
rootkit/rustock found by pandascan, help!



#1 njgirl (Member, 10 posts)
I was reading another forum about Rustock and my computer also has it - I have a lot of pop-ups, and the comp was COMPLETELY taken over at the beginning of this month by EVERYTHING. I have it almost back to normal...

what was found was C:\WINDOWS\SYSTEM32:lzx32.sys

I also have the GMER program thanks to the other forum; the log that was found is:


GMER 1.0.11.11389 - http://www.gmer.net
Rootkit 2006-09-29 15:23:33
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.11 ----

SYSENTER ? FC0E3FA3

---- Services - GMER 1.0.11 ----

Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Registry - GMER 1.0.11 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ExtParam 0x14 0x8A 0xE0 0x38 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ExtParam 0x14 0x8A 0xE0 0x38 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ExtParam 0x14 0x8A 0xE0 0x38 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@ExtParam 0x14 0x8A 0xE0 0x38 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@ExtParam 0x14 0x8A 0xE0 0x38 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@ExtParam 0x14 0x8A 0xE0 0x38 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386\Enum
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@ExtParam 0x14 0x8A 0xE0 0x38 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ExtParam 0x14 0x8A 0xE0 0x38 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ExtParam 0x14 0x8A 0xE0 0x38 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ExtParam 0x14 0x8A 0xE0 0x38 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x14 0x8A 0xE0 0x38 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x14 0x8A 0xE0 0x38 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x14 0x8A 0xE0 0x38 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Enum
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x14 0x8A 0xE0 0x38 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1

---- Files - GMER 1.0.11 ----

ADS C:\Program Files\INSTALL.LOG:SummaryInformation
ADS C:\Program Files\INSTALL.LOG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS ...
File C:\WINDOWS\SYSTEM32\lzx32.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.11 ----



ANY HELP IS MUCH APPRECIATED!! The comp shut down and a blue screen showed when I tried to send this before, so I'm redoing it in safe mode.

Also, not sure if this is related to when I tried to download Windows SP2 and my comp kept shutting down with the same blue screen. Help help help!
  • 0
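As an added example (not code from this thread, from GMER, or from either poster), the Python below reads a GMER log of the kind posted above and cross-checks every service GMER marks hidden against the registry keys and file entries in the same log: which control sets the service is registered in, whether it is a kernel driver that starts with the system, whether the registry ImagePath agrees with the service's image, and whether that image was also flagged in the Files section. The sample is a trimmed copy of the log in post #1; the field names and the triage rules are my own choices, and nothing about GMER's output beyond the quoted lines is assumed.

```python
import re

# Constructed sample: a trimmed copy of the GMER output quoted in post #1 of this thread.
SAMPLE_GMER_LOG = r"""GMER 1.0.11.11389 - http://www.gmer.net

---- Services - GMER 1.0.11 ----

Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Registry - GMER 1.0.11 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys

---- Files - GMER 1.0.11 ----

ADS C:\Program Files\INSTALL.LOG:SummaryInformation
File C:\WINDOWS\SYSTEM32\lzx32.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.11 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER")
SERVICE_RE = re.compile(r"^Service (?P<image>.+?) \((?P<flags>[^)]*)\) \[[A-Z]+\] (?P<name>\S+)(?P<tail>.*)$")
REG_RE = re.compile(r"^Reg (?P<key>\\Registry\\[^@\s]+)(?:@(?P<value>\S+)(?: (?P<data>.*))?)?$")
FILE_RE = re.compile(r"^(?:File|ADS) (?P<path>.+?)(?: <-- ROOTKIT !!!)?$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}  # SCM Start values


def parse_gmer(text):
    """Split a GMER log into its Services, Registry and Files sections."""
    report = {"services": [], "registry": {}, "files": []}
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        m = SERVICE_RE.match(line) if section == "Services" else None
        if m:
            report["services"].append({"name": m.group("name"), "image": m.group("image"),
                                       "hidden": "hidden" in m.group("flags"),
                                       "flagged": "ROOTKIT" in m.group("tail")})
            continue
        m = REG_RE.match(line) if section == "Registry" else None
        if m:
            values = report["registry"].setdefault(m.group("key"), {})  # key seen, values may follow
            if m.group("value"):
                values[m.group("value")] = m.group("data") or ""
            continue
        m = FILE_RE.match(line) if section == "Files" else None
        if m:
            report["files"].append({"path": m.group("path"), "flagged": "ROOTKIT" in line})
    return report


def _norm(path):
    """Drop the NT object-manager prefix GMER shows on ImagePath values and fold case."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def triage(report):
    """Cross-check each hidden/flagged service against its registry keys and the on-disk file."""
    flagged_on_disk = {_norm(f["path"]) for f in report["files"] if f["flagged"]}
    findings = []
    for svc in report["services"]:
        if not (svc["hidden"] or svc["flagged"]):
            continue
        image = _norm(svc["image"])
        keys = {}  # control set -> values of \SYSTEM\<set>\Services\<name> (the key itself, not Security/Enum)
        for key, values in report["registry"].items():
            parts = key.split("\\")
            if len(parts) == 7 and parts[5] == "Services" and parts[6].lower() == svc["name"].lower():
                keys[parts[4]] = values
        findings.append({
            "service": svc["name"], "image": svc["image"], "hidden": svc["hidden"],
            "control_sets": sorted(keys),
            "start": sorted({START_TYPES.get(v.get("Start"), "unknown") for v in keys.values()}),
            "kernel_driver": bool(keys) and all(v.get("Type") == "1" for v in keys.values()),
            "registry_image_matches": bool(keys) and all(_norm(v.get("ImagePath", "")) == image for v in keys.values()),
            "image_flagged_on_disk": image in flagged_on_disk,
        })
    return findings
```

Calling `triage(parse_gmer(SAMPLE_GMER_LOG))` on the sample returns one finding: pe386 is hidden, registered in both ControlSet004 and CurrentControlSet as a system-start kernel driver, and its ImagePath names the same lzx32.sys that the Files section flags. The same service appearing under several control sets is the reason a cleanup should check all of them rather than only CurrentControlSet.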



#2 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi :whistling:

Can you get me a HijackThis log? Do this if you don't have it:


  • Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Also this log:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



After you post those two logs, we will remove it and anything else I can find.

njgirl wrote:
Also, not sure if this is related to when I tried to download Windows SP2 and my comp kept shutting down with the same blue screen. Help help help!


This is a legit version of XP... right?
Thanks

Edited by loophole, 29 September 2006 - 10:33 PM.

  • 0

#3 njgirl (Topic Starter, Member, 10 posts)
Hiya :blink:

Yes, yes, it is a legit copy of Windows XP. It's at my job on the work computer.

I followed exactly what the other forum said - what was found was the same #386, so I did all that as said... Here is the recent HijackThis log after following that other forum (sorry if I went ahead, but the programs were all so easy to follow and helped so much!)

Logfile of HijackThis v1.99.1
Scan saved at 1:26:43 PM, on 9/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\WgaTray.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Gin - http://download2.gam...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt4_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1157224056296
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://duxpond.com/freedom/msrdp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://69.139.205.19...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/...he.cab43895.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe




I'll wait for your expert advice. thank youuuuuuuu!! :whistling:
  • 0

#4 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi



1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
pe386


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script".
  • Paste the text copied to the clipboard into this window by pressing (Ctrl+V).
  • Click Done.
  • Now click on the Green Light to begin execution of the script.
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt.
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of C:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply.
  • 0

#5 njgirl (Topic Starter, Member, 10 posts)
did what you said...

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xefprlnu

*******************

Script file located at: \??\C:\WINDOWS\System32\qhdygtfn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key \Registry\Machine\System\CurrentControlSet\Services\pe386 not found!
Unload of driver pe386 failed!

Could not process line:
pe386
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.




Logfile of HijackThis v1.99.1
Scan saved at 3:54:26 PM, on 9/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Gin - http://download2.gam...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt4_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1157224056296
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://duxpond.com/freedom/msrdp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://69.139.205.19...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/...he.cab43895.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0
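Added example (mine, not the thread's, HijackThis's or either poster's): the two HijackThis logs in this thread (post #3 and post #5) differ in only a few lines, and differences like that are easy to miss when two long logs are compared by eye. The Python below parses both logs, reports what appeared and what disappeared between the scans, and attaches a few review notes. The samples are trimmed copies of the two posted logs; the review rules at the end are my own heuristics, not anything HijackThis itself does.

```python
import re

# Constructed samples: trimmed copies of the two HijackThis logs in this thread,
# post #3 (before The Avenger ran) and post #5 (after).
HJT_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:26:43 PM, on 9/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

HJT_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:54:26 PM, on 9/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

# Every HijackThis entry starts with its section code: R0-R3, F0-F3, O1-O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Return the process list and the (section, body) entries of a HijackThis log."""
    processes, entries, in_processes = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False  # a blank line ends the process list
        elif in_processes:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group("section"), m.group("body")))
    return {"processes": processes, "entries": entries}


def diff_hjt(before_text, after_text):
    """What appeared and what disappeared between two scans of the same machine."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return {
        "processes_started": sorted(set(after["processes"]) - set(before["processes"])),
        "processes_gone": sorted(set(before["processes"]) - set(after["processes"])),
        "entries_added": sorted(set(after["entries"]) - set(before["entries"])),
        "entries_removed": sorted(set(before["entries"]) - set(after["entries"])),
    }


def review_entries(entries):
    """Heuristic review notes (my own rules, not HijackThis's): (section, reason, entry)."""
    notes = []
    for section, body in entries:
        if "(no file)" in body:
            notes.append((section, "orphaned: registry points at a file that no longer exists", body))
        elif section == "O20":
            notes.append((section, "Winlogon Notify DLL loads inside winlogon; verify the DLL", body))
        elif section == "O23" and "Unknown owner" in body:
            notes.append((section, "service binary carries no company name; verify its origin", body))
    return notes
```

On the trimmed samples, `diff_hjt(HJT_BEFORE, HJT_AFTER)` reports the one autostart entry added between scans ([QuickTime Task]), javaw.exe newly in the process list and ewido.exe no longer running, which matches the two full logs above. The review notes are prompts to verify, not verdicts: WgaLogon.dll (Windows Genuine Advantage) and the McAfee McShield service on this machine are legitimate, which is why the script attaches a reason to check rather than a label.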

#6 loophole (Malware Expert, Retired Staff, 9,798 posts)
Strange, Avenger says it's not there. Can you do this please?

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • 0

#7 njgirl (Topic Starter, Member, 10 posts)
here goes...

FRONT DESK - 06-10-01 18:07:40.29 Service Pack 1
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\FRONT DESK\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *



DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aaa00000.sys
C:\Program Files\Inetget2
C:\WINDOWS\system32\crunner
C:\Program Files\PrintView


((((((((((((((((((((((((((((((( Files Created from 2006-09-01 to 2006-10-01 ))))))))))))))))))))))))))))))))))


2006-09-28 17:33 45,525 --a------ C:\WINDOWS\SYSTEM32\dtctgbqm.dll
2006-09-28 17:33 143,380 --a------ C:\WINDOWS\SYSTEM32\qslwcedn.exe
2006-09-25 10:16 143,380 --a------ C:\WINDOWS\SYSTEM32\thfyvalc.exe
2006-09-25 08:37 45,525 --a------ C:\WINDOWS\SYSTEM32\mfgveyai.dll
2006-09-18 14:59 74,752 --a------ C:\WINDOWS\SYSTEM32\jst.dll
2006-09-18 14:59 61,440 --a------ C:\WINDOWS\SYSTEM32\PMLJNI.dll
2006-09-18 14:59 40,960 --a------ C:\WINDOWS\SYSTEM32\d4channel.dll
2006-09-18 14:54 23,808 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Dot4usb.sys
2006-09-18 14:54 205,056 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Dot4.sys
2006-09-13 12:03 58,368 --a------ C:\WINDOWS\Unwash6.exe
2006-09-11 12:03 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2006-09-11 11:29 997,888 --a------ C:\WINDOWS\SYSTEM32\wmvdmoe2.dll
2006-09-11 11:29 9,216 --a------ C:\WINDOWS\SYSTEM32\wuauserv.dll
2006-09-11 11:29 892,416 --a------ C:\WINDOWS\SYSTEM32\wmspdmoe.dll
2006-09-11 11:29 755,200 --------- C:\WINDOWS\SYSTEM32\ir50_32.dll
2006-09-11 11:29 52,224 --a------ C:\WINDOWS\SYSTEM32\mspmsnsv.dll
2006-09-11 11:29 5,120 --a------ C:\WINDOWS\SYSTEM32\hccoin.dll
2006-09-11 11:29 486,536 --a------ C:\WINDOWS\SYSTEM32\wmspdmod.dll
2006-09-11 11:29 384,512 --a------ C:\WINDOWS\SYSTEM32\mp4sdmod.dll
2006-09-11 11:29 361,984 --a------ C:\WINDOWS\SYSTEM32\qmgr.dll
2006-09-11 11:29 338,432 --------- C:\WINDOWS\SYSTEM32\ir41_qcx.dll
2006-09-11 11:29 331,776 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2006-09-11 11:29 316,040 --a------ C:\WINDOWS\SYSTEM32\mp43dmod.dll
2006-09-11 11:29 3,584 --a------ C:\WINDOWS\SYSTEM32\dsprpres.dll
2006-09-11 11:29 25,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\agp440.sys
2006-09-11 11:29 225,280 --a------ C:\WINDOWS\SYSTEM32\wmpdxm.dll
2006-09-11 11:29 200,192 --------- C:\WINDOWS\SYSTEM32\ir50_qc.dll
2006-09-11 11:29 19,328 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbehci.sys
2006-09-11 11:29 187,904 --a------ C:\WINDOWS\SYSTEM32\xpsp1res.dll
2006-09-11 11:29 183,808 --------- C:\WINDOWS\SYSTEM32\ir50_qcx.dll
2006-09-11 11:29 167,936 --a------ C:\WINDOWS\SYSTEM32\wmerror.dll
2006-09-11 11:29 159,232 --a------ C:\WINDOWS\SYSTEM32\xpob2res.dll
2006-09-11 11:29 155,648 --a------ C:\WINDOWS\SYSTEM32\encdec.dll
2006-09-11 11:29 143,360 --a------ C:\WINDOWS\SYSTEM32\wmidx.dll
2006-09-11 11:29 120,320 --------- C:\WINDOWS\SYSTEM32\ir41_qc.dll
2006-09-11 11:29 12,288 --a------ C:\WINDOWS\SYSTEM32\encapi.dll
2006-09-11 11:29 106,496 --a------ C:\WINDOWS\SYSTEM32\wmpasf.dll
2006-09-11 11:29 1,111,040 --a------ C:\WINDOWS\SYSTEM32\wmsdmoe2.dll
2006-09-11 11:28 595,968 --a------ C:\WINDOWS\SYSTEM32\xpsp2res.dll
2006-09-11 11:28 32,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\amdk7.sys
2006-09-11 11:28 27,648 --a------ C:\WINDOWS\SYSTEM32\pidgen.dll
2006-09-11 11:28 115,200 --a------ C:\WINDOWS\SYSTEM32\dpcdll.dll
2006-09-11 11:28 11,776 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tunmp.sys
2006-09-11 11:27 7,680 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2006-09-11 11:27 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2006-09-11 11:27 504,832 --a------ C:\WINDOWS\SYSTEM32\msftedit.dll
2006-09-11 11:27 403,456 --a------ C:\WINDOWS\SYSTEM32\winbrand.dll
2006-09-11 11:27 218,112 --a------ C:\WINDOWS\SYSTEM32\sbe.dll
2006-09-11 11:27 172,032 --a------ C:\WINDOWS\SYSTEM32\mssap.dll
2006-09-11 11:27 110,080 --a------ C:\WINDOWS\SYSTEM32\sbeio.dll
2006-09-11 11:26 29,056 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\agpcpq.sys
2006-09-11 11:26 27,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\amdagp.sys
2006-09-11 11:26 27,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\alim1541.sys
2006-09-11 11:26 27,392 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\viaagp.sys
2006-09-11 11:26 26,112 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sisagp.sys
2006-09-11 11:25 991,232 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2006-09-11 11:25 99,840 --a------ C:\WINDOWS\SYSTEM32\dmsynth.dll
2006-09-11 11:25 95,232 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll
2006-09-11 11:25 94,720 --a------ C:\WINDOWS\SYSTEM32\dmusic.dll
2006-09-11 11:25 92,160 --a------ C:\WINDOWS\SYSTEM32\cscdll.dll
2006-09-11 11:25 91,648 --a------ C:\WINDOWS\SYSTEM32\ahui.exe
2006-09-11 11:25 9,216 --a------ C:\WINDOWS\SYSTEM32\dumprep.exe
2006-09-11 11:25 85,504 --a------ C:\WINDOWS\SYSTEM32\catsrvps.dll
2006-09-11 11:25 84,992 --a------ C:\WINDOWS\SYSTEM32\dskquota.dll
2006-09-11 11:25 82,432 --a------ C:\WINDOWS\SYSTEM32\drmstor.dll
2006-09-11 11:25 80,384 --a------ C:\WINDOWS\SYSTEM32\cabview.dll
2006-09-11 11:25 8,192 --a------ C:\WINDOWS\SYSTEM32\d3d8thk.dll
2006-09-11 11:25 8,192 --a------ C:\WINDOWS\SYSTEM32\autolfn.exe
2006-09-11 11:25 792,064 --a------ C:\WINDOWS\SYSTEM32\comres.dll
2006-09-11 11:25 791,040 --a------ C:\WINDOWS\SYSTEM32\d3dim700.dll
2006-09-11 11:25 79,360 --a------ C:\WINDOWS\SYSTEM32\diantz.exe
2006-09-11 11:25 786,432 --a------ C:\WINDOWS\SYSTEM32\dxdiag.exe
2006-09-11 11:25 77,824 --a------ C:\WINDOWS\SYSTEM32\asycfilt.dll
2006-09-11 11:25 77,312 --a------ C:\WINDOWS\SYSTEM32\dmscript.dll
2006-09-11 11:25 76,288 --a------ C:\WINDOWS\SYSTEM32\dfrgfat.exe
2006-09-11 11:25 76,288 --a------ C:\WINDOWS\SYSTEM32\avifil32.dll
2006-09-11 11:25 74,810 --a------ C:\WINDOWS\SYSTEM32\atl.dll
2006-09-11 11:25 70,656 --a------ C:\WINDOWS\SYSTEM32\defrag.exe
2006-09-11 11:25 70,144 --a------ C:\WINDOWS\SYSTEM32\cryptdlg.dll
2006-09-11 11:25 7,680 --a------ C:\WINDOWS\SYSTEM32\dciman32.dll
2006-09-11 11:25 7,680 --a------ C:\WINDOWS\SYSTEM32\asferror.dll
2006-09-11 11:25 678,912 --a------ C:\WINDOWS\SYSTEM32\drmv2clt.dll
2006-09-11 11:25 66,560 --a------ C:\WINDOWS\SYSTEM32\dsdmoprp.dll
2006-09-11 11:25 64,512 --a------ C:\WINDOWS\SYSTEM32\ciodm.dll
2006-09-11 11:25 63,488 --a------ C:\WINDOWS\SYSTEM32\amstream.dll
2006-09-11 11:25 62,464 --a------ C:\WINDOWS\SYSTEM32\colbact.dll
2006-09-11 11:25 62,464 --a------ C:\WINDOWS\SYSTEM32\adsmsext.dll
2006-09-11 11:25 61,440 --a------ C:\WINDOWS\SYSTEM32\dbnetlib.dll
2006-09-11 11:25 61,440 --a------ C:\WINDOWS\SYSTEM32\cleanmgr.exe
2006-09-11 11:25 6,656 --a------ C:\WINDOWS\SYSTEM32\batt.dll
2006-09-11 11:25 595,456 --a------ C:\WINDOWS\SYSTEM32\dx7vb.dll
2006-09-11 11:25 59,904 --a------ C:\WINDOWS\SYSTEM32\cabinet.dll
2006-09-11 11:25 581,632 --a------ C:\WINDOWS\SYSTEM32\catsrvut.dll
2006-09-11 11:25 58,368 --a------ C:\WINDOWS\SYSTEM32\dpvsetup.exe
2006-09-11 11:25 57,344 --a------ C:\WINDOWS\SYSTEM32\dmcompos.dll
2006-09-11 11:25 57,344 --a------ C:\WINDOWS\SYSTEM32\admparse.dll
2006-09-11 11:25 56,320 --a------ C:\WINDOWS\SYSTEM32\dpnhupnp.dll
2006-09-11 11:25 558,592 --a------ C:\WINDOWS\SYSTEM32\autofmt.exe
2006-09-11 11:25 544,256 --a------ C:\WINDOWS\SYSTEM32\crypt32.dll
2006-09-11 11:25 54,784 --a------ C:\WINDOWS\SYSTEM32\cmstp.exe
2006-09-11 11:25 54,272 --a------ C:\WINDOWS\SYSTEM32\clusapi.dll
2006-09-11 11:25 53,840 --a------ C:\WINDOWS\SYSTEM32\dosx.exe
2006-09-11 11:25 53,760 --a------ C:\WINDOWS\SYSTEM32\cryptsvc.dll
2006-09-11 11:25 53,760 --a------ C:\WINDOWS\SYSTEM32\authz.dll
2006-09-11 11:25 53,248 --a------ C:\WINDOWS\SYSTEM32\cryptnet.dll
2006-09-11 11:25 51,712 --a------ C:\WINDOWS\SYSTEM32\devenum.dll
2006-09-11 11:25 51,712 --a------ C:\WINDOWS\SYSTEM32\dataclen.dll
2006-09-11 11:25 50,688 --a------ C:\WINDOWS\SYSTEM32\dmutil.dll
2006-09-11 11:25 5,120 --a------ C:\WINDOWS\SYSTEM32\cisvc.exe
2006-09-11 11:25 499,200 --a------ C:\WINDOWS\SYSTEM32\comuid.dll
2006-09-11 11:25 498,205 --a------ C:\WINDOWS\SYSTEM32\dxmasf.dll
2006-09-11 11:25 497,152 --a------ C:\WINDOWS\SYSTEM32\clbcatq.dll
2006-09-11 11:25 49,664 --a------ C:\WINDOWS\SYSTEM32\dpwsockx.dll
2006-09-11 11:25 49,152 --a------ C:\WINDOWS\SYSTEM32\browser.dll
2006-09-11 11:25 489,984 --a------ C:\WINDOWS\SYSTEM32\dbghelp.dll
2006-09-11 11:25 48,640 --a------ C:\WINDOWS\SYSTEM32\cryptext.dll
2006-09-11 11:25 471,040 --a------ C:\WINDOWS\SYSTEM32\cryptui.dll
2006-09-11 11:25 47,104 --a------ C:\WINDOWS\SYSTEM32\dssec.dll
2006-09-11 11:25 46,592 --a------ C:\WINDOWS\twain_32.dll
2006-09-11 11:25 45,632 --a------ C:\WINDOWS\SYSTEM32\cliconfg.exe
2006-09-11 11:25 45,568 --a------ C:\WINDOWS\SYSTEM32\docprop2.dll
2006-09-11 11:25 45,568 --a------ C:\WINDOWS\SYSTEM32\cnbjmon.dll
2006-09-11 11:25 45,056 --a------ C:\WINDOWS\SYSTEM32\camocx.dll
2006-09-11 11:25 44,032 --a------ C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2006-09-11 11:25 44,032 --a------ C:\WINDOWS\SYSTEM32\basesrv.dll
2006-09-11 11:25 436,736 --a------ C:\WINDOWS\SYSTEM32\certmgr.dll
2006-09-11 11:25 41,984 --a------ C:\WINDOWS\SYSTEM32\alg.exe
2006-09-11 11:25 41,472 --a------ C:\WINDOWS\SYSTEM32\cmdl32.exe
2006-09-11 11:25 4,096 --a------ C:\WINDOWS\SYSTEM32\actmovie.exe
2006-09-11 11:25 38,912 --a------ C:\WINDOWS\SYSTEM32\audiosrv.dll
2006-09-11 11:25 38,400 --a------ C:\WINDOWS\SYSTEM32\dpnlobby.dll
2006-09-11 11:25 36,352 --a------ C:\WINDOWS\SYSTEM32\cmutil.dll
2006-09-11 11:25 35,840 --a------ C:\WINDOWS\SYSTEM32\cmmon32.exe
2006-09-11 11:25 35,328 --a------ C:\WINDOWS\SYSTEM32\dfrgsnap.dll
2006-09-11 11:25 338,944 --a------ C:\WINDOWS\SYSTEM32\dsound.dll
2006-09-11 11:25 324,608 --a------ C:\WINDOWS\SYSTEM32\cmdial32.dll
2006-09-11 11:25 32,768 --a------ C:\WINDOWS\SYSTEM32\cfgbkend.dll
2006-09-11 11:25 31,744 --a------ C:\WINDOWS\SYSTEM32\dmloader.dll
2006-09-11 11:25 307,712 --a------ C:\WINDOWS\SYSTEM32\cscui.dll
2006-09-11 11:25 301,712 --a------ C:\WINDOWS\SYSTEM32\drmclien.dll
2006-09-11 11:25 30,720 --a------ C:\WINDOWS\SYSTEM32\clipsrv.exe
2006-09-11 11:25 29,696 --a------ C:\WINDOWS\SYSTEM32\dpnhpast.dll
2006-09-11 11:25 29,184 --a------ C:\WINDOWS\SYSTEM32\cryptdll.dll
2006-09-11 11:25 28,672 --a------ C:\WINDOWS\SYSTEM32\dbnmpntw.dll
2006-09-11 11:25 272,768 --a------ C:\WINDOWS\SYSTEM32\atmfd.dll
2006-09-11 11:25 27,136 --a------ C:\WINDOWS\SYSTEM32\ddeshare.exe
2006-09-11 11:25 27,136 --a------ C:\WINDOWS\SYSTEM32\batmeter.dll
2006-09-11 11:25 27,136 --a------ C:\WINDOWS\SYSTEM32\atmlib.dll
2006-09-11 11:25 266,752 --a------ C:\WINDOWS\winhlp32.exe
2006-09-11 11:25 263,680 --a------ C:\WINDOWS\SYSTEM32\duser.dll
2006-09-11 11:25 263,168 --a------ C:\WINDOWS\SYSTEM32\devmgr.dll
2006-09-11 11:25 26,112 --a------ C:\WINDOWS\SYSTEM32\dpnaddr.dll
2006-09-11 11:25 26,112 --a------ C:\WINDOWS\SYSTEM32\dplaysvr.exe
2006-09-11 11:25 26,112 --a------ C:\WINDOWS\SYSTEM32\dmband.dll
2006-09-11 11:25 253,440 --a------ C:\WINDOWS\SYSTEM32\ddraw.dll
2006-09-11 11:25 25,600 --a------ C:\WINDOWS\SYSTEM32\dfsshlex.dll
2006-09-11 11:25 24,576 --a------ C:\WINDOWS\SYSTEM32\dbmsrpcn.dll
2006-09-11 11:25 24,576 --a------ C:\WINDOWS\SYSTEM32\conime.exe
2006-09-11 11:25 24,064 --a------ C:\WINDOWS\SYSTEM32\dpvacm.dll
2006-09-11 11:25 24,064 --a------ C:\WINDOWS\SYSTEM32\ddrawex.dll
2006-09-11 11:25 239,616 --a------ C:\WINDOWS\SYSTEM32\adsnt.dll
2006-09-11 11:25 238,592 --a------ C:\WINDOWS\SYSTEM32\compatui.dll
2006-09-11 11:25 232,960 --a------ C:\WINDOWS\SYSTEM32\blackbox.dll
2006-09-11 11:25 227,840 --a------ C:\WINDOWS\SYSTEM32\dsquery.dll
2006-09-11 11:25 227,328 --a------ C:\WINDOWS\SYSTEM32\es.dll
2006-09-11 11:25 222,208 --a------ C:\WINDOWS\SYSTEM32\compstui.dll
2006-09-11 11:25 220,672 --a------ C:\WINDOWS\SYSTEM32\catsrv.dll
2006-09-11 11:25 22,528 --a------ C:\WINDOWS\SYSTEM32\at.exe
2006-09-11 11:25 22,016 --a------ C:\WINDOWS\SYSTEM32\davclnt.dll
2006-09-11 11:25 212,992 --a------ C:\WINDOWS\SYSTEM32\dplayx.dll
2006-09-11 11:25 21,504 --a------ C:\WINDOWS\SYSTEM32\dmserver.dll
2006-09-11 11:25 206,336 --a------ C:\WINDOWS\SYSTEM32\dpvoice.dll
2006-09-11 11:25 204,800 --a------ C:\WINDOWS\SYSTEM32\dmadmin.exe
2006-09-11 11:25 20,992 --a------ C:\WINDOWS\SYSTEM32\dpmodemx.dll
2006-09-11 11:25 2,025,984 --a------ C:\WINDOWS\SYSTEM32\cdosys.dll
2006-09-11 11:25 19,456 --a------ C:\WINDOWS\SYSTEM32\ersvc.dll
2006-09-11 11:25 186,880 --a------ C:\WINDOWS\SYSTEM32\certcli.dll
2006-09-11 11:25 184,320 --a------ C:\WINDOWS\SYSTEM32\dmdskmgr.dll
2006-09-11 11:25 181,760 --a------ C:\WINDOWS\SYSTEM32\activeds.dll
2006-09-11 11:25 180,224 --a------ C:\WINDOWS\SYSTEM32\dwwin.exe
2006-09-11 11:25 18,944 --a------ C:\WINDOWS\SYSTEM32\dpnsvr.exe
2006-09-11 11:25 174,592 --a------ C:\WINDOWS\SYSTEM32\cmprops.dll
2006-09-11 11:25 172,544 --a------ C:\WINDOWS\SYSTEM32\dmime.dll
2006-09-11 11:25 168,960 --a------ C:\WINDOWS\SYSTEM32\dinput8.dll
2006-09-11 11:25 165,888 --a------ C:\WINDOWS\SYSTEM32\dsdmo.dll
2006-09-11 11:25 165,376 --a------ C:\WINDOWS\SYSTEM32\els.dll
2006-09-11 11:25 162,816 --a------ C:\WINDOWS\SYSTEM32\adsldp.dll
2006-09-11 11:25 16,896 --a------ C:\WINDOWS\SYSTEM32\dswave.dll
2006-09-11 11:25 16,896 --a------ C:\WINDOWS\SYSTEM32\cfgmgr32.dll
2006-09-11 11:25 16,384 --a------ C:\WINDOWS\SYSTEM32\ds32gt.dll
2006-09-11 11:25 159,232 --a------ C:\WINDOWS\SYSTEM32\cewmdm.dll
2006-09-11 11:25 158,720 --a------ C:\WINDOWS\SYSTEM32\credui.dll
2006-09-11 11:25 156,672 --a------ C:\WINDOWS\SYSTEM32\dpnet.dll
2006-09-11 11:25 151,552 --a------ C:\WINDOWS\SYSTEM32\dinput.dll
2006-09-11 11:25 15,872 --a------ C:\WINDOWS\SYSTEM32\dvdupgrd.exe
2006-09-11 11:25 15,872 --a------ C:\WINDOWS\SYSTEM32\alrsvc.dll
2006-09-11 11:25 145,920 --a------ C:\WINDOWS\SYSTEM32\diskpart.exe
2006-09-11 11:25 14,877 --a------ C:\WINDOWS\SYSTEM32\corpol.dll
2006-09-11 11:25 14,848 --a------ C:\WINDOWS\SYSTEM32\bidispl.dll
2006-09-11 11:25 14,336 --a------ C:\WINDOWS\SYSTEM32\dmremote.exe
2006-09-11 11:25 139,776 --a------ C:\WINDOWS\SYSTEM32\adsldpc.dll
2006-09-11 11:25 135,680 --a------ C:\WINDOWS\SYSTEM32\dsprop.dll
2006-09-11 11:25 134,144 --a------ C:\WINDOWS\regedit.exe
2006-09-11 11:25 13,312 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe
2006-09-11 11:25 127,552 --a------ C:\WINDOWS\SYSTEM32\cliconfg.dll
2006-09-11 11:25 124,928 --a------ C:\WINDOWS\SYSTEM32\dssenh.dll
2006-09-11 11:25 12,288 --a------ C:\WINDOWS\SYSTEM32\cmcfg32.dll
2006-09-11 11:25 115,712 --a------ C:\WINDOWS\SYSTEM32\apphelp.dll
2006-09-11 11:25 113,152 --a------ C:\WINDOWS\SYSTEM32\dpvvox.dll
2006-09-11 11:25 113,152 --a------ C:\WINDOWS\SYSTEM32\dfrgui.dll
2006-09-11 11:25 110,080 --a------ C:\WINDOWS\SYSTEM32\dmstyle.dll
2006-09-11 11:25 110,080 --a------ C:\WINDOWS\SYSTEM32\clbcatex.dll
2006-09-11 11:25 11,776 --a------ C:\WINDOWS\SYSTEM32\drprov.dll
2006-09-11 11:25 107,008 --a------ C:\WINDOWS\SYSTEM32\aclui.dll
2006-09-11 11:25 106,496 --a------ C:\WINDOWS\SYSTEM32\dsuiext.dll
2006-09-11 11:25 103,424 --a------ C:\WINDOWS\SYSTEM32\dgnet.dll
2006-09-11 11:25 102,450 --a------ C:\WINDOWS\SYSTEM32\cscript.exe
2006-09-11 11:25 10,752 --a------ C:\WINDOWS\hh.exe
2006-09-11 11:25 10,240 --a------ C:\WINDOWS\SYSTEM32\atmadm.exe
2006-09-11 11:25 1,293,824 --a------ C:\WINDOWS\SYSTEM32\dsound3d.dll
2006-09-11 11:25 1,185,792 --a------ C:\WINDOWS\SYSTEM32\dx8vb.dll
2006-09-11 11:25 1,180,672 --a------ C:\WINDOWS\SYSTEM32\d3d8.dll
2006-09-11 11:25 1,179,136 --a------ C:\WINDOWS\SYSTEM32\comsvcs.dll
2006-09-11 11:25 1,004,032 --a------ C:\WINDOWS\explorer.exe
2006-09-11 11:24 995,384 --a------ C:\WINDOWS\SYSTEM32\mfc42u.dll
2006-09-11 11:24 995,383 --a------ C:\WINDOWS\SYSTEM32\mfc42.dll
2006-09-11 11:24 99,840 --a------ C:\WINDOWS\SYSTEM32\iexpress.exe
2006-09-11 11:24 974,336 --a------ C:\WINDOWS\SYSTEM32\msdtctm.dll
2006-09-11 11:24 971,264 --a------ C:\WINDOWS\SYSTEM32\msgina.dll
2006-09-11 11:24 92,160 --a------ C:\WINDOWS\SYSTEM32\krnl386.exe
2006-09-11 11:24 91,648 --a------ C:\WINDOWS\SYSTEM32\loadperf.dll
2006-09-11 11:24 91,136 --a------ C:\WINDOWS\SYSTEM32\msoert2.dll
2006-09-11 11:24 9,728 --a------ C:\WINDOWS\SYSTEM32\mstinit.exe
2006-09-11 11:24 9,728 --a------ C:\WINDOWS\SYSTEM32\gpkrsrc.dll
2006-09-11 11:24 9,216 --a------ C:\WINDOWS\SYSTEM32\icaapi.dll
2006-09-11 11:24 88,064 --a------ C:\WINDOWS\SYSTEM32\mydocs.dll
2006-09-11 11:24 831,562 --a------ C:\WINDOWS\SYSTEM32\mswdat10.dll
2006-09-11 11:24 83,456 --a------ C:\WINDOWS\SYSTEM32\mtxoci.dll
2006-09-11 11:24 82,432 --a------ C:\WINDOWS\SYSTEM32\fldrclnr.dll
2006-09-11 11:24 81,408 --a------ C:\WINDOWS\SYSTEM32\logagent.exe
2006-09-11 11:24 80,384 --a------ C:\WINDOWS\SYSTEM32\mciavi32.dll
2006-09-11 11:24 80,128 --a------ C:\WINDOWS\SYSTEM32\msapsspc.dll
2006-09-11 11:24 8,832 --a------ C:\WINDOWS\SYSTEM32\framebuf.dll
2006-09-11 11:24 8,704 --a------ C:\WINDOWS\SYSTEM32\lprhelp.dll
2006-09-11 11:24 8,192 --a------ C:\WINDOWS\SYSTEM32\igmpagnt.dll
2006-09-11 11:24 79,360 --a------ C:\WINDOWS\SYSTEM32\mprapi.dll
2006-09-11 11:24 79,360 --a------ C:\WINDOWS\SYSTEM32\makecab.exe
2006-09-11 11:24 774,144 --a------ C:\WINDOWS\SYSTEM32\mmc.exe
2006-09-11 11:24 77,824 --a------ C:\WINDOWS\SYSTEM32\isign32.dll
2006-09-11 11:24 73,728 --a------ C:\WINDOWS\SYSTEM32\ils.dll
2006-09-11 11:24 7,040 --a------ C:\WINDOWS\SYSTEM32\kd1394.dll
2006-09-11 11:24 699,392 --a------ C:\WINDOWS\SYSTEM32\msxml2.dll
2006-09-11 11:24 69,632 --a------ C:\WINDOWS\SYSTEM32\icwdial.dll
2006-09-11 11:24 68,928 --a------ C:\WINDOWS\SYSTEM32\mmsystem.dll
2006-09-11 11:24 68,608 --a------ C:\WINDOWS\SYSTEM32\mscms.dll
2006-09-11 11:24 68,096 --a------ C:\WINDOWS\SYSTEM32\inetpp.dll
2006-09-11 11:24 67,584 --a------ C:\WINDOWS\SYSTEM32\msctfp.dll
2006-09-11 11:24 67,584 --a------ C:\WINDOWS\SYSTEM32\magnify.exe
2006-09-11 11:24 67,072 --a------ C:\WINDOWS\SYSTEM32\msacm32.dll
2006-09-11 11:24 66,560 --a------ C:\WINDOWS\SYSTEM32\mmcbase.dll
2006-09-11 11:24 66,560 --a------ C:\WINDOWS\SYSTEM32\faultrep.dll
2006-09-11 11:24 66,048 --a------ C:\WINDOWS\SYSTEM32\msw3prt.dll
2006-09-11 11:24 65,536 --a------ C:\WINDOWS\SYSTEM32\msconf.dll
2006-09-11 11:24 65,024 --a------ C:\WINDOWS\SYSTEM32\msvcrt40.dll
2006-09-11 11:24 64,512 --a------ C:\WINDOWS\SYSTEM32\mtxclu.dll
2006-09-11 11:24 614,474 --a------ C:\WINDOWS\SYSTEM32\mswstr10.dll
2006-09-11 11:24 61,440 --a------ C:\WINDOWS\SYSTEM32\icwphbk.dll
2006-09-11 11:24 6,656 --a------ C:\WINDOWS\SYSTEM32\laprxy.dll
2006-09-11 11:24 6,144 --a------ C:\WINDOWS\SYSTEM32\msdtc.exe
2006-09-11 11:24 598,016 --a------ C:\WINDOWS\SYSTEM32\mstscax.dll
2006-09-11 11:24 596,480 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-09-11 11:24 593,408 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2006-09-11 11:24 585,344 --a------ C:\WINDOWS\SYSTEM32\i81xdnt5.dll
2006-09-11 11:24 584,192 --a------ C:\WINDOWS\SYSTEM32\netcfgx.dll
2006-09-11 11:24 57,856 --a------ C:\WINDOWS\SYSTEM32\licwmi.dll
2006-09-11 11:24 56,320 --a------ C:\WINDOWS\SYSTEM32\miglibnt.dll
2006-09-11 11:24 552,991 --a------ C:\WINDOWS\SYSTEM32\msrepl40.dll
2006-09-11 11:24 55,808 --a------ C:\WINDOWS\SYSTEM32\mpr.dll
2006-09-11 11:24 54,784 --a------ C:\WINDOWS\SYSTEM32\msdtclog.dll
2006-09-11 11:24 54,272 --a------ C:\WINDOWS\SYSTEM32\ipv6mon.dll
2006-09-11 11:24 53,322 --a------ C:\WINDOWS\SYSTEM32\msjter40.dll
2006-09-11 11:24 512,031 --a------ C:\WINDOWS\SYSTEM32\msexch40.dll
2006-09-11 11:24 51,712 --a------ C:\WINDOWS\SYSTEM32\msasn1.dll
2006-09-11 11:24 51,712 --a------ C:\WINDOWS\SYSTEM32\ipconfig.exe
2006-09-11 11:24 51,200 --a------ C:\WINDOWS\SYSTEM32\narrator.exe
2006-09-11 11:24 504,320 --a------ C:\WINDOWS\SYSTEM32\logonui.exe
2006-09-11 11:24 50,688 --a------ C:\WINDOWS\SYSTEM32\msvcirt.dll
2006-09-11 11:24 5,120 --a------ C:\WINDOWS\SYSTEM32\msidle.dll
2006-09-11 11:24 495,376 --a------ C:\WINDOWS\SYSTEM32\msxml.dll
2006-09-11 11:24 49,664 --a------ C:\WINDOWS\SYSTEM32\ixsso.dll
2006-09-11 11:24 49,152 --a------ C:\WINDOWS\SYSTEM32\eventlog.dll
2006-09-11 11:24 48,640 --a------ C:\WINDOWS\SYSTEM32\ipv6.exe
2006-09-11 11:24 47,616 --a------ C:\WINDOWS\SYSTEM32\inetres.dll
2006-09-11 11:24 46,592 --a------ C:\WINDOWS\SYSTEM32\mmcshext.dll
2006-09-11 11:24 45,568 --a------ C:\WINDOWS\SYSTEM32\iyuv_32.dll
2006-09-11 11:24 45,056 --a------ C:\WINDOWS\SYSTEM32\msprivs.dll
2006-09-11 11:24 439,808 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2006-09-11 11:24 421,919 --a------ C:\WINDOWS\SYSTEM32\msrd2x40.dll
2006-09-11 11:24 42,496 --a------ C:\WINDOWS\SYSTEM32\ncobjapi.dll
2006-09-11 11:24 401,462 --a------ C:\WINDOWS\SYSTEM32\msvcp60.dll
2006-09-11 11:24 40,960 --a------ C:\WINDOWS\SYSTEM32\extrac32.exe
2006-09-11 11:24 4,608 --a------ C:\WINDOWS\SYSTEM32\msimg32.dll
2006-09-11 11:24 4,126 --a------ C:\WINDOWS\SYSTEM32\msdxmlc.dll
2006-09-11 11:24 4,096 --a------ C:\WINDOWS\SYSTEM32\nddeapir.exe
2006-09-11 11:24 4,096 --a------ C:\WINDOWS\SYSTEM32\ksuser.dll
2006-09-11 11:24 39,936 --a------ C:\WINDOWS\SYSTEM32\htui.dll
2006-09-11 11:24 39,424 --a------ C:\WINDOWS\SYSTEM32\net.exe
2006-09-11 11:24 388,608 --a------ C:\WINDOWS\SYSTEM32\mstsc.exe
2006-09-11 11:24 381,440 --a------ C:\WINDOWS\SYSTEM32\lmrt.dll
2006-09-11 11:24 380,445 --a------ C:\WINDOWS\SYSTEM32\expsrv.dll
2006-09-11 11:24 38,912 --a------ C:\WINDOWS\SYSTEM32\hhsetup.dll
2006-09-11 11:24 37,888 --a------ C:\WINDOWS\SYSTEM32\grpconv.exe
2006-09-11 11:24 368,640 --a------ C:\WINDOWS\SYSTEM32\msdtcprx.dll
2006-09-11 11:24 367,616 --a------ C:\WINDOWS\SYSTEM32\licdll.dll
2006-09-11 11:24 364,544 --a------ C:\WINDOWS\SYSTEM32\ipsmsnap.dll
2006-09-11 11:24 361,472 --a------ C:\WINDOWS\SYSTEM32\fontext.dll
2006-09-11 11:24 36,922 --a------ C:\WINDOWS\SYSTEM32\imeshare.dll
2006-09-11 11:24 36,864 --a------ C:\WINDOWS\SYSTEM32\mscpxl32.dll
2006-09-11 11:24 36,864 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2006-09-11 11:24 358,912 --a------ C:\WINDOWS\SYSTEM32\msscp.dll
2006-09-11 11:24 348,195 --a------ C:\WINDOWS\SYSTEM32\msjetoledb40.dll
2006-09-11 11:24 348,191 --a------ C:\WINDOWS\SYSTEM32\mspbde40.dll
2006-09-11 11:24 344,095 --a------ C:\WINDOWS\SYSTEM32\msxbde40.dll
2006-09-11 11:24 334,848 --a------ C:\WINDOWS\SYSTEM32\ipsecsnp.dll
2006-09-11 11:24 33,280 --a------ C:\WINDOWS\SYSTEM32\mciqtz32.dll
2006-09-11 11:24 323,072 --a------ C:\WINDOWS\SYSTEM32\msvcrt.dll
2006-09-11 11:24 323,072 --a------ C:\WINDOWS\SYSTEM32\filemgmt.dll
2006-09-11 11:24 32,768 --a------ C:\WINDOWS\SYSTEM32\mnmsrvc.exe
2006-09-11 11:24 32,256 --a------ C:\WINDOWS\SYSTEM32\mnmdd.dll
2006-09-11 11:24 319,760 --a------ C:\WINDOWS\SYSTEM32\msnsspc.dll
2006-09-11 11:24 319,519 --a------ C:\WINDOWS\SYSTEM32\msexcl40.dll
2006-09-11 11:24 318,464 --a------ C:\WINDOWS\SYSTEM32\ippromon.dll
2006-09-11 11:24 315,904 --a------ C:\WINDOWS\SYSTEM32\hnetwiz.dll
2006-09-11 11:24 315,466 --a------ C:\WINDOWS\SYSTEM32\msrd3x40.dll
2006-09-11 11:24 31,232 --a------ C:\WINDOWS\SYSTEM32\inetmib1.dll
2006-09-11 11:24 3,584 --a------ C:\WINDOWS\SYSTEM32\msafd.dll
2006-09-11 11:24 3,072 --a------ C:\WINDOWS\SYSTEM32\icmp.dll
2006-09-11 11:24 285,184 --a------ C:\WINDOWS\SYSTEM32\kerberos.dll
2006-09-11 11:24 28,672 --a------ C:\WINDOWS\SYSTEM32\isrdbg32.dll
2006-09-11 11:24 27,136 --a------ C:\WINDOWS\SYSTEM32\mspatcha.dll
2006-09-11 11:24 266,752 --a------ C:\WINDOWS\SYSTEM32\msctf.dll
2006-09-11 11:24 266,240 --a------ C:\WINDOWS\SYSTEM32\inetcfg.dll
2006-09-11 11:24 260,608 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2006-09-11 11:24 253,983 --a------ C:\WINDOWS\SYSTEM32\mstext40.dll
2006-09-11 11:24 253,952 --a------ C:\WINDOWS\SYSTEM32\msnetobj.dll
2006-09-11 11:24 250,368 --a------ C:\WINDOWS\SYSTEM32\mstask.dll
2006-09-11 11:24 25,088 --a------ C:\WINDOWS\SYSTEM32\findstr.exe
2006-09-11 11:24 245,760 --a------ C:\WINDOWS\SYSTEM32\mswmdm.dll
2006-09-11 11:24 241,695 --a------ C:\WINDOWS\SYSTEM32\msjtes40.dll
2006-09-11 11:24 241,664 --a------ C:\WINDOWS\SYSTEM32\mpg4dmod.dll
2006-09-11 11:24 240,640 --a------ C:\WINDOWS\SYSTEM32\hnetcfg.dll
2006-09-11 11:24 237,056 --a------ C:\WINDOWS\SYSTEM32\icm32.dll
2006-09-11 11:24 230,400 --a------ C:\WINDOWS\SYSTEM32\msieftp.dll
2006-09-11 11:24 23,040 --a------ C:\WINDOWS\SYSTEM32\iernonce.dll
2006-09-11 11:24 229,376 --a------ C:\WINDOWS\SYSTEM32\msoeacct.dll
2006-09-11 11:24 228,352 --a------ C:\WINDOWS\SYSTEM32\mswsock.dll
2006-09-11 11:24 22,528 --a------ C:\WINDOWS\SYSTEM32\mslbui.dll
2006-09-11 11:24 22,528 --a------ C:\WINDOWS\SYSTEM32\hid.dll
2006-09-11 11:24 22,016 --a------ C:\WINDOWS\SYSTEM32\mciwave.dll
2006-09-11 11:24 22,016 --a------ C:\WINDOWS\SYSTEM32\ipxroute.exe
2006-09-11 11:24 219,648 --a------ C:\WINDOWS\SYSTEM32\logon.scr
2006-09-11 11:24 213,023 --a------ C:\WINDOWS\SYSTEM32\msltus40.dll
2006-09-11 11:24 210,944 --a------ C:\WINDOWS\SYSTEM32\moricons.dll
2006-09-11 11:24 204,288 --a------ C:\WINDOWS\SYSTEM32\ieaksie.dll
2006-09-11 11:24 202,752 --a------ C:\WINDOWS\SYSTEM32\localsec.dll
2006-09-11 11:24 201,728 --a------ C:\WINDOWS\SYSTEM32\mspmsp.dll
2006-09-11 11:24 20,992 --a------ C:\WINDOWS\SYSTEM32\mfcsubs.dll
2006-09-11 11:24 20,992 --a------ C:\WINDOWS\SYSTEM32\mciseq.dll
2006-09-11 11:24 20,480 --a------ C:\WINDOWS\SYSTEM32\msorc32r.dll
2006-09-11 11:24 196,096 --a------ C:\WINDOWS\SYSTEM32\mobsync.dll
2006-09-11 11:24 192,512 --a------ C:\WINDOWS\SYSTEM32\mswebdvd.dll
2006-09-11 11:24 19,456 --a------ C:\WINDOWS\SYSTEM32\licmgr10.dll
2006-09-11 11:24 19,456 --a------ C:\WINDOWS\SYSTEM32\fontview.exe
2006-09-11 11:24 182,784 --a------ C:\WINDOWS\SYSTEM32\msutb.dll
2006-09-11 11:24 18,944 --a------ C:\WINDOWS\SYSTEM32\lpk.dll
2006-09-11 11:24 18,432 --a------ C:\WINDOWS\SYSTEM32\feclient.dll
2006-09-11 11:24 178,688 --a------ C:\WINDOWS\SYSTEM32\eudcedit.exe
2006-09-11 11:24 17,920 --a------ C:\WINDOWS\SYSTEM32\midimap.dll
2006-09-11 11:24 16,384 --a------ C:\WINDOWS\SYSTEM32\nddenb32.dll
2006-09-11 11:24 16,384 --a------ C:\WINDOWS\SYSTEM32\msyuv.dll
2006-09-11 11:24 16,384 --a------ C:\WINDOWS\SYSTEM32\mmfutil.dll
2006-09-11 11:24 16,384 --a------ C:\WINDOWS\SYSTEM32\linkinfo.dll
2006-09-11 11:24 159,744 --a------ C:\WINDOWS\SYSTEM32\ipsecsvc.dll
2006-09-11 11:24 151,626 --a------ C:\WINDOWS\SYSTEM32\msjint40.dll
2006-09-11 11:24 150,528 --a------ C:\WINDOWS\SYSTEM32\msdtcuiu.dll
2006-09-11 11:24 15,360 --a------ C:\WINDOWS\SYSTEM32\nddeapi.dll
2006-09-11 11:24 146,432 --a------ C:\WINDOWS\SYSTEM32\keymgr.dll
2006-09-11 11:24 145,408 --a------ C:\WINDOWS\SYSTEM32\modemui.dll
2006-09-11 11:24 144,896 --a------ C:\WINDOWS\SYSTEM32\initpki.dll
2006-09-11 11:24 143,872 --a------ C:\WINDOWS\SYSTEM32\msimtf.dll
2006-09-11 11:24 143,872 --a------ C:\WINDOWS\SYSTEM32\itircl.dll
2006-09-11 11:24 14,336 --a------ C:\WINDOWS\SYSTEM32\inetppui.dll
2006-09-11 11:24 137,216 --a------ C:\WINDOWS\SYSTEM32\hotplug.dll
2006-09-11 11:24 135,680 --a------ C:\WINDOWS\SYSTEM32\mobsync.exe
2006-09-11 11:24 131,072 --a------ C:\WINDOWS\SYSTEM32\msorcl32.dll
2006-09-11 11:24 128,000 --a------ C:\WINDOWS\SYSTEM32\itss.dll
2006-09-11 11:24 126,976 --a------ C:\WINDOWS\SYSTEM32\msdart.dll
2006-09-11 11:24 126,976 --a------ C:\WINDOWS\SYSTEM32\ieakeng.dll
2006-09-11 11:24 125,952 --a------ C:\WINDOWS\SYSTEM32\ifmon.dll
2006-09-11 11:24 123,904 --a------ C:\WINDOWS\SYSTEM32\imapi.exe
2006-09-11 11:24 12,800 --a------ C:\WINDOWS\SYSTEM32\mcastmib.dll
2006-09-11 11:24 12,288 --a------ C:\WINDOWS\SYSTEM32\mscpx32r.dll
2006-09-11 11:24 116,736 --a------ C:\WINDOWS\SYSTEM32\glu32.dll
2006-09-11 11:24 116,224 --a------ C:\WINDOWS\SYSTEM32\iasrad.dll
2006-09-11 11:24 115,200 --a------ C:\WINDOWS\SYSTEM32\net1.exe
2006-09-11 11:24 114,176 --a------ C:\WINDOWS\SYSTEM32\input.dll
2006-09-11 11:24 113,664 --a------ C:\WINDOWS\SYSTEM32\msvfw32.dll
2006-09-11 11:24 113,152 --a------ C:\WINDOWS\SYSTEM32\idq.dll
2006-09-11 11:24 110,592 --a------ C:\WINDOWS\SYSTEM32\iccvid.dll
2006-09-11 11:24 11,776 --a------ C:\WINDOWS\SYSTEM32\lsass.exe
2006-09-11 11:24 11,264 --a------ C:\WINDOWS\SYSTEM32\msdmo.dll
2006-09-11 11:24 108,544 --a------ C:\WINDOWS\SYSTEM32\mdminst.dll
2006-09-11 11:24 103,936 --a------ C:\WINDOWS\SYSTEM32\mstlsapi.dll
2006-09-11 11:24 103,936 --a------ C:\WINDOWS\SYSTEM32\imm32.dll
2006-09-11 11:24 10,240 --a------ C:\WINDOWS\SYSTEM32\msrle32.dll
2006-09-11 11:24 10,240 --a------ C:\WINDOWS\SYSTEM32\localui.dll
2006-09-11 11:24 1,503,262 --a------ C:\WINDOWS\SYSTEM32\msjet40.dll
2006-09-11 11:24 1,385,744 --a------ C:\WINDOWS\SYSTEM32\msvbvm60.dll
2006-09-11 11:24 1,220,608 --a------ C:\WINDOWS\SYSTEM32\msvidctl.dll
2006-09-11 11:24 1,128,960 --a------ C:\WINDOWS\SYSTEM32\mmcndmgr.dll
2006-09-11 11:24 1,122,304 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-11 11:23 98,304 --a------ C:\WINDOWS\SYSTEM32\polstore.dll
2006-09-11 11:23 98,304 --a------ C:\WINDOWS\SYSTEM32\oleprn.dll
2006-09-11 11:23 98,304 --a------ C:\WINDOWS\SYSTEM32\odbccp32.dll
2006-09-11 11:23 96,256 --a------ C:\WINDOWS\SYSTEM32\rcbdyctl.dll
2006-09-11 11:23 95,744 --a------ C:\WINDOWS\SYSTEM32\nlhtml.dll
2006-09-11 11:23 91,136 --a------ C:\WINDOWS\SYSTEM32\rastls.dll
2006-09-11 11:23 90,112 --a------ C:\WINDOWS\SYSTEM32\odbcint.dll
2006-09-11 11:23 9,728 --a------ C:\WINDOWS\SYSTEM32\regsvr32.exe
2006-09-11 11:23 89,600 --a------ C:\WINDOWS\SYSTEM32\slbiop.dll
2006-09-11 11:23 87,304 --a------ C:\WINDOWS\SYSTEM32\rdpdd.dll
2006-09-11 11:23 857,600 --a------ C:\WINDOWS\SYSTEM32\netplwiz.dll
2006-09-11 11:23 83,456 --a------ C:\WINDOWS\SYSTEM32\netsh.exe
2006-09-11 11:23 829,952 --a------ C:\WINDOWS\SYSTEM32\tapi3.dll
2006-09-11 11:23 82,944 --a------ C:\WINDOWS\SYSTEM32\smlogsvc.exe
2006-09-11 11:23 82,944 --a------ C:\WINDOWS\SYSTEM32\psbase.dll
2006-09-11 11:23 8,192 --a------ C:\WINDOWS\SYSTEM32\scrnsave.scr
2006-09-11 11:23 75,912 --a------ C:\WINDOWS\SYSTEM32\rdpwsx.dll
2006-09-11 11:23 74,752 --a------ C:\WINDOWS\SYSTEM32\netui0.dll
2006-09-11 11:23 74,240 --a------ C:\WINDOWS\SYSTEM32\rtcshare.exe
2006-09-11 11:23 734,208 --a------ C:\WINDOWS\SYSTEM32\qedwipes.dll
2006-09-11 11:23 72,192 --a------ C:\WINDOWS\SYSTEM32\telnet.exe
2006-09-11 11:23 71,168 --a------ C:\WINDOWS\SYSTEM32\storprop.dll
2006-09-11 11:23 71,168 --a------ C:\WINDOWS\SYSTEM32\sdbinst.exe
2006-09-11 11:23 700,928 --a------ C:\WINDOWS\SYSTEM32\sxs.dll
2006-09-11 11:23 69,632 --a------ C:\WINDOWS\SYSTEM32\shrpubw.exe
2006-09-11 11:23 686,080 --a------ C:\WINDOWS\SYSTEM32\opengl32.dll
2006-09-11 11:23 667,648 --a------ C:\WINDOWS\SYSTEM32\ss3dfo.scr
2006-09-11 11:23 66,560 --a------ C:\WINDOWS\SYSTEM32\spoolss.dll
2006-09-11 11:23 66,560 --a------ C:\WINDOWS\SYSTEM32\scarddlg.dll
2006-09-11 11:23 66,048 --a------ C:\WINDOWS\SYSTEM32\sigverif.exe
2006-09-11 11:23 66,048 --a------ C:\WINDOWS\SYSTEM32\notepad.exe
2006-09-11 11:23 66,048 --a------ C:\WINDOWS\notepad.exe
2006-09-11 11:23 64,512 --a------ C:\WINDOWS\SYSTEM32\ntdsapi.dll
2006-09-11 11:23 638,976 --a------ C:\WINDOWS\SYSTEM32\sstext3d.scr
2006-09-11 11:23 63,488 --a------ C:\WINDOWS\SYSTEM32\srclient.dll
2006-09-11 11:23 62,976 --a------ C:\WINDOWS\SYSTEM32\shgina.dll
2006-09-11 11:23 61,952 --a------ C:\WINDOWS\SYSTEM32\sti.dll
2006-09-11 11:23 61,952 --a------ C:\WINDOWS\SYSTEM32\rdshost.exe
2006-09-11 11:23 61,952 --a------ C:\WINDOWS\SYSTEM32\osuninst.dll
2006-09-11 11:23 61,440 --a------ C:\WINDOWS\SYSTEM32\odbccu32.dll
2006-09-11 11:23 61,440 --a------ C:\WINDOWS\SYSTEM32\odbccr32.dll
2006-09-11 11:23 60,416 --a------ C:\WINDOWS\SYSTEM32\shimeng.dll
2006-09-11 11:23 6,144 --a------ C:\WINDOWS\SYSTEM32\sensapi.dll
2006-09-11 11:23 58,880 --a------ C:\WINDOWS\SYSTEM32\pautoenr.dll
2006-09-11 11:23 57,856 --a------ C:\WINDOWS\SYSTEM32\raschap.dll
2006-09-11 11:23 569,344 --a------ C:\WINDOWS\SYSTEM32\sspipes.scr
2006-09-11 11:23 56,320 --a------ C:\WINDOWS\SYSTEM32\remotepg.dll
2006-09-11 11:23 54,784 --a------ C:\WINDOWS\SYSTEM32\resutils.dll
2006-09-11 11:23 54,272 --a------ C:\WINDOWS\SYSTEM32\rasphone.exe
2006-09-11 11:23 535,552 --a------ C:\WINDOWS\SYSTEM32\rpcrt4.dll
2006-09-11 11:23 53,279 --a------ C:\WINDOWS\SYSTEM32\odbcji32.dll
2006-09-11 11:23 53,248 --a------ C:\WINDOWS\SYSTEM32\spoolsv.exe
2006-09-11 11:23 53,248 --a------ C:\WINDOWS\SYSTEM32\servdeps.dll
2006-09-11 11:23 53,248 --a------ C:\WINDOWS\SYSTEM32\sendmail.dll
2006-09-11 11:23 53,248 --a------ C:\WINDOWS\SYSTEM32\packager.exe
2006-09-11 11:23 53,248 --a------ C:\WINDOWS\SYSTEM32\odbcconf.exe
2006-09-11 11:23 52,224 --a------ C:\WINDOWS\SYSTEM32\secur32.dll
2006-09-11 11:23 511,488 --a------ C:\WINDOWS\SYSTEM32\qedit.dll
2006-09-11 11:23 51,712 --a------ C:\WINDOWS\SYSTEM32\synceng.dll
2006-09-11 11:23 51,712 --a------ C:\WINDOWS\SYSTEM32\regsvc.dll
2006-09-11 11:23 5,632 --a------ C:\WINDOWS\SYSTEM32\security.dll
2006-09-11 11:23 49,152 --a------ C:\WINDOWS\SYSTEM32\npptools.dll
2006-09-11 11:23 48,128 --a------ C:\WINDOWS\SYSTEM32\reg.exe
2006-09-11 11:23 460,288 --a------ C:\WINDOWS\SYSTEM32\ntmsmgr.dll
2006-09-11 11:23 45,056 --a------ C:\WINDOWS\SYSTEM32\proquota.exe
2006-09-11 11:23 44,032 --a------ C:\WINDOWS\SYSTEM32\regapi.dll
2006-09-11 11:23 44,032 --a------ C:\WINDOWS\SYSTEM32\rdpclip.exe
2006-09-11 11:23 43,008 --a------ C:\WINDOWS\SYSTEM32\ssmypics.scr
2006-09-11 11:23 43,008 --a------ C:\WINDOWS\SYSTEM32\ssdpsrv.dll
2006-09-11 11:23 423,424 --a------ C:\WINDOWS\SYSTEM32\riched20.dll
2006-09-11 11:23 420,864 --a------ C:\WINDOWS\SYSTEM32\shimgvw.dll
2006-09-11 11:23 40,960 --a------ C:\WINDOWS\SYSTEM32\safrslv.dll
2006-09-11 11:23 40,448 --a------ C:\WINDOWS\SYSTEM32\tcpmon.dll
2006-09-11 11:23 4,096 --a------ C:\WINDOWS\SYSTEM32\sfc.dll
2006-09-11 11:23 399,360 --a------ C:\WINDOWS\SYSTEM32\netlogon.dll
2006-09-11 11:23 392,704 --a------ C:\WINDOWS\SYSTEM32\ntmssvc.dll
2006-09-11 11:23 39,936 --a------ C:\WINDOWS\SYSTEM32\rtutils.dll
2006-09-11 11:23 39,424 --a------ C:\WINDOWS\SYSTEM32\safrcdlg.dll
2006-09-11 11:23 387,584 --a------ C:\WINDOWS\SYSTEM32\regwizc.dll
2006-09-11 11:23 385,024 --a------ C:\WINDOWS\SYSTEM32\sqlsrv32.dll
2006-09-11 11:23 384,000 --a------ C:\WINDOWS\SYSTEM32\themeui.dll
2006-09-11 11:23 38,400 --a------ C:\WINDOWS\SYSTEM32\ntmsapi.dll
2006-09-11 11:23 38,400 --a------ C:\WINDOWS\SYSTEM32\ntlanman.dll
2006-09-11 11:23 37,888 --a------ C:\WINDOWS\SYSTEM32\pstorec.dll
2006-09-11 11:23 364,544 --a------ C:\WINDOWS\SYSTEM32\ssflwbox.scr
2006-09-11 11:23 36,352 --a------ C:\WINDOWS\SYSTEM32\sens.dll
2006-09-11 11:23 357,376 --a------ C:\WINDOWS\SYSTEM32\qdvd.dll
2006-09-11 11:23 35,632 --a------ C:\WINDOWS\SYSTEM32\ntio411.sys
2006-09-11 11:23 35,392 --a------ C:\WINDOWS\SYSTEM32\ntio412.sys
2006-09-11 11:23 343,552 --a------ C:\WINDOWS\SYSTEM32\termmgr.dll
2006-09-11 11:23 34,528 --a------ C:\WINDOWS\SYSTEM32\ntio804.sys
2006-09-11 11:23 34,528 --a------ C:\WINDOWS\SYSTEM32\ntio404.sys
2006-09-11 11:23 34,304 --a------ C:\WINDOWS\SYSTEM32\rcimlby.exe
2006-09-11 11:23 334,848 --a------ C:\WINDOWS\SYSTEM32\smlogcfg.dll
2006-09-11 11:23 33,808 --a------ C:\WINDOWS\SYSTEM32\ntio.sys
2006-09-11 11:23 33,280 --a------ C:\WINDOWS\SYSTEM32\shmgrate.exe
2006-09-11 11:23 33,280 --a------ C:\WINDOWS\SYSTEM32\racpldlg.dll
2006-09-11 11:23 326,656 --a------ C:\WINDOWS\SYSTEM32\netsetup.exe
2006-09-11 11:23 32,768 --a------ C:\WINDOWS\SYSTEM32\odbcad32.exe
2006-09-11 11:23 32,256 --a------ C:\WINDOWS\SYSTEM32\perfproc.dll
2006-09-11 11:23 31,744 --a------ C:\WINDOWS\SYSTEM32\rundll32.exe
2006-09-11 11:23 31,744 --a------ C:\WINDOWS\SYSTEM32\pid.dll
2006-09-11 11:23 30,720 --a------ C:\WINDOWS\SYSTEM32\netstat.exe
2006-09-11 11:23 3,338 --a------ C:\WINDOWS\SYSTEM32\redir.exe
2006-09-11 11:23 297,984 --a------ C:\WINDOWS\SYSTEM32\scesrv.dll
2006-09-11 11:23 29,696 --a------ C:\WINDOWS\SYSTEM32\rtipxmib.dll
2006-09-11 11:23 28,672 --a------ C:\WINDOWS\SYSTEM32\sethc.exe
2006-09-11 11:23 28,672 --a------ C:\WINDOWS\SYSTEM32\profmap.dll
2006-09-11 11:23 276,992 --a------ C:\WINDOWS\SYSTEM32\rpcss.dll
2006-09-11 11:23 276,480 --a------ C:\WINDOWS\SYSTEM32\slbcsp.dll
2006-09-11 11:23 271,360 --a------ C:\WINDOWS\SYSTEM32\objsel.dll
2006-09-11 11:23 270,365 --a------ C:\WINDOWS\SYSTEM32\odbcjt32.dll
2006-09-11 11:23 27,136 --a------ C:\WINDOWS\SYSTEM32\ssdpapi.dll
2006-09-11 11:23 27,136 --a------ C:\WINDOWS\SYSTEM32\sendcmsg.dll
2006-09-11 11:23 266,752 --a------ C:\WINDOWS\SYSTEM32\qdv.dll
2006-09-11 11:23 26,624 --a------ C:\WINDOWS\SYSTEM32\safrdm.dll
2006-09-11 11:23 257,536 --a------ C:\WINDOWS\SYSTEM32\oakley.dll
2006-09-11 11:23 254,976 --a------ C:\WINDOWS\SYSTEM32\pdh.dll
2006-09-11 11:23 251,904 --a------ C:\WINDOWS\SYSTEM32\strmdll.dll
2006-09-11 11:23 25,600 --a------ C:\WINDOWS\SYSTEM32\pstorsvc.dll
2006-09-11 11:23 241,664 --a------ C:\WINDOWS\SYSTEM32\qasf.dll
2006-09-11 11:23 24,576 --a------ C:\WINDOWS\SYSTEM32\odbcbcp.dll
2006-09-11 11:23 24,576 --a------ C:\WINDOWS\SYSTEM32\nmmkcert.dll
2006-09-11 11:23 24,064 --a------ C:\WINDOWS\SYSTEM32\skeys.exe
2006-09-11 11:23 238,592 --a------ C:\WINDOWS\SYSTEM32\tapisrv.dll
2006-09-11 11:23 238,080 --a------ C:\WINDOWS\SYSTEM32\newdev.dll
2006-09-11 11:23 230,400 --a------ C:\WINDOWS\SYSTEM32\netui1.dll
2006-09-11 11:23 23,552 --a------ C:\WINDOWS\SYSTEM32\perfdisk.dll
2006-09-11 11:23 23,040 --a------ C:\WINDOWS\SYSTEM32\shscrap.dll
2006-09-11 11:23 23,040 --a------ C:\WINDOWS\SYSTEM32\perfos.dll
2006-09-11 11:23 226,304 --a------ C:\WINDOWS\SYSTEM32\srrstr.dll
2006-09-11 11:23 22,528 --a------ C:\WINDOWS\SYSTEM32\slayerxp.dll
2006-09-11 11:23 212,480 --a------ C:\WINDOWS\SYSTEM32\osk.exe
2006-09-11 11:23 205,824 --a------ C:\WINDOWS\SYSTEM32\progman.exe
2006-09-11 11:23 204,800 --a------ C:\WINDOWS\SYSTEM32\odbc32.dll
2006-09-11 11:23 200,192 --a------ C:\WINDOWS\SYSTEM32\termsrv.dll
2006-09-11 11:23 20,992 --a------ C:\WINDOWS\SYSTEM32\setup.exe
2006-09-11 11:23 20,992 --a------ C:\WINDOWS\SYSTEM32\seclogon.dll
2006-09-11 11:23 20,554 --a------ C:\WINDOWS\SYSTEM32\odtext32.dll
2006-09-11 11:23 20,554 --a------ C:\WINDOWS\SYSTEM32\oddbse32.dll
2006-09-11 11:23 20,553 --a------ C:\WINDOWS\SYSTEM32\odpdx32.dll
2006-09-11 11:23 20,553 --a------ C:\WINDOWS\SYSTEM32\odfox32.dll
2006-09-11 11:23 20,553 --a------ C:\WINDOWS\SYSTEM32\odexl32.dll
2006-09-11 11:23 20,480 --a------ C:\WINDOWS\SYSTEM32\stimon.exe
2006-09-11 11:23 193,536 --a------ C:\WINDOWS\SYSTEM32\rasppp.dll
2006-09-11 11:23 19,968 --a------ C:\WINDOWS\SYSTEM32\rcp.exe
2006-09-11 11:23 19,456 --a------ C:\WINDOWS\SYSTEM32\ssmarque.scr
2006-09-11 11:23 184,832 --a------ C:\WINDOWS\SYSTEM32\qcap.dll
2006-09-11 11:23 183,296 --a------ C:\WINDOWS\SYSTEM32\syncui.dll
2006-09-11 11:23 180,800 --a------ C:\WINDOWS\SYSTEM32\sqlunirl.dll
2006-09-11 11:23 18,944 --a------ C:\WINDOWS\SYSTEM32\ssbezier.scr
2006-09-11 11:23 18,432 --a------ C:\WINDOWS\SYSTEM32\sclgntfy.dll
2006-09-11 11:23 18,432 --a------ C:\WINDOWS\SYSTEM32\rsmps.dll
2006-09-11 11:23 18,432 --a------ C:\WINDOWS\SYSTEM32\qprocess.exe
2006-09-11 11:23 174,592 --a------ C:\WINDOWS\SYSTEM32\scecli.dll
2006-09-11 11:23 172,032 --a------ C:\WINDOWS\SYSTEM32\snmpsnap.dll
2006-09-11 11:23 171,008 --a------ C:\WINDOWS\SYSTEM32\sccsccp.dll
2006-09-11 11:23 17,920 --a------ C:\WINDOWS\SYSTEM32\shutdown.exe
2006-09-11 11:23 17,408 --a------ C:\WINDOWS\SYSTEM32\ssmyst.scr
2006-09-11 11:23 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2006-09-11 11:23 17,408 --a------ C:\WINDOWS\SYSTEM32\psapi.dll
2006-09-11 11:23 166,912 --a------ C:\WINDOWS\SYSTEM32\photowiz.dll
2006-09-11 11:23 165,888 --a------ C:\WINDOWS\SYSTEM32\ntmsdba.dll
2006-09-11 11:23 165,376 --a------ C:\WINDOWS\SYSTEM32\tapi32.dll
2006-09-11 11:23 16,896 --a------ C:\WINDOWS\SYSTEM32\snmpapi.dll
2006-09-11 11:23 16,384 --a------ C:\WINDOWS\SYSTEM32\ping.exe
2006-09-11 11:23 16,384 --a------ C:\WINDOWS\SYSTEM32\odbc32gt.dll
2006-09-11 11:23 159,232 --a------ C:\WINDOWS\SYSTEM32\schedsvc.dll
2006-09-11 11:23 158,720 --a------ C:\WINDOWS\SYSTEM32\srsvc.dll
2006-09-11 11:23 155,675 --a------ C:\WINDOWS\SYSTEM32\scrobj.dll
2006-09-11 11:23 154,624 --a------ C:\WINDOWS\SYSTEM32\netman.dll
2006-09-11 11:23 147,483 --a------ C:\WINDOWS\SYSTEM32\scrrun.dll
2006-09-11 11:23 147,456 --a------ C:\WINDOWS\SYSTEM32\odbctrac.dll
2006-09-11 11:23 14,848 --a------ C:\WINDOWS\SYSTEM32\rdpsnd.dll
2006-09-11 11:23 14,848 --a------ C:\WINDOWS\SYSTEM32\powrprof.dll
2006-09-11 11:23 14,336 --a------ C:\WINDOWS\SYSTEM32\perfmon.exe
2006-09-11 11:23 137,216 --a------ C:\WINDOWS\SYSTEM32\ntshrui.dll
2006-09-11 11:23 135,680 --a------ C:\WINDOWS\SYSTEM32\rdchost.dll
2006-09-11 11:23 134,656 --a------ C:\WINDOWS\SYSTEM32\netid.dll
2006-09-11 11:23 133,632 --a------ C:\WINDOWS\SYSTEM32\rsaenh.dll
2006-09-11 11:23 133,120 --a------ C:\WINDOWS\SYSTEM32\sfc_os.dll
2006-09-11 11:23 130,560 --a------ C:\WINDOWS\SYSTEM32\sti_ci.dll
2006-09-11 11:23 13,824 --a------ C:\WINDOWS\SYSTEM32\rassapi.dll
2006-09-11 11:23 13,312 --a------ C:\WINDOWS\SYSTEM32\tcpmib.dll
2006-09-11 11:23 13,312 --a------ C:\WINDOWS\SYSTEM32\ssstars.scr
2006-09-11 11:23 13,312 --a------ C:\WINDOWS\SYSTEM32\rsh.exe
2006-09-11 11:23 128,512 --a------ C:\WINDOWS\SYSTEM32\taskmgr.exe
2006-09-11 11:23 125,440 --a------ C:\WINDOWS\SYSTEM32\shmedia.dll
2006-09-11 11:23 122,880 --a------ C:\WINDOWS\SYSTEM32\odbcconf.dll
2006-09-11 11:23 12,800 --a------ C:\WINDOWS\SYSTEM32\svchost.exe
2006-09-11 11:23 12,800 --a------ C:\WINDOWS\SYSTEM32\runonce.exe
2006-09-11 11:23 12,800 --a------ C:\WINDOWS\SYSTEM32\pjlmon.dll
2006-09-11 11:23 12,288 --a------ C:\WINDOWS\SYSTEM32\rdsaddin.exe
2006-09-11 11:23 12,288 --a------ C:\WINDOWS\SYSTEM32\odbcp32r.dll
2006-09-11 11:23 117,760 --a------ C:\WINDOWS\SYSTEM32\stobject.dll
2006-09-11 11:23 116,736 --a------ C:\WINDOWS\SYSTEM32\shsvcs.dll
2006-09-11 11:23 112,128 --a------ C:\WINDOWS\SYSTEM32\ntmarta.dll
2006-09-11 11:23 11,776 --a------ C:\WINDOWS\SYSTEM32\sigtab.dll
2006-09-11 11:23 11,776 --a------ C:\WINDOWS\SYSTEM32\rexec.exe
2006-09-11 11:23 109,568 --a------ C:\WINDOWS\SYSTEM32\offfilt.dll
2006-09-11 11:23 106,496 --a------ C:\WINDOWS\SYSTEM32\olepro32.dll
2006-09-11 11:23 105,984 --a------ C:\WINDOWS\SYSTEM32\netdde.exe
2006-09-11 11:23 103,936 --a------ C:\WINDOWS\SYSTEM32\sysocmgr.exe
2006-09-11 11:23 10,752 --a------ C:\WINDOWS\SYSTEM32\netrap.dll
2006-09-11 11:23 1,622,528 --a------ C:\WINDOWS\SYSTEM32\netshell.dll
2006-09-11 11:23 1,349,120 --a------ C:\WINDOWS\SYSTEM32\query.dll
2006-09-11 11:23 1,190,400 --a------ C:\WINDOWS\SYSTEM32\ole32.dll
2006-09-11 11:23 1,158,656 --a------ C:\WINDOWS\SYSTEM32\quartz.dll
2006-09-11 11:23 1,157,632 --a------ C:\WINDOWS\SYSTEM32\sfcfiles.dll
2006-09-11 11:22 981,504 --a------ C:\WINDOWS\SYSTEM32\wmnetmgr.dll
2006-09-11 11:22 98,304 --a------ C:\WINDOWS\SYSTEM32\wmpshell.dll
2006-09-11 11:22 97,280 --a------ C:\WINDOWS\SYSTEM32\txflog.dll
2006-09-11 11:22 938,496 --a------ C:\WINDOWS\SYSTEM32\syssetup.dll
2006-09-11 11:22 932,864 --a------ C:\WINDOWS\SYSTEM32\setupapi.dll
2006-09-11 11:22 93,184 --a------ C:\WINDOWS\SYSTEM32\winscard.dll
2006-09-11 11:22 93,184 --a------ C:\WINDOWS\SYSTEM32\scardsvr.exe
2006-09-11 11:22 88,064 --a------ C:\WINDOWS\SYSTEM32\tscfgwmi.dll
2006-09-11 11:22 87,552 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ndiswan.sys
2006-09-11 11:22 87,040 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys
2006-09-11 11:22 86,528 --a------ C:\WINDOWS\SYSTEM32\wlnotify.dll
2006-09-11 11:22 86,016 --a------ C:\WINDOWS\SYSTEM32\xactsrv.dll
2006-09-11 11:22 84,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nwlnkipx.sys
2006-09-11 11:22 82,944 --a------ C:\WINDOWS\SYSTEM32\rasauto.dll
2006-09-11 11:22 816,264 --a------ C:\WINDOWS\SYSTEM32\wmvdmod.dll
2006-09-11 11:22 81,920 --a------ C:\WINDOWS\SYSTEM32\trkwks.dll
2006-09-11 11:22 80,896 --a------ C:\WINDOWS\SYSTEM32\ntprint.dll
2006-09-11 11:22 8,456 --a------ C:\WINDOWS\SYSTEM32\tsddd.dll
2006-09-11 11:22 79,872 --a------ C:\WINDOWS\SYSTEM32\srvsvc.dll
2006-09-11 11:22 79,744 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ksecdd.sys
2006-09-11 11:22 79,488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ipnat.sys
2006-09-11 11:22 780,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dmboot.sys
2006-09-11 11:22 762,368 --a------ C:\WINDOWS\SYSTEM32\winntbbu.dll
2006-09-11 11:22 760,968 --a------ C:\WINDOWS\SYSTEM32\wmsdmod.dll
2006-09-11 11:22 76,032 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\parport.sys
2006-09-11 11:22 74,368 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ipsec.sys
2006-09-11 11:22 71,680 --a------ C:\WINDOWS\SYSTEM32\nslookup.exe
2006-09-11 11:22 70,656 --a------ C:\WINDOWS\SYSTEM32\ws2_32.dll
2006-09-11 11:22 70,656 --a------ C:\WINDOWS\SYSTEM32\wiascr.dll
2006-09-11 11:22 7,680 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\i2omgmt.sys
2006-09-11 11:22 7,040 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mskssrv.sys
2006-09-11 11:22 69,120 --a------ C:\WINDOWS\SYSTEM32\unimdmat.dll
2006-09-11 11:22 681,984 --a------ C:\WINDOWS\SYSTEM32\lsasrv.dll
2006-09-11 11:22 68,992 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dxg.sys
2006-09-11 11:22 68,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\bridge.sys
2006-09-11 11:22 68,096 --a------ C:\WINDOWS\SYSTEM32\locator.exe
2006-09-11 11:22 670,208 --a------ C:\WINDOWS\SYSTEM32\wmadmoe.dll
2006-09-11 11:22 67,072 --a------ C:\WINDOWS\SYSTEM32\usbui.dll
2006-09-11 11:22 667,136 --a------ C:\WINDOWS\SYSTEM32\userenv.dll
2006-09-11 11:22 66,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\psched.sys
2006-09-11 11:22 654,336 --a------ C:\WINDOWS\SYSTEM32\ntdll.dll
2006-09-11 11:22 65,585 --a------ C:\WINDOWS\SYSTEM32\wshext.dll
2006-09-11 11:22 64,000 --a------ C:\WINDOWS\SYSTEM32\webclnt.dll
2006-09-11 11:22 631,808 --a------ C:\WINDOWS\SYSTEM32\rasdlg.dll
2006-09-11 11:22 62,976 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pci.sys
2006-09-11 11:22 62,208 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mf.sys
2006-09-11 11:22 60,416 --a------ C:\WINDOWS\SYSTEM32\wextract.exe
2006-09-11 11:22 6,656 --a------ C:\WINDOWS\SYSTEM32\ntlsapi.dll
2006-09-11 11:22 59,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cdfs.sys
2006-09-11 11:22 578,560 --a------ C:\WINDOWS\SYSTEM32\autoconv.exe
2006-09-11 11:22 57,984 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nic1394.sys
2006-09-11 11:22 57,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\drmk.sys
2006-09-11 11:22 57,344 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\arp1394.sys
2006-09-11 11:22 57,216 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atmarpc.sys
2006-09-11 11:22 569,344 --a------ C:\WINDOWS\SYSTEM32\oleaut32.dll
2006-09-11 11:22 568,832 --a------ C:\WINDOWS\SYSTEM32\wiashext.dll
2006-09-11 11:22 565,760 --a------ C:\WINDOWS\SYSTEM32\autochk.exe
2006-09-11 11:22 561,920 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ntfs.sys
2006-09-11 11:22 561,152 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2006-09-11 11:22 56,832 --a------ C:\WINDOWS\SYSTEM32\wzcdlg.dll
2006-09-11 11:22 558,080 --a------ C:\WINDOWS\SYSTEM32\advapi32.dll
2006-09-11 11:22 557,056 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-09-11 11:22 55,808 --a------ C:\WINDOWS\SYSTEM32\rasman.dll
2006-09-11 11:22 54,784 --a------ C:\WINDOWS\SYSTEM32\samlib.dll
2006-09-11 11:22 54,272 --a------ C:\WINDOWS\SYSTEM32\rastapi.dll
2006-09-11 11:22 53,888 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atmlane.sys
2006-09-11 11:22 522,240 --a------ C:\WINDOWS\SYSTEM32\printui.dll
2006-09-11 11:22 516,608 --a------ C:\WINDOWS\SYSTEM32\winlogon.exe
2006-09-11 11:22 51,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\i8042prt.sys
2006-09-11 11:22 50,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dmusic.sys
2006-09-11 11:22 5,632 --a------ C:\WINDOWS\SYSTEM32\wmi.dll
2006-09-11 11:22 5,120 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mspclock.sys
2006-09-11 11:22 48,640 --a------ C:\WINDOWS\SYSTEM32\vdmredir.dll
2006-09-11 11:22 48,384 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\rasl2tp.sys
2006-09-11 11:22 48,128 --a------ C:\WINDOWS\SYSTEM32\winsta.dll
2006-09-11 11:22 479,261 --a------ C:\WINDOWS\SYSTEM32\vbscript.dll
2006-09-11 11:22 47,616 --a------ C:\WINDOWS\SYSTEM32\utilman.exe
2006-09-11 11:22 47,488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cdrom.sys
2006-09-11 11:22 46,592 --a------ C:\WINDOWS\SYSTEM32\wdigest.dll
2006-09-11 11:22 46,336 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\classpnp.sys
2006-09-11 11:22 46,080 --a------ C:\WINDOWS\SYSTEM32\wstdecod.dll
2006-09-11 11:22 45,568 --a------ C:\WINDOWS\SYSTEM32\smss.exe
2006-09-11 11:22 449,536 --a------ C:\WINDOWS\SYSTEM32\wiadefui.dll
2006-09-11 11:22 433,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mrxsmb.sys
2006-09-11 11:22 414,720 --a------ C:\WINDOWS\SYSTEM32\wiaacmgr.exe
2006-09-11 11:22 411,136 --a------ C:\WINDOWS\SYSTEM32\samsrv.dll
2006-09-11 11:22 410,248 --a------ C:\WINDOWS\SYSTEM32\wmadmod.dll
2006-09-11 11:22 409,088 --a------ C:\WINDOWS\SYSTEM32\vssapi.dll
2006-09-11 11:22 40,960 --a------ C:\WINDOWS\SYSTEM32\tscupgrd.exe
2006-09-11 11:22 40,960 --a------ C:\WINDOWS\SYSTEM32\tcpmonui.dll
2006-09-11 11:22 40,448 --a------ C:\WINDOWS\SYSTEM32\ftp.exe
2006-09-11 11:22 4,736 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\intelide.sys
2006-09-11 11:22 4,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mspqm.sys
2006-09-11 11:22 4,096 --a------ C:\WINDOWS\SYSTEM32\winver.exe
2006-09-11 11:22 395,776 --a------ C:\WINDOWS\SYSTEM32\ntvdm.exe
2006-09-11 11:22 39,808 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\imapi.sys
2006-09-11 11:22 38,912 --a------ C:\WINDOWS\SYSTEM32\wsnmp32.dll
2006-09-11 11:22 38,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\raspppoe.sys
2006-09-11 11:22 38,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nmnt.sys
2006-09-11 11:22 375,808 --a------ C:\WINDOWS\SYSTEM32\cmd.exe
2006-09-11 11:22 37,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\p3.sys
2006-09-11 11:22 37,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mountmgr.sys
2006-09-11 11:22 37,376 --a------ C:\WINDOWS\SYSTEM32\perfctrs.dll
2006-09-11 11:22 36,352 --a------ C:\WINDOWS\SYSTEM32\rshx32.dll
2006-09-11 11:22 346,624 --a------ C:\WINDOWS\SYSTEM32\tourstart.exe
2006-09-11 11:22 34,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidclass.sys
2006-09-11 11:22 34,304 --a------ C:\WINDOWS\SYSTEM32\msgsvc.dll
2006-09-11 11:22 339,456 --a------ C:\WINDOWS\SYSTEM32\usp10.dll
2006-09-11 11:22 33,792 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msgpc.sys
2006-09-11 11:22 33,792 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\disk.sys
2006-09-11 11:22 33,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\netbios.sys
2006-09-11 11:22 32,256 --a------ C:\WINDOWS\SYSTEM32\umandlg.dll
2006-09-11 11:22 32,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\amd

#8
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\dtctgbqm.dll
    C:\WINDOWS\SYSTEM32\qslwcedn.exe
    C:\WINDOWS\SYSTEM32\thfyvalc.exe
    C:\WINDOWS\SYSTEM32\mfgveyai.dll
    C:\WINDOWS\SYSTEM32\PMLJNI.dll
    C:\WINDOWS\SYSTEM32\lzx32.sys



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.



Can you run the GMER scan again and let me know the results?

#9
njgirl

    Member

  • Topic Starter
  • Member
  • 10 posts
Ugh.... I did the Killbox and deleted the files....

GMER found a different path but same thing... this is getting crazy!

Here's the log from GMER -

GMER 1.0.11.11389 - http://www.gmer.net
Rootkit 2006-10-02 08:49:49
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.11 ----

SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

SYSENTER ? FAB42FA3

---- Services - GMER 1.0.11 ----

Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] lzx32 <-- ROOTKIT !!!

---- Registry - GMER 1.0.11 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\lzx32
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\lzx32@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\lzx32@DisplayName Win23 lzx files loade
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\lzx32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\lzx32@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\lzx32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\lzx32@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\lzx32@DisplayName Win23 lzx files loade
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\lzx32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\lzx32@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\lzx32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@DisplayName Win23 lzx files loade
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@ExtParam 0x52 0xFE 0xD7 0x47 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@DisplayName Win23 lzx files loade
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@ExtParam 0x52 0xFE 0xD7 0x47 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32\Enum
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@DisplayName Win23 lzx files loade
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@ExtParam 0x52 0xFE 0xD7 0x47 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet005\Services\lzx32@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\lzx32
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\lzx32@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\lzx32@DisplayName Win23 lzx files loade
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\lzx32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\lzx32@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\lzx32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\lzx32@ExtParam 0x52 0xFE 0xD7 0x47 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\lzx32@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\lzx32@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\lzx32@DisplayName Win23 lzx files loade
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\lzx32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\lzx32@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\lzx32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\lzx32@ExtParam 0x52 0xFE 0xD7 0x47 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\lzx32@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@DisplayName Win23 lzx files loade
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@ExtParam 0x52 0xFE 0xD7 0x47 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@DisplayName Win23 lzx files loade
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@ExtParam 0x52 0xFE 0xD7 0x47 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32\Enum
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@DisplayName Win23 lzx files loade
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@ExtParam 0x52 0xFE 0xD7 0x47 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32@Checked 1

---- Files - GMER 1.0.11 ----

ADS C:\Program Files\INSTALL.LOG:SummaryInformation
ADS C:\Program Files\INSTALL.LOG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS ...
File C:\WINDOWS\SYSTEM32\lzx32.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.11 ----

#10
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

The display name has changed. This should work to fix it. You don't have to download Avenger again; just run the tool like you did before, using the new script below, and post the logs.



1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
lzx32


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply.

Edited by loophole, 02 October 2006 - 04:13 PM.

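Loophole's point above, that the service name changed between the two scans while the file it loads did not, is the general lesson for anyone reading a GMER log: correlate on the driver image, not on the service or display name. The following is an added example written for this thread; it is not code from GMER, The Avenger, or any poster. It parses GMER-style "Service" and "Reg" lines, groups the registry entries by the .sys file their ImagePath points at, and flags any image that GMER marked hidden or that is registered under more than one service name. The sample log and the service names svcaaa, svcbbb and goodsvc are constructed to imitate the layout of the logs posted here.

```python
"""Group GMER-style 'Service' and 'Reg' lines by the driver file they load.

Added example for this thread, not code from GMER, The Avenger or any poster.
A service's name and DisplayName can change between scans while ImagePath
keeps pointing at the same .sys, so correlate on the image file and on
GMER's '*** hidden ***' marker. Sample log and service names are constructed.
"""
import re
from collections import defaultdict

# Constructed sample in the GMER 1.0.11 layout (not a real scan).
SAMPLE_LOG = r"""
---- Services - GMER 1.0.11 ----

Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] svcaaa <-- ROOTKIT !!!

---- Registry - GMER 1.0.11 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\svcaaa
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\svcaaa@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\svcaaa@DisplayName files loader A
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\svcaaa@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\svcbbb@DisplayName files loader B
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\svcbbb@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\svcbbb@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\goodsvc@ImagePath system32\DRIVERS\atapi.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\goodsvc@DisplayName IDE/ATAPI Port Driver
"""

SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?\.sys)\s+\((?P<flags>[^)]*)\)\s+\[\w+\]\s+"
    r"(?P<name>\S+)(?P<tail>.*)$"
)
REG_RE = re.compile(
    r"^Reg\s+\\Registry\\MACHINE\\SYSTEM\\(?P<cset>[^\\]+)\\Services\\"
    r"(?P<name>[^\\@\s]+)(?:@(?P<key>\w+)\s*(?P<value>.*))?$"
)


def image_key(path):
    """Lower-cased basename, so an NT-style '\\??\\C:\\...\\lzx32.sys' and a
    relative 'system32\\DRIVERS\\x.sys' compare on the file actually loaded."""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.rsplit("\\", 1)[-1].lower()


def _new_record():
    return {"names": set(), "control_sets": set(), "display_names": set(),
            "hidden": False, "gmer_marked": False}


def _attach(rec, key, value):
    """Fold a non-ImagePath registry value into the image's record."""
    if key == "DisplayName":
        rec["display_names"].add(value.strip())


def correlate(log_text):
    """Return {image basename: record} built from Service and Reg lines."""
    by_image = defaultdict(_new_record)
    name_to_image = {}           # service name -> image key, once known
    pending = defaultdict(list)  # Reg values seen before their ImagePath line
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            img = image_key(m.group("path"))
            rec = by_image[img]
            rec["names"].add(m.group("name"))
            rec["hidden"] |= "hidden" in m.group("flags")
            rec["gmer_marked"] |= "ROOTKIT" in m.group("tail")
            name_to_image[m.group("name")] = img
            continue
        m = REG_RE.match(line)
        if not m or m.group("key") is None:
            continue  # not a Reg line, or a bare service key with no value
        name, key, value = m.group("name"), m.group("key"), m.group("value")
        if key == "ImagePath":
            img = image_key(value)
            name_to_image[name] = img
            rec = by_image[img]
            rec["names"].add(name)
            rec["control_sets"].add(m.group("cset"))
            for k, v in pending.pop(name, []):
                _attach(rec, k, v)
        elif name in name_to_image:
            _attach(by_image[name_to_image[name]], key, value)
        else:
            pending[name].append((key, value))
    return dict(by_image)


def suspicious(by_image):
    """Images GMER marked hidden, or registered under more than one service
    name (which is how a rename between two scans shows up)."""
    return sorted(k for k, r in by_image.items()
                  if r["hidden"] or len(r["names"]) > 1)


if __name__ == "__main__":
    report = correlate(SAMPLE_LOG)
    for img in suspicious(report):
        r = report[img]
        print(img, "names=%s hidden=%s control_sets=%s" % (
            sorted(r["names"]), r["hidden"], sorted(r["control_sets"])))
```

Run against a real GMER log the same way (read the file and pass its text to correlate). The benign atapi.sys entry is there to show that a normal driver with one name and no hidden marker is not reported, while lzx32.sys is reported both for being hidden and for having two service names.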

#11
njgirl

    Member

  • Topic Starter
  • Member
  • 10 posts
Here we go!

Why would it change names? Just curious... aren't these things nasty?!



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pflrwans

*******************

Script file located at: \??\C:\Program Files\qymykecj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver lzx32 unloaded successfully.

Completed script processing.

*******************

Finished! Terminate.




Logfile of HijackThis v1.99.1
Scan saved at 8:43:57 AM, on 10/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\System32\WgaTray.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Gin - http://download2.gam...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt4_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1157224056296
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://duxpond.com/freedom/msrdp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://69.139.205.19...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/...he.cab43895.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#12
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

I'm not sure why it changed, but that worked.

Now please browse for and delete this file, C:\WINDOWS\SYSTEM32\lzx32.sys, if it is present.

Can you run the GMER scan one more time just to be safe, and please tell me what it finds? Also let me know if all the random shutdowns etc. have stopped.

#13
njgirl

    Member

  • Topic Starter
  • Member
  • 10 posts
Hi again, and thank you so much for all the help!

Here are the results of the GMER scan. As for random shutdowns - haven't had one yet, but it said something like "page default". The other shutdowns always said they were from drivers. Haven't had one yet, but they seemed to come at random times.

Here's the log -

GMER 1.0.11.11389 - http://www.gmer.net
Rootkit 2006-10-05 08:37:55
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.11 ----

SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

---- Files - GMER 1.0.11 ----

ADS C:\Program Files\INSTALL.LOG:SummaryInformation
ADS C:\Program Files\INSTALL.LOG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS ...

---- EOF - GMER 1.0.11 ----

#14
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

Good. The driver issue was probably directly related to this. The other, I'm not quite sure, but it very well could have been also.

Did you manage to delete that file?

#15
njgirl

    Member

  • Topic Starter
  • Member
  • 10 posts
I did find the file - it was lzx32.sy_; figured that was the same thing as .sys.

Thank youuuuuu

should I download AVG's rootkit finder beta and run that from time to time just to make sure it doesn't come back??