-03-25 21:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008032520080326\index.dat
.

------- Sigcheck -------

2008-04-13 18:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
2008-04-13 18:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\userinit.exe
2004-08-04 06:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( snapshot_2009-01-28_22.47.46.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-18 14:32:13 450,560 ----a-w c:\windows\$hf_mig$\KB944338-v2\SP2QFE\jscript.dll
+ 2007-12-18 14:32:13 417,792 ----a-w c:\windows\$hf_mig$\KB944338-v2\SP2QFE\vbscript.dll
+ 2007-03-06 01:22:36 14,048 ----a-w c:\windows\$hf_mig$\KB944338-v2\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w c:\windows\$hf_mig$\KB944338-v2\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w c:\windows\$hf_mig$\KB944338-v2\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w c:\windows\$hf_mig$\KB944338-v2\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w c:\windows\$hf_mig$\KB944338-v2\update\updspapi.dll
+ 2008-05-08 12:14:51 203,008 ----a-w c:\windows\$hf_mig$\KB950762\SP2QFE\rmcast.sys
+ 2008-05-08 14:02:52 203,136 ----a-w c:\windows\$hf_mig$\KB950762\SP3GDR\rmcast.sys
+ 2008-07-07 20:06:43 253,952 ----a-w c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
+ 2008-07-07 20:26:58 253,952 ----a-w c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
+ 2008-04-11 18:39:39 683,520 ----a-w c:\windows\$hf_mig$\KB951066\SP2QFE\inetcomm.dll
+ 2008-04-11 19:04:26 691,712 ----a-w c:\windows\$hf_mig$\KB951066\SP3GDR\inetcomm.dll
+ 2008-06-13 09:52:16 272,128 ----a-w c:\windows\$hf_mig$\KB951376-v2\SP2QFE\bthport.sys
+ 2008-06-13 11:05:51 272,128 ----a-w c:\windows\$hf_mig$\KB951376-v2\SP3GDR\bthport.sys
+ 2008-05-07 04:55:40 1,288,192 ----a-w c:\windows\$hf_mig$\KB951698\SP2QFE\quartz.dll
+ 2008-05-07 05:12:40 1,288,192 ----a-w c:\windows\$hf_mig$\KB951698\SP3GDR\quartz.dll
+ 2006-08-16 12:08:32 100,352 ----a-w c:\windows\$hf_mig$\KB951748\SP2QFE\6to4svc.dll
+ 2008-06-20 10:44:08 138,368 ----a-w c:\windows\$hf_mig$\KB951748\SP2QFE\afd.sys
+ 2008-06-20 17:36:11 147,968 ----a-w c:\windows\$hf_mig$\KB951748\SP2QFE\dnsapi.dll
+ 2008-06-20 17:36:11 245,248 ----a-w c:\windows\$hf_mig$\KB951748\SP2QFE\mswsock.dll
+ 2008-06-20 10:44:42 360,960 ----a-w c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
+ 2008-06-20 09:32:39 225,920 ----a-w c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip6.sys
+ 2008-06-20 11:40:08 138,496 ----a-w c:\windows\$hf_mig$\KB951748\SP3GDR\afd.sys
+ 2008-06-20 17:46:57 147,968 ----a-w c:\windows\$hf_mig$\KB951748\SP3GDR\dnsapi.dll
+ 2008-06-20 17:46:57 245,248 ----a-w c:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll
+ 2008-06-20 11:51:12 361,600 ----a-w c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
+ 2008-06-20 11:08:27 225,856 ----a-w c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip6.sys
+ 2008-05-01 15:04:00 331,776 ----a-w c:\windows\$hf_mig$\KB952287\SP2QFE\msadce.dll
+ 2008-05-01 14:33:02 331,776 ----a-w c:\windows\$hf_mig$\KB952287\SP3GDR\msadce.dll
+ 2008-06-24 16:28:00 74,240 ----a-w c:\windows\$hf_mig$\KB952954\SP2QFE\mscms.dll
+ 2008-06-24 16:43:16 74,240 ----a-w c:\windows\$hf_mig$\KB952954\SP3GDR\mscms.dll
+ 2008-09-15 12:17:07 1,846,912 ----a-w c:\windows\$hf_mig$\KB954211\SP2QFE\win32k.sys
+ 2008-09-15 12:12:56 1,846,400 ----a-w c:\windows\$hf_mig$\KB954211\SP3GDR\win32k.sys
+ 2008-10-03 09:57:49 247,326 ----a-w c:\windows\$hf_mig$\KB954600\SP2QFE\strmdll.dll
+ 2008-10-03 10:02:42 247,326 ----a-w c:\windows\$hf_mig$\KB954600\SP3GDR\strmdll.dll
+ 2008-09-04 16:32:52 1,106,944 ----a-w c:\windows\$hf_mig$\KB955069\SP2QFE\msxml3.dll
+ 2008-09-04 17:15:04 1,106,944 ----a-w c:\windows\$hf_mig$\KB955069\SP3GDR\msxml3.dll
+ 2008-10-22 09:47:25 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP2QFE\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3GDR\tzchange.exe
+ 2008-10-23 12:51:04 284,160 ----a-w c:\windows\$hf_mig$\KB956802\SP2QFE\gdi32.dll
+ 2008-10-23 12:36:14 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3GDR\gdi32.dll
+ 2008-08-14 09:48:52 138,368 ----a-w c:\windows\$hf_mig$\KB956803\SP2QFE\afd.sys
+ 2008-08-14 10:04:36 138,496 ----a-w c:\windows\$hf_mig$\KB956803\SP3GDR\afd.sys
+ 2008-08-14 09:55:01 2,142,720 ----a-w c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlmp.exe
+ 2008-08-14 09:18:44 2,062,976 ----a-w c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
+ 2008-08-14 09:18:46 2,020,864 ----a-w c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrpamp.exe
+ 2008-08-14 09:57:20 2,185,984 ----a-w c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
+ 2008-08-14 10:09:26 2,145,280 ----a-w c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlmp.exe
+ 2008-08-14 09:33:16 2,066,048 ----a-w c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
+ 2008-08-14 09:33:16 2,023,936 ----a-w c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrpamp.exe
+ 2008-08-14 10:11:02 2,189,184 ----a-w c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
+ 2008-10-24 11:25:29 455,936 ----a-w c:\windows\$hf_mig$\KB957097\SP2QFE\mrxsmb.sys
+ 2008-10-24 11:21:09 455,296 ----a-w c:\windows\$hf_mig$\KB957097\SP3GDR\mrxsmb.sys
+ 2008-10-15 16:53:28 339,456 ----a-w c:\windows\$hf_mig$\KB958644\SP2QFE\netapi32.dll
+ 2008-10-15 16:34:24 337,408 ----a-w c:\windows\$hf_mig$\KB958644\SP3GDR\netapi32.dll
+ 2008-06-13 13:10:50 272,128 ------w c:\windows\Driver Cache\i386\bthport.sys
+ 2008-10-24 11:10:42 453,632 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-08-14 09:58:27 2,136,064 ------w c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-08-14 09:22:13 2,057,728 ------w c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-08-14 09:22:14 2,015,744 ------w c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-08-14 10:00:45 2,180,352 ------w c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2004-08-04 12:00:00 208,896 ----a-w c:\windows\inf\unregmp2.exe
+ 2007-06-27 04:10:26 317,440 ----a-w c:\windows\inf\unregmp2.exe
- 2000-08-31 14:00:00 161,792 ----a-w c:\windows\swreg.exe
+ 2000-08-31 14:00:00 286,720 ----a-w c:\windows\swreg.exe
- 2004-08-04 12:00:00 100,352 ----a-w c:\windows\system32\6to4svc.dll
+ 2006-08-16 11:58:05 100,352 ----a-w c:\windows\system32\6to4svc.dll
- 2004-08-04 12:00:00 8,192 ----a-w c:\windows\system32\asferror.dll
+ 2006-10-19 03:47:08 7,168 ----a-w c:\windows\system32\asferror.dll
- 2004-08-04 12:00:00 286,208 ----a-w c:\windows\system32\blackbox.dll
+ 2006-10-19 03:47:10 542,720 ----a-w c:\windows\system32\blackbox.dll
- 2004-08-04 12:00:00 1,016,832 ----a-w c:\windows\system32\browseui.dll
+ 2008-10-16 10:37:04 1,023,488 ----a-w c:\windows\system32\browseui.dll
- 2004-08-04 12:00:00 150,528 ----a-w c:\windows\system32\cdfview.dll
+ 2008-10-16 10:37:02 151,040 ----a-w c:\windows\system32\cdfview.dll
- 2004-08-04 12:00:00 159,232 ----a-w c:\windows\system32\cewmdm.dll
+ 2006-10-19 03:47:10 229,376 ----a-w c:\windows\system32\cewmdm.dll
- 2004-08-04 12:00:00 1,053,696 ----a-w c:\windows\system32\danim.dll
+ 2008-10-16 10:37:02 1,054,208 ----a-w c:\windows\system32\danim.dll
- 2004-08-04 12:00:00 100,352 -c--a-w c:\windows\system32\dllcache\6to4svc.dll
+ 2006-08-16 11:58:05 100,352 -c--a-w c:\windows\system32\dllcache\6to4svc.dll
- 2004-08-04 12:00:00 138,496 -c--a-w c:\windows\system32\dllcache\afd.sys
+ 2008-08-14 09:51:43 138,368 -c----w c:\windows\system32\dllcache\afd.sys
- 2004-08-04 12:00:00 8,192 -c--a-w c:\windows\system32\dllcache\asferror.dll
+ 2006-10-19 03:47:08 7,168 -c--a-w c:\windows\system32\dllcache\asferror.dll
- 2004-08-04 12:00:00 286,208 -c--a-w c:\windows\system32\dllcache\blackbox.dll
+ 2006-10-19 03:47:10 542,720 -c--a-w c:\windows\system32\dllcache\blackbox.dll
- 2004-08-04 12:00:00 1,016,832 -c--a-w c:\windows\system32\dllcache\browseui.dll
+ 2008-10-16 10:37:04 1,023,488 -c--a-w c:\windows\system32\dllcache\browseui.dll
- 2004-08-04 12:00:00 150,528 -c--a-w c:\windows\system32\dllcache\cdfview.dll
+ 2008-10-16 10:37:02 151,040 -c--a-w c:\windows\system32\dllcache\cdfview.dll
- 2004-08-04 12:00:00 159,232 -c--a-w c:\windows\system32\dllcache\cewmdm.dll
+ 2006-10-19 03:47:10 229,376 -c--a-w c:\windows\system32\dllcache\cewmdm.dll
- 2004-08-04 12:00:00 1,053,696 -c--a-w c:\windows\system32\dllcache\danim.dll
+ 2008-10-16 10:37:02 1,054,208 -c--a-w c:\windows\system32\dllcache\danim.dll
- 2004-08-04 12:00:00 148,480 -c--a-w c:\windows\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 -c--a-w c:\windows\system32\dllcache\dnsapi.dll
- 2004-08-04 12:00:00 695,296 -c--a-w c:\windows\system32\dllcache\drmv2clt.dll
+ 2006-10-19 03:47:10 991,744 -c--a-w c:\windows\system32\dllcache\drmv2clt.dll
- 2004-08-04 12:00:00 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 10:37:02 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2004-08-04 12:00:00 201,728 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 10:37:02 205,312 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2004-08-04 12:00:00 243,200 -c--a-w c:\windows\system32\dllcache\es.dll
+ 2008-07-07 20:32:22 253,952 -c--a-w c:\windows\system32\dllcache\es.dll
- 2004-08-04 12:00:00 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 10:37:02 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2004-08-04 12:00:00 278,016 -c--a-w c:\windows\system32\dllcache\gdi32.dll
+ 2008-10-23 13:01:36 283,648 -c--a-w c:\windows\system32\dllcache\gdi32.dll
- 2004-08-04 12:00:00 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
+ 2008-10-15 09:45:01 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
- 2004-08-04 12:00:00 249,344 -c--a-w c:\windows\system32\dllcache\iepeers.dll
+ 2008-10-16 10:37:02 251,392 -c--a-w c:\windows\system32\dllcache\iepeers.dll
- 2004-08-04 12:00:00 678,400 -c--a-w c:\windows\system32\dllcache\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 -c--a-w c:\windows\system32\dllcache\inetcomm.dll
- 2004-08-04 12:00:00 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
+ 2008-10-16 10:37:02 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
- 2004-08-04 12:00:00 450,560 -c--a-w c:\windows\system32\dllcache\jscript.dll
+ 2007-12-18 14:40:58 450,560 -c--a-w c:\windows\system32\dllcache\jscript.dll
- 2004-08-04 12:00:00 15,872 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 10:37:03 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2004-08-04 12:00:00 6,656 -c--a-w c:\windows\system32\dllcache\laprxy.dll
+ 2006-10-19 03:47:14 11,264 -c--a-w c:\windows\system32\dllcache\LAPRXY.dll
- 2004-08-04 12:00:00 103,936 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-18 07:09:22 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
- 2004-08-04 12:00:00 72,704 -c--a-w c:\windows\system32\dllcache\magnify.exe
+ 2006-10-04 08:48:36 72,704 -c--a-w c:\windows\system32\dllcache\magnify.exe
- 2004-08-04 12:00:00 310,272 -c--a-w c:\windows\system32\dllcache\mp43dmod.dll
+ 2006-10-19 03:47:14 4,096 -c--a-w c:\windows\system32\dllcache\MP43DMOD.dll
- 2004-08-04 12:00:00 384,512 -c--a-w c:\windows\system32\dllcache\mp4sdmod.dll
+ 2006-10-19 03:47:14 4,096 -c--a-w c:\windows\system32\dllcache\MP4SDMOD.dll
- 2004-08-04 12:00:00 240,640 -c--a-w c:\windows\system32\dllcache\mpg4dmod.dll
+ 2006-10-19 03:47:14 4,096 -c--a-w c:\windows\system32\dllcache\MPG4DMOD.dll
- 2004-08-04 12:00:00 368,640 -c--a-w c:\windows\system32\dllcache\mpvis.dll
+ 2006-10-19 03:47:14 243,712 -c--a-w c:\windows\system32\dllcache\mpvis.dll
- 2004-08-04 12:00:00 331,776 -c--a-w c:\windows\system32\dllcache\msadce.dll
+ 2008-05-01 14:30:33 331,776 -c--a-w c:\windows\system32\dllcache\msadce.dll
- 2004-08-04 12:00:00 73,728 -c--a-w c:\windows\system32\dllcache\mscms.dll
+ 2008-06-24 16:23:05 74,240 -c--a-w c:\windows\system32\dllcache\mscms.dll
- 2004-08-04 12:00:00 3,003,392 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-12 17:33:23 3,060,224 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2004-08-04 12:00:00 448,512 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 10:37:03 449,024 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2004-08-04 12:00:00 259,072 -c--a-w c:\windows\system32\dllcache\msnetobj.dll
+ 2006-10-19 03:47:16 179,712 -c--a-w c:\windows\system32\dllcache\msnetobj.dll
- 2004-08-04 12:00:00 52,224 -c--a-w c:\windows\system32\dllcache\mspmsnsv.dll
+ 2006-10-19 03:47:16 27,136 -c--a-w c:\windows\system32\dllcache\mspmsnsv.dll
- 2004-08-04 12:00:00 201,728 -c--a-w c:\windows\system32\dllcache\mspmsp.dll
+ 2006-10-19 03:47:16 175,616 -c--a-w c:\windows\system32\dllcache\mspmsp.dll
- 2004-08-04 12:00:00 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 10:37:02 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2004-08-04 12:00:00 356,352 -c--a-w c:\windows\system32\dllcache\msscp.dll
+ 2006-12-04 22:21:50 414,720 -c--a-w c:\windows\system32\dllcache\msscp.dll
- 2004-08-04 12:00:00 530,432 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 10:37:02 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2004-08-04 12:00:00 245,760 -c--a-w c:\windows\system32\dllcache\mswmdm.dll
+ 2006-10-19 03:47:16 321,536 -c--a-w c:\windows\system32\dllcache\mswmdm.dll
- 2004-08-04 12:00:00 245,248 -c--a-w c:\windows\system32\dllcache\mswsock.dll
+ 2008-06-20 17:41:10 245,248 -c--a-w c:\windows\system32\dllcache\mswsock.dll
- 2004-08-04 12:00:00 1,236,480 -c--a-w c:\windows\system32\dllcache\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 -c--a-w c:\windows\system32\dllcache\msxml3.dll
- 2004-08-04 12:00:00 53,760 -c--a-w c:\windows\system32\dllcache\narrator.exe
+ 2006-10-04 08:48:36 53,760 -c--a-w c:\windows\system32\dllcache\narrator.exe
- 2004-08-04 12:00:00 332,288 -c--a-w c:\windows\system32\dllcache\netapi32.dll
+ 2008-10-15 16:57:55 332,800 -c--a-w c:\windows\system32\dllcache\netapi32.dll
- 2004-08-04 12:00:00 215,552 -c--a-w c:\windows\system32\dllcache\osk.exe
+ 2006-10-04 08:48:37 215,552 -c--a-w c:\windows\system32\dllcache\osk.exe
- 2004-08-04 12:00:00 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 10:37:02 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2004-08-04 12:00:00 237,568 -c--a-w c:\windows\system32\dllcache\qasf.dll
+ 2006-10-19 03:47:18 211,456 -c--a-w c:\windows\system32\dllcache\qasf.dll
- 2004-08-04 12:00:00 1,287,680 -c--a-w c:\windows\system32\dllcache\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 -c--a-w c:\windows\system32\dllcache\quartz.dll
- 2004-08-04 12:00:00 200,064 -c--a-w c:\windows\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 -c--a-w c:\windows\system32\dllcache\rmcast.sys
- 2004-08-04 12:00:00 774,144 -c--a-w c:\windows\system32\dllcache\setup_wm.exe
+ 2006-11-02 00:31:38 1,669,120 -c--a-w c:\windows\system32\dllcache\setup_wm.exe
- 2004-08-04 12:00:00 1,483,264 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
+ 2008-10-16 10:37:03 1,494,528 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
- 2004-08-04 12:00:00 473,600 -c--a-w c:\windows\system32\dllcache\shlwapi.dll
+ 2008-10-16 10:37:03 474,112 -c--a-w c:\windows\system32\dllcache\shlwapi.dll
- 2004-08-04 12:00:00 336,256 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 11:57:21 333,184 -c--a-w c:\windows\system32\dllcache\srv.sys
- 2004-08-04 12:00:00 246,302 -c--a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:15:47 247,326 -c--a-w c:\windows\system32\dllcache\strmdll.dll
- 2004-08-04 12:00:00 359,040 -c--a-w c:\windows\system32\dllcache\tcpip.sys
+ 2008-06-20 10:45:13 360,320 -c--a-w c:\windows\system32\dllcache\tcpip.sys
- 2004-08-04 12:00:00 223,616 -c--a-w c:\windows\system32\dllcache\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 -c--a-w c:\windows\system32\dllcache\tcpip6.sys
- 2004-08-04 12:00:00 35,840 -c--a-w c:\windows\system32\dllcache\umandlg.dll
+ 2006-10-04 13:33:38 35,840 -c--a-w c:\windows\system32\dllcache\umandlg.dll
- 2004-08-04 12:00:00 208,896 -c--a-w c:\windows\system32\dllcache\unregmp2.exe
+ 2007-06-27 04:10:26 317,440 -c--a-w c:\windows\system32\dllcache\unregmp2.exe
- 2004-08-04 12:00:00 601,088 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 10:37:04 615,936 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2004-08-04 12:00:00 50,176 -c--a-w c:\windows\system32\dllcache\utilman.exe
+ 2006-10-04 08:48:37 50,176 -c--a-w c:\windows\system32\dllcache\utilman.exe
- 2004-08-04 12:00:00 417,792 -c--a-w c:\windows\system32\dllcache\vbscript.dll
+ 2007-12-18 14:40:58 417,792 -c--a-w c:\windows\system32\dllcache\vbscript.dll
- 2004-08-04 12:00:00 1,835,904 -c--a-w c:\windows\system32\dllcache\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 -c--a-w c:\windows\system32\dllcache\win32k.sys
- 2004-08-04 12:00:00 656,384 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 10:37:03 659,456 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2004-08-04 12:00:00 408,064 -c--a-w c:\windows\system32\dllcache\wmadmod.dll
+ 2006-10-19 03:47:18 757,248 -c--a-w c:\windows\system32\dllcache\WMADMOD.dll
- 2004-08-04 12:00:00 670,720 -c--a-w c:\windows\system32\dllcache\wmadmoe.dll
+ 2006-10-19 03:47:18 1,117,696 -c--a-w c:\windows\system32\dllcache\WMADMOE.dll
- 2004-08-04 12:00:00 230,400 -c--a-w c:\windows\system32\dllcache\wmasf.dll
+ 2007-10-27 23:40:30 222,720 -c--a-w c:\windows\system32\dllcache\wmasf.dll
- 2004-08-04 12:00:00 27,136 -c--a-w c:\windows\system32\dllcache\wmdmlog.dll
+ 2006-10-19 03:47:18 33,792 -c--a-w c:\windows\system32\dllcache\wmdmlog.dll
- 2004-08-04 12:00:00 23,552 -c--a-w c:\windows\system32\dllcache\wmdmps.dll
+ 2006-10-19 03:47:18 37,376 -c--a-w c:\windows\system32\dllcache\wmdmps.dll
- 2004-08-04 12:00:00 168,448 -c--a-w c:\windows\system32\dllcache\wmerror.dll
+ 2006-10-19 03:47:20 227,328 -c--a-w c:\windows\system32\dllcache\wmerror.dll
- 2004-08-04 12:00:00 151,552 -c--a-w c:\windows\system32\dllcache\wmidx.dll
+ 2006-10-19 03:47:20 157,184 -c--a-w c:\windows\system32\dllcache\wmidx.dll
- 2004-08-04 12:00:00 1,050,624 -c--a-w c:\windows\system32\dllcache\wmnetmgr.dll
+ 2008-06-18 11:03:08 938,496 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2004-08-04 12:00:00 4,874,240 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2007-06-12 05:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
- 2004-08-04 12:00:00 114,688 -c--a-w c:\windows\system32\dllcache\wmpasf.dll
+ 2006-10-19 03:47:20 242,688 -c--a-w c:\windows\system32\dllcache\wmpasf.dll
- 2004-08-04 12:00:00 98,304 -c--a-w c:\windows\system32\dllcache\wmpband.dll
+ 2006-10-19 03:47:20 96,256 -c--a-w c:\windows\system32\dllcache\wmpband.dll
- 2004-08-04 12:00:00 233,472 -c--a-w c:\windows\system32\dllcache\wmpdxm.dll
+ 2006-10-19 03:47:20 314,880 -c--a-w c:\windows\system32\dllcache\wmpdxm.dll
- 2004-08-04 12:00:00 73,728 -c--a-w c:\windows\system32\dllcache\wmplayer.exe
+ 2006-10-19 03:46:20 64,000 -c--a-w c:\windows\system32\dllcache\wmplayer.exe
- 2004-08-04 12:00:00 2,940,928 -c--a-w c:\windows\system32\dllcache\wmploc.dll
+ 2006-10-19 03:47:20 8,231,936 -c--a-w c:\windows\system32\dllcache\wmploc.dll
- 2004-08-04 12:00:00 102,400 -c--a-w c:\windows\system32\dllcache\wmpshell.dll
+ 2006-10-19 03:47:20 99,840 -c--a-w c:\windows\system32\dllcache\wmpshell.dll
- 2004-08-04 12:00:00 759,296 -c--a-w c:\windows\system32\dllcache\wmsdmod.dll
+ 2006-10-19 03:47:22 4,096 -c--a-w c:\windows\system32\dllcache\wmsdmod.dll
- 2004-08-04 12:00:00 1,119,744 -c--a-w c:\windows\system32\dllcache\wmsdmoe2.dll
+ 2006-10-19 03:47:22 4,096 -c--a-w c:\windows\system32\dllcache\wmsdmoe2.dll
- 2004-08-04 12:00:00 484,864 -c--a-w c:\windows\system32\dllcache\wmspdmod.dll
+ 2006-10-19 03:47:22 603,648 -c--a-w c:\windows\system32\dllcache\WMSPDMOD.dll
- 2004-08-04 12:00:00 896,512 -c--a-w c:\windows\system32\dllcache\wmspdmoe.dll
+ 2006-10-19 03:47:22 1,329,152 -c--a-w c:\windows\system32\dllcache\WMSPDMOE.dll
- 2004-08-04 12:00:00 2,105,344 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 11:03:14 2,458,112 -c--a-w c:\windows\system32\dllcache\WMVCore.dll
- 2004-08-04 12:00:00 809,984 -c--a-w c:\windows\system32\dllcache\wmvdmod.dll
+ 2006-10-19 03:47:22 4,096 -c--a-w c:\windows\system32\dllcache\wmvdmod.dll
- 2004-08-04 12:00:00 1,001,472 -c--a-w c:\windows\system32\dllcache\wmvdmoe2.dll
+ 2006-10-19 03:47:22 4,096 -c--a-w c:\windows\system32\dllcache\wmvdmoe2.dll
- 2004-08-04 12:00:00 36,864 -c--a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 20:08:58 34,328 -c--a-w c:\windows\system32\dllcache\wups.dll
- 2004-08-04 12:00:00 148,480 ----a-w c:\windows\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w c:\windows\system32\dnsapi.dll
- 2004-08-04 12:00:00 138,496 ----a-w c:\windows\system32\drivers\afd.sys
+ 2008-08-14 09:51:43 138,368 ----a-w c:\windows\system32\drivers\afd.sys
- 2004-08-04 12:00:00 274,304 ----a-w c:\windows\system32\drivers\bthport.sys
+ 2008-06-13 13:10:50 272,128 ----a-w c:\windows\system32\drivers\bthport.sys
- 2004-08-04 12:00:00 451,456 ----a-w c:\windows\system32\drivers\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
- 2004-08-04 12:00:00 200,064 ----a-w c:\windows\system32\drivers\RMCast.sys
+ 2008-05-08 12:28:49 202,752 ----a-w c:\windows\system32\drivers\rmcast.sys
- 2004-08-04 12:00:00 359,040 ----a-w c:\windows\system32\drivers\tcpip.sys
+ 2008-06-20 10:45:13 360,320 ----a-w c:\windows\system32\drivers\tcpip.sys
- 2004-08-04 12:00:00 223,616 ----a-w c:\windows\system32\drivers\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 ----a-w c:\windows\system32\drivers\tcpip6.sys
- 2004-08-04 12:00:00 695,296 ----a-w c:\windows\system32\drmv2clt.dll
+ 2006-10-19 03:47:10 991,744 ----a-w c:\windows\system32\drmv2clt.dll
- 2004-08-04 12:00:00 357,888 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 10:37:02 357,888 ----a-w c:\windows\system32\dxtmsft.dll
- 2004-08-04 12:00:00 201,728 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 10:37:02 205,312 ----a-w c:\windows\system32\dxtrans.dll
- 2004-08-04 12:00:00 243,200 ----a-w c:\windows\system32\es.dll
+ 2008-07-07 20:32:22 253,952 ----a-w c:\windows\system32\es.dll
- 2004-08-04 12:00:00 55,808 ----a-w c:\windows\system32\extmgr.dll
+ 2008-10-16 10:37:02 55,808 ----a-w c:\windows\system32\extmgr.dll
- 2009-01-25 01:20:16 1,490,584 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-24 09:10:59 1,489,848 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2004-08-04 12:00:00 249,344 ----a-w c:\windows\system32\iepeers.dll
+ 2008-10-16 10:37:02 251,392 ----a-w c:\windows\system32\iepeers.dll
- 2004-08-04 12:00:00 678,400 ----a-w c:\windows\system32\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ----a-w c:\windows\system32\inetcomm.dll
- 2004-08-04 12:00:00 96,256 ----a-w c:\windows\system32\inseng.dll
+ 2008-10-16 10:37:02 96,256 ----a-w c:\windows\system32\inseng.dll
- 2004-08-04 12:00:00 450,560 ----a-w c:\windows\system32\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w c:\windows\system32\jscript.dll
- 2004-08-04 12:00:00 15,872 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 10:37:03 16,384 ----a-w c:\windows\system32\jsproxy.dll
- 2004-08-04 12:00:00 6,656 ----a-w c:\windows\system32\laprxy.dll
+ 2006-10-19 03:47:14 11,264 ----a-w c:\windows\system32\LAPRXY.dll
- 2004-08-04 12:00:00 103,936 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-18 07:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
- 2004-08-04 12:00:00 72,704 ----a-w c:\windows\system32\magnify.exe
+ 2006-10-04 08:48:36 72,704 ----a-w c:\windows\system32\magnify.exe
- 2004-08-04 12:00:00 310,272 ----a-w c:\windows\system32\mp43dmod.dll
+ 2006-10-19 03:47:14 4,096 ----a-w c:\windows\system32\MP43DMOD.dll
- 2004-08-04 12:00:00 384,512 ----a-w c:\windows\system32\mp4sdmod.dll
+ 2006-10-19 03:47:14 4,096 ----a-w c:\windows\system32\MP4SDMOD.dll
- 2004-08-04 12:00:00 240,640 ----a-w c:\windows\system32\mpg4dmod.dll
+ 2006-10-19 03:47:14 4,096 ----a-w c:\windows\system32\MPG4DMOD.dll
- 2004-08-04 12:00:00 73,728 ----a-w c:\windows\system32\mscms.dll
+ 2008-06-24 16:23:05 74,240 ----a-w c:\windows\system32\mscms.dll
- 2004-08-04 12:00:00 3,003,392 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:33:23 3,060,224 ----a-w c:\windows\system32\mshtml.dll
- 2004-08-04 12:00:00 448,512 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 10:37:03 449,024 ----a-w c:\windows\system32\mshtmled.dll
- 2007-04-30 22:50:50 903,072 ----a-w c:\windows\system32\msidcrl40.dll
+ 2007-08-27 21:41:22 1,089,440 ----a-w c:\windows\system32\msidcrl40.dll
- 2004-08-04 12:00:00 259,072 ----a-w c:\windows\system32\msnetobj.dll
+ 2006-10-19 03:47:16 179,712 ----a-w c:\windows\system32\msnetobj.dll
- 2004-08-04 12:00:00 52,224 ----a-w c:\windows\system32\mspmsnsv.dll
+ 2006-10-19 03:47:16 27,136 ----a-w c:\windows\system32\mspmsnsv.dll
- 2004-08-04 12:00:00 201,728 ----a-w c:\windows\system32\mspmsp.dll
+ 2006-10-19 03:47:16 175,616 ----a-w c:\windows\system32\mspmsp.dll
- 2004-08-04 12:00:00 146,432 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 10:37:02 146,432 ----a-w c:\windows\system32\msrating.dll
- 2004-08-04 12:00:00 356,352 ----a-w c:\windows\system32\msscp.dll
+ 2006-12-04 22:21:50 414,720 ----a-w c:\windows\system32\msscp.dll
- 2004-08-04 12:00:00 530,432 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 10:37:02 532,480 ----a-w c:\windows\system32\mstime.dll
- 2004-08-04 12:00:00 245,760 ----a-w c:\windows\system32\mswmdm.dll
+ 2006-10-19 03:47:16 321,536 ----a-w c:\windows\system32\mswmdm.dll
- 2004-08-04 12:00:00 245,248 ----a-w c:\windows\system32\mswsock.dll
+ 2008-06-20 17:41:10 245,248 ----a-w c:\windows\system32\mswsock.dll
- 2004-08-04 12:00:00 1,236,480 ----a-w c:\windows\system32\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 ----a-w c:\windows\system32\msxml3.dll
- 2004-08-04 12:00:00 53,760 ----a-w c:\windows\system32\narrator.exe
+ 2006-10-04 08:48:36 53,760 ----a-w c:\windows\system32\narrator.exe
- 2004-08-04 12:00:00 332,288 ----a-w c:\windows\system32\netapi32.dll
+ 2008-10-15 16:57:55 332,800 ----a-w c:\windows\system32\netapi32.dll
- 2004-08-04 12:00:00 2,015,232 ----a-w c:\windows\system32\ntkrnlpa.exe
+ 2008-08-14 09:22:14 2,015,744 ----a-w c:\windows\system32\ntkrnlpa.exe
- 2004-08-04 12:00:00 2,148,352 ----a-w c:\windows\system32\ntoskrnl.exe
+ 2008-08-14 09:58:27 2,136,064 ----a-w c:\windows\system32\ntoskrnl.exe
- 2004-08-04 12:00:00 215,552 ----a-w c:\windows\system32\osk.exe
+ 2006-10-04 08:48:37 215,552 ----a-w c:\windows\system32\osk.exe
- 2004-08-04 12:00:00 39,424 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 10:37:02 39,424 ----a-w c:\windows\system32\pngfilt.dll
- 2004-08-04 12:00:00 237,568 ----a-w c:\windows\system32\qasf.dll
+ 2006-10-19 03:47:18 211,456 ----a-w c:\windows\system32\qasf.dll
- 2004-08-04 12:00:00 1,287,680 ----a-w c:\windows\system32\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 ----a-w c:\windows\system32\quartz.dll
- 2004-08-04 12:00:00 1,483,264 ----a-w c:\windows\system32\shdocvw.dll
+ 2008-10-16 10:37:03 1,494,528 ----a-w c:\windows\system32\shdocvw.dll
- 2004-08-04 12:00:00 473,600 ----a-w c:\windows\system32\shlwapi.dll
+ 2008-10-16 10:37:03 474,112 ----a-w c:\windows\system32\shlwapi.dll
- 2007-11-30 12:39:22 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2004-08-04 12:00:00 35,840 ----a-w c:\windows\system32\umandlg.dll
+ 2006-10-04 13:33:38 35,840 ----a-w c:\windows\system32\umandlg.dll
- 2004-08-04 12:00:00 601,088 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 10:37:04 615,936 ----a-w c:\windows\system32\urlmon.dll
- 2004-08-04 12:00:00 50,176 ----a-w c:\windows\system32\utilman.exe
+ 2006-10-04 08:48:37 50,176 ----a-w c:\windows\system32\utilman.exe
- 2004-08-04 12:00:00 417,792 ----a-w c:\windows\system32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w c:\windows\system32\vbscript.dll
- 2004-08-04 12:00:00 1,835,904 ----a-w c:\windows\system32\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 ----a-w c:\windows\system32\win32k.sys
- 2004-08-04 12:00:00 408,064 ----a-w c:\windows\system32\wmadmod.dll
+ 2006-10-19 03:47:18 757,248 ----a-w c:\windows\system32\wmadmod.dll
- 2004-08-04 12:00:00 670,720 ----a-w c:\windows\system32\wmadmoe.dll
+ 2006-10-19 03:47:18 1,117,696 ----a-w c:\windows\system32\WMADMOE.dll
- 2004-08-04 12:00:00 230,400 ----a-w c:\windows\system32\wmasf.dll
+ 2007-10-27 23:40:30 222,720 ----a-w c:\windows\system32\wmasf.dll
- 2004-08-04 12:00:00 27,136 ----a-w c:\windows\system32\wmdmlog.dll
+ 2006-10-19 03:47:18 33,792 ----a-w c:\windows\system32\wmdmlog.dll
- 2004-08-04 12:00:00 23,552 ----a-w c:\windows\system32\wmdmps.dll
+ 2006-10-19 03:47:18 37,376 ----a-w c:\windows\system32\wmdmps.dll
- 2004-08-04 12:00:00 168,448 ----a-w c:\windows\system32\wmerror.dll
+ 2006-10-19 03:47:20 227,328 ----a-w c:\windows\system32\wmerror.dll
- 2004-08-04 12:00:00 151,552 ----a-w c:\windows\system32\wmidx.dll
+ 2006-10-19 03:47:20 157,184 ----a-w c:\windows\system32\wmidx.dll
- 2004-08-04 12:00:00 1,050,624 ----a-w c:\windows\system32\wmnetmgr.dll
+ 2008-06-18 11:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2004-08-04 12:00:00 4,874,240 ----a-w c:\windows\system32\wmp.dll
+ 2007-06-12 05:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
- 2004-08-04 12:00:00 114,688 ----a-w c:\windows\system32\wmpasf.dll
+ 2006-10-19 03:47:20 242,688 ----a-w c:\windows\system32\wmpasf.dll
- 2004-08-04 12:00:00 233,472 ----a-w c:\windows\system32\wmpdxm.dll
+ 2006-10-19 03:47:20 314,880 ----a-w c:\windows\system32\wmpdxm.dll
- 2004-08-04 12:00:00 2,940,928 ----a-w c:\windows\system32\wmploc.dll
+ 2006-10-19 03:47:20 8,231,936 ----a-w c:\windows\system32\wmploc.dll
- 2004-08-04 12:00:00 102,400 ----a-w c:\windows\system32\wmpshell.dll
+ 2006-10-19 03:47:20 99,840 ----a-w c:\windows\system32\wmpshell.dll
- 2004-08-04 12:00:00 759,296 ----a-w c:\windows\system32\wmsdmod.dll
+ 2006-10-19 03:47:22 4,096 ----a-w c:\windows\system32\wmsdmod.dll
- 2004-08-04 12:00:00 1,119,744 ----a-w c:\windows\system32\wmsdmoe2.dll
+ 2006-10-19 03:47:22 4,096 ----a-w c:\windows\system32\wmsdmoe2.dll
- 2004-08-04 12:00:00 484,864 ----a-w c:\windows\system32\wmspdmod.dll
+ 2006-10-19 03:47:22 603,648 ----a-w c:\windows\system32\WMSPDMOD.dll
- 2004-08-04 12:00:00 896,512 ----a-w c:\windows\system32\wmspdmoe.dll
+ 2006-10-19 03:47:22 1,329,152 ----a-w c:\windows\system32\WMSPDMOE.dll
- 2004-08-04 12:00:00 2,105,344 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 11:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
- 2004-08-04 12:00:00 809,984 ----a-w c:\windows\system32\wmvdmod.dll
+ 2006-10-19 03:47:22 4,096 ----a-w c:\windows\system32\wmvdmod.dll
- 2004-08-04 12:00:00 1,001,472 ----a-w c:\windows\system32\wmvdmoe2.dll
+ 2006-10-19 03:47:22 4,096 ----a-w c:\windows\system32\wmvdmoe2.dll
- 2006-10-19 02:47:22 38,400 ----a-w c:\windows\system32\wpdshextres.dll
+ 2006-10-19 03:47:22 38,400 ----a-w c:\windows\system32\wpdshextres.dll
- 2007-11-30 05:25:36 675,328 ----a-w c:\windows\system32\xpsp3res.dll
+ 2008-10-15 14:00:41 351,744 ----a-w c:\windows\system32\xpsp3res.dll
+ 2009-01-26 09:16:16 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_188.dat
+ 2007-11-07 02:23:58 224,768 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
+ 2007-11-07 07:19:34 568,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
+ 2007-11-07 07:19:34 655,872 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-15 185872]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-01-03 1392640]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=hrxwju.dll nwtqlx.dll drwmwc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe"
"igndlm.exe"=c:\program files\Download Manager\DLM.exe /windowsstart /startifwork
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" -silent
"LogitechSetup"=c:\docume~1\Madnezz\LOCALS~1\Temp\QuickCam_11.80.1065\setup.exe /skip_all_checks /p /start /restart /l:enu

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe
"SoundMan"=SOUNDMAN.EXE
"muBlinder"=c:\documents and settings\Madnezz\Desktop\muBlinder\muBlinder.exe -startup
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Program Files\\Atari\\ArmA\\arma.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Red Storm Entertainment\\RavenShield\\system\\RavenShield.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:*:Disabled:@xpsp2res.dll,-22017

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [2008-03-26 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [2008-03-26 5248]
R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2008-03-28 120320]
R1 SSHDRV79;SSHDRV79;c:\windows\system32\drivers\SSHDRV79.sys [2008-03-31 75264]
R1 SSHDRV85;SSHDRV85;c:\windows\system32\drivers\SSHDRV85.sys [2008-03-26 78848]
R4 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [2006-04-21 70912]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 DJUSB;DMM Controller;c:\windows\system32\drivers\DM2.sys [2001-06-01 10758]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2008-10-29 7548]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2f34037-742e-11dd-b318-0016ecf09f9c}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-realtechs - c:\documents and settings\Madnezz\Application Data\Google\torsi2225487.exe


.
------- Supplementary Scan -------
.
uLocal Page = hxxp://www.google.com/
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Search - ?p=ZKfox000
IE: {{7BC71F9B-6EFE-4A17-8606-2615BEFB541C} - c:\program files\FreshDevices\FreshDownload\fd.exe
Trusted Zone: adameve.com\vod
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 13:26:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP00000070539FCD065A265ECB 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-1214440339-1177238915-1003\Software\SecuROM\License information*]
"datasecu"=hex:91,25,84,fd,cd,9f,3d,c1,3f,79,39,9d,20,2b,0c,14,e5,a5,13,cc,f3,
ec,76,14,8a,5f,11,3c,91,b5,0d,09,55,36,b0,4e,d1,4c,45,a7,af,c4,ac,85,2d,33,\
"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-31 13:28:28
ComboFix-quarantined-files.txt 2009-01-31 19:28:25
ComboFix2.txt 2009-01-29 04:49:15
ComboFix3.txt 2008-06-09 00:05:59
ComboFix4.txt 2008-06-05 07:04:32
ComboFix5.txt 2009-01-31 19:07:20

Pre-Run: 31,479,209,984 bytes free
Post-Run: 31,465,959,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

676 --- E O F --- 2009-01-25 09:53:04

Mr_JAk3
2009-02-02, 14:19
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Uninstall Azureus & FrostWire via Control Panel -> Add/Remove programs


Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

==================

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



File::
c:\windows\Sysvxd.exe
c:\windows\system32\5d50b92.dll
c:\windows\system32\3a3f1139.dll
c:\windows\system32\e022a7.dll
c:\windows\system32\c3b36eb.dll

Folder::
c:\documents and settings\Madnezz\Application Data\Azureus
c:\documents and settings\Madnezz\Application Data\FrostWire
c:\program files\FrostWire
c:\program files\Azureus

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-



Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Use the Windows search Start
Search
All files and folders
More advanced options Checkmark these options: "Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this and delete if found: hrxwju.dll
Search for this and delete if found: nwtqlx.dll
Search for this and delete if found: drwmwc.dll

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Malwarebytes' Anti-Malware

Please go to F-Secure website (http://support.f-secure.com/ols3beta/start.html) to perform an online scan. Click on Start scanning at the bottom of the page.
You may be prompted to install an ActiveX before you are able to accept the License Agreement. If prompted, please install it. After installing, the Accept button will be available.
Click on Accept to accept the License Agreement.
Click on Custom Scan. Under Virus Scan Options, select the Scan whole system option.
Under Other Scan Options, select these options: Scan all files
Scan whole system for rootkits
Scan whole system for spyware
Scan inside archives
Use advanced heuristics Click Start.
It will start installing the scanner and virus definitions. Once the installation is done, it will start scanning automatically. This takes a while. Please be patient.
Click on I want decide item by item.
Under Actions, select None for all infections found.
Click Next.
Click on Show Report.
Please copy and paste this report in your next reply.
Click Finish.

================

When you're ready, please post the following logs to here:
- F-Secure's report
- a fresh HijackThis log

tashi
2009-02-14, 01:25
This topic has been closed due to inactivity.

As it has been five days or more since your last post, and your helper posted a response to which you did not reply, this topic has been archived and will not be reopened. If you still require help and plan to follow up, please start a new topic and include a fresh HijackThis log and a link to this thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.


Previous: http://forums.spybot.info/showthread.php?p=202261