
Thread: Virtumonde

  1. #1
    Junior Member
    Join Date
    May 2008
    Posts
    13

    Virtumonde

    I have Virtumonde. I will give my HJT log, but my KAV online scanner log crashed at 45%, so I only have the log from that far.
    Here is my HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 07:46:01, on 28/05/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\V0230Mon.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\sm56hlpr.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_clipbook.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Youssef\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINDOWS\V0230Mon.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKLM\..\Run: [BM8b5fa65a] Rundll32.exe "C:\WINDOWS\system32\lenvtcxo.dll",s
    O4 - HKLM\..\Run: [886c95c6] rundll32.exe "C:\WINDOWS\system32\nmxqmyiu.dll",b
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
    O16 - DPF: Photobucket Publisher - http://pic.photobucket.com/plugins/c..._publisher.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://training.k2ms.com/WebPlayer/a...ab/awswaxd.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1206733427265
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.orderingmemory.com/controls/cpcScanner.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
    O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files...fosFinder2.CAB
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Visualware CallerIP (CallerIP) - Unknown owner - C:\Program Files\CallerIP\cip-nt.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

    --
    End of file - 12403 bytes

    My 50% KAV Online scanner log:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, May 27, 2008 10:27:19 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 27/05/2008
    Kaspersky Anti-Virus database records: 801559
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan Statistics:
    Total number of scanned objects: 124165
    Number of viruses found: 8
    Number of infected objects: 17
    Number of suspicious objects: 0
    Duration of the scan process: 01:59:37

    Infected Object Name / Virus Name / Last Action
    C:\APPS\Internet from BT\WebControl\btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.g skipped
    C:\Documents and Settings\All Users\Application Data\MailFrontier\reginfo.xml Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-04072008-133816.log Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Config\desktop2.idf Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Fonts\SwUniNew.tff Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Youssef\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
    C:\Documents and Settings\Youssef\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Youssef\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\content-prefs.sqlite Object is locked skipped
    C:\Documents and Settings\Youssef\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\cookies.sqlite Object is locked skipped
    C:\Documents and Settings\Youssef\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\downloads.sqlite Object is locked skipped
    C:\Documents and Settings\Youssef\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\formhistory.sqlite Object is locked skipped
    C:\Documents and Settings\Youssef\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\key3.db Object is locked skipped
    C:\Documents and Settings\Youssef\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Youssef\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\permissions.sqlite Object is locked skipped
    C:\Documents and Settings\Youssef\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\places.sqlite Object is locked skipped
    C:\Documents and Settings\Youssef\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\places.sqlite-journal Object is locked skipped
    C:\Documents and Settings\Youssef\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\places.sqlite-stmtjrnl Object is locked skipped
    C:\Documents and Settings\Youssef\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Youssef\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Youssef\Desktop\Webcam.and.Screen.Recorder.v4.4-Lz0.rar/Webcam.and.Screen.Recorder.v4.4-Lz0/Setup.exe/file01 Infected: not-a-virus:FraudTool.Win32.WinZix.c skipped
    C:\Documents and Settings\Youssef\Desktop\Webcam.and.Screen.Recorder.v4.4-Lz0.rar/Webcam.and.Screen.Recorder.v4.4-Lz0/Setup.exe/file02 Infected: not-a-virus:FraudTool.Win32.WinZix.a skipped
    C:\Documents and Settings\Youssef\Desktop\Webcam.and.Screen.Recorder.v4.4-Lz0.rar/Webcam.and.Screen.Recorder.v4.4-Lz0/Setup.exe Infected: not-a-virus:FraudTool.Win32.WinZix.a skipped
    C:\Documents and Settings\Youssef\Desktop\Webcam.and.Screen.Recorder.v4.4-Lz0.rar RAR: infected - 3 skipped
    C:\Documents and Settings\Youssef\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
    C:\Documents and Settings\Youssef\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal Object is locked skipped
    C:\Documents and Settings\Youssef\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
    C:\Documents and Settings\Youssef\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal Object is locked skipped
    C:\Documents and Settings\Youssef\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Youssef\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Youssef\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Youssef\Local Settings\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Youssef\Local Settings\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Youssef\Local Settings\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Youssef\Local Settings\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Youssef\Local Settings\Application Data\Mozilla\Firefox\Profiles\tbw03j1q.default\urlclassifier3.sqlite Object is locked skipped
    C:\Documents and Settings\Youssef\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Youssef\Local Settings\History\History.IE5\MSHist012008052720080528\index.dat Object is locked skipped
    C:\Documents and Settings\Youssef\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Youssef\Local Settings\Temporary Internet Files\Content.IE5\GQW48WTN\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.ttd skipped
    C:\Documents and Settings\Youssef\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Youssef\My Documents\Hackorpack.rar/Hackorpack/v53/MLE 1152.1/IlvMoney.dll Infected: Trojan-Downloader.Win32.Dadobra.aef skipped
    C:\Documents and Settings\Youssef\My Documents\Hackorpack.rar/Hackorpack/v53/MSCRC/injector.exe Infected: HackTool.Win32.Injecter.l skipped
    C:\Documents and Settings\Youssef\My Documents\Hackorpack.rar RAR: infected - 2 skipped
    C:\Documents and Settings\Youssef\My Documents\localhost.rar/localhost.exe Infected: Trojan-PSW.Win32.Mapler.af skipped
    C:\Documents and Settings\Youssef\My Documents\localhost.rar RAR: infected - 1 skipped
    C:\Documents and Settings\Youssef\My Documents\Snootae Bot 2.0\Snootae Bot 2.0\SnootaeBotFontChecker.exe Infected: Trojan.Win32.Shutdowner.fr skipped
    C:\Documents and Settings\Youssef\My Documents\Snootae Bot 2.0.rar/Snootae Bot 2.0/SnootaeBotFontChecker.exe Infected: Trojan.Win32.Shutdowner.fr skipped
    C:\Documents and Settings\Youssef\My Documents\Snootae Bot 2.0.rar RAR: infected - 1 skipped
    C:\Documents and Settings\Youssef\My Documents\Webcam.and.Screen.Recorder.v4.4-Lz0\Webcam.and.Screen.Recorder.v4.4-Lz0\Setup.exe/file01 Infected: not-a-virus:FraudTool.Win32.WinZix.c skipped
    C:\Documents and Settings\Youssef\My Documents\Webcam.and.Screen.Recorder.v4.4-Lz0\Webcam.and.Screen.Recorder.v4.4-Lz0\Setup.exe/file02 Infected: not-a-virus:FraudTool.Win32.WinZix.a skipped
    C:\Documents and Settings\Youssef\My Documents\Webcam.and.Screen.Recorder.v4.4-Lz0\Webcam.and.Screen.Recorder.v4.4-Lz0\Setup.exe Inno: infected - 2 skipped

    Scan was interrupted by user!

    Also, any help to remove a trojan from system32/rydllhtvb.dll?
    Thanks
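As an added example (editor's code, not from the poster, HijackThis or any of the scanners named in this thread), the two `O4` entries in the log above that start `lenvtcxo.dll` and `nmxqmyiu.dll` through rundll32 are the lines a helper keys on: a DLL in system32 with an all-lowercase eight-letter name, a single-letter export, and a Run value named like a hex tag (`BM8b5fa65a`, `886c95c6`). The script parses `O4` lines and flags that combination. The heuristics are assumptions of this example, not a vendor detection rule; the sample lines are copied from the HijackThis log above.

```python
"""Triage HijackThis O4 (Run-key) entries for rundll32-loaded DLLs with
random-looking names. Added example; the heuristics are assumptions of
this example, not rules from HijackThis, Kaspersky or Spybot."""
import re

# O4 line shape:  O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32[.exe] "<path>.dll",<export>   (quotes optional, case-insensitive)
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S*)',
    re.IGNORECASE)
# Assumed heuristics: an all-lowercase 8-letter DLL basename, a one-letter
# export, and a value name that is 8 hex digits (optionally prefixed "BM").
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}$")
RANDOM_VALUE_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")

# Sample input: O4 lines copied from the HijackThis log posted above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [BM8b5fa65a] Rundll32.exe "C:\WINDOWS\system32\lenvtcxo.dll",s
O4 - HKLM\..\Run: [886c95c6] rundll32.exe "C:\WINDOWS\system32\nmxqmyiu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
"""


def parse_o4(line):
    """Return {'hive', 'name', 'cmd'} for a Run-key O4 line, else None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def rundll_target(cmd):
    """Return (dll basename without .dll, export) if cmd is a rundll32 call."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return None
    base = m.group("dll").replace("/", "\\").rsplit("\\", 1)[-1][:-4]
    return base, m.group("export")


def triage_o4(text):
    """Flag O4 entries matching the random-DLL pattern. Returns a list of
    dicts with the value name, the command and the reasons it was flagged."""
    findings = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = []
        target = rundll_target(entry["cmd"])
        if target:
            base, export = target
            # Both conditions together: NvMcTray.dll is also 8 letters but
            # has a real export name, so it is not flagged.
            if RANDOM_DLL_RE.match(base) and len(export) == 1:
                reasons.append(
                    f"rundll32 loads {base}.dll with one-letter export '{export}'")
        if RANDOM_VALUE_RE.match(entry["name"]):
            reasons.append(f"value name {entry['name']!r} looks like a random hex tag")
        if reasons:
            findings.append({"name": entry["name"], "cmd": entry["cmd"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

Run against the sample it reports exactly the two entries, each for both reasons; the NVIDIA rundll32 entries and the Global Startup line pass. A flagged DLL name is only a lead: the next step is to check the file's signature and age on disk, not to act on the name alone.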

  2. #2
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620


    Hello

    Please download OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      [kill explorer]
      C:\APPS\Internet from BT\WebControl\btwebcontrol.dll
      C:\Documents and Settings\Youssef\Desktop\Webcam.and.Screen.Recorder.v4.4-Lz0.rar/Webcam.and.Screen.Recorder.v4.4-Lz0/Setup.exe
      C:\Documents and Settings\Youssef\My Documents\Hackorpack.rar/Hackorpack/v53/MLE 1152.1/IlvMoney.dll
      C:\Documents and Settings\Youssef\My Documents\localhost.rar
      C:\Documents and Settings\Youssef\My Documents\Snootae Bot 2.0\Snootae Bot 2.0\SnootaeBotFontChecker.exe
      C:\Documents and Settings\Youssef\My Documents\Webcam.and.Screen.Recorder.v4.4-Lz0\Webcam.and.Screen.Recorder.v4.4-Lz0\Setup.exe
      purity 
      [start explorer]
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




    Please download ATF Cleaner by Atribune.
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.



    Please visit this web page for instructions on downloading and running ComboFix:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    This includes installing the Windows XP Recovery Console in case you have not installed it yet.

    For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

    Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~
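A check to run on a move list of this shape before pasting it, as an added example (editor's code, not OTMoveIt2's and not part of the reply above): several entries in the list are written in the scanner's archive/member notation (a `/` after `.rar`), which names a file inside an archive rather than a file on disk, so a file mover has nothing to open at that path. The script classifies each entry and rewrites archive-member entries to their enclosing archive; that the whole archive should be moved is an assumption of this example, in line with the `localhost.rar` entry already in the list. The directive handling only recognises the `[kill explorer]`, `purity` and `[start explorer]` tokens shown above.

```python
"""Check an OTMoveIt2 move list before running it: separate directives,
real filesystem paths, and scanner-style archive/member paths, which are
not files on disk. Added example, editor's code; OTMoveIt2's own parsing
and error handling are not modelled here."""
import re

# A '/' right after an archive-like extension marks a member inside an
# archive, in the notation the Kaspersky scanner report uses above.
ARCHIVE_MEMBER_RE = re.compile(r"\.(?:rar|zip|cab|exe)/", re.IGNORECASE)

# Sample input: the move list from the reply above, copied verbatim.
SAMPLE_MOVE_LIST = r"""
[kill explorer]
C:\APPS\Internet from BT\WebControl\btwebcontrol.dll
C:\Documents and Settings\Youssef\Desktop\Webcam.and.Screen.Recorder.v4.4-Lz0.rar/Webcam.and.Screen.Recorder.v4.4-Lz0/Setup.exe
C:\Documents and Settings\Youssef\My Documents\Hackorpack.rar/Hackorpack/v53/MLE 1152.1/IlvMoney.dll
C:\Documents and Settings\Youssef\My Documents\localhost.rar
C:\Documents and Settings\Youssef\My Documents\Snootae Bot 2.0\Snootae Bot 2.0\SnootaeBotFontChecker.exe
C:\Documents and Settings\Youssef\My Documents\Webcam.and.Screen.Recorder.v4.4-Lz0\Webcam.and.Screen.Recorder.v4.4-Lz0\Setup.exe
purity
[start explorer]
"""


def is_directive(line):
    """[kill explorer], [start explorer] and 'purity', as used in the list above."""
    return (line.startswith("[") and line.endswith("]")) or line.lower() == "purity"


def classify_move_list(text):
    """Return {'directives': [...], 'files': [...],
    'archive_members': [(entry, enclosing archive), ...]}."""
    out = {"directives": [], "files": [], "archive_members": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if is_directive(line):
            out["directives"].append(line)
            continue
        m = ARCHIVE_MEMBER_RE.search(line)
        if m:
            # Keep the path up to and including the archive extension.
            out["archive_members"].append((line, line[:m.end() - 1]))
        else:
            out["files"].append(line)
    return out


def rewrite_move_list(text):
    """Produce a list a file mover can act on: archive-member entries are
    replaced by their enclosing archive (assumption of this example),
    duplicates dropped, order and directives kept."""
    lines, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not is_directive(line):
            m = ARCHIVE_MEMBER_RE.search(line)
            if m:
                line = line[:m.end() - 1]
        if line not in seen:
            seen.add(line)
            lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    report = classify_move_list(SAMPLE_MOVE_LIST)
    for entry, container in report["archive_members"]:
        print("not a file on disk:", entry, "\n  enclosing archive:", container)
    print("\nrewritten list:\n" + rewrite_move_list(SAMPLE_MOVE_LIST))
```

On the sample, two entries are archive members (the desktop `.rar` and `Hackorpack.rar`), four are plain files, and the rewritten list has nine lines with no `/` left in it. Whether the enclosing archives should go is a judgement call for the helper; the check only makes the distinction visible before the list is run.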

  3. #3
    Junior Member
    Join Date
    May 2008
    Posts
    13


    I have two problems.
    1: Kaspersky detected trojans in a lot of system restores and the Hackorpack and the SnootaeBot, so Kaspersky deleted the files.
    2: When I click Move It with your files, it says "invalid time flag![ setup.exe] must be numerical", and all I get in the OTMoveIt folder is a million files, then finally a DLL file. Any help?
    The ComboFix link isn't working,
    but I'll post a HijackThis log since Spybot found Virtumonde again.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:56:33, on 29/05/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\V0230Mon.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Youssef\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINDOWS\V0230Mon.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKLM\..\Run: [BM8b5fa65a] Rundll32.exe "C:\WINDOWS\system32\lenvtcxo.dll",s
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
    O16 - DPF: Photobucket Publisher - http://pic.photobucket.com/plugins/c..._publisher.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://training.k2ms.com/WebPlayer/a...ab/awswaxd.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1206733427265
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.orderingmemory.com/controls/cpcScanner.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
    O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files...fosFinder2.CAB
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Visualware CallerIP (CallerIP) - Unknown owner - C:\Program Files\CallerIP\cip-nt.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

    --
    End of file - 12147 bytes
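
The O4 line near the top of that log that runs an eight-letter DLL out of system32 through Rundll32 under a `BM` plus eight hex digits entry name is the one a helper picks out by eye among the vendor entries. The following is an added example, not part of the original post and not code from HijackThis: a small Python triage script that applies three plain heuristics to O4 autostart lines and flags entries that trip at least two of them. The sample lines are copied from the log above (plus one O8 line to show non-O4 lines are skipped); the scoring rules, the threshold of two and the `BM` name pattern are assumptions chosen for this illustration, so the output is a triage aid for a reviewer, not a verdict.

```python
"""Heuristic triage of HijackThis O4 (autostart) entries.

Added example for this thread; not from the original post or from HijackThis.
The scoring rules and threshold are assumptions chosen to separate the entry
this thread is about from the vendor entries around it.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: O4 lines copied from the HijackThis log posted above, plus one
# O8 line to show that non-O4 lines are ignored. A full log would be read from
# a file in the same way.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [BM8b5fa65a] Rundll32.exe "C:\WINDOWS\system32\lenvtcxo.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
"""

# "O4 - <hive>: [<value name>] <command line>" as HijackThis prints it.
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First DLL path handed to rundll32 (quoted or not, before the ",entrypoint").
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
# Assumed "random-looking" DLL name: exactly eight lowercase letters.
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")
# Value-name pattern taken from the entry in this log: BM + 8 hex digits.
BM_NAME_RE = re.compile(r"^BM[0-9a-f]{8}$")


@dataclass
class Finding:
    name: str
    hive: str
    dll: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def assess_o4_line(line: str) -> Optional[Finding]:
    """Score one HijackThis line; returns None for lines that are not O4 entries."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
    reasons: List[str] = []
    dll: Optional[str] = None

    rm = RUNDLL_RE.search(cmd)
    if rm:
        dll = rm.group("dll")
        if "\\system32\\" in dll.lower():
            reasons.append("rundll32 loads a DLL from system32")
        stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if RANDOM_STEM_RE.match(stem):
            reasons.append(f"DLL name '{stem}' looks random (8 lowercase letters)")
    if BM_NAME_RE.match(name):
        reasons.append(f"value name '{name}' is BM + 8 hex digits")

    return Finding(name=name, hive=hive, dll=dll, reasons=reasons)


def suspicious_entries(log_text: str, threshold: int = 2) -> List[Finding]:
    """Return O4 findings whose score reaches the (assumed) threshold."""
    out: List[Finding] = []
    for line in log_text.splitlines():
        f = assess_o4_line(line)
        if f is not None and f.score >= threshold:
            out.append(f)
    return out


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HJT_LINES):
        print(f"[{f.hive}] {f.name} -> {f.dll} (score {f.score})")
        for r in f.reasons:
            print(f"    - {r}")
```

The two NVIDIA entries also go through Rundll32 from system32, so a rule that only keys on rundll32 would flag them; requiring a second indicator (random-looking DLL stem or the `BM` value name) is what separates them from the entry the thread is about.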

  4. #4
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    Do this

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      [kill explorer]
      C:\APPS\Internet from BT\WebControl\btwebcontrol.dll
      C:\Documents and Settings\Youssef\Desktop\Webcam.and.Screen.Recorder.v4.4-Lz0.rare
      C:\Documents and Settings\Youssef\My Documents\Hackorpack.rar
      C:\Documents and Settings\Youssef\My Documents\localhost.rar
      C:\Documents and Settings\Youssef\My Documents\Snootae Bot 2.0\Snootae Bot 2.0\SnootaeBotFontChecker.exe
      C:\Documents and Settings\Youssef\My Documents\Webcam.and.Screen.Recorder.v4.4-Lz0\Webcam.and.Screen.Recorder.v4.4-Lz0\Setup.exe
      purity 
      [start explorer]
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  5. #5
    Junior Member
    Join Date
    May 2008
    Posts
    13

    Default

    OTMoveIt log
    [kill explorer]
    C:\APPS\Internet from BT\WebControl\btwebcontrol.dll
    C:\Documents and Settings\Youssef\Desktop\Webcam.and.Screen.Recorder.v4.4-Lz0.rare
    C:\Documents and Settings\Youssef\My Documents\Hackorpack.rar
    C:\Documents and Settings\Youssef\My Documents\localhost.rar
    C:\Documents and Settings\Youssef\My Documents\Snootae Bot 2.0\Snootae Bot 2.0\SnootaeBotFontChecker.exe
    C:\Documents and Settings\Youssef\My Documents\Webcam.and.Screen.Recorder.v4.4-Lz0\Webcam.and.Screen.Recorder.v4.4-Lz0\Setup.exe
    purity
    [start explorer]

    The BT WebControl was moved the first time on its own, so it's in the OTMoveIt folder as a DLL.

  6. #6
    Junior Member
    Join Date
    May 2008
    Posts
    13

    Default

    Explorer killed successfully
    File/Folder C:\APPS\Internet from BT\WebControl\btwebcontrol.dll not found.
    File/Folder C:\Documents and Settings\Youssef\Desktop\Webcam.and.Screen.Recorder.v4.4-Lz0.rare not found.
    C:\Documents and Settings\Youssef\My Documents\Hackorpack.rar moved successfully.
    C:\Documents and Settings\Youssef\My Documents\localhost.rar moved successfully.
    File/Folder C:\Documents and Settings\Youssef\My Documents\Snootae Bot 2.0\Snootae Bot 2.0\SnootaeBotFontChecker.exe not found.
    File/Folder C:\Documents and Settings\Youssef\My Documents\Webcam.and.Screen.Recorder.v4.4-Lz0\Webcam.and.Screen.Recorder.v4.4-Lz0\Setup.exe not found.
    < purity >
    Explorer started successfully

    OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05302008_072341

    The BT WebControl was moved the first time on its own, so it's in the OTMoveIt folder as a DLL.

  7. #7
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    OK, go and run ComboFix from my previous post.

  8. #8
    Junior Member
    Join Date
    May 2008
    Posts
    13

    Default

    Erm. ComboFix won't save a log file. It removed a load of files, but when it comes to creating the log file it says something about permission denied. Any help?
    I left it on with no programs running, so I haven't got a log file, but it removed about 10 files. I could upload my ComboFix folder so you can observe the files moved. Tell me if I should or if I shouldn't.

  9. #9
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    Is there not a text file in C:\ComboFix?

    Do this if there isn't:

    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  10. #10
    Junior Member
    Join Date
    May 2008
    Posts
    13

    Default

    Ahh, found it. Just to let you know, I'm not running Windows XP Pro; it's Windows XP Media Centre Edition.
    ComboFix log:
    ComboFix 08-05-29.1 - Youssef 2008-05-31 7:29:51.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.504 [GMT 1:00]
    Running from: C:\Documents and Settings\Youssef\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\BM8b5fa65a.xml
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\efcYrRkk.dll
    C:\WINDOWS\system32\jgyplxxn.ini
    C:\WINDOWS\system32\kkRrYcfe.ini
    C:\WINDOWS\system32\kkRrYcfe.ini2
    C:\WINDOWS\system32\kupxehtm.dll
    C:\WINDOWS\system32\lenvtcxo.dll
    C:\WINDOWS\system32\nnramfqv.ini
    C:\WINDOWS\system32\rmgvcjjt.ini
    C:\WINDOWS\system32\rovevrxa.ini
    C:\WINDOWS\system32\uiymqxmn.ini2
    C:\WINDOWS\system32\uiymqxmn.tmp
    C:\WINDOWS\system32\wfjdihet.ini
    C:\WINDOWS\system32\xfkwvwwa.exe
    .
    ---- Previous Run -------
    .
    C:\install.exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\AutoRun.inf
    C:\WINDOWS\system32\pskill.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
    .

    C:\ComboFix\CreateD00 .
    C:\ComboFix\CreateD00 .
    C:\ComboFix\CreateD00 .
    2037-03-26 12:36 . 2037-03-26 12:36 <DIR> d-------- C:\Documents and Settings\Tommy\Application Data\Nokia
    2009-03-23 00:23 . 2009-03-23 00:23 <DIR> d-------- C:\Images
    2009-03-23 00:23 . 2009-03-23 00:23 <DIR> d-------- C:\Images
    2009-03-23 00:23 . 2009-03-23 00:23 <DIR> d-------- C:\Images
    2009-03-23 00:23 . 2009-03-23 00:23 <DIR> d-------- C:\Images
    2009-03-23 00:23 . 2009-03-23 00:23 <DIR> d-------- C:\Images
    2008-05-31 07:28 . 2008-05-31 07:49 <DIR> d-------- C:\ComboFix
    2008-05-31 07:28 . 2008-05-31 07:49 <DIR> d-------- C:\ComboFix
    2008-05-31 07:28 . 2008-05-31 07:49 <DIR> d-------- C:\ComboFix
    2008-05-31 07:28 . 2008-05-31 07:49 <DIR> d-------- C:\ComboFix
    2008-05-30 21:03 . 2008-05-30 21:33 <DIR> d-------- C:\QooBox
    2008-05-30 21:03 . 2008-05-30 21:33 <DIR> d-------- C:\QooBox
    2008-05-30 21:03 . 2008-05-30 21:33 <DIR> d-------- C:\QooBox
    2008-05-30 21:03 . 2008-05-30 21:33 <DIR> d-------- C:\QooBox
    2008-05-29 21:33 . 2008-05-29 21:33 <DIR> d-------- C:\_OTMoveIt
    2008-05-29 21:33 . 2008-05-29 21:33 <DIR> d-------- C:\_OTMoveIt
    2008-05-29 21:33 . 2008-05-29 21:33 <DIR> d-------- C:\_OTMoveIt
    2008-05-29 21:33 . 2008-05-29 21:33 <DIR> d-------- C:\_OTMoveIt
    2008-05-29 21:33 . 2008-05-29 21:33 <DIR> d-------- C:\_OTMoveIt
    2008-05-27 14:19 . 2008-05-27 14:19 <DIR> d-------- C:\VundoFix Backups
    2008-05-27 14:19 . 2008-05-27 14:19 <DIR> d-------- C:\VundoFix Backups
    2008-05-27 14:19 . 2008-05-27 14:19 <DIR> d-------- C:\VundoFix Backups
    2008-05-27 14:19 . 2008-05-27 14:19 <DIR> d-------- C:\VundoFix Backups
    2008-05-27 14:19 . 2008-05-27 14:19 <DIR> d-------- C:\VundoFix Backups
    2008-05-27 14:05 . 2008-05-27 14:05 <DIR> d-------- C:\Program Files\HJT
    2008-05-27 13:15 . 2008-05-27 15:33 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-05-22 19:29 . 2008-05-22 19:29 <DIR> d-------- C:\Program Files\Swf2Avi
    2008-05-22 18:12 . 2008-03-26 13:53 <DIR> d-------- C:\Archive
    2008-05-22 18:12 . 2008-03-26 13:53 <DIR> d-------- C:\Archive
    2008-05-22 18:12 . 2008-03-26 13:53 <DIR> d-------- C:\Archive
    2008-05-22 18:12 . 2008-03-26 13:53 <DIR> d-------- C:\Archive
    2008-05-22 18:12 . 2008-03-26 13:53 <DIR> d-------- C:\Archive
    2008-05-22 18:10 . 2006-11-22 10:01 693,760 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
    2008-05-22 18:09 . 2006-11-22 10:01 327,168 --a------ C:\WINDOWS\system32\drivers\akshasp.sys
    2008-05-22 18:09 . 2006-10-16 19:35 104,576 --a------ C:\WINDOWS\system32\drivers\aksclass.sys
    2008-05-22 18:09 . 2006-11-22 10:01 100,096 --a------ C:\WINDOWS\system32\drivers\aksusb.sys
    2008-05-22 18:09 . 2008-05-22 18:09 47,616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys
    2008-05-22 05:17 . 2008-05-22 05:17 <DIR> d-------- C:\Documents and Settings\Tommy\Application Data\HPAppData
    2008-05-22 05:06 . 2008-05-30 22:18 <DIR> d-------- C:\Documents and Settings\Tommy\Application Data\Orbit
    2008-05-21 17:01 . 2008-03-27 09:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-05-14 19:06 . 2008-04-13 23:53 404,990 --------- C:\WINDOWS\system32\drivers\slntamr.sys
    2008-05-13 21:06 . 2008-05-13 21:06 <DIR> d-------- C:\Documents and Settings\Youssef\Application Data\HP
    2008-05-11 21:05 . 2008-05-28 13:54 <DIR> d-------- C:\Downloads
    2008-05-11 21:05 . 2008-05-28 13:54 <DIR> d-------- C:\Downloads
    2008-05-11 21:05 . 2008-05-28 13:54 <DIR> d-------- C:\Downloads
    2008-05-11 21:05 . 2008-05-28 13:54 <DIR> d-------- C:\Downloads
    2008-05-11 21:05 . 2008-05-28 13:54 <DIR> d-------- C:\Downloads
    2008-05-11 21:04 . 2008-05-11 21:04 <DIR> d-------- C:\Program Files\Orbitdownloader
    2008-05-11 21:04 . 2008-05-31 07:42 <DIR> d-------- C:\Documents and Settings\Youssef\Application Data\Orbit
    2008-05-11 17:25 . 2008-05-11 17:25 <DIR> d-------- C:\Documents and Settings\Youssef\Application Data\Zeon
    2008-05-11 17:25 . 2008-05-11 17:25 <DIR> d-------- C:\Documents and Settings\Youssef\Application Data\ScanSoft
    2008-05-11 17:04 . 2008-05-11 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
    2008-05-11 17:03 . 2008-05-11 17:03 <DIR> d-------- C:\Program Files\ScanSoft
    2008-05-11 16:46 . 2008-05-11 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
    2008-05-11 16:43 . 2008-05-11 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
    2008-05-11 16:42 . 2008-04-14 00:15 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2008-05-11 16:40 . 2008-05-11 21:09 <DIR> d-------- C:\Documents and Settings\Youssef\Application Data\HPAppData
    2008-05-11 16:40 . 2008-05-11 16:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
    2008-05-11 16:37 . 2008-05-11 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
    2008-05-11 16:37 . 2008-05-11 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
    2008-05-11 16:36 . 2008-05-11 16:36 <DIR> d-------- C:\Program Files\Common Files\HP
    2008-05-11 16:35 . 2008-05-11 16:35 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
    2008-05-05 11:31 . 2008-05-08 17:10 <DIR> d-------- C:\Documents and Settings\Youssef\Application Data\Ahead
    2008-05-05 11:26 . 2008-05-05 11:26 <DIR> d-------- C:\Program Files\Nero
    2008-05-05 11:26 . 2008-05-05 11:47 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-05-05 11:26 . 2008-05-05 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
    2008-05-04 06:57 . 2008-05-04 06:58 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
    2008-05-04 06:57 . 2008-05-04 06:57 <DIR> d-------- C:\Documents and Settings\Youssef\Application Data\TuneUp Software
    2008-05-04 06:57 . 2008-05-04 06:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
    2008-05-03 18:12 . 2008-05-03 18:12 <DIR> d-------- C:\Program Files\VisualTooltip
    2008-05-03 18:12 . 2008-05-03 18:12 <DIR> d-------- C:\Program Files\ViStart
    2008-05-03 18:12 . 2008-05-03 18:12 <DIR> d-------- C:\Program Files\Vista Sidebar
    2008-05-03 18:12 . 2008-05-03 18:12 <DIR> d-------- C:\Program Files\ViOrb
    2008-05-03 18:12 . 2008-05-03 18:12 <DIR> d-------- C:\Program Files\LClock
    2008-05-03 14:22 . 2008-05-03 18:12 <DIR> d-------- C:\Program Files\VisualTooltip(2)
    2008-05-03 14:22 . 2008-05-03 18:12 <DIR> d-------- C:\Program Files\ViStart(2)
    2008-05-03 14:22 . 2008-05-03 18:12 <DIR> d-------- C:\Program Files\Vista Sidebar(2)
    2008-05-03 14:22 . 2008-05-03 18:12 <DIR> d-------- C:\Program Files\ViOrb(2)
    2008-05-03 14:22 . 2008-05-03 18:12 <DIR> d-------- C:\Program Files\LClock(2)
    2008-05-03 10:11 . 2008-05-03 16:33 <DIR> d-------- C:\Diskeeper
    2008-05-03 10:11 . 2008-05-03 16:33 <DIR> d-------- C:\Diskeeper
    2008-05-03 10:11 . 2008-05-03 16:33 <DIR> d-------- C:\Diskeeper
    2008-05-03 10:11 . 2008-05-03 16:33 <DIR> d-------- C:\Diskeeper
    2008-05-03 10:11 . 2008-05-03 16:33 <DIR> d-------- C:\Diskeeper
    2008-05-03 09:11 . 2008-05-03 18:13 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
    2008-05-03 08:18 . 2008-05-03 08:18 <DIR> dr-h----- C:\MSOCache
    2008-05-03 08:18 . 2008-05-03 08:18 <DIR> dr-h----- C:\MSOCache
    2008-05-03 08:18 . 2008-05-03 08:18 <DIR> dr-h----- C:\MSOCache
    2008-05-03 08:18 . 2008-05-03 08:18 <DIR> dr-h----- C:\MSOCache
    2008-05-03 08:18 . 2008-05-03 08:18 <DIR> dr-h----- C:\MSOCache
    2008-05-03 08:04 . 2008-05-03 08:04 <DIR> d-------- C:\Program Files\Diskeeper Corporation
    2008-05-03 08:04 . 2008-05-03 08:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
    2008-05-01 20:13 . 2008-05-10 07:56 <DIR> d-------- C:\Program Files\RegCure
    2008-05-01 18:11 . 2008-05-01 18:11 <DIR> d-------- C:\Program Files\Common Files\Futuremark Shared
    2008-05-01 18:10 . 2008-05-01 18:10 <DIR> d-------- C:\Documents and Settings\Youssef\Application Data\InstallShield
    2008-04-29 19:47 . 2008-05-27 21:31 <DIR> d-------- C:\Program Files\Thoosje Sidebar V2.3
    2008-04-29 19:46 . 2008-04-29 19:46 <DIR> d-------- C:\Program Files\Thoosje
    2008-04-28 23:37 . 2008-04-28 23:37 <DIR> d-------- C:\Documents and Settings\Ghada\Application Data\MailFrontier
    2008-04-28 23:37 . 2008-04-28 23:37 <DIR> d-------- C:\Documents and Settings\Ghada\Application Data\Jasc Software Inc
    2008-04-28 23:32 . 2008-04-28 23:35 <DIR> d-------- C:\Documents and Settings\Ghada\Application Data\PC Suite
    2008-04-28 20:42 . 2008-04-28 20:42 <DIR> d-------- C:\Documents and Settings\Youssef\Application Data\Norman
    2008-04-28 20:31 . 2008-04-28 20:32 <DIR> d-------- C:\Program Files\Windows Live Toolbar
    2008-04-28 20:31 . 2008-04-28 20:31 <DIR> d-------- C:\Program Files\Windows Live Favorites
    2008-04-28 20:19 . 2008-04-29 19:02 <DIR> d-------- C:\Program Files\Windows Live
    2008-04-28 20:19 . 2008-04-28 20:28 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
    2008-04-28 20:19 . 2008-04-28 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-04-28 19:11 . 2008-05-09 22:19 <DIR> d-------- C:\Program Files\BootXP2
    2008-04-28 19:11 . 2008-05-02 19:06 420 --------- C:\BOOT.BXP
    2008-04-28 19:11 . 2008-05-02 19:06 420 --------- C:\BOOT.BXP
    2008-04-28 19:11 . 2008-05-02 19:06 420 --------- C:\BOOT.BXP
    2008-04-28 19:11 . 2008-05-02 19:06 420 --------- C:\BOOT.BXP
    2008-04-28 19:11 . 2008-05-02 19:06 420 --------- C:\BOOT.BXP
    2008-04-28 18:45 . 2008-04-28 18:45 <DIR> d-------- C:\Program Files\WinCustomize
    2008-04-28 18:45 . 2008-04-28 18:45 <DIR> d-------- C:\Program Files\Common Files\Stardock
    2008-04-28 18:01 . 2008-04-28 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
    2008-04-28 18:00 . 2008-04-28 18:01 <DIR> d-------- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
    2008-04-27 21:17 . 2008-04-27 21:17 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2008-04-27 21:15 . 2008-04-27 21:15 <DIR> d-------- C:\Program Files\Common Files\L&H
    2008-04-27 20:33 . 2008-04-27 20:33 <DIR> d-------- C:\Program Files\YouTube Downloader
    2008-04-27 20:01 . 2008-04-27 20:01 <DIR> d-------- C:\kav
    2008-04-27 20:01 . 2008-04-27 20:01 <DIR> d-------- C:\kav
    2008-04-27 20:01 . 2008-04-27 20:01 <DIR> d-------- C:\kav

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-31 06:49 15,375,392 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2008-05-31 06:46 41,248 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-05-31 06:45 9,393 ----a-w C:\WINDOWS\system32\urqOHARJ.dll
    2008-05-31 06:37 4,796 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-05-31 06:37 206,852 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2008-05-31 06:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-05-29 18:38 88,774 ----a-w C:\WINDOWS\system32\drivers\klick.dat
    2008-05-28 15:10 96,966 ----a-w C:\WINDOWS\system32\drivers\klin.dat
    2008-05-28 12:53 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
    2008-05-27 20:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-05-27 20:32 --------- d-----w C:\Program Files\Webcam and Screen Recorder
    2008-05-27 20:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-22 17:09 6,656 ----a-w C:\WINDOWS\system32\haspvdd.dll
    2008-05-11 15:40 --------- d-----w C:\Program Files\HP
    2008-05-11 15:40 --------- d-----w C:\Program Files\Hewlett-Packard
    2008-05-04 05:57 354,560 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
    2008-05-03 08:26 --------- d-----w C:\Program Files\MSBuild
    2008-05-03 08:26 --------- d-----w C:\Program Files\Microsoft Works
    2008-05-03 07:28 --------- d-----w C:\Program Files\MagicISO
    2008-05-01 05:58 2,285,568 ----a-w C:\WINDOWS\system32\LOGOOS.EXE
    2008-05-01 05:55 2,756,096 ----a-w C:\WINDOWS\system32\logonuiX.exe
    2008-04-29 17:48 --------- d-----w C:\Program Files\AOL 9.0
    2008-04-29 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-04-20 17:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-04-19 05:49 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-04-18 18:11 --------- d-----w C:\Program Files\Yahoo!
    2008-04-18 17:32 --------- d-----w C:\Program Files\RamBooster 2.0
    2008-04-17 19:51 79,272 ----a-w C:\Documents and Settings\Youssef\Application Data\GDIPFONTCACHEV1.DAT
    2008-04-14 04:55 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
    2008-04-14 04:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
    2008-04-14 04:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
    2008-04-14 04:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
    2008-04-14 04:43 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
    2008-04-14 04:43 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
    2008-04-14 04:43 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
    2008-04-14 04:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
    2008-04-14 04:43 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
    2008-04-14 04:41 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
    2008-04-14 04:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
    2008-04-14 04:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
    2008-04-14 04:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
    2008-04-14 00:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-04-13 23:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
    2008-04-13 23:54 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
    2008-04-13 23:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
    2008-04-13 23:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
    2008-04-13 23:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-04-13 23:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
    2008-04-13 23:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
    2008-04-13 23:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
    2008-04-13 23:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
    2008-04-13 23:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
    2008-04-13 23:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-04-13 23:48 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
    2008-04-13 23:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
    2008-04-13 23:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
    2008-04-13 23:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
    2008-04-13 23:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
    2008-04-13 23:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
    2008-04-13 23:45 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
    2008-04-13 23:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
    2008-04-13 23:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
    2008-04-13 23:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
    2008-04-13 23:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
    2008-04-13 23:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
    2008-04-13 23:30 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
    2008-04-13 23:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-04-13 23:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
    2008-04-13 23:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
    2008-04-13 23:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
    2008-04-13 23:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
    2008-04-13 23:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
    2008-04-13 23:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
    2008-04-13 23:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
    2008-04-13 23:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
    2008-04-13 23:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
    2008-04-13 23:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
    2008-04-13 23:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
    2008-04-13 23:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
    2008-04-13 23:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
    2008-04-13 23:26 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
    2008-04-13 23:26 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
    2008-04-13 23:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
    2008-04-13 23:26 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
    2008-04-13 23:26 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
    2008-04-13 23:25 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-04-13 23:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
    2008-04-13 23:23 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
    2008-04-13 23:23 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
    2008-04-13 23:23 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
    2008-04-13 23:21 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
    2008-04-13 23:21 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
    2008-04-13 23:21 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
    2008-04-13 23:21 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
    2008-04-13 23:21 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
    2008-04-13 23:17 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
    2008-04-13 23:15 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
    2008-04-13 23:14 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
    2008-04-13 23:14 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
    2008-04-13 23:14 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
    2008-01-17 19:34 56 --sha-r C:\WINDOWS\system32\17C7629F27.sys
    2008-01-17 19:34 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .
