
bar888, IpWins, outerinfo (HJT log inc.)



LugCNE
2006-12-23, 20:08
I'm over at a friend's house and decided to take a look at his computer, since it was running like garbage, and was concerned by the following programs in the Add/Remove Programs wizard: bar888, IpWins, and outerinfo. I looked around the forums a bit first, ran Ad-Aware SE Pro and Spybot, and now bar888 is the only one left in Add/Remove Programs. I downloaded HJT and I'll post the logfile here; I know to wait for a response before I go trying to fix anything. Any other info you need, just let me know. Thanks.

-----------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:19:14 AM, on 12/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\{082A8597-047E-1033-0710-020208060001}\Update.exe
C:\WINDOWS\YSTEM3~1\rundll.exe
C:\Documents and Settings\Owner\My Documents\a?sembly\m?hta.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\COMMON~1\qqoi\qqoim.exe
C:\PROGRA~1\COMMON~1\qqoi\qqoia.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: (no name) - {86A523E8-BD02-8BF5-2020-E65B542A36B3} - C:\WINDOWS\system32\ebldremb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{382A8~1\Bar888.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [czpeexk.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\czpeexk.dll",rzqlgze
O4 - HKLM\..\Run: [{082A8597-047E-1033-0710-020208060001}] "C:\Program Files\Common Files\{082A8597-047E-1033-0710-020208060001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aiuh] "C:\WINDOWS\YSTEM3~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [Yqliaree] C:\Documents and Settings\Owner\My Documents\a?sembly\m?hta.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [qqoi] C:\PROGRA~1\COMMON~1\qqoi\qqoim.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
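
Added example, not part of the thread and not HijackThis code: a small Python triage script that parses entry lines in the format of the log above and flags the patterns helpers check by eye (autostarts from profile directories, unprintable characters in paths, 8.3 short names directly under C:\WINDOWS, unnamed browser hooks, ownerless services with missing binaries). The heuristics and their wording are this example's own assumptions; the sample lines are copied from the log.

```python
"""HijackThis (HJT) log triage helper.

Added example, not code from the thread or from HijackThis. It parses the
"Rn - ..." / "On - ..." entry lines in the format of the log above and flags
patterns a helper checks by eye. Heuristics and wording are this example's
own assumptions; the sample lines are copied from the posted log.
"""
import re
from dataclasses import dataclass

# One HJT entry: section code (R0-R3, O1-O23), " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# A Windows path inside a body; stops at a quote or comma so rundll32
# arguments ("...dll",Export) are not glued onto the path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+')
# Directories a normal user can write to; installed software rarely
# autostarts from them.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\local settings\\",
    "\\application data\\",
    "\\temp\\",
)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entry(line):
    """Return (section, body) for an HJT entry line, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def check_entry(section, body):
    """Apply the triage heuristics to one entry; return the reasons it trips."""
    low = body.lower()
    paths = PATH_RE.findall(body)
    reasons = []
    # O4 = registry and startup-folder autostarts.
    if section == "O4" and any(d in p.lower() for p in paths for d in USER_WRITABLE):
        reasons.append("autostart target in a user-writable profile directory")
    # HJT prints characters it cannot render as '?'; "m?hta.exe" is not a
    # name an installer would choose.
    if any("?" in p for p in paths):
        reasons.append("unprintable character in a file path")
    # An 8.3 short name (NAME~1) directly under C:\WINDOWS means the real
    # directory name has odd characters, e.g. YSTEM3~1 in the log above.
    if re.search(r"\\windows\\[^\\]*~\d", low):
        reasons.append("8.3 short name directly under the Windows directory")
    # R3 search hooks, O2 BHOs and O3 toolbars normally carry a product name.
    if section in ("R3", "O2", "O3") and "(no name)" in low:
        reasons.append("unnamed browser hook, BHO or toolbar")
    # O23 services: no recorded owner plus a missing binary is a common
    # leftover of malware whose file has already been removed.
    if section == "O23" and "unknown owner" in low:
        if "(file missing)" in low:
            reasons.append("service with unknown owner whose binary is missing")
        else:
            reasons.append("service with unknown owner")
    return reasons


def triage(lines):
    """Run check_entry over every entry line and collect the findings."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        for reason in check_entry(section, body):
            findings.append(Finding(section, reason, line.strip()))
    return findings


# Sample input: entry lines copied from the HijackThis log posted above.
SAMPLE_LOG = r'''
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: (no name) - {86A523E8-BD02-8BF5-2020-E65B542A36B3} - C:\WINDOWS\system32\ebldremb.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [czpeexk.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\czpeexk.dll",rzqlgze
O4 - HKCU\..\Run: [Aiuh] "C:\WINDOWS\YSTEM3~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [Yqliaree] C:\Documents and Settings\Owner\My Documents\a?sembly\m?hta.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
'''.strip().splitlines()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
```

Run against the full log, the same heuristics would also leave legitimate Program Files entries (Yahoo!, Nero, TeaTimer) unflagged; the findings are a starting list for a helper, not a verdict.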

teacup61
2006-12-23, 20:23
Hello LugCNE,

Welcome to Safer Networking Forums :)

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea

LugCNE
2006-12-23, 20:46
Thanks for the welcome, here's the ComboFix log.
------------------------------------------

Owner - 06-12-23 12:33:36.35 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Owner\Application Data\Install.dat
C:\WINDOWS\system32\wapisvsu.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Inetget2
C:\Program Files\network monitor
C:\Program Files\Common Files\{082A8597-047E-1033-0710-020208060001}
C:\Program Files\Common Files\{382A8597-047E-1033-0710-020208060001}
C:\WINDOWS\ZGlja2FyZCBib25l

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Owner\My Documents\ASEMBL~1
C:\QooBox\Purity\Documents and Settings\Owner\My Documents\ASEMBL~1\m?hta.exe
C:\QooBox\Purity\WINDOWS\YSTEM3~1
C:\QooBox\Purity\WINDOWS\YSTEM3~1\rundll.exe
C:\QooBox\Purity\WINDOWS\YSTEM3~1\YSTEM3~1


((((((((((((((((((((((((((((((( Files Created from 2006-11-23 to 2006-12-23 ))))))))))))))))))))))))))))))))))


2006-12-23 12:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-23 12:07 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2006-12-23 11:11 <DIR> d-------- C:\Program Files\Hijackthis
2006-12-23 10:53 <DIR> d-------- C:\WINDOWS\qqoi
2006-12-23 10:53 <DIR> d-------- C:\Program Files\Common Files\qqoi
2006-12-23 10:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-23 10:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-23 10:24 88,340 --a------ C:\WINDOWS\system32\jebtsbta.exe
2006-12-23 10:24 825,996 ---hs---- C:\WINDOWS\system32\tttss.bak1
2006-12-23 10:24 44,052 --a------ C:\WINDOWS\system32\ebeiumad.dll
2006-12-23 10:24 277,044 ---hs---- C:\WINDOWS\system32\ssttt.dll
2006-12-23 10:19 72,704 --a------ C:\WINDOWS\system32\drvlim.dll
2006-12-23 10:19 56,320 --a------ C:\WINDOWS\system32\ebldremb.dll
2006-12-23 10:19 36,864 --a------ C:\WINDOWS\system32\svchosts.exe
2006-12-23 10:19 22,541 ---hs---- C:\WINDOWS\system32\ssqpnki.dll
2006-12-23 07:55 93,184 --a------ C:\WINDOWS\system32\czpeexk.dll
2006-12-23 07:55 71,680 --a------ C:\WINDOWS\system32\itbwqwf.dll
2006-12-23 07:55 3,648 --a------ C:\WINDOWS\system32\kernels1118.exe
2006-12-23 07:55 3,584 --a------ C:\WINDOWS\system32\msasvc.exe
2006-12-23 07:53 17,920 --a------ C:\WINDOWS\system32\winwil32.dll
2006-12-23 07:52 9,769 --a------ C:\ctsosaq.exe
2006-12-23 07:52 3,648 --a------ C:\tomvnwhd.exe
2006-12-23 07:52 23,552 --a------ C:\eufjxc.exe
2006-12-23 07:06 <DIR> d-------- C:\Program Files\CheckIt
2006-12-23 06:38 <DIR> d--h----- C:\WINDOWS\PIF
2006-12-23 06:20 <DIR> d--hs---- C:\Config.Msi
2006-12-23 06:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2006-12-23 05:42 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-12-23 05:42 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-12-23 05:42 <DIR> d-------- C:\Program Files\Symantec
2006-12-23 05:42 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-23 05:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2006-12-23 04:38 <DIR> d-------- C:\Program Files\Soulseek-Test212121
2006-12-23 01:32 <DIR> d-------- C:\Program Files\Common Files\Scanner
2006-12-23 01:32 <DIR> d-------- C:\Program Files\ComcastToolbar
2006-12-22 23:08 26,496 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-12-22 22:49 98,176 --a------ C:\WINDOWS\system32\drivers\NBF.SYS
2006-12-22 22:35 40,960 --a------ C:\WINDOWS\system32\parport.dll
2006-12-22 22:35 4,256 --a------ C:\WINDOWS\system32\drivers\UserPort.sys
2006-12-19 04:31 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2006-12-19 04:30 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2006-12-19 04:30 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2006-12-19 04:30 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2006-12-19 04:16 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2006-12-19 04:13 <DIR> d-------- C:\Program Files\Diablo II
2006-12-18 12:30 <DIR> d-------- C:\Program Files\Microsoft Visual Studio
2006-12-18 12:30 <DIR> d-------- C:\msdn
2006-12-18 12:27 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2006-12-18 12:27 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-12-18 12:27 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2006-12-18 12:27 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2006-12-18 12:27 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2006-12-18 12:27 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-12-18 12:27 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2006-12-18 12:27 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2006-12-18 12:26 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-12-18 12:08 <DIR> d-------- C:\Program Files\MTV Networks
2006-12-18 11:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2006-12-18 10:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2006-12-18 09:40 <DIR> d-------- C:\Program Files\QuickTime
2006-12-18 09:40 <DIR> d-------- C:\Program Files\Apple Software Update
2006-12-18 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-12-17 23:40 <DIR> d-------- C:\WINDOWS\system32\DRM
2006-12-17 23:39 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2006-12-17 23:37 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2006-12-17 23:37 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2006-12-17 23:36 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2006-12-17 23:27 <DIR> dr--s---- C:\WINDOWS\assembly
2006-12-17 23:27 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2006-12-17 23:27 <DIR> d-------- C:\WINDOWS\Microsoft.NET
2006-12-17 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2006-12-17 23:12 <DIR> dr-h----- C:\Documents and Settings\Owner\Application Data\yahoo!
2006-12-17 21:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\vlc
2006-12-17 21:23 <DIR> d-------- C:\Program Files\VideoLAN
2006-12-17 21:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DivX
2006-12-17 21:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2006-12-17 20:58 <DIR> d-------- C:\WINDOWS\WBEM
2006-12-17 20:58 <DIR> d-------- C:\WINDOWS\system32\en-US
2006-12-17 20:57 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-12-17 20:57 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-12-17 20:56 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-12-17 20:44 <DIR> d-------- C:\Program Files\uTorrent
2006-12-17 20:40 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-12-17 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-12-17 20:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2006-12-17 20:32 <DIR> d-------- C:\Program Files\Soulseek
2006-12-17 20:30 <DIR> d-------- C:\Program Files\Jasc Software Inc
2006-12-17 20:30 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2006-12-17 20:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Jasc Software Inc
2006-12-17 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2006-12-17 20:24 <DIR> d-------- C:\Program Files\Support.com
2006-12-17 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Support.com
2006-12-17 20:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2006-12-17 20:21 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2006-12-17 20:21 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2006-12-17 20:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-12-17 20:14 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-12-17 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2006-12-17 20:13 <DIR> d-------- C:\Program Files\Common Files\Adobe
2006-12-17 20:13 <DIR> d-------- C:\Program Files\Adobe
2006-12-17 20:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2006-12-17 20:09 <DIR> d-------- C:\Program Files\DivX
2006-12-17 20:07 36,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2006-12-17 20:07 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2006-12-17 20:07 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2006-12-17 20:07 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2006-12-17 20:07 115,880 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-12-17 20:07 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2006-12-17 20:06 <DIR> d-------- C:\Program Files\Winamp
2006-12-17 20:05 <DIR> d-------- C:\Program Files\PowerISO
2006-12-17 20:05 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-17 20:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-12-17 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2006-12-17 20:03 <DIR> d-------- C:\Program Files\Yahoo!
2006-12-17 20:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2006-12-17 20:01 <DIR> d-------- C:\Program Files\Mozilla Firefox
2006-12-17 20:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2006-12-17 20:00 <DIR> d-------- C:\Program Files\Nero
2006-12-17 20:00 <DIR> d-------- C:\Program Files\Common Files\Ahead
2006-12-17 19:57 <DIR> d-------- C:\Program Files\WinRAR
2006-12-17 19:50 <DIR> d--hs---- C:\RECYCLER
2006-12-17 19:49 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2006-12-17 19:49 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2006-12-17 19:49 <DIR> d-------- C:\Program Files\Viewpoint
2006-12-17 19:49 <DIR> d-------- C:\Program Files\AWS
2006-12-17 19:49 <DIR> d-------- C:\Program Files\AOD
2006-12-17 19:49 <DIR> d-------- C:\Program Files\AIM
2006-12-17 19:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Aim
2006-12-17 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2006-12-17 19:48 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-12-17 19:48 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2006-12-17 19:48 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-12-17 19:45 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-12-17 19:45 <DIR> d--hs---- C:\Documents and Settings\Owner\UserData
2006-12-17 19:45 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2006-12-17 19:44 <DIR> dr-h----- C:\Documents and Settings\Owner\SendTo
2006-12-17 19:44 <DIR> dr-h----- C:\Documents and Settings\Owner\Recent
2006-12-17 19:44 <DIR> dr-h----- C:\Documents and Settings\Owner\Application Data\.
2006-12-17 19:44 <DIR> dr-h----- C:\Documents and Settings\Owner\Application Data
2006-12-17 19:44 <DIR> dr------- C:\Documents and Settings\Owner\Start Menu
2006-12-17 19:44 <DIR> dr------- C:\Documents and Settings\Owner\My Documents
2006-12-17 19:44 <DIR> dr------- C:\Documents and Settings\Owner\Favorites
2006-12-17 19:44 <DIR> d--hs---- C:\Documents and Settings\Owner\Cookies
2006-12-17 19:44 <DIR> d--h----- C:\Program Files\Uninstall Information
2006-12-17 19:44 <DIR> d--h----- C:\Documents and Settings\Owner\Templates
2006-12-17 19:44 <DIR> d--h----- C:\Documents and Settings\Owner\PrintHood
2006-12-17 19:44 <DIR> d--h----- C:\Documents and Settings\Owner\NetHood
2006-12-17 19:44 <DIR> d--h----- C:\Documents and Settings\Owner\Local Settings
2006-12-17 19:44 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2006-12-17 19:44 <DIR> d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-12-17 19:44 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2006-12-17 19:44 <DIR> d-------- C:\WINDOWS\Prefetch
2006-12-17 19:44 <DIR> d-------- C:\Documents and Settings\Owner\Desktop
2006-12-17 19:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Identities
2006-12-17 19:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\..
2006-12-17 19:44 <DIR> d-------- C:\Documents and Settings\Owner\..
2006-12-17 19:44 <DIR> d-------- C:\Documents and Settings\Owner\.
2006-12-17 19:40 8,704 --a------ C:\WINDOWS\system32\snmptrap.exe
2006-12-17 19:40 6,144 --a------ C:\WINDOWS\system32\snmpmib.dll
2006-12-17 19:40 33,792 --a------ C:\WINDOWS\system32\lmmib2.dll
2006-12-17 19:40 33,280 --a------ C:\WINDOWS\system32\snmp.exe
2006-12-17 19:40 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2006-12-17 19:39 92,160 --a------ C:\WINDOWS\system32\evntwin.exe
2006-12-17 19:39 39,936 --a------ C:\WINDOWS\system32\hostmib.dll
2006-12-17 19:39 35,328 --a------ C:\WINDOWS\system32\iprip.dll
2006-12-17 19:39 24,064 --a------ C:\WINDOWS\system32\evntcmd.exe
2006-12-17 19:39 101,888 --a------ C:\WINDOWS\system32\evntagnt.dll
2006-12-17 19:38 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2006-12-17 19:38 0 -rahs---- C:\MSDOS.SYS
2006-12-17 19:38 0 -rahs---- C:\IO.SYS
2006-12-17 19:38 0 --a------ C:\CONFIG.SYS
2006-12-17 19:38 0 --a------ C:\AUTOEXEC.BAT
2006-12-17 19:38 <DIR> d-------- C:\WINDOWS\system32\xircom
2006-12-17 19:38 <DIR> d-------- C:\Program Files\xerox
2006-12-17 19:38 <DIR> d-------- C:\Program Files\microsoft frontpage
2006-12-17 19:37 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2006-12-17 19:36 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2006-12-17 19:36 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2006-12-17 19:36 <DIR> d--h----- C:\Program Files\WindowsUpdate
2006-12-17 19:36 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2006-12-17 19:36 <DIR> d-------- C:\WINDOWS\system32\DirectX
2006-12-17 19:35 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2006-12-17 19:35 81,920 --a------ C:\WINDOWS\system32\ils.dll
2006-12-17 19:35 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2006-12-17 19:35 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2006-12-17 19:35 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2006-12-17 19:35 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2006-12-17 19:35 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2006-12-17 19:35 679,424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-12-17 19:35 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2006-12-17 19:35 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2006-12-17 19:35 64,512 --a------ C:\WINDOWS\system32\acctres.dll
2006-12-17 19:35 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2006-12-17 19:35 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2006-12-17 19:35 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-12-17 19:35 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2006-12-17 19:35 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2006-12-17 19:35 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2006-12-17 19:35 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-12-17 19:35 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2006-12-17 19:35 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2006-12-17 19:35 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-12-17 19:35 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2006-12-17 19:35 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2006-12-17 19:35 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2006-12-17 19:35 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2006-12-17 19:35 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2006-12-17 19:35 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2006-12-17 19:35 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2006-12-17 19:35 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-12-17 19:35 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-12-17 19:35 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-12-17 19:35 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-12-17 19:35 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2006-12-17 19:35 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-12-17 19:35 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2006-12-17 19:35 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-12-17 19:35 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll
2006-12-17 19:35 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-12-17 19:35 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-12-17 19:35 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-12-17 19:35 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll
2006-12-17 19:35 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2006-12-17 19:35 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2006-12-17 19:35 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-12-17 19:35 <DIR> d---s---- C:\WINDOWS\Tasks
2006-12-17 19:35 <DIR> d-------- C:\WINDOWS\system32\Restore
2006-12-17 19:35 <DIR> d-------- C:\WINDOWS\system32\Macromed
2006-12-17 19:35 <DIR> d-------- C:\WINDOWS\srchasst
2006-12-17 19:35 <DIR> d-------- C:\Program Files\Outlook Express
2006-12-17 19:35 <DIR> d-------- C:\Program Files\NetMeeting
2006-12-17 19:35 <DIR> d-------- C:\Program Files\Movie Maker
2006-12-17 19:35 <DIR> d-------- C:\Program Files\Internet Explorer
2006-12-17 19:35 <DIR> d-------- C:\Program Files\ComPlus Applications
2006-12-17 19:35 <DIR> d-------- C:\Program Files\Common Files\System
2006-12-17 19:35 <DIR> d-------- C:\Program Files\Common Files\Services
2006-12-17 19:35 <DIR> d-------- C:\Program Files\Common Files\MSSoap
2006-12-17 19:34 5,632 --a------ C:\WINDOWS\system32\write.exe
2006-12-17 19:34 <DIR> d-------- C:\WINDOWS\Registration
2006-12-17 19:34 <DIR> d-------- C:\Program Files\Windows Media Player
2006-12-17 19:34 <DIR> d-------- C:\Program Files\Online Services
2006-12-17 19:34 <DIR> d-------- C:\Program Files\MSN Gaming Zone
2006-12-17 19:34 <DIR> d-------- C:\Program Files\Messenger
2006-12-17 19:33 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2006-12-17 19:33 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-12-17 19:33 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2006-12-17 19:33 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-12-17 19:33 9,728 --a------ C:\WINDOWS\system32\reset.exe
2006-12-17 19:33 87,176 --a------

LugCNE
2006-12-23, 20:48
Here's the other half.

C:\WINDOWS\system32\rdpwsx.dll
2006-12-17 19:33 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2006-12-17 19:33 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2006-12-17 19:33 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2006-12-17 19:33 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2006-12-17 19:33 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2006-12-17 19:33 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-12-17 19:33 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-12-17 19:33 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2006-12-17 19:33 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2006-12-17 19:33 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2006-12-17 19:33 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2006-12-17 19:33 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2006-12-17 19:33 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
2006-12-17 19:33 56,832 --a------ C:\WINDOWS\system32\sol.exe
2006-12-17 19:33 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2006-12-17 19:33 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2006-12-17 19:33 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2006-12-17 19:33 54,272 --a------ C:\WINDOWS\system32\stclient.dll
2006-12-17 19:33 538,624 --a------ C:\WINDOWS\system32\spider.exe
2006-12-17 19:33 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2006-12-17 19:33 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll
2006-12-17 19:33 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-12-17 19:33 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2006-12-17 19:33 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-12-17 19:33 407,552 --a------ C:\WINDOWS\system32\mstsc.exe
2006-12-17 19:33 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2006-12-17 19:33 4,096 --a------ C:\WINDOWS\system32\rdpcfgex.dll
2006-12-17 19:33 4,096 --a------ C:\WINDOWS\system32\mtxex.dll
2006-12-17 19:33 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2006-12-17 19:33 35,328 --a------ C:\WINDOWS\system32\winchat.exe
2006-12-17 19:33 347,136 --a------ C:\WINDOWS\system32\hypertrm.dll
2006-12-17 19:33 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2006-12-17 19:33 33,792 --a------ C:\WINDOWS\system32\regini.exe
2006-12-17 19:33 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2006-12-17 19:33 25,600 --a------ C:\WINDOWS\system32\comaddin.dll
2006-12-17 19:33 25,088 --a------ C:\WINDOWS\system32\mtxlegih.dll
2006-12-17 19:33 227,840 --a------ C:\WINDOWS\system32\avtapi.dll
2006-12-17 19:33 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2006-12-17 19:33 22,016 --a------ C:\WINDOWS\system32\qwinsta.exe
2006-12-17 19:33 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2006-12-17 19:33 20,992 --a------ C:\WINDOWS\system32\msg.exe
2006-12-17 19:33 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2006-12-17 19:33 20,480 --a------ C:\WINDOWS\system32\mtxdm.dll
2006-12-17 19:33 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2006-12-17 19:33 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2006-12-17 19:33 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2006-12-17 19:33 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2006-12-17 19:33 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2006-12-17 19:33 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-12-17 19:33 16,896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2006-12-17 19:33 16,896 --a------ C:\WINDOWS\system32\qappsrv.exe
2006-12-17 19:33 16,384 --a------ C:\WINDOWS\system32\tskill.exe
2006-12-17 19:33 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2006-12-17 19:33 15,872 --a------ C:\WINDOWS\system32\rwinsta.exe
2006-12-17 19:33 15,872 --a------ C:\WINDOWS\system32\cdmodem.dll
2006-12-17 19:33 15,360 --a------ C:\WINDOWS\system32\logoff.exe
2006-12-17 19:33 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2006-12-17 19:33 147,456 --a------ C:\WINDOWS\system32\comsnap.dll
2006-12-17 19:33 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-12-17 19:33 14,848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2006-12-17 19:33 14,848 --a------ C:\WINDOWS\system32\tscon.exe
2006-12-17 19:33 14,848 --a------ C:\WINDOWS\system32\shadow.exe
2006-12-17 19:33 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2006-12-17 19:33 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2006-12-17 19:33 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-12-17 19:33 13,824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-12-17 19:33 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2006-12-17 19:33 123,392 --a------ C:\WINDOWS\system32\mplay32.exe
2006-12-17 19:33 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2006-12-17 19:33 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2006-12-17 19:33 114,688 --a------ C:\WINDOWS\system32\calc.exe
2006-12-17 19:33 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-12-17 19:33 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2006-12-17 19:33 11,264 --a------ C:\WINDOWS\system32\icaapi.dll
2006-12-17 19:33 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-12-17 19:33 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-12-17 19:33 1,161 --a------ C:\WINDOWS\system32\usrlogon.cmd
2006-12-17 19:33 <DIR> d-------- C:\WINDOWS\system32\MsDtc
2006-12-17 19:33 <DIR> d-------- C:\WINDOWS\system32\Com
2006-12-17 19:33 <DIR> d-------- C:\Program Files\Windows NT
2006-12-17 19:33 <DIR> d-------- C:\Program Files\MSN
2006-12-17 13:30 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-12-17 13:30 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2006-12-17 13:30 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-12-17 13:30 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-12-17 13:30 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-12-17 13:30 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2006-12-17 13:30 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2006-12-17 13:30 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2006-12-17 13:30 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2006-12-17 13:30 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-12-17 13:30 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-12-17 13:30 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-12-17 13:29 870,784 --a------ C:\WINDOWS\system32\ati3d1ag.dll
2006-12-17 13:29 860,480 --a------ C:\WINDOWS\system32\ativvaxx.dll
2006-12-17 13:29 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2006-12-17 13:29 51,200 --a------ C:\WINDOWS\system32\sfman32.dll
2006-12-17 13:29 42,240 --a------ C:\WINDOWS\system32\drivers\VIAAGP.SYS
2006-12-17 13:29 36,480 --a------ C:\WINDOWS\system32\drivers\sfmanm.sys
2006-12-17 13:29 258,048 --a------ C:\WINDOWS\system32\ati2cqag.dll
2006-12-17 13:29 256,512 --a------ C:\WINDOWS\system32\ati2dvag.dll
2006-12-17 13:29 2,636,672 --a------ C:\WINDOWS\system32\ati3duag.dll
2006-12-17 13:29 162,816 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2006-12-17 13:29 1,505,792 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2006-12-17 13:28 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2006-12-17 13:28 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-12-17 13:28 6,912 --a------ C:\WINDOWS\system32\drivers\ctlfacem.sys
2006-12-17 13:28 495,616 --a------ C:\WINDOWS\system32\sblfx.dll
2006-12-17 13:28 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-12-17 13:28 4,096 --a------ C:\WINDOWS\system32\ctwdm32.dll
2006-12-17 13:28 3,712 --a------ C:\WINDOWS\system32\drivers\ctljystk.sys
2006-12-17 13:28 283,904 --a------ C:\WINDOWS\system32\drivers\emu10k1m.sys
2006-12-17 13:28 256,512 --a------ C:\WINDOWS\system32\devcon32.dll
2006-12-17 13:28 24,064 --a------ C:\WINDOWS\system32\devldr32.exe
2006-12-17 13:28 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2006-12-17 13:28 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
2006-12-17 13:27 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
2006-12-17 13:27 9,008 --a------ C:\WINDOWS\system\VER.DLL
2006-12-17 13:27 85,020 --a------ C:\WINDOWS\system32\dgsetup.dll
2006-12-17 13:27 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
2006-12-17 13:27 8,704 --a------ C:\WINDOWS\system32\batt.dll
2006-12-17 13:27 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
2006-12-17 13:27 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2006-12-17 13:27 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll
2006-12-17 13:27 69,584 --a------ C:\WINDOWS\system\AVICAP.DLL
2006-12-17 13:27 69,120 --a------ C:\WINDOWS\NOTEPAD.EXE
2006-12-17 13:27 68,768 --a------ C:\WINDOWS\system\MMSYSTEM.DLL
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdycl.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdsl1.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdsl.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdpl.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdhu.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdcz2.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdcz1.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdcr.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\KBDAL.DLL
2006-12-17 13:27 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll
2006-12-17 13:27 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll
2006-12-17 13:27 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll
2006-12-17 13:27 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll
2006-12-17 13:27 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll
2006-12-17 13:27 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll
2006-12-17 13:27 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdycc.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbduzb.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdur.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdtat.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdru1.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdru.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdro.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdpl1.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdkaz.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdhu1.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdbu.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdblr.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdaze.dll
2006-12-17 13:27 5,120 --a------ C:\WINDOWS\system\SHELL.DLL
2006-12-17 13:27 32,816 --a------ C:\WINDOWS\system\COMMDLG.DLL
2006-12-17 13:27 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-12-17 13:27 24,064 --a------ C:\WINDOWS\system\OLESVR.DLL
2006-12-17 13:27 19,200 --a------ C:\WINDOWS\system\TAPI.DLL
2006-12-17 13:27 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll
2006-12-17 13:27 15,360 --a------ C:\WINDOWS\TASKMAN.EXE
2006-12-17 13:27 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-12-17 13:27 126,912 --a------ C:\WINDOWS\system\MSVIDEO.DLL
2006-12-17 13:27 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2006-12-17 13:27 109,456 --a------ C:\WINDOWS\system\AVIFILE.DLL
2006-12-17 13:27 103,424 --a------ C:\WINDOWS\system32\EqnClass.Dll
2006-12-17 13:27 <DIR> d-a------ C:\Program Files\Common Files\..
2006-12-17 13:27 <DIR> d-a------ C:\Program Files\.
2006-12-17 13:27 <DIR> d-a------ C:\Program Files
2006-12-17 13:27 <DIR> d--hs---- C:\WINDOWS\Installer
2006-12-17 13:27 <DIR> d--hs---- C:\Program Files\..
2006-12-17 13:27 <DIR> d-------- C:\Program Files\Common Files\SpeechEngines
2006-12-17 13:27 <DIR> d-------- C:\Program Files\Common Files\ODBC
2006-12-17 13:27 <DIR> d-------- C:\Program Files\Common Files\Microsoft Shared
2006-12-17 13:27 <DIR> d-------- C:\Program Files\Common Files\.
2006-12-17 13:27 <DIR> d-------- C:\Program Files\Common Files
2006-12-17 13:26 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data\.
2006-12-17 13:26 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data
2006-12-17 13:26 <DIR> dr------- C:\Documents and Settings\All Users\Start Menu
2006-12-17 13:26 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2006-12-17 13:26 <DIR> d--hs---- C:\System Volume Information
2006-12-17 13:26 <DIR> d--h----- C:\Documents and Settings\All Users\Templates
2006-12-17 13:26 <DIR> d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2006-12-17 13:26 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2006-12-17 13:26 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2006-12-17 13:26 <DIR> d-------- C:\Documents and Settings\All Users\Favorites
2006-12-17 13:26 <DIR> d-------- C:\Documents and Settings\All Users\Desktop
2006-12-17 13:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\..
2006-12-17 13:26 <DIR> d-------- C:\Documents and Settings\All Users\..
2006-12-17 13:26 <DIR> d-------- C:\Documents and Settings\All Users\.
2006-12-17 13:26 <DIR> d-------- C:\Documents and Settings
2006-12-17 13:18 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
2006-12-17 13:18 <DIR> dr--s---- C:\WINDOWS\Fonts
2006-12-17 13:18 <DIR> dr------- C:\WINDOWS\Web
2006-12-17 13:18 <DIR> d-a------ C:\WINDOWS\system32\drivers\..
2006-12-17 13:18 <DIR> d-a------ C:\WINDOWS\system32\.
2006-12-17 13:18 <DIR> d-a------ C:\WINDOWS\system32
2006-12-17 13:18 <DIR> d--hs---- C:\WINDOWS\..
2006-12-17 13:18 <DIR> d--h----- C:\WINDOWS\inf
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\WinSxS
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\twain_32
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\Temp
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\wins
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\wbem
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\usmt
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\spool
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\ShellExt
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\Setup
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\ras
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\oobe
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\npp
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\mui
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\inetsrv
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\IME
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\icsxml
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\ias
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\export
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\drivers\etc
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\drivers\disdn
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\drivers\.
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\drivers
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\dhcp
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\config
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\3com_dmi
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\3076
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\2052
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\1054
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\1042
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\1041
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\1037
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\1033
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\1031
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\1028
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\1025
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system32\..
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system\..
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system\.
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\system
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\security
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\Resources
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\repair
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\Provisioning
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\PeerNet
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\pchealth
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\mui
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\msapps
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\msagent
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\Media
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\java
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\ime
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\Help
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\Driver Cache
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\Debug
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\Cursors
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\Connection Wizard
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\Config
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\AppPatch
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\addins
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS\.
2006-12-17 13:18 <DIR> d-------- C:\WINDOWS
2006-12-12 10:30 520,192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-12-12 10:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-12-12 10:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-12-12 10:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-12-12 10:25 806,912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-12-12 10:25 806,912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-12-12 10:25 790,528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-12-12 10:25 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-12-12 10:25 635,486 --a------ C:\WINDOWS\system32\DivX.dll
2006-12-12 10:25 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-12-12 10:25 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-12-12 10:25 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-12-12 10:25 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-12-12 10:25 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-12-12 10:25 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-12-12 10:25 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-12-12 10:24 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-12-12 10:24 118,784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-11-27 02:45 60,416 --------- C:\WINDOWS\system32\tzchange.exe

LugCNE
2006-12-23, 20:49
and here's the tail end, followed by the HJT log




(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required



(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Aiuh"="\"C:\\WINDOWS\\YSTEM3~1\\rundll.exe\" -vt yazb"
"Yqliaree"="C:\\Documents and Settings\\Owner\\My Documents\\a?sembly\\m?hta.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"qqoi"="C:\\PROGRA~1\\COMMON~1\\qqoi\\qqoim.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DeadAIM"="rundll32.exe \"C:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"tgcmd"="C:\\Program Files\\Support.com\\bin\\tgcmd.exe /server /startmonitor /deaf"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"czpeexk.dll"="C:\\WINDOWS\\system32\\rundll32.exe \"C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\czpeexk.dll\",rzqlgze"
"{082A8597-047E-1033-0710-020208060001}"="\"C:\\Program Files\\Common Files\\{082A8597-047E-1033-0710-020208060001}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDrives"=dword:00000000
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttt
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwil32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-23 12:37:53.73
C:\ComboFix.txt ... 06-12-23 12:37

-------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:44:12 PM, on 12/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\COMMON~1\qqoi\qqoim.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\COMMON~1\qqoi\qqoia.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: (no name) - {86A523E8-BD02-8BF5-2020-E65B542A36B3} - C:\WINDOWS\system32\ebldremb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{382A8~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [czpeexk.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\czpeexk.dll",rzqlgze
O4 - HKLM\..\Run: [{082A8597-047E-1033-0710-020208060001}] "C:\Program Files\Common Files\{082A8597-047E-1033-0710-020208060001}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aiuh] "C:\WINDOWS\YSTEM3~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [Yqliaree] C:\Documents and Settings\Owner\My Documents\a?sembly\m?hta.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [qqoi] C:\PROGRA~1\COMMON~1\qqoi\qqoim.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

teacup61
2006-12-23, 21:28
Hello,

Bad news.:sad: Did you see this line?
Rootkit driver pe386 is present. A rootkit scan is required
Your friend's system is compromised seriously. The only way I can promise a clean system is a complete reformat and reinstall. We can clean it, but consider what I said. Have your friend change any sensitive passwords from a clean computer immediately. Let me know what you decide to do.

Regards,
tea

LugCNE
2006-12-23, 21:53
i guess we'll try to clean it... he doesn't have a valid copy of windows to be able to reformat, and i don't anymore either.. what can we do?

LugCNE
2006-12-23, 21:56
what confuses me though.... i just ran rustock.b-fix... and here's my logfile
---------------------------------------------------------------------------

************************* Rustock.b-fix -- By ejvindh *************************
Sat 12/23/2006 13:43:30.07

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 69550
Total size: 69550 bytes.
Attempting to remove ADS...
system32: deleted 69550 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************
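
A defender's check for the hiding place the Rustock.b-fix output above reports: the driver was stored as a named alternate data stream (":lzx32.sys") attached to the C:\WINDOWS\system32 directory object itself, a location most file scanners of the time never looked at. This is an added example, not code from the fix tool or from anyone in the thread; it assumes PowerShell 3.0 or later on an NTFS volume, and the list of directories it inspects is an assumption as well.

```powershell
# Added example (not part of the thread): enumerate NTFS alternate data streams
# attached to directory objects. A directory normally carries no named streams,
# so any stream reported here deserves a closer look (as ":lzx32.sys" did above).
# Requires PowerShell 3.0+ (the -Stream parameter) on an NTFS volume.
function Get-DirectoryStreams {
    param(
        # Assumed default set of directories to inspect; adjust as needed.
        [string[]]$Path = @("$env:SystemRoot\system32", $env:SystemRoot, "$env:SystemRoot\Temp")
    )
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        # ':$DATA' is the unnamed default stream of a file; filter it out so only
        # named streams remain. Errors (e.g. non-NTFS volumes) are suppressed.
        Get-Item -LiteralPath $dir -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object @{ Name = 'Directory'; Expression = { $dir } }, Stream, Length
    }
}

# Usage: print every named stream found on the inspected directories.
Get-DirectoryStreams | Format-Table -AutoSize
```

If the command prints nothing, no named streams are attached to those directories. A stream named like a driver (".sys") hanging off a system directory is a strong rootkit indicator and, as the thread shows, removing it is only one step; the loading points that reference it (the Run keys and the winlogon notify entries in the ComboFix output) still have to be accounted for.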

teacup61
2006-12-23, 22:23
Hey,

It was there....the fix deleted the ADS file. Let's get rid of some more, since you want to fix it.:) My bet is that this will pick it up too.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click the next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this is in case we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously, along with a new HijackThis log in your next reply.


Thanks,
tea

tashi
2007-01-04, 01:23
This topic is closed due to lack of a response to the helper; if you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.