help! home page defaults to http://www.uptodateprotection.net/
cromulentone
post Oct 4 2006, 07:08 PM
Post #1


Member
Posts: 13
OS: windows xp home



Hi,

I have gone through the steps listed on the site twice and have cleared up a lot of popups and such, but I am still having my homepage on Internet Explorer going to http://www.uptodateprotection.net/. I have tried changing my homepage, but it doesn't seem to make a difference.

I have posted my HijackThis log below. Please let me know if there is any additional information that would be helpful in solving this problem.

Thanks in advance for your assistance!

Scott



Logfile of HijackThis v1.99.1
Scan saved at 6:58:22 PM, on 10/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Scott\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\nwsgaaci.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1158533964219
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Wizard
post Oct 4 2006, 07:19 PM
Post #2


Retired Staff
Posts: 5,661
OS: Windows



Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
cromulentone
post Oct 4 2006, 07:32 PM
Post #3


Member
Posts: 13
OS: windows xp home



Hi,

Thanks for the quick reply as well as your assistance!

Here is the log from SmitfraudFix:

SmitFraudFix v2.104

Scan done at 19:30:29.87, Wed 10/04/2006
Run from C:\Documents and Settings\Scott\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Scott


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Scott\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Scott\FAVORI~1

C:\DOCUME~1\Scott\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
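
The following triage helper is an added example for the two reports above (the HijackThis log in the first post and this SmitfraudFix search report); it is not code from the thread or from either tool's author. It parses both formats and lists which HijackThis entries and running processes load a file SmitfraudFix flagged. The sample log lines are constructed from a few of the posted lines, and the "(no name)" BHO review list is the example's own heuristic, not a report either tool produces.

```python
"""Cross-check a HijackThis log against a SmitfraudFix search report.

Added example, not code from HijackThis, SmitfraudFix or any poster: it lists
which HijackThis entries and running processes load a file SmitfraudFix flagged.
"""
from __future__ import annotations

import fnmatch
import ntpath
import re

# Constructed samples: a few lines copied from the logs posted in this thread.
HJT_SAMPLE = r"""Running processes:
C:\WINDOWS\system32\issearch.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\nwsgaaci.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""
SFF_SAMPLE = r"""C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")      # "O2 - BHO: ..."
DRIVE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*')         # first C:\... in a line
O4_TARGET_RE = re.compile(r'\]\s+"?([^"]+?)"?(?:\s+/\S+)*\s*$')  # [name] "prog" /args

def _path_from_entry(kind: str, body: str) -> str:
    """File loaded by one entry (body = text after 'Oxx - '), '' if none."""
    if kind == "O4":   # [name] "C:\path\prog.exe" /args  ->  C:\path\prog.exe
        m = O4_TARGET_RE.search(body)
        return m.group(1).strip() if m else ""
    # Other sections end in a drive-letter path; splitting on " - " instead
    # would break "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll".
    m = DRIVE_PATH_RE.search(body)
    return m.group(0).strip() if m else ""

def parse_hjt(log: str) -> tuple[list[str], list[tuple[str, str, str]]]:
    """Return (running process paths, entries); an entry is (kind, line, path)."""
    processes: list[str] = []
    entries: list[tuple[str, str, str]] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif in_processes:             # the block ends at the first blank line
            in_processes = bool(line)
            if line:
                processes.append(line)
        elif (m := ENTRY_RE.match(line)):
            kind, body = m.groups()
            entries.append((kind, line, _path_from_entry(kind, body)))
    return processes, entries

def parse_smitfraudfix(report: str) -> list[str]:
    """Return the file patterns a SmitfraudFix search reported as 'FOUND !'."""
    tag = "FOUND !"
    return [ln.strip()[:-len(tag)].strip()
            for ln in report.splitlines() if ln.strip().endswith(tag)]

def _matching_pattern(path: str, patterns: list[str]) -> str | None:
    """First pattern whose file name matches the path's file name, ignoring case."""
    name = ntpath.basename(path).lower()
    for pat in patterns:
        if fnmatch.fnmatchcase(name, ntpath.basename(pat).lower()):
            return pat
    return None

def cross_check(hjt_log: str, sff_report: str) -> dict[str, list[str]]:
    """Map each FOUND pattern to the HijackThis lines and processes that use it.

    The extra key "unmatched (no name) BHOs" lists O2 entries without a class
    name that SmitfraudFix did not flag.  It is a review list, not a delete
    list: SmitfraudFix only knows its own family, and a legitimate helper such
    as Spybot's SDHelper.dll also shows up as "(no name)".
    """
    processes, entries = parse_hjt(hjt_log)
    patterns = parse_smitfraudfix(sff_report)
    hits: dict[str, list[str]] = {p: [] for p in patterns}
    for proc in processes:
        if pat := _matching_pattern(proc, patterns):
            hits[pat].append("running: " + proc)
    unmatched: list[str] = []
    for kind, line, path in entries:
        pat = _matching_pattern(path, patterns) if path else None
        if pat:
            hits[pat].append(line)
        elif kind == "O2" and "(no name)" in line:
            unmatched.append(line)
    result = {p: lines for p, lines in hits.items() if lines}
    result["unmatched (no name) BHOs"] = unmatched
    return result
```

On the samples, issearch.exe shows up as a running process and ixt0.dll as a BHO matching the ixt?.dll wildcard, while nwsgaaci.dll is not something SmitfraudFix knows and lands on the review list next to Spybot's legitimate SDHelper.dll.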

Wizard
post Oct 4 2006, 07:39 PM
Post #4


Retired Staff
Posts: 5,661
OS: Windows



You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.



After posting C:\rapport.txt, please download Combofix to your desktop.
http://download.bleepingcomputer.com/sUBs/combofix.exe

Double-click combo.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt.

Please post that log in the next reply.

cromulentone
post Oct 4 2006, 07:56 PM
Post #5


Member
Posts: 13
OS: windows xp home



Thanks again for your assistance. I will be downloading Combofix and posting my results in a moment per your instructions.

Here are the contents of rapport.txt:

SmitFraudFix v2.104

Scan done at 19:48:08.40, Wed 10/04/2006
Run from C:\Documents and Settings\Scott\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ismini.exe Deleted
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\DOCUME~1\Scott\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

cromulentone
post Oct 4 2006, 07:58 PM
Post #6


Member
Posts: 13
OS: windows xp home



Here is my ComboFix log:

Scott - 06-10-04 19:57:33.18 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Scott\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components
C:\Program Files\Common Files\{50FAC5EE-0896-1033-0524-060124060001}
C:\Program Files\Common Files\{50FAC5EE-0897-1033-0524-060124060001}


((((((((((((((((((((((((((((((( Files Created from 2006-09-04 to 2006-10-04 ))))))))))))))))))))))))))))))))))


2006-10-04 19:30 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-10-04 19:30 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-04 19:30 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-04 19:30 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-03 17:41 86,036 --a------ C:\WINDOWS\system32\nwsgaaci.dll
2006-10-03 17:41 823,560 ---hs---- C:\WINDOWS\system32\vvvwa.bak2
2006-10-01 22:03 836,440 ---hs---- C:\WINDOWS\system32\vvvwa.bak1
2006-10-01 21:54 45,525 --a------ C:\WINDOWS\system32\jqjwfmtq.dll
2006-10-01 16:48 45,525 --a------ C:\WINDOWS\system32\isucgaqo.dll
2006-10-01 16:48 143,380 --a------ C:\WINDOWS\system32\gmblsqiv.exe
2006-10-01 16:46 577,588 --a------ C:\WINDOWS\system32\awvvv.dll.vir
2006-09-22 21:50 34,528 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2006-09-21 17:01 339,968 --a------ C:\WINDOWS\system32\mpiwin32.dll
2006-09-21 17:01 15,840 --a------ C:\WINDOWS\system32\Machnm1.exe
2006-09-20 20:12 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2006-09-19 22:01 61,440 --a------ C:\WINDOWS\system32\packet.dll
2006-09-19 19:56 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2006-09-19 19:55 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-09-19 19:55 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-09-19 19:55 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2006-09-19 19:55 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-09-19 10:18 180,224 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2006-09-19 10:18 180,224 --a------ C:\WINDOWS\system32\nvudisp.exe
2006-09-17 17:57 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2006-09-17 17:57 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2006-09-17 17:57 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2006-09-17 17:57 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2006-09-17 17:57 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2006-09-17 17:57 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2006-09-17 17:00 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-09-17 16:55 31,104 -ra------ C:\WINDOWS\system32\drivers\atl01_xp.sys
2006-09-17 16:44 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-09-17 16:44 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2006-09-17 16:44 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-09-17 16:44 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-09-17 16:44 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-09-17 16:44 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-09-17 16:44 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2006-09-17 16:44 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2006-09-17 16:44 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe
2006-09-17 16:44 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2006-09-17 16:44 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-09-17 16:44 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-09-17 16:44 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-09-17 16:44 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-09-17 16:44 135,168 -r------- C:\WINDOWS\system32\RtlCPAPI.dll
2006-09-17 16:43 9,711,104 -r------- C:\WINDOWS\RTLCPL.exe
2006-09-17 16:43 86,016 -r------- C:\WINDOWS\SoundMan.exe
2006-09-17 16:43 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2006-09-17 16:43 487,424 -r------- C:\WINDOWS\RtlExUpd.dll
2006-09-17 16:43 4,262,912 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.Sys
2006-09-17 16:43 364,544 -r------- C:\WINDOWS\RtlUpd.exe
2006-09-17 16:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-09-17 16:43 2,809,344 -r------- C:\WINDOWS\alcwzrd.exe
2006-09-17 16:43 2,158,592 -r------- C:\WINDOWS\MicCal.exe
2006-09-17 16:43 16,143,872 -r------- C:\WINDOWS\RTHDCPL.exe
2006-09-17 16:38 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2006-09-17 16:38 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2006-09-17 16:30 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2006-09-17 16:30 0 -rahs---- C:\MSDOS.SYS
2006-09-17 16:30 0 -rahs---- C:\IO.SYS
2006-09-17 16:30 0 --a------ C:\CONFIG.SYS
2006-09-17 16:30 0 --a------ C:\AUTOEXEC.BAT
2006-09-17 16:29 64,512 --a------ C:\WINDOWS\system32\acctres.dll
2006-09-17 16:29 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll
2006-09-17 16:29 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2006-09-17 16:28 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2006-09-17 16:28 81,920 --a------ C:\WINDOWS\system32\ils.dll
2006-09-17 16:28 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2006-09-17 16:28 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2006-09-17 16:28 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2006-09-17 16:28 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2006-09-17 16:28 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2006-09-17 16:28 679,424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-09-17 16:28 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2006-09-17 16:28 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2006-09-17 16:28 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2006-09-17 16:28 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2006-09-17 16:28 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-09-17 16:28 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2006-09-17 16:28 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2006-09-17 16:28 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2006-09-17 16:28 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-09-17 16:28 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2006-09-17 16:28 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2006-09-17 16:28 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-09-17 16:28 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2006-09-17 16:28 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2006-09-17 16:28 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2006-09-17 16:28 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2006-09-17 16:28 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2006-09-17 16:28 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2006-09-17 16:28 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2006-09-17 16:28 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-09-17 16:28 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-09-17 16:28 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-09-17 16:28 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-09-17 16:28 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2006-09-17 16:28 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-09-17 16:28 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2006-09-17 16:28 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-09-17 16:28 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll
2006-09-17 16:28 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-09-17 16:28 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-09-17 16:28 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-09-17 16:28 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2006-09-17 16:28 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2006-09-17 16:28 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-09-17 16:27 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2006-09-17 16:27 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-09-17 16:27 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2006-09-17 16:27 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-09-17 16:27 9,728 --a------ C:\WINDOWS\system32\reset.exe
2006-09-17 16:27 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2006-09-17 16:27 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2006-09-17 16:27 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2006-09-17 16:27 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2006-09-17 16:27 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2006-09-17 16:27 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2006-09-17 16:27 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-09-17 16:27 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-09-17 16:27 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2006-09-17 16:27 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2006-09-17 16:27 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2006-09-17 16:27 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2006-09-17 16:27 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2006-09-17 16:27 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
2006-09-17 16:27 56,832 --a------ C:\WINDOWS\system32\sol.exe
2006-09-17 16:27 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2006-09-17 16:27 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2006-09-17 16:27 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2006-09-17 16:27 54,272 --a------ C:\WINDOWS\system32\stclient.dll
2006-09-17 16:27 538,624 --a------ C:\WINDOWS\system32\spider.exe
2006-09-17 16:27 5,632 --a------ C:\WINDOWS\system32\write.exe
2006-09-17 16:27 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2006-09-17 16:27 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll
2006-09-17 16:27 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-09-17 16:27 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2006-09-17 16:27 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-09-17 16:27 407,552 --a------ C:\WINDOWS\system32\mstsc.exe
2006-09-17 16:27 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2006-09-17 16:27 4,096 --a------ C:\WINDOWS\system32\rdpcfgex.dll
2006-09-17 16:27 4,096 --a------ C:\WINDOWS\system32\mtxex.dll
2006-09-17 16:27 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2006-09-17 16:27 35,328 --a------ C:\WINDOWS\system32\winchat.exe
2006-09-17 16:27 347,136 --a------ C:\WINDOWS\system32\hypertrm.dll
2006-09-17 16:27 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2006-09-17 16:27 33,792 --a------ C:\WINDOWS\system32\regini.exe
2006-09-17 16:27 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2006-09-17 16:27 25,600 --a------ C:\WINDOWS\system32\comaddin.dll
2006-09-17 16:27 25,088 --a------ C:\WINDOWS\system32\mtxlegih.dll
2006-09-17 16:27 227,840 --a------ C:\WINDOWS\system32\avtapi.dll
2006-09-17 16:27 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2006-09-17 16:27 22,016 --a------ C:\WINDOWS\system32\qwinsta.exe
2006-09-17 16:27 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2006-09-17 16:27 20,992 --a------ C:\WINDOWS\system32\msg.exe
2006-09-17 16:27 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2006-09-17 16:27 20,480 --a------ C:\WINDOWS\system32\mtxdm.dll
2006-09-17 16:27 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2006-09-17 16:27 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2006-09-17 16:27 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2006-09-17 16:27 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2006-09-17 16:27 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2006-09-17 16:27 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-09-17 16:27 16,896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2006-09-17 16:27 16,896 --a------ C:\WINDOWS\system32\qappsrv.exe
2006-09-17 16:27 16,384 --a------ C:\WINDOWS\system32\tskill.exe
2006-09-17 16:27 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2006-09-17 16:27 15,872 --a------ C:\WINDOWS\system32\rwinsta.exe
2006-09-17 16:27 15,872 --a------ C:\WINDOWS\system32\cdmodem.dll
2006-09-17 16:27 15,360 --a------ C:\WINDOWS\system32\logoff.exe
2006-09-17 16:27 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2006-09-17 16:27 147,456 --a------ C:\WINDOWS\system32\comsnap.dll
2006-09-17 16:27 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-09-17 16:27 14,848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2006-09-17 16:27 14,848 --a------ C:\WINDOWS\system32\tscon.exe
2006-09-17 16:27 14,848 --a------ C:\WINDOWS\system32\shadow.exe
2006-09-17 16:27 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2006-09-17 16:27 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2006-09-17 16:27 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-09-17 16:27 13,824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-09-17 16:27 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2006-09-17 16:27 123,392 --a------ C:\WINDOWS\system32\mplay32.exe
2006-09-17 16:27 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2006-09-17 16:27 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2006-09-17 16:27 114,688 --a------ C:\WINDOWS\system32\calc.exe
2006-09-17 16:27 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-09-17 16:27 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2006-09-17 16:27 11,264 --a------ C:\WINDOWS\system32\icaapi.dll
2006-09-17 16:27 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-09-17 16:27 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-09-17 16:27 1,161 --a------ C:\WINDOWS\system32\usrlogon.cmd
2006-09-17 10:24 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2006-09-17 10:24 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2006-09-17 10:19 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2006-09-17 10:18 85,020 --a------ C:\WINDOWS\system32\dgsetup.dll
2006-09-17 10:18 8,704 --a------ C:\WINDOWS\system32\batt.dll
2006-09-17 10:18 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
2006-09-17 10:18 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2006-09-17 10:18 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll
2006-09-17 10:18 69,120 --a------ C:\WINDOWS\NOTEPAD.EXE
2006-09-17 10:18 6,656 -ra------ C:\WINDOWS\system32\kbdycl.dll
2006-09-17 10:18 6,656 -ra------ C:\WINDOWS\system32\kbdsl1.dll
2006-09-17 10:18 6,656 -ra------ C:\WINDOWS\system32\kbdsl.dll
2006-09-17 10:18 6,656 -ra------ C:\WINDOWS\system32\kbdpl.dll
2006-09-17 10:18 6,656 -ra------ C:\WINDOWS\system32\kbdhu.dll
2006-09-17 10:18 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll
2006-09-17 10:18 6,656 -ra------ C:\WINDOWS\system32\kbdcz2.dll
2006-09-17 10:18 6,656 -ra------ C:\WINDOWS\system32\kbdcz1.dll
2006-09-17 10:18 6,656 -ra------ C:\WINDOWS\system32\kbdcr.dll
2006-09-17 10:18 6,656 -ra------ C:\WINDOWS\system32\KBDAL.DLL
2006-09-17 10:18 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll
2006-09-17 10:18 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll
2006-09-17 10:18 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll
2006-09-17 10:18 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll
2006-09-17 10:18 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll
2006-09-17 10:18 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll
2006-09-17 10:18 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdycc.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbduzb.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdur.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdtat.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdru1.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdru.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdro.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdpl1.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdkaz.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdhu1.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdbu.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdblr.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll
2006-09-17 10:18 5,632 -ra------ C:\WINDOWS\system32\kbdaze.dll
2006-09-17 10:18 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-09-17 10:18 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll
2006-09-17 10:18 15,360 --a------ C:\WINDOWS\TASKMAN.EXE
2006-09-17 10:18 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-09-17 10:18 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2006-09-17 10:18 103,424 --a------ C:\WINDOWS\system32\EqnClass.Dll
2006-09-17 10:05 61,184 -ra------ C:\WINDOWS\system32\drivers\mv614x.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-04 19:57 -------- d-------- C:\Program Files\Common Files
2006-10-04 19:51 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-04 10:17 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-02 19:18 -------- d-------- C:\Documents and Settings\Scott\Application Data\TrojanHunter
2006-10-02 18:42 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-10-02 18:39 -------- d-------- C:\Program Files\Internet Explorer
2006-10-02 18:38 -------- d-------- C:\Program Files\Common Files\Autodesk Shared
2006-10-01 21:53 -------- d-------- C:\Program Files\CleanUp!
2006-10-01 17:00 -------- d-------- C:\Program Files\DVD Shrink
2006-10-01 16:59 -------- d-------- C:\Program Files\DVD Decrypter
2006-10-01 16:28 -------- d---s---- C:\Documents and Settings\Scott\Application Data\Microsoft
2006-10-01 09:58 -------- d-------- C:\Documents and Settings\Scott\Application Data\Adobe
2006-09-25 18:11 -------- d-------- C:\Documents and Settings\Scott\Application Data\ICAClient
2006-09-25 18:02 -------- d-------- C:\Program Files\Citrix
2006-09-23 10:02 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-23 09:57 -------- d-------- C:\Program Files\LucasArts
2006-09-22 22:09 -------- d-------- C:\Program Files\PopCap Games
2006-09-22 21:17 -------- d-------- C:\Program Files\Lavasoft
2006-09-22 18:16 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-22 18:16 -------- d-------- C:\Program Files\Adobe
2006-09-21 17:01 -------- d-------- C:\Program Files\@Last Software
2006-09-21 14:05 -------- d-------- C:\Documents and Settings\Scott\Application Data\Sun
2006-09-21 10:38 -------- d-------- C:\Documents and Settings\Scott\Application Data\AdobeUM
2006-09-21 06:57 -------- d-------- C:\Program Files\Common Files\System
2006-09-21 06:57 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-21 06:57 -------- d-------- C:\Program Files\Common Files\Designer
2006-09-21 06:55 -------- d-------- C:\Program Files\Microsoft Office
2006-09-21 06:55 -------- d-------- C:\Program Files\microsoft frontpage
2006-09-21 06:55 -------- d-------- C:\Documents and Settings\Scott\Application Data\Microsoft Web Folders
2006-09-21 06:53 -------- d-------- C:\Program Files\Java
2006-09-21 06:52 -------- d-------- C:\Program Files\LimeWire Acceleration Patch
2006-09-20 21:37 -------- d-------- C:\Documents and Settings\Scott\Application Data\Lavasoft
2006-09-20 19:22 -------- d-------- C:\Documents and Settings\Scott\Application Data\Autodesk
2006-09-20 19:16 -------- d--h----- C:\Program Files\Uninstall Information
2006-09-20 19:16 -------- d-------- C:\Program Files\Autodesk
2006-09-20 19:15 -------- d-------- C:\Program Files\AutoCAD 2005
2006-09-20 19:15 -------- d-------- C:\Program Files\AnswerWorks 4.0
2006-09-19 22:01 -------- d-------- C:\Program Files\LimeWire
2006-09-19 21:59 -------- d-------- C:\Program Files\Common Files\Java
2006-09-19 21:42 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-09-19 21:18 -------- d-------- C:\Program Files\WinRAR
2006-09-19 21:18 -------- d-------- C:\Documents and Settings\Scott\Application Data\Help
2006-09-19 21:02 -------- d-------- C:\Documents and Settings\Scott\Application Data\Macromedia
2006-09-19 20:25 -------- d-------- C:\Documents and Settings\Scott\Application Data\Mozilla
2006-09-19 10:30 -------- d-------- C:\Program Files\Trend Micro
2006-09-17 18:02 -------- d-------- C:\Program Files\Common Files\Nero
2006-09-17 17:57 -------- d-------- C:\Program Files\Common Files\Ahead
2006-09-17 17:57 -------- d-------- C:\Program Files\Ahead
2006-09-17 17:48 -------- d-------- C:\Program Files\Windows Media Player
2006-09-17 17:39 -------- d-------- C:\Program Files\Outlook Express
2006-09-17 17:38 -------- d-------- C:\Program Files\Messenger
2006-09-17 16:55 -------- d-------- C:\Program Files\Attansic
2006-09-17 16:43 -------- d-------- C:\Program Files\Realtek
2006-09-17 16:43 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-17 16:38 -------- d-------- C:\Program Files\VIA
2006-09-17 16:36 -------- d-------- C:\Documents and Settings\Scott\Application Data\Identities
2006-09-17 16:30 -------- d-------- C:\Program Files\xerox
2006-09-17 16:29 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-17 16:29 -------- d-------- C:\Program Files\NetMeeting
2006-09-17 16:29 -------- d-------- C:\Program Files\Common Files\Services
2006-09-17 16:28 -------- d-------- C:\Program Files\Movie Maker
2006-09-17 16:28 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-17 16:28 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-09-17 16:27 -------- d-------- C:\Program Files\Windows NT
2006-09-17 16:27 -------- d-------- C:\Program Files\Online Services
2006-09-17 16:27 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-17 16:27 -------- d-------- C:\Program Files\MSN
2006-09-17 10:18 62 --ahs---- C:\Documents and Settings\Scott\Application Data\desktop.ini
2006-09-17 10:18 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-09-17 10:18 -------- d-------- C:\Program Files\Common Files\ODBC
2006-09-06 20:27 31248 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2006-09-06 20:27 197648 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2006-09-06 20:09 1051456 --a------ C:\WINDOWS\system32\drivers\VsapiNT.sys
2006-07-21 02:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2005\\pccguide.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{D3B3C51E-8D11-4667-85B9-0930F519BED7}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Wed 10/04/2006 19:57:58.95
ComboFix.txt
Wizard
post Oct 5 2006, 02:26 AM
Post #7


Retired Staff
Posts: 5,661
OS: Windows



Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the entries below into the open boxes
    • C:\WINDOWS\system32\gmblsqiv.exe
    • C:\WINDOWS\system32\nwsgaaci.dll
    • C:\WINDOWS\system32\jqjwfmtq.dll
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.



Restart in Safe Mode and be sure Windows is Showing Hidden Files.
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp


Search for and Delete if found

C:\WINDOWS\system32\isucgaqo.dll<-- File

C:\WINDOWS\system32\awvvv.dll.vir<-- File

C:\WINDOWS\system32\vvvwa.bak2<-- File

C:\WINDOWS\system32\vvvwa.bak1<-- File


Still in Safe Mode, scan with ComboFix once more and save the log.


Restart Normal and post a fresh HijackThis log along with C:\vundofix.txt and the new Combo Fix log.


After posting those logs, please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


This post has been edited by Cretemonster: Oct 5 2006, 02:28 AM
cromulentone
post Oct 5 2006, 05:48 PM
Post #8


Member
**
Posts: 13
OS: windows xp home



Hi,

Here is my VundoFix log:


VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 5:45:31 PM 10/3/2006

Listing files found while scanning....

C:\WINDOWS\system32\hkghknih.dll
C:\WINDOWS\system32\qomklkk.dll
C:\WINDOWS\system32\winhoo32.dll
C:\Program Files\Common Files\{50FAC5EE-0896-1033-0524-060124060001}\services.dll
C:\Program Files\Common Files\{50FAC5EE-0897-1033-0524-060124060001}\services.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hkghknih.dll
C:\WINDOWS\system32\hkghknih.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomklkk.dll
C:\WINDOWS\system32\qomklkk.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\winhoo32.dll
C:\WINDOWS\system32\winhoo32.dll Has been deleted!

Attempting to delete C:\Program Files\Common Files\{50FAC5EE-0896-1033-0524-060124060001}\services.dll
C:\Program Files\Common Files\{50FAC5EE-0896-1033-0524-060124060001}\services.dll Has been deleted!

Attempting to delete C:\Program Files\Common Files\{50FAC5EE-0897-1033-0524-060124060001}\services.dll
C:\Program Files\Common Files\{50FAC5EE-0897-1033-0524-060124060001}\services.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 5:55:34 PM 10/3/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 6:55:20 PM 10/4/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 5:36:18 PM 10/5/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\gmblsqiv.exe
C:\WINDOWS\system32\gmblsqiv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\nwsgaaci.dll
C:\WINDOWS\system32\nwsgaaci.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jqjwfmtq.dll
C:\WINDOWS\system32\jqjwfmtq.dll Has been deleted!

Performing Repairs to the registry.
Done!


And here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:43:52 PM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Scott\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\nwsgaaci.dll (file missing)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158533964219
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

I will post a combofix log, vundofix, and new HijackThis log in a few moments.

Thanks!
Scott


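As an added illustration (not code from this thread, from HijackThis or from the helper), here is a small Python triage that parses the O2 (Browser Helper Object) lines of a HijackThis log like the one posted above and flags the entries a helper would single out by hand. The rule it applies, an unnamed BHO loading straight from system32 or pointing at a file that is already gone, is an assumed heuristic for this example, not a HijackThis feature, and the sample lines are copied from the log above and re-joined onto single lines.

```python
import re

# Constructed sample input: five O2 lines and one O4 line from the HijackThis
# log posted above, re-joined onto single lines (the forum had wrapped them).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\nwsgaaci.dll (file missing)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
"""

# HijackThis O2 line layout:
#   O2 - BHO: <display name> - {<CLSID>} - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# A file sitting directly in %SystemRoot%\system32 (no vendor subfolder).
SYSTEM32_RE = re.compile(r"\\windows\\system32\\[^\\]+$", re.IGNORECASE)


def parse_o2(line):
    """Return a dict for an O2 line, or None for any other log line."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name"),
        "clsid": m.group("clsid").upper(),   # normalise case for comparisons
        "path": m.group("path"),
        "missing": m.group("missing") is not None,
    }


def is_suspicious(entry):
    """Assumed triage heuristic (this example's, not HijackThis's):
    an unnamed BHO that loads straight from system32, or whose DLL is
    already gone, is worth a closer look; named vendor BHOs under
    Program Files are not flagged by this rule."""
    unnamed = entry["name"] == "(no name)"
    in_system32 = SYSTEM32_RE.search(entry["path"]) is not None
    return unnamed and (in_system32 or entry["missing"])


def triage(log_text):
    """Scan a whole HijackThis log and return the flagged O2 entries in order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o2(line)
        if entry is not None and is_suspicious(entry):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        state = "file missing" if e["missing"] else "present"
        print(f"{e['clsid']}  {e['path']}  ({state})")
```

On the sample above only the two unnamed system32 BHOs are reported; the Spybot SDHelper entry is also unnamed but lives under Program Files, so the rule leaves it alone.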
cromulentone
post Oct 5 2006, 06:39 PM
Post #9


Member
**
Posts: 13
OS: windows xp home



Hi,

Here is my combofix log:

Scott - 06-10-05 18:33:13.79 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Scott\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-05 to 2006-10-05 ))))))))))))))))))))))))))))))))))


2006-10-04 19:30 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-10-04 19:30 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-04 19:30 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-04 19:30 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-03 17:41 823,560 ---hs---- C:\WINDOWS\system32\vvvwa.bak2
2006-10-01 22:03 836,440 ---hs---- C:\WINDOWS\system32\vvvwa.bak1
2006-09-22 21:50 34,528 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2006-09-21 17:01 339,968 --a------ C:\WINDOWS\system32\mpiwin32.dll
2006-09-21 17:01 15,840 --a------ C:\WINDOWS\system32\Machnm1.exe
2006-09-20 20:12 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2006-09-19 22:01 6