affected with outerinfo! :[ [RESOLVED]


#1
k0rr
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:58 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\dllhost.exe
C:\DOCUME~1\Van\APPLIC~1\WNSXS~1\regedit.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\W?nSxS\??rvices.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Warcraft III\Inventory+\Inventory+.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\Van\Desktop\misc\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [{84-40-0C-C8-DW}] C:\WINDOWS\system32\pinz1\cegmgr76.exe DWram
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\atgban.dll" DllStart
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [BMabeb73fb] Rundll32.exe "C:\WINDOWS\system32\fyqhwfak.dll",s
O4 - HKLM\..\Run: [a8d84067] rundll32.exe "C:\WINDOWS\system32\igsqykcm.dll",b
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Winamp] C:\Program Files\Winamp\winamp.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Teso] "C:\DOCUME~1\Van\APPLIC~1\WNSXS~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Akywe] "C:\Documents and Settings\Van\Application Data\S?mantec\w?nspool.exe"
O4 - HKCU\..\Run: [Lwoqvhhp] "C:\Program Files\Common Files\W?nSxS\??rvices.exe"
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\pinz1\cegmgr76.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198621337000
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7221 bytes
#2
greyknight17
    Malware Expert
Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
#3
k0rr
ComboFix 08-04-12.4 - Van 2008-04-12 15:59:29.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1547 [GMT -8:00]
Running from: C:\Documents and Settings\Van\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Van\Application Data\SMANTE~1
C:\Documents and Settings\Van\Application Data\SMANTE~1\w?nspool.exe
C:\Documents and Settings\Van\Application Data\WNSXS~1
C:\Documents and Settings\Van\Application Data\WNSXS~1\regedit.exe
C:\Documents and Settings\Van\Application Data\WNSXS~1\W?nSxS\
C:\Documents and Settings\Van\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Van\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Van\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\wnsxs~1\??rvices.exe
C:\Program Files\dobe~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aeucxsmk.dll
C:\WINDOWS\system32\agyegsdu.dll
C:\WINDOWS\system32\ajndpttb.dll
C:\WINDOWS\system32\atgban.dll
C:\WINDOWS\system32\bgxnlvqu.dll
C:\WINDOWS\system32\bho.dll
C:\WINDOWS\system32\bkecheht.dll
C:\WINDOWS\system32\bttpdnja.ini
C:\WINDOWS\system32\claqbtoi.ini
C:\WINDOWS\system32\crhnccah.dll
C:\WINDOWS\system32\dbeflrfo.dll
C:\WINDOWS\system32\drivers\mff.sys
C:\WINDOWS\system32\eksyltiu.dll
C:\WINDOWS\system32\ffnkhixo.dll
C:\WINDOWS\system32\fhhkj.ini
C:\WINDOWS\system32\fhhkj.ini2
C:\WINDOWS\system32\fmnwuyjm.ini
C:\WINDOWS\system32\fyqhwfak.dll
C:\WINDOWS\system32\gfowfbre.dll
C:\WINDOWS\system32\idtmlppq.dll
C:\WINDOWS\system32\igsqykcm.dll
C:\WINDOWS\system32\iotbqalc.dll
C:\WINDOWS\system32\jkhhf.dll
C:\WINDOWS\system32\kjesnlki.dll
C:\WINDOWS\system32\mckyqsgi.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\migebblk.dll
C:\WINDOWS\system32\mjyuwnmf.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nnnklml.dll
C:\WINDOWS\system32\opnllig.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pcgijvxi.dll
C:\WINDOWS\system32\pnfnobwq.dll
C:\WINDOWS\system32\tlcmrnyl.dll
C:\WINDOWS\system32\udsgeyga.ini
C:\WINDOWS\system32\uitlyske.ini
C:\WINDOWS\system32\wbulmyjy.dll
C:\WINDOWS\system32\xocimbaj.dll
C:\WINDOWS\system32\yjymlubw.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_mff
-------\mff


((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-12 16:24 . 2008-04-12 16:24 400,949 --a------ C:\WINDOWS\system32\g79.exe
2008-04-12 16:24 . 2008-04-12 16:24 196,682 --a------ C:\WINDOWS\system32\rcntpkdn.exe
2008-04-12 16:24 . 2008-04-12 16:24 49,174 --a------ C:\WINDOWS\system32\rwwnw64d.exe
2008-04-12 16:24 . 2008-04-12 16:24 21 --a------ C:\WINDOWS\system32\zxdnt3d.cfg
2008-04-12 13:52 . 2008-04-12 13:52 191,551 --a------ C:\WINDOWS\jgeb.ini
2008-04-12 04:01 . 2008-04-12 04:01 3,648 --a------ C:\WINDOWS\system32\kynnviuq.dll
2008-04-11 03:58 . 2008-04-11 03:58 3,648 --a------ C:\WINDOWS\system32\itkowlts.dll
2008-04-11 02:05 . 2008-04-11 02:05 392,749 --a------ C:\WINDOWS\upmk.ini
2008-04-10 12:45 . 2008-04-10 12:45 258,617 --a------ C:\WINDOWS\pmhe.ini
2008-04-10 04:01 . 2008-04-10 04:01 3,648 --a------ C:\WINDOWS\system32\tlxlgjnl.dll
2008-04-10 02:44 . 2008-04-10 02:44 517,187 --a------ C:\WINDOWS\wqnl.ini
2008-04-09 23:56 . 2008-04-09 23:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 23:56 . 2008-04-09 23:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-09 04:01 . 2008-04-09 04:01 3,648 --a------ C:\WINDOWS\system32\vcffvwyl.dll
2008-04-08 15:02 . 2008-04-08 15:02 392,749 --a------ C:\WINDOWS\nkif.ini
2008-04-08 13:18 . 2008-04-08 13:18 459,815 --a------ C:\WINDOWS\rpjg.ini
2008-04-06 03:55 . 2008-04-12 03:59 101,091 --a------ C:\WINDOWS\BMabeb73fb.xml
2008-04-06 03:38 . 2008-04-06 03:38 37,376 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-04-06 03:37 . 2008-04-06 03:37 <DIR> d-------- C:\WINDOWS\system32\wii
2008-04-06 03:37 . 2008-04-06 03:37 <DIR> d-------- C:\WINDOWS\system32\pinz1
2008-04-06 03:37 . 2008-04-06 03:37 <DIR> d-------- C:\WINDOWS\system32\IDE2
2008-04-06 03:37 . 2008-04-06 03:37 <DIR> d-------- C:\WINDOWS\system32\ExTmp
2008-04-06 03:37 . 2008-04-06 03:37 <DIR> d-------- C:\WINDOWS\system32\bharebio01
2008-04-06 03:37 . 2008-04-06 03:37 <DIR> d-------- C:\Temp\wdlw14
2008-04-06 03:37 . 2008-04-06 03:37 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-06 03:37 . 2008-04-06 03:39 41,723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-04-06 03:37 . 2008-04-06 03:37 39,883 --a------ C:\WINDOWS\system32\targetedbanner-uninst.exe
2008-04-06 03:37 . 2008-04-06 03:37 37,376 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-04-06 03:37 . 2008-04-06 03:39 37,376 --a------ C:\WINDOWS\mrofinu572.exe
2008-04-04 22:08 . 2008-04-04 22:08 <DIR> d-------- C:\Logs
2008-03-29 14:18 . 2008-03-29 14:18 <DIR> d-------- C:\Program Files\Outsim
2008-03-29 14:13 . 2008-03-29 14:13 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-03-27 17:56 . 2008-03-27 17:56 <DIR> d-------- C:\Documents and Settings\Van\Application Data\Publish Providers
2008-03-27 17:56 . 2008-03-27 17:56 <DIR> d-------- C:\Documents and Settings\Van\Application Data\NetMedia Providers
2008-03-27 17:53 . 2008-03-27 17:53 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-03-27 17:53 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-03-27 17:53 . 2002-12-17 16:23 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2008-03-27 17:53 . 2002-10-20 14:05 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll
2008-03-27 17:52 . 2008-03-27 17:52 <DIR> d-------- C:\Program Files\Sony
2008-03-27 17:52 . 2008-03-27 17:52 <DIR> d-------- C:\Documents and Settings\Van\Application Data\Sony
2008-03-27 17:52 . 2008-03-27 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-03-27 17:51 . 2008-03-27 17:51 <DIR> d-------- C:\Program Files\Sony Setup
2008-03-27 13:21 . 2008-03-27 13:22 <DIR> d-------- C:\Program Files\VirtualDJ
2008-03-27 12:20 . 2008-04-01 11:20 <DIR> d-------- C:\Program Files\VstPlugins
2008-03-27 12:20 . 2008-03-27 12:20 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-03-27 12:18 . 2008-04-01 11:19 <DIR> d-------- C:\Program Files\Image-Line
2008-03-27 10:34 . 2008-03-27 10:34 402,451 --a------ C:\WINDOWS\xvpn.ini
2008-03-27 10:34 . 2008-03-27 10:34 402,451 --a------ C:\WINDOWS\xvpm.ini
2008-03-26 12:40 . 2008-03-26 12:40 <DIR> d-------- C:\Program Files\Activision
2008-03-26 10:42 . 2008-03-26 12:50 22,328 --a------ C:\Documents and Settings\Van\Application Data\PnkBstrK.sys
2008-03-26 10:31 . 2008-04-09 02:23 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-26 09:59 . 2008-03-26 09:59 402,451 --a------ C:\WINDOWS\spnz.ini
2008-03-25 10:16 . 2008-03-25 10:16 <DIR> d-------- C:\Program Files\WinPcap
2008-03-25 10:16 . 2008-03-25 11:03 <DIR> d-------- C:\Program Files\WC3Banlist
2008-03-25 10:08 . 2008-03-25 10:08 335,385 --a------ C:\WINDOWS\zxrp.ini
2008-03-24 21:23 . 2008-03-24 21:23 335,385 --a------ C:\WINDOWS\vtqo.ini
2008-03-24 21:23 . 2008-03-24 21:23 335,385 --a------ C:\WINDOWS\nljd.ini
2008-03-23 21:23 . 2008-03-23 21:23 268,319 --a------ C:\WINDOWS\sqnl.ini
2008-03-23 21:23 . 2008-03-23 21:23 268,319 --a------ C:\WINDOWS\sqni.ini
2008-03-22 21:23 . 2008-03-22 21:23 201,253 --a------ C:\WINDOWS\rpmk.ini
2008-03-22 21:23 . 2008-03-22 21:23 201,253 --a------ C:\WINDOWS\pjhe.ini
2008-03-21 21:23 . 2008-03-21 21:23 134,187 --a------ C:\WINDOWS\wuom.ini
2008-03-21 21:23 . 2008-03-21 21:23 134,187 --a------ C:\WINDOWS\urmj.ini
2008-03-21 02:21 . 2005-01-22 11:12 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2008-03-21 01:43 . 2008-03-21 01:54 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-03-21 01:43 . 2008-03-21 02:11 75,965 --a------ C:\WINDOWS\War3Unin.dat
2008-03-21 01:43 . 2008-03-21 01:54 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-03-21 01:41 . 2008-04-10 21:19 <DIR> d-------- C:\Program Files\Warcraft III
2008-03-17 23:09 . 2008-03-31 19:23 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 4
2008-03-17 00:40 . 2008-03-17 00:40 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-16 21:20 . 2008-03-16 21:20 <DIR> d-------- C:\Program Files\Magnus Brading
2008-03-16 21:20 . 2008-03-16 21:20 495,104 --a------ C:\WINDOWS\system32\mp3tsshx.dll
2008-03-16 19:09 . 2008-04-08 17:17 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-13 11:20 . 2008-03-13 11:20 204,800 --a------ C:\WINDOWS\TinyBHO.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 09:02 --------- d-----w C:\Program Files\Steam
2008-04-09 10:23 --------- d-----w C:\Program Files\THQ
2008-04-08 21:51 --------- d-----w C:\Program Files\Avant Browser
2008-04-07 09:51 --------- d-----w C:\Documents and Settings\Van\Application Data\.BitTornado
2008-04-05 06:09 --------- d-----w C:\Program Files\World of Warcraft
2008-04-04 01:25 --------- d-----w C:\Documents and Settings\Van\Application Data\Aim
2008-03-30 22:35 --------- d-----w C:\Program Files\Blaze Media Pro
2008-03-29 22:13 --------- d-----w C:\Program Files\Stardock
2008-03-28 17:04 --------- d-----w C:\Program Files\coolpro2
2008-03-26 20:50 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-26 01:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-14 03:52 --------- d-----w C:\Program Files\America's Army
2008-03-11 06:21 --------- d-----w C:\Program Files\AIM
2008-03-07 18:05 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-03-07 18:04 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2008-03-07 09:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-05 06:30 --------- d-----w C:\Program Files\PowerISO
2008-03-02 01:47 --------- d-----w C:\Program Files\Java Web Start
2008-03-02 01:47 --------- d-----w C:\Program Files\Java
2008-02-29 21:36 --------- d-----w C:\Documents and Settings\Van\Application Data\Microsoft Games
2008-02-29 20:02 --------- d-----w C:\Program Files\Microsoft Games
2008-02-27 07:59 --------- d-----w C:\Program Files\3ivx
2008-02-26 01:15 --------- d-----w C:\Program Files\Realtek
2008-02-25 07:01 --------- d-----w C:\Documents and Settings\Van\Application Data\Atari
2008-02-24 09:18 --------- d-----w C:\Program Files\Common Files\PocketSoft
2008-02-24 09:18 --------- d-----w C:\Documents and Settings\Van\Application Data\Leadertech
2008-02-24 09:15 --------- d-----w C:\Program Files\Atari
2008-02-17 03:00 --------- d-----w C:\Documents and Settings\Van\Application Data\InstallShield
2008-02-09 07:54 87,608 ----a-w C:\Documents and Settings\Van\Application Data\inst.exe
2008-02-09 07:54 47,360 ----a-w C:\Documents and Settings\Van\Application Data\pcouffin.sys
2008-01-15 21:52 140,800 --sh--w C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2003-09-18 21:50 129,904 ----a-w C:\Documents and Settings\Van\e10002ke.sys
.

((((((((((((((((((((((((((((( snapshot_2008-01-18_ 2.01.40.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-12 23:12:26 213,216 -c----w C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe
+ 2005-10-12 23:12:33 371,424 -c----w C:\WINDOWS\$NtUninstallKB926239$\spuninst\updspapi.dll
+ 2005-01-28 21:44:28 294,912 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\blackbox.dll
+ 2005-01-28 21:44:28 164,864 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\cewmdm.dll
+ 2005-01-28 21:44:28 502,272 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\drmv2clt.dll
+ 2005-01-28 21:44:28 6,656 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\laprxy.dll
+ 2005-01-28 21:44:28 96,768 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\logagent.exe
+ 2004-08-04 12:00:00 310,272 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\mp43dmod.dll
+ 2004-08-04 12:00:00 384,512 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\mp4sdmod.dll
+ 2004-08-04 12:00:00 240,640 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\mpg4dmod.dll
+ 2005-01-28 21:44:28 142,336 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\msnetobj.dll
+ 2005-01-28 21:44:28 25,088 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\mspmsnsv.dll
+ 2005-01-28 21:44:28 173,568 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\mspmsp.dll
+ 2005-01-28 21:44:28 364,784 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\msscp.dll
+ 2005-01-28 21:44:28 315,904 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\mswmdm.dll
+ 2005-01-28 21:44:28 221,184 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\qasf.dll
+ 2006-05-17 02:11:54 213,216 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe
+ 2006-05-17 02:11:54 371,424 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\updspapi.dll
+ 2006-11-02 19:46:52 13,312 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\wpdinstallutil.dll
+ 2005-01-28 21:44:28 47,104 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\uwdf.exe
+ 2005-01-28 21:44:28 15,872 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wdfapi.dll
+ 2005-01-28 21:44:28 38,912 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wdfmgr.exe
+ 2005-01-28 21:44:28 396,528 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmadmod.dll
+ 2005-01-28 21:44:28 716,288 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmadmoe.dll
+ 2005-01-28 21:44:28 224,768 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmasf.dll
+ 2005-01-28 21:44:28 28,160 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmdmlog.dll
+ 2005-01-28 21:44:28 33,792 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmdmps.dll
+ 2005-01-28 21:44:28 335,872 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmdrmdev.dll
+ 2005-01-28 21:44:28 290,816 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmdrmnet.dll
+ 2005-01-28 21:44:28 150,016 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmidx.dll
+ 2005-01-28 21:44:28 1,027,072 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmnetmgr.dll
+ 2005-01-28 21:44:28 774,904 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmsdmod.dll
+ 2005-01-28 21:44:28 1,119,744 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmsdmoe2.dll
+ 2005-01-28 21:44:28 819,200 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmsetsdk.exe
+ 2005-01-28 21:44:28 413,944 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmspdmod.dll
+ 2005-01-28 21:44:28 940,544 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmspdmoe.dll
+ 2005-01-28 21:44:28 1,218,808 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmvadvd.dll
+ 2005-01-28 21:44:28 1,512,448 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmvadve.dll
+ 2005-01-28 21:44:28 2,370,296 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmvcore.dll
+ 2005-01-28 21:44:28 895,736 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmvdmod.dll
+ 2005-01-28 21:44:28 1,003,008 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wmvdmoe2.dll
+ 2005-01-28 21:44:28 38,912 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wpd_ci.dll
+ 2005-01-28 21:44:28 61,952 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wpdconns.dll
+ 2005-01-28 21:44:28 114,176 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wpdmtp.dll
+ 2005-01-28 21:44:28 66,560 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wpdmtpus.dll
+ 2005-01-28 21:44:28 331,264 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wpdsp.dll
+ 2005-01-28 21:44:28 18,944 -c----w C:\WINDOWS\$NtUninstallWMFDist11$\wpdusb.sys
+ 2006-09-16 09:05:22 221,488 -c----w C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe
+ 2006-09-16 09:05:22 379,184 -c----w C:\WINDOWS\$NtUninstallWudf01000$\spuninst\updspapi.dll
+ 2006-09-29 03:01:52 58,368 -c----w C:\WINDOWS\$NtUninstallWudf01000$\spuninst\WudfCustom.dll
+ 2006-10-04 14:05:26 39,424 ------w C:\WINDOWS\AppPatch\acadproc.dll
- 2008-01-14 03:19:48 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2008-04-09 10:34:36 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2008-01-14 03:19:49 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2008-04-09 10:34:37 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2008-01-14 03:19:49 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2008-04-09 10:34:37 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2008-01-14 03:19:40 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-09 10:34:24 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-01-14 03:19:41 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-09 10:34:26 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-01-14 03:19:43 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-09 10:34:27 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-01-14 03:19:43 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-09 10:34:28 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-01-14 03:19:44 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-09 10:34:30 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-01-14 03:19:44 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-09 10:34:31 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-01-14 03:19:45 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-09 10:34:31 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-01-14 03:19:45 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-09 10:34:33 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-01-14 03:19:46 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-09 10:34:33 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-01-14 03:19:49 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-09 10:34:37 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-01-14 03:19:50 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2008-04-09 10:34:38 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2008-01-14 03:19:50 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2008-04-09 10:34:39 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2008-01-14 03:19:50 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2008-04-09 10:34:40 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2008-01-14 03:19:51 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2008-04-09 10:34:41 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2008-01-14 03:19:47 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-04-09 10:34:35 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-03-28 01:52:51 245,760 ----a-w C:\WINDOWS\assembly\GAC_MSIL\log4net\1.2.10.30000__3cda94b1926e6fbc\log4net.dll
+ 2008-03-28 01:52:49 65,536 ----a-w C:\WINDOWS\assembly\GAC_MSIL\NullableTypes\1.2.2336.27002__3cda94b1926e6fbc\NullableTypes.dll
+ 2008-03-28 01:52:50 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Sony.MediaSoftware.clrshared.resources\2.2.2473.15730_de_3cda94b1926e6fbc\Sony.MediaSoftware.clrshared.resources.dll

Edited by k0rr, 12 April 2008 - 05:31 PM.

  • 0

#4
k0rr

    Member

  • Topic Starter
  • Member
  • 90 posts
+ 2006-10-19 04:00:14 17,408 ------w C:\WINDOWS\system32\wpdshextautoplay.exe
+ 2006-10-19 05:47:22 38,400 ------w C:\WINDOWS\system32\wpdshextres.dll
+ 2006-10-19 05:47:22 133,632 ------w C:\WINDOWS\system32\WPDShServiceObj.dll
- 2005-01-28 21:44:28 331,264 ----a-w C:\WINDOWS\system32\wpdsp.dll
+ 2006-10-19 05:47:22 356,352 ----a-w C:\WINDOWS\system32\wpdsp.dll
+ 2006-09-29 04:13:26 95,344 ------w C:\WINDOWS\system32\WUDFCoinstaller.dll
+ 2006-09-29 02:56:38 146,432 ------w C:\WINDOWS\system32\WudfHost.exe
+ 2006-09-29 02:56:16 165,376 ------w C:\WINDOWS\system32\WudfPlatform.dll
+ 2006-09-29 02:56:14 55,808 ------w C:\WINDOWS\system32\WudfSvc.dll
+ 2006-09-29 02:56:38 316,416 ------w C:\WINDOWS\system32\WUDFx.dll
- 2007-06-21 04:45:20 18,280 ----a-w C:\WINDOWS\system32\x3daudio1_2.dll
+ 2007-07-20 08:54:28 18,280 ----a-w C:\WINDOWS\system32\x3daudio1_2.dll
+ 2007-07-20 08:57:12 267,112 ----a-w C:\WINDOWS\system32\xactengine2_9.dll
+ 2008-04-13 00:24:28 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_f8.dat
+ 2007-03-21 04:22:04 972,336 ----a-w C:\WINDOWS\UNNeroBackItUp.exe
+ 2007-12-14 03:09:06 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
+ 2007-02-28 23:41:02 972,336 ----a-w C:\WINDOWS\UNNeroShowTime.exe
+ 2007-03-22 04:02:12 972,336 ----a-w C:\WINDOWS\UNNeroVision.exe
+ 2007-12-04 17:59:22 972,072 ----a-w C:\WINDOWS\UNRecode.exe
+ 2000-08-31 16:00:00 49,152 ----a-w C:\WINDOWS\VFind.exe
+ 2008-02-07 20:02:43 1,233,920 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
+ 2008-02-07 20:02:43 82,432 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
+ 2000-08-31 16:00:00 68,096 ----a-w C:\WINDOWS\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b0872088-ebc0-fcdf-b579-7d3614d57366}]
2008-04-07 08:27 329728 --a------ C:\WINDOWS\system32\{2cbaaf65-30f2-56dc-e2a3-13ecbb587b13}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9803b12-f0a0-11dc-95ff-0800200c9a66}]
2008-03-13 11:20 204800 --a------ C:\WINDOWS\TinyBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-06-07 12:53 61440]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [ ]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 08:51 486856]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
"Teso"="C:\DOCUME~1\Van\APPLIC~1\WNSXS~1\regedit.exe" [ ]
"Akywe"="C:\Documents and Settings\Van\Application Data\S?mantec\w?nspool.exe" [ ]
"Lwoqvhhp"="C:\Program Files\Common Files\W?nSxS\??rvices.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 15:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"DeadAIM"="C:\Program Files\AIM\\DeadAIM.ocm" [2004-02-28 12:12 144896]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"{84-40-0C-C8-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-04-12 16:24 49174]
"spa_start"="C:\WINDOWS\system32\{2cbaaf65-30f2-56dc-e2a3-13ecbb587b13}.dll" [2008-04-07 08:27 329728]
"g]eeV\mWhjlnspB"="C:\WINDOWS\system32\rcntpkdn.exe" [2008-04-12 16:24 196682]

C:\Documents and Settings\Van\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINDOWS\system32\rcntpkdn.exe [2008-04-12 16:24:33 196682]
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [2008-04-12 16:24:24 49174]
MemTurbo.lnk - C:\Program Files\MemTurbo30\MemTurbo.exe [2008-01-04 19:37:30 424448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 14:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-12-26 12:13 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=

S3 E100E;E100E;C:\WINDOWS\system32\DRIVERS\e100ent.sys [2004-08-25 10:12]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 16:24:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"="C:\\WINDOWS\\system32\\rcntpkdn.exe DWram"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mff]
"ImagePath"="System32\drivers\mff.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\MemTurbo30\cpurocket.dll
.
Completion time: 2008-04-12 16:28:18
ComboFix-quarantined-files.txt 2008-04-13 00:28:12
ComboFix2.txt 2008-01-21 22:48:28
ComboFix3.txt 2008-01-18 10:02:01
ComboFix4.txt 2008-01-15 18:16:58
ComboFix5.txt 2008-01-13 21:40:45
Pre-Run: 69,244,383,232 bytes free
Post-Run: 74,131,107,840 bytes free

There seem to be more popups than before the ComboFix scan.

Edited by k0rr, 12 April 2008 - 06:13 PM.

  • 0

#5
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Yeah, I think we're bugging it out now :) We revealed a lot of the infected files and will start removing them now... hopefully you will see some improvement after the below steps.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

KILLALL::

Driver::
mff

File::
C:\WINDOWS\system32\g79.exe
C:\WINDOWS\system32\rcntpkdn.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\jgeb.ini
C:\WINDOWS\system32\kynnviuq.dll
C:\WINDOWS\system32\itkowlts.dll
C:\WINDOWS\upmk.ini
C:\WINDOWS\pmhe.ini
C:\WINDOWS\system32\tlxlgjnl.dll
C:\WINDOWS\wqnl.ini
C:\WINDOWS\system32\vcffvwyl.dll
C:\WINDOWS\nkif.ini
C:\WINDOWS\rpjg.ini
C:\WINDOWS\BMabeb73fb.xml
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINDOWS\system32\targetedbanner-uninst.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\xvpn.ini
C:\WINDOWS\xvpm.ini
C:\WINDOWS\spnz.ini
C:\WINDOWS\zxrp.ini
C:\WINDOWS\vtqo.ini
C:\WINDOWS\nljd.ini
C:\WINDOWS\sqnl.ini
C:\WINDOWS\sqni.ini
C:\WINDOWS\rpmk.ini
C:\WINDOWS\pjhe.ini
C:\WINDOWS\wuom.ini
C:\WINDOWS\urmj.ini
C:\WINDOWS\TinyBHO.dll
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\WINDOWS\system32\{2cbaaf65-30f2-56dc-e2a3-13ecbb587b13}.dll
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\rcntpkdn.exe
C:\WINDOWS\system32\{2cbaaf65-30f2-56dc-e2a3-13ecbb587b13}.dll
C:\Documents and Settings\Van\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Van\Start Menu\Programs\Startup\DW_Start.lnk
c:\windows\System32\drivers\mff.sys

Folder::
C:\WINDOWS\system32\wii
C:\WINDOWS\system32\pinz1
C:\WINDOWS\system32\IDE2
C:\WINDOWS\system32\ExTmp
C:\WINDOWS\system32\bharebio01
C:\Temp\wdlw14
C:\Logs

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9803b12-f0a0-11dc-95ff-0800200c9a66}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b0872088-ebc0-fcdf-b579-7d3614d57366}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Teso"=-
"Akywe"=-
"Lwoqvhhp"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{84-40-0C-C8-DW}"=-
"spa_start"=-
"g]eeV\mWhjlnspB"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#6
k0rr
    Member
  • Topic Starter
  • Member
  • 90 posts
The script fails when I try to run it.
It says it couldn't find certain files.

It does not run its stages and does not produce a log, though it does restart my comp.
The CFScript.txt remains on the desktop after the reboot.

I have something called anti-virus pro? installed.
It's a virus in itself from my observations.
My desktop's background is the following:
http://www.freewebs.com/k0rr/dtv.JPG

Here's an updated HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:13, on 2008-04-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rcntpkdn.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\AVANTB~1\avant.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Van\Desktop\misc\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [{84-40-0C-C8-DW}] C:\WINDOWS\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\rcntpkdn.exe DWram
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{2cbaaf65-30f2-56dc-e2a3-13ecbb587b13}.dll" DllInit
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Van\cftmon.exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Teso] "C:\DOCUME~1\Van\APPLIC~1\WNSXS~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Akywe] "C:\Documents and Settings\Van\Application Data\S?mantec\w?nspool.exe"
O4 - HKCU\..\Run: [Lwoqvhhp] "C:\Program Files\Common Files\W?nSxS\??rvices.exe"
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Van\cftmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\rcntpkdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198621337000
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O21 - SSODL: DiyNOAlDVLv - {A8D840C9-0272-EA63-78AC-B6E29E022336} - C:\WINDOWS\system32\hizl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe

--
End of file - 8021 bytes
  • 0

#7
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Delete ComboFix and download the tool again from the link given earlier. Try running CFScript through it again... post the log here if you can run it.

Either way, do the following when ready:

Print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should NOT have any open browsers when you are following the procedures below.

Download AVG Anti-Spyware at http://www.ewido.net/en/download/ and install it.
- Locate the icon on the desktop and double-click it to launch the set up program.
- Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
- On the main screen select the Update icon, then select the Update now link.
- Next select the Start Update button. The update will start and a progress bar will show the updates being installed.
- Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
- Once in the Settings screen click on Recommended actions and then select Quarantine.
- Under Reports, select Automatically generate report after every scan.
- Unselect Only if threats were found.

Close AVG Anti-Spyware. Do not run a scan just yet.


Download ATF Cleaner at http://www.atribune..../click.php?id=1. Don't run it yet.

Download SmitfraudFix at http://siri.urz.free...mitfraudFix.zip and extract the content (a folder named SmitfraudFix) to your desktop. Do not run it yet.

Restart your computer and boot into Safe Mode. If you don't know how, go to http://www.bleepingc...tutorial61.html

Once in Safe Mode, open the SmitfraudFix folder. Double-click on smitfraudfix.cmd and select option #2 - Clean by typing 2 and press Enter to delete infected files. You will be prompted Registry cleaning - Do you want to clean the registry? Answer Yes by typing Y and press Enter in order to remove the desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found). Answer Yes by typing Y and press Enter.

The tool may need to restart your computer to finish the cleaning process. If it doesn't, please restart it manually to get back to Normal Mode. A text file will appear onscreen, with results from the cleaning process. Copy and paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt

WARNING: Running option #2 on a non infected computer will remove your desktop background.


Double-click ATF-Cleaner.exe to run the program. Under Main, choose Select All.
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, click Opera at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Run a scan in HijackThis. Check each of the following if they still exist and hit Fix checked when ready:

O4 - HKLM\..\Run: [{84-40-0C-C8-DW}] C:\WINDOWS\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\rcntpkdn.exe DWram
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{2cbaaf65-30f2-56dc-e2a3-13ecbb587b13}.dll" DllInit
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Van\cftmon.exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
O4 - HKCU\..\Run: [Teso] "C:\DOCUME~1\Van\APPLIC~1\WNSXS~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Akywe] "C:\Documents and Settings\Van\Application Data\S?mantec\w?nspool.exe"
O4 - HKCU\..\Run: [Lwoqvhhp] "C:\Program Files\Common Files\W?nSxS\??rvices.exe"
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Van\cftmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\rcntpkdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O21 - SSODL: DiyNOAlDVLv - {A8D840C9-0272-EA63-78AC-B6E29E022336} - C:\WINDOWS\system32\hizl.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe


Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop Schedule
sc delete Schedule
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.


Uninstall AntiVirusPro via the Add/Remove Programs panel if still found.

Delete the following if found:

C:\DOCUME~1\Van\APPLIC~1\WNSXS~1\
C:\Documents and Settings\LocalService\cftmon.exe
C:\Documents and Settings\Van\Application Data\S?mantec\
C:\Documents and Settings\Van\cftmon.exe
C:\Program Files\AntiVirusPro\
C:\Program Files\Common Files\W?nSxS\
C:\WINDOWS\system32\{2cbaaf65-30f2-56dc-e2a3-13ecbb587b13}.dll
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\hizl.dll
C:\WINDOWS\system32\rcntpkdn.exe
C:\WINDOWS\system32\rwwnw64d.exe


Run AVG Anti-Spyware.
- Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
- AVG Anti-Spyware will now begin the scanning process. Be patient as this may take a little time.

Once the scan is complete do the following:
- If you have any infections you will be prompted on what action to take. Select Apply all actions.
- Next select the Reports icon at the top.
- Select the Save report as button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).


Post the rapport.txt, AVG Anti-Spyware report and a new HijackThis log here.
  • 0
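The HijackThis entries greyknight17 picks out above (an .exe living in system32\drivers, a "cftmon.exe" one letter off from ctfmon.exe, folder names with a '?' where a non-ASCII lookalike character sits, a "Task Scheduler" service whose image is not svchost.exe, an unnamed SSODL entry) follow a handful of patterns that can be checked mechanically. The script below is an added example and is not part of the thread, of HijackThis or of ComboFix: it parses O4/O21/O23 lines and reports which rule of thumb each entry trips. The sample lines are constructed from the entries quoted in this thread; the list of imitated system binaries, the expected service hosts, the SSODL allowlist and the 0.8 similarity threshold are this example's own assumptions, so treat the output as a shortlist for an analyst rather than a verdict.

```python
"""Heuristic triage of HijackThis O4 / O21 / O23 lines (added example).

Not part of HijackThis or ComboFix. Sample lines are constructed from the
thread; allowlists, expected hosts and thresholds are assumptions.
"""
import re
from difflib import SequenceMatcher

# Constructed sample, modelled on the O4/O21/O23 lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Van\cftmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Akywe] "C:\Documents and Settings\Van\Application Data\S?mantec\w?nspool.exe"
O4 - HKCU\..\Run: [Lwoqvhhp] "C:\Program Files\Common Files\W?nSxS\??rvices.exe"
O21 - SSODL: DiyNOAlDVLv - {A8D840C9-0272-EA63-78AC-B6E29E022336} - C:\WINDOWS\system32\hizl.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")
O21_RE = re.compile(r"^O21 - SSODL: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
# Display names that themselves contain " - " would need a smarter split.
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# First drive-rooted path ending in .exe/.dll/.ocm, even when unquoted with spaces.
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocm)", re.IGNORECASE)

# Genuine Windows binaries that malware imitates with one-letter edits (assumed list).
SYSTEM_BINARIES = ("ctfmon.exe", "spoolsv.exe", "svchost.exe", "services.exe",
                   "lsass.exe", "winlogon.exe", "explorer.exe", "rundll32.exe",
                   "csrss.exe", "smss.exe")
LOOKALIKE_THRESHOLD = 0.8
USER_PROFILE_ROOT = "c:\\documents and settings\\"
# Built-in XP services and the image that hosts them (assumed table, not exhaustive).
EXPECTED_SERVICE_IMAGE = {"schedule": "svchost.exe", "spooler": "spoolsv.exe"}
# Assumed allowlist of ShellServiceObjectDelayLoad names on a clean XP install.
KNOWN_SSODL = {"postbootreminder", "cdburn", "webcheck", "systray"}


def extract_path(command):
    """Pull the file actually launched out of an O4 command line."""
    m = DRIVE_PATH_RE.search(command)
    return m.group(0) if m else command.split()[0]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def path_findings(path):
    """Rules that apply to any autostart path, whatever the entry type."""
    reasons, low, name = [], path.lower(), basename(path)
    if "?" in path:  # the log tool prints '?' for characters it cannot render
        reasons.append("path contains a character the log tool could not print (shown as '?'), "
                       "typical of a lookalike folder or file name")
    if low.startswith(USER_PROFILE_ROOT):
        reasons.append("autostart executable lives under a user profile")
    if "\\drivers\\" in low and name.endswith(".exe"):
        reasons.append("an .exe in the drivers folder (real drivers are .sys files)")
    for known in SYSTEM_BINARIES:
        if name != known and SequenceMatcher(None, name, known).ratio() >= LOOKALIKE_THRESHOLD:
            reasons.append(f"file name resembles system binary {known}")
    return reasons


def triage(log_text):
    """Return {entry name: [reasons]} for every entry that trips at least one rule."""
    findings = {}
    for line in (l.strip() for l in log_text.splitlines()):
        m4, m21, m23 = O4_RE.match(line), O21_RE.match(line), O23_RE.match(line)
        if m4:
            name, reasons = m4.group(2), path_findings(extract_path(m4.group(3)))
        elif m21:
            name, reasons = m21.group(1), path_findings(m21.group(2).strip())
            if name.lower() not in KNOWN_SSODL:
                reasons.append("SSODL entry is not one of the assumed XP defaults")
        elif m23:
            display, owner, path = (g.strip() for g in m23.groups())
            short = re.search(r"\(([^()]+)\)$", display)
            name = short.group(1) if short else display
            reasons = path_findings(path)
            expected = EXPECTED_SERVICE_IMAGE.get(name.lower())
            if expected and basename(path) != expected:
                reasons.append(f"service {name} should be hosted by {expected}, not {basename(path)}")
            if expected and owner.lower() == "unknown owner":
                reasons.append("built-in Windows service with no publisher information")
        else:
            continue
        if reasons:  # the same name can recur under HKLM/HKCU; merge, don't overwrite
            findings.setdefault(name, []).extend(r for r in reasons if r not in findings.get(name, []))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(f"[{entry}]")
        for reason in why:
            print(f"    - {reason}")
```

Run against the sample, the script flags ntuser, autoload, Akywe, Lwoqvhhp, DiyNOAlDVLv and Schedule and leaves the NVIDIA, ctfmon.exe and NVSvc entries alone, which matches the set greyknight17 asked to have fixed. The rules deliberately stop at "looks wrong": confirming a file is malicious still takes a hash lookup or a scan, and a real log has more entry types (O2, O18, O20) than the three handled here.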

#8
k0rr
    Member
  • Topic Starter
  • Member
  • 90 posts
Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005

AVG installation error ^

==========================================================================================

SmitFraudFix v2.312

Scan done at 20:43:08.10, 2008-04-13
Run from C:\Documents and Settings\Van\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A5E90A98-1C74-49C1-933E-79129C51740E}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A5E90A98-1C74-49C1-933E-79129C51740E}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A5E90A98-1C74-49C1-933E-79129C51740E}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
"Startup"="MCPSystemStartup"


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

========================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:09, on 2008-04-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Van\Desktop\misc\HiJackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {01A33D85-4706-452A-B71A-99510ADA8C0C} - C:\WINDOWS\system32\mlJBRKBU.dll
O2 - BHO: (no name) - {DA261CEA-2AA8-438D-963A-7C796E56CD1C} - C:\WINDOWS\system32\iifcDWol.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Van\cftmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Van\cftmon.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198621337000
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: mlJBRKBU - C:\WINDOWS\SYSTEM32\mlJBRKBU.dll
O21 - SSODL: DiyNOAlDVLv - {A8D840C9-0272-EA63-78AC-B6E29E022336} - C:\WINDOWS\system32\hizl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6538 bytes

==========================================================================================

Could not delete C:\WINDOWS\system32\hizl.dll; Explorer shuts down/restarts when I press the Delete key or right-click --> Delete.
ComboFix still can't run that script.
The background is still intact even after the SmitfraudFix scan.

Edited by k0rr, 13 April 2008 - 11:10 PM.

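The checks a helper applies by eye to the HijackThis log above can be written down. The script below is an added example, not code from this thread or from HijackThis: it flags a BHO registered with no display name, an O4 Run entry whose executable sits in the root of a user profile or inside system32\drivers, a Run entry whose file name is one or two edits away from a Windows system binary (cftmon.exe against ctfmon.exe, spools.exe against spoolsv.exe), a Winlogon Notify package that is not on a stock XP allowlist, and any SSODL entry. The allowlist and the list of imitated system binaries are assumptions kept short for illustration; the sample lines are copied from the log in this post.

```python
"""Triage pass over HijackThis 2.0 log entries (added example, see lead-in)."""
import re

# Winlogon Notify packages present on a stock Windows XP SP2 install.
# Assumption: illustrative allowlist; extend it with vendor packages you have verified.
KNOWN_NOTIFY_PACKAGES = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

# System binaries whose names malware imitates. Assumption: illustrative list.
SYSTEM_BINARIES = sorted({
    "ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "explorer.exe", "services.exe", "smss.exe",
})

ENTRY_RE = re.compile(r"^(O\d+|R\d+) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll|ocm|sys)', re.IGNORECASE)


def levenshtein(a, b):
    """Plain edit distance; a swapped letter pair (cftmon/ctfmon) costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def target_of(body):
    """File an O4 entry launches: first drive-letter path, else first token after [name]."""
    m = PATH_RE.search(body)
    if m:
        return m.group(0)
    tokens = body.split("]", 1)[-1].split()
    return tokens[0] if tokens else ""


def check_run_entry(body):
    reasons = []
    target = target_of(body)
    parts = [p for p in target.split("\\") if p]
    if not parts:
        return reasons
    name, lowered = parts[-1].lower(), target.lower()
    is_exe = name.endswith(".exe")
    # C:\Documents and Settings\<user>\x.exe: nothing legitimate autostarts from a profile root
    if is_exe and lowered.startswith("c:\\documents and settings\\") and len(parts) == 4:
        reasons.append("executable sitting in the root of a user profile")
    if is_exe and "\\drivers\\" in lowered:
        reasons.append("executable inside system32\\drivers, where only .sys files belong")
    # Typosquat check only for stems of 5+ letters, so short names like aim.exe cannot collide
    if is_exe and name not in SYSTEM_BINARIES and len(name) >= 9:
        for sysname in SYSTEM_BINARIES:
            if levenshtein(name, sysname) <= 2:
                reasons.append(f"name imitates system binary {sysname}")
                break
    return reasons


def check_bho(body):
    return ["BHO registered without a display name"] if body.startswith("BHO: (no name)") else []


def check_winlogon_notify(body):
    package = body.partition(":")[2].split(" - ")[0].strip()
    if package.lower() in KNOWN_NOTIFY_PACKAGES:
        return []
    return [f"Winlogon Notify package '{package}' not on the XP allowlist; it loads inside winlogon.exe"]


def check_ssodl(body):
    return ["SSODL entry: the DLL is loaded into explorer.exe at logon and cannot be deleted while mapped"]


CHECKS = {"O2": check_bho, "O4": check_run_entry, "O20": check_winlogon_notify, "O21": check_ssodl}


def triage(log_text):
    """Return [(log line, [reasons])] for every entry that trips a check."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        reasons = CHECKS[kind](body) if kind in CHECKS else []
        if reasons:
            findings.append((line, reasons))
    return findings


def reasons_for(findings, needle):
    """All reasons attached to flagged lines that contain `needle` (case-insensitive)."""
    return [r for line, rs in findings if needle.lower() in line.lower() for r in rs]


# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {01A33D85-4706-452A-B71A-99510ADA8C0C} - C:\WINDOWS\system32\mlJBRKBU.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Van\cftmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O20 - Winlogon Notify: mlJBRKBU - C:\WINDOWS\SYSTEM32\mlJBRKBU.dll
O21 - SSODL: DiyNOAlDVLv - {A8D840C9-0272-EA63-78AC-B6E29E022336} - C:\WINDOWS\system32\hizl.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run against the sample, the script flags exactly the five entries the thread goes on to remove (the two look-alike Run entries, the nameless BHO, the Winlogon Notify package and the SSODL entry) and leaves the NVIDIA, AIM, real ctfmon.exe and MemTurbo entries alone. The output is a worklist for a human, not a verdict: a vendor package missing from the allowlist will also be listed.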

#9
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Were you able to delete the other files/folders and also fix those entries in HijackThis?

Try fixing those entries in HijackThis again and then do the below:

1. Download The Avenger (http://swandog46.gee...com/avenger.zip) to your Desktop and unzip/extract it.

2. Copy all of the bold text contained in the quotebox below to a blank Notepad file:

Files to delete:
C:\Documents and Settings\LocalService\cftmon.exe
C:\Documents and Settings\Van\cftmon.exe
C:\WINDOWS\system32\{2cbaaf65-30f2-56dc-e2a3-13ecbb587b13}.dll
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\hizl.dll
C:\WINDOWS\system32\rcntpkdn.exe
C:\WINDOWS\system32\rwwnw64d.exe

Folders to delete:
C:\Documents and Settings\Van\Application Data\S?mantec\
C:\DOCUME~1\Van\APPLIC~1\WNSXS~1\
C:\Program Files\AntiVirusPro\
C:\Program Files\Common Files\W?nSxS\

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Start The Avenger program from your desktop.
- Under 'Script file to execute', choose 'Input Script Manually'.
- Click on the Magnifying Glass icon which will open a new window titled 'View/edit script'.
- Paste the text you copied to the notepad earlier into this window.
- Click Done.
- Now click on the Green Light to begin execution of the script.
- Answer 'Yes' twice when prompted.

4. The Avenger will automatically do the following:
- Restart your computer. In cases where the code to execute contains 'Drivers to Unload', The Avenger will actually restart your system twice.
- On reboot, it briefly opens a black command window on your desktop. This is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Copy and paste all the contents of avenger.txt into your reply along with a new HijackThis log.

Rename ComboFix.exe to k0rr.exe instead and then try running it again.

#10
k0rr

    Member

  • Topic Starter
  • Member
  • 90 posts
ComboFix 08-04-13.2 - Van 2008-04-14 18:34:25.16 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1662 [GMT -8:00]
Running from: C:\Documents and Settings\Van\Desktop\k0rr.exe
Command switches used :: C:\Documents and Settings\Van\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Van\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Van\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINDOWS\BMabeb73fb.xml
C:\WINDOWS\jgeb.ini
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\nkif.ini
C:\WINDOWS\nljd.ini
C:\WINDOWS\pjhe.ini
C:\WINDOWS\pmhe.ini
C:\WINDOWS\rpjg.ini
C:\WINDOWS\rpmk.ini
C:\WINDOWS\spnz.ini
C:\WINDOWS\sqni.ini
C:\WINDOWS\sqnl.ini
C:\WINDOWS\system32\{2cbaaf65-30f2-56dc-e2a3-13ecbb587b13}.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
c:\windows\System32\drivers\mff.sys
C:\WINDOWS\system32\g79.exe
C:\WINDOWS\system32\itkowlts.dll
C:\WINDOWS\system32\kynnviuq.dll
C:\WINDOWS\system32\rcntpkdn.exe
C:\WINDOWS\system32\rwwnw64d.exe
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\targetedbanner-uninst.exe
C:\WINDOWS\system32\tlxlgjnl.dll
C:\WINDOWS\system32\vcffvwyl.dll
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\TinyBHO.dll
C:\WINDOWS\upmk.ini
C:\WINDOWS\urmj.ini
C:\WINDOWS\vtqo.ini
C:\WINDOWS\wqnl.ini
C:\WINDOWS\wuom.ini
C:\WINDOWS\xvpm.ini
C:\WINDOWS\xvpn.ini
C:\WINDOWS\zxrp.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Van\Application Data\Anti-Virus-Pro.com
C:\Documents and Settings\Van\Application Data\inst.exe
C:\Logs
C:\Logs\Launcher-warnings.log
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Temp\wdlw14
C:\Temp\wdlw14\maxN1bo.log
C:\WINDOWS\BMabeb73fb.xml
C:\WINDOWS\jgeb.ini
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\nkif.ini
C:\WINDOWS\nljd.ini
C:\WINDOWS\pjhe.ini
C:\WINDOWS\pmhe.ini
C:\WINDOWS\rpjg.ini
C:\WINDOWS\rpmk.ini
C:\WINDOWS\spnz.ini
C:\WINDOWS\sqni.ini
C:\WINDOWS\sqnl.ini
C:\WINDOWS\system32\bharebio01
C:\WINDOWS\system32\bharebio01\bharebio011065.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\OHXI56.sys
C:\WINDOWS\system32\ExTmp
C:\WINDOWS\system32\ExTmp\bmv35gui.exe
C:\WINDOWS\system32\g79.exe
C:\WINDOWS\system32\IDE2
C:\WINDOWS\system32\IDE2\mdllcom2.exe
C:\WINDOWS\system32\itkowlts.dll
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\kynnviuq.dll
C:\WINDOWS\system32\loWDcfii.ini
C:\WINDOWS\system32\loWDcfii.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlJBRKBU.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pinz1
C:\WINDOWS\system32\pinz1\cegmgr76.exe
C:\WINDOWS\system32\qoMgeExW.dll
C:\WINDOWS\system32\targetedbanner-uninst.exe
C:\WINDOWS\system32\tlxlgjnl.dll
C:\WINDOWS\system32\tmp10.tmp
C:\WINDOWS\system32\tmp42.tmp
C:\WINDOWS\system32\tmp43.tmp
C:\WINDOWS\system32\vcffvwyl.dll
C:\WINDOWS\system32\wii
C:\WINDOWS\system32\wii\HTgn1dll.exe
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\TinyBHO.dll
C:\WINDOWS\upmk.ini
C:\WINDOWS\urmj.ini
C:\WINDOWS\vtqo.ini
C:\WINDOWS\wqnl.ini
C:\WINDOWS\wuom.ini
C:\WINDOWS\xvpm.ini
C:\WINDOWS\xvpn.ini
C:\WINDOWS\zxrp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OHXI56
-------\Service_Ohxi56
-------\Service_OHXI56


((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 18:21 . 2008-04-14 18:21 135,168 --a------ C:\zip.exe
2008-04-14 18:21 . 2008-04-14 18:21 19,286 --a------ C:\cleanup.exe
2008-04-14 18:21 . 2008-04-14 18:21 574 --a------ C:\cleanup.bat
2008-04-14 03:48 . 2008-04-14 18:21 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-04-13 22:05 . 2008-04-13 22:06 <DIR> d-------- C:\ComboFix
2008-04-13 20:48 . 2008-04-13 20:48 269,334 --a------ C:\WINDOWS\system32\pcjml.bmp
2008-04-13 20:43 . 2008-04-13 20:43 3,274 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-13 17:36 . 2008-04-13 17:36 269,334 --a------ C:\WINDOWS\system32\jqpormlsrqdsr.bmp
2008-04-13 17:30 . 2008-04-13 17:30 269,334 --a------ C:\WINDOWS\system32\qpsritkreh.bmp
2008-04-13 15:18 . 2008-04-13 15:18 269,334 --a------ C:\WINDOWS\system32\etsjmlsrahknad.bmp
2008-04-13 10:58 . 2008-04-13 10:58 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-04-13 06:58 . 2008-04-13 06:58 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-04-13 02:57 . 2008-04-13 02:57 9,662 --a------ C:\WINDOWS\system32\iphone-6y.ico
2008-04-12 18:56 . 2008-04-12 18:56 269,334 --a------ C:\WINDOWS\system32\apknadofql.bmp
2008-04-12 18:52 . 2008-04-12 18:52 269,334 --a------ C:\WINDOWS\system32\jmhkretcr.bmp
2008-04-12 18:51 . 2008-04-12 18:51 <DIR> d-------- C:\Documents and Settings\Van\WINDOWS
2008-04-12 18:35 . 2008-04-12 18:35 29 --a------ C:\WINDOWS\system32\qtsqagwa.tmp
2008-04-12 18:34 . 2008-04-12 18:34 269,334 --a------ C:\WINDOWS\system32\pcrelojqp.bmp
2008-04-12 18:33 . 2008-04-12 18:33 12,800 --a------ C:\bB3b.exe
2008-04-12 17:18 . 2008-04-12 17:18 315,744 --a------ C:\WINDOWS\system32\iifcDWol.dll
2008-04-12 16:24 . 2008-04-13 15:19 938 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-09 23:56 . 2008-04-09 23:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 23:56 . 2008-04-09 23:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-29 14:18 . 2008-03-29 14:18 <DIR> d-------- C:\Program Files\Outsim
2008-03-29 14:13 . 2008-03-29 14:13 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-03-27 17:56 . 2008-03-27 17:56 <DIR> d-------- C:\Documents and Settings\Van\Application Data\Publish Providers
2008-03-27 17:56 . 2008-03-27 17:56 <DIR> d-------- C:\Documents and Settings\Van\Application Data\NetMedia Providers
2008-03-27 17:53 . 2008-03-27 17:53 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-03-27 17:53 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-03-27 17:53 . 2002-12-17 16:23 33,340 --a------ C:\WINDOWS\system32\dbmsqlgc.dll
2008-03-27 17:53 . 2002-10-20 14:05 24,576 --a------ C:\WINDOWS\system32\dbmsgnet.dll
2008-03-27 17:52 . 2008-03-27 17:52 <DIR> d-------- C:\Program Files\Sony
2008-03-27 17:52 . 2008-03-27 17:52 <DIR> d-------- C:\Documents and Settings\Van\Application Data\Sony
2008-03-27 17:52 . 2008-03-27 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-03-27 17:51 . 2008-03-27 17:51 <DIR> d-------- C:\Program Files\Sony Setup
2008-03-27 13:21 . 2008-03-27 13:22 <DIR> d-------- C:\Program Files\VirtualDJ
2008-03-27 12:20 . 2008-04-01 11:20 <DIR> d-------- C:\Program Files\VstPlugins
2008-03-27 12:20 . 2008-03-27 12:20 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-03-27 12:18 . 2008-04-01 11:19 <DIR> d-------- C:\Program Files\Image-Line
2008-03-26 12:40 . 2008-03-26 12:40 <DIR> d-------- C:\Program Files\Activision
2008-03-26 10:42 . 2008-03-26 12:50 22,328 --a------ C:\Documents and Settings\Van\Application Data\PnkBstrK.sys
2008-03-26 10:31 . 2008-04-09 02:23 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-25 10:16 . 2008-03-25 10:16 <DIR> d-------- C:\Program Files\WinPcap
2008-03-25 10:16 . 2008-03-25 11:03 <DIR> d-------- C:\Program Files\WC3Banlist
2008-03-21 02:21 . 2005-01-22 11:12 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2008-03-21 01:43 . 2008-03-21 01:54 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-03-21 01:43 . 2008-03-21 02:11 75,965 --a------ C:\WINDOWS\War3Unin.dat
2008-03-21 01:43 . 2008-03-21 01:54 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-03-21 01:41 . 2008-04-13 04:55 <DIR> d-------- C:\Program Files\Warcraft III
2008-03-17 23:09 . 2008-03-31 19:23 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 4
2008-03-17 00:40 . 2008-03-17 00:40 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-16 21:20 . 2008-03-16 21:20 <DIR> d-------- C:\Program Files\Magnus Brading
2008-03-16 21:20 . 2008-03-16 21:20 495,104 --a------ C:\WINDOWS\system32\mp3tsshx.dll
2008-03-16 19:09 . 2008-04-08 17:17 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 09:02 --------- d-----w C:\Program Files\Steam
2008-04-09 10:23 --------- d-----w C:\Program Files\THQ
2008-04-08 21:51 --------- d-----w C:\Program Files\Avant Browser
2008-04-07 09:51 --------- d-----w C:\Documents and Settings\Van\Application Data\.BitTornado
2008-04-05 06:09 --------- d-----w C:\Program Files\World of Warcraft
2008-04-04 01:25 --------- d-----w C:\Documents and Settings\Van\Application Data\Aim
2008-03-30 22:35 --------- d-----w C:\Program Files\Blaze Media Pro
2008-03-29 22:13 --------- d-----w C:\Program Files\Stardock
2008-03-28 17:04 --------- d-----w C:\Program Files\coolpro2
2008-03-26 20:50 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-26 01:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-14 03:52 --------- d-----w C:\Program Files\America's Army
2008-03-11 06:21 --------- d-----w C:\Program Files\AIM
2008-03-07 18:05 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-03-07 18:04 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2008-03-07 09:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-05 06:30 --------- d-----w C:\Program Files\PowerISO
2008-03-02 01:47 --------- d-----w C:\Program Files\Java Web Start
2008-03-02 01:47 --------- d-----w C:\Program Files\Java
2008-02-29 21:36 --------- d-----w C:\Documents and Settings\Van\Application Data\Microsoft Games
2008-02-29 20:02 --------- d-----w C:\Program Files\Microsoft Games
2008-02-27 07:59 --------- d-----w C:\Program Files\3ivx
2008-02-26 01:15 --------- d-----w C:\Program Files\Realtek
2008-02-25 07:01 --------- d-----w C:\Documents and Settings\Van\Application Data\Atari
2008-02-24 09:18 --------- d-----w C:\Program Files\Common Files\PocketSoft
2008-02-24 09:18 --------- d-----w C:\Documents and Settings\Van\Application Data\Leadertech
2008-02-24 09:15 --------- d-----w C:\Program Files\Atari
2008-02-17 03:00 --------- d-----w C:\Documents and Settings\Van\Application Data\InstallShield
2008-02-09 07:54 47,360 ----a-w C:\Documents and Settings\Van\Application Data\pcouffin.sys
2003-09-18 21:50 129,904 ----a-w C:\Documents and Settings\Van\e10002ke.sys
.

------- Sigcheck -------

2004-08-04 04:00 17408 bf36170ea928c6c92f20809393468b6a C:\WINDOWS\system32\svchost.exe

2004-08-04 04:00 506368 2b87a29834b0fb967784ad274636e2d6 C:\WINDOWS\system32\winlogon.exe

2004-08-04 04:00 1034752 d13cc9dfe4917e1d3f056c7a42330cb5 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((( snapshot_2008-04-12_16.27.46.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-15 02:39:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-21 04:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-03-09 08:53:33 2,238 ----a-r C:\WINDOWS\Installer\{D873FA4B-C374-4F8A-8D9A-130DB56FAB16}\NewShortcut17_656D5B05040941EEBBEED9C4D6388972.exe
+ 2007-12-26 23:58:07 2,722 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2004-08-04 12:00:00 2,000 ----a-w C:\WINDOWS\system\KEYBOARD.DRV
+ 2004-08-04 12:00:00 2,032 ----a-w C:\WINDOWS\system\MOUSE.DRV
+ 2004-08-04 12:00:00 1,744 ----a-w C:\WINDOWS\system\SOUND.DRV
+ 2004-08-04 12:00:00 2,176 ----a-w C:\WINDOWS\system\VGA.DRV
- 2007-12-25 22:07:34 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-13 02:52:15 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-25 22:07:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-13 02:52:15 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-25 22:07:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-13 02:52:15 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-08-04 12:00:00 1,788 ----a-w C:\WINDOWS\system32\Dcache.bin
+ 2004-08-04 07:07:58 2,944 -c--a-w C:\WINDOWS\system32\dllcache\drmkaud.sys
+ 2004-08-04 12:00:00 2,000 -c--a-w C:\WINDOWS\system32\dllcache\keyboard.drv
+ 2004-08-04 12:00:00 2,560 -c--a-w C:\WINDOWS\system32\dllcache\lz32.dll
+ 2004-08-04 12:00:00 2,032 -c--a-w C:\WINDOWS\system32\dllcache\mouse.drv
+ 2004-08-04 12:00:00 2,944 -c--a-w C:\WINDOWS\system32\dllcache\null.sys
+ 2004-08-04 12:00:00 1,744 -c--a-w C:\WINDOWS\system32\dllcache\sound.drv
+ 2004-08-04 12:00:00 2,176 -c--a-w C:\WINDOWS\system32\dllcache\vga.drv
+ 2004-08-04 12:00:00 2,864 -c--a-w C:\WINDOWS\system32\dllcache\winsock.dll
+ 2004-08-04 12:00:00 2,112 -c--a-w C:\WINDOWS\system32\dllcache\winspool.exe
+ 2004-08-04 12:00:00 2,736 -c--a-w C:\WINDOWS\system32\dllcache\wowdeb.exe
+ 2004-08-04 07:07:58 2,944 ----a-w C:\WINDOWS\system32\drivers\drmkaud.sys
+ 2004-08-04 12:00:00 2,944 ----a-w C:\WINDOWS\system32\drivers\null.sys
+ 2008-01-05 03:13:33 1,612 ----a-w C:\WINDOWS\system32\errdbg.dat
+ 2004-08-04 12:00:00 2,000 ----a-w C:\WINDOWS\system32\keyboard.drv
- 2004-08-04 12:00:00 13,312 ----a-w C:\WINDOWS\system32\lsass.exe
+ 2004-08-04 12:00:00 14,848 ----a-w C:\WINDOWS\system32\lsass.exe
+ 2004-08-04 12:00:00 2,560 ----a-w C:\WINDOWS\system32\lz32.dll
+ 2004-08-04 12:00:00 2,032 ----a-w C:\WINDOWS\system32\mouse.drv
+ 2004-08-04 12:00:00 2,656 ----a-w C:\WINDOWS\system32\netware.drv
- 2004-08-04 12:00:00 108,032 ----a-w C:\WINDOWS\system32\services.exe
+ 2004-08-04 12:00:00 110,592 ----a-w C:\WINDOWS\system32\services.exe
+ 2004-08-04 12:00:00 1,744 ----a-w C:\WINDOWS\system32\sound.drv
- 2004-08-04 12:00:00 57,856 ----a-w C:\WINDOWS\system32\spoolsv.exe
+ 2004-08-04 12:00:00 58,880 ----a-w C:\WINDOWS\system32\spoolsv.exe
+ 2008-01-05 03:13:04 2,490 ----a-w C:\WINDOWS\system32\v_str.dat
+ 2004-08-04 12:00:00 2,176 ----a-w C:\WINDOWS\system32\vga.drv
+ 2004-08-04 12:00:00 2,864 ----a-w C:\WINDOWS\system32\winsock.dll
+ 2004-08-04 12:00:00 2,112 ----a-w C:\WINDOWS\system32\winspool.exe
+ 2004-08-04 12:00:00 2,736 ----a-w C:\WINDOWS\system32\wowdeb.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3543D8CC-CF7D-48BE-837D-158BD0E3BDCC}]
2008-04-12 17:18 315744 --a------ C:\WINDOWS\system32\iifcDWol.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-06-07 12:53 61440]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [ ]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 08:51 486856]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 15:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"DeadAIM"="C:\Program Files\AIM\\DeadAIM.ocm" [2004-02-28 12:12 144896]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

C:\Documents and Settings\Van\Start Menu\Programs\Startup\
MemTurbo.lnk - C:\Program Files\MemTurbo30\MemTurbo.exe [2008-01-04 19:37:30 424448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DiyNOAlDVLv"= {A8D840C9-0272-EA63-78AC-B6E29E022336} - C:\WINDOWS\system32\hizl.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 14:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJBRKBU]
mlJBRKBU.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-12-26 12:13 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\iifcDWol.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=

S3 E100E;E100E;C:\WINDOWS\system32\DRIVERS\e100ent.sys [2004-08-25 10:12]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 13:10]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 18:39:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-14 18:44:06 - machine was rebooted [Van]
ComboFix-quarantined-files.txt 2008-04-15 02:44:03
ComboFix2.txt 2008-04-13 00:28:19
ComboFix3.txt 2008-01-21 22:48:28
ComboFix4.txt 2008-01-18 10:02:01
ComboFix5.txt 2008-01-15 18:16:58

Pre-Run: 73,052,839,936 bytes free
Post-Run: 73,198,096,384 bytes free

========================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:39 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Van\Desktop\misc\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {3543D8CC-CF7D-48BE-837D-158BD0E3BDCC} - C:\WINDOWS\system32\iifcDWol.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198621337000
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: mlJBRKBU - mlJBRKBU.dll (file missing)
O21 - SSODL: DiyNOAlDVLv - {A8D840C9-0272-EA63-78AC-B6E29E022336} - C:\WINDOWS\system32\hizl.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6722 bytes

The Avenger script won't run. It restarts my computer, but there is no black command box and no avenger.txt.

#11 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
What happened? Now you can run ComboFix and not Avenger?

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text from the quote box below into it:

File::
C:\zip.exe
C:\cleanup.exe
C:\cleanup.bat
C:\WINDOWS\system32\pcjml.bmp
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\jqpormlsrqdsr.bmp
C:\WINDOWS\system32\qpsritkreh.bmp
C:\WINDOWS\system32\etsjmlsrahknad.bmp
C:\WINDOWS\system32\vaio3-011.ico
C:\WINDOWS\system32\iphone-011.ico
C:\WINDOWS\system32\iphone-6y.ico
C:\WINDOWS\system32\apknadofql.bmp
C:\WINDOWS\system32\jmhkretcr.bmp
C:\WINDOWS\system32\qtsqagwa.tmp
C:\WINDOWS\system32\pcrelojqp.bmp
C:\bB3b.exe
C:\WINDOWS\system32\iifcDWol.dll
C:\WINDOWS\system32\winpfz33.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3543D8CC-CF7D-48BE-837D-158BD0E3BDCC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DiyNOAlDVLv"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJBRKBU]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt onto ComboFix.exe.
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.
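As an added example (not ComboFix's own code and not anything greyknight17 posted), this Python parses a CFScript of the form above, decodes the hex(7) multi-string, and reconciles the File:: list against the "Other Deletions" section of the log ComboFix produces, so a helper can see which requested files were actually removed. The CFScript and log excerpts inside it are constructed from entries quoted in this thread, and the function names are my own.

```python
import re

# Constructed CFScript excerpt, built from the entries quoted in the thread.
CFSCRIPT = r"""File::
C:\bB3b.exe
C:\WINDOWS\system32\iifcDWol.dll
C:\WINDOWS\system32\tmp.reg
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3543D8CC-CF7D-48BE-837D-158BD0E3BDCC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DiyNOAlDVLv"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

# Constructed log excerpt in ComboFix's "Other Deletions" layout; tmp.reg is left out on purpose.
COMBOFIX_LOG = r"""(((((((((( Other Deletions ))))))))))
.
C:\bB3b.exe
C:\WINDOWS\system32\iifcDWol.dll
C:\WINDOWS\system32\loWDcfii.ini
.
(((((((((( Files Created from 2008-03-15 to 2008-04-15 ))))))))))
"""

def decode_multi_sz(hex_csv):
    """Decode a REGEDIT4 hex(7) payload (REG_MULTI_SZ, NUL-separated) into a list of strings."""
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b)
    return [s for s in raw.decode("latin-1").split("\0") if s]

def parse_cfscript(text):
    """File:: lines are paths; in Registry::, [-key] deletes a key, "n"=- a value, hex(7) sets a multi-sz."""
    files, actions, section, key = [], [], None, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.endswith("::"):
            section = line[:-2].lower()
        elif section == "file":
            files.append(line)
        elif line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1]))
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif (m := re.match(r'"([^"]+)"=(.*)', line)):
            name, value = m.groups()
            if value == "-":
                actions.append(("delete_value", key, name))
            elif value.startswith("hex(7):"):
                actions.append(("set_multi_sz", key, name, decode_multi_sz(value[7:])))
    return {"files": files, "registry": actions}

def deleted_files(log):
    """Return the paths ComboFix lists under its 'Other Deletions' header."""
    out, active = [], False
    for line in (l.strip() for l in log.splitlines()):
        if "Other Deletions" in line:
            active = True
        elif active and line.startswith("((("):
            break
        elif active and line and line != ".":
            out.append(line)
    return out

def reconcile(script, log):
    """Return (confirmed, not_confirmed, extra): requested deletions vs what the log reports."""
    requested = parse_cfscript(script)["files"]
    seen = {p.lower(): p for p in deleted_files(log)}  # NTFS paths are case-insensitive
    return ([p for p in requested if p.lower() in seen],
            [p for p in requested if p.lower() not in seen],
            [p for k, p in seen.items() if k not in {r.lower() for r in requested}])
```

Calling reconcile(CFSCRIPT, COMBOFIX_LOG) on the constructed excerpts reports tmp.reg as not confirmed and loWDcfii.ini as an extra deletion the script never asked for; the decoded Authentication Packages value is the single default string msv1_0.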

#12 k0rr (Member, Topic Starter, 90 posts)
ComboFix 08-04-13.2 - Van 2008-04-15 0:44:42.17 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1580 [GMT -8:00]
Running from: C:\Documents and Settings\Van\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Van\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\bB3b.exe
C:\cleanup.bat
C:\cleanup.exe
C:\WINDOWS\system32\apknadofql.bmp
C:\WINDOWS\system32\etsjmlsrahknad.bmp
C:\WINDOWS\system32\iifcDWol.dll
C:\WINDOWS\system32\iphone-011.ico
C:\WINDOWS\system32\iphone-6y.ico
C:\WINDOWS\system32\jmhkretcr.bmp
C:\WINDOWS\system32\jqpormlsrqdsr.bmp
C:\WINDOWS\system32\pcjml.bmp
C:\WINDOWS\system32\pcrelojqp.bmp
C:\WINDOWS\system32\qpsritkreh.bmp
C:\WINDOWS\system32\qtsqagwa.tmp
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\vaio3-011.ico
C:\WINDOWS\system32\winpfz33.sys
C:\zip.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bB3b.exe
C:\WINDOWS\system32\apknadofql.bmp
C:\WINDOWS\system32\etsjmlsrahknad.bmp
C:\WINDOWS\system32\iifcDWol.dll
C:\WINDOWS\system32\iphone-011.ico
C:\WINDOWS\system32\iphone-6y.ico
C:\WINDOWS\system32\jmhkretcr.bmp
C:\WINDOWS\system32\jqpormlsrqdsr.bmp
C:\WINDOWS\system32\loWDcfii.ini
C:\WINDOWS\system32\loWDcfii.ini2
C:\WINDOWS\system32\pcjml.bmp
C:\WINDOWS\system32\pcrelojqp.bmp
C:\WINDOWS\system32\qpsritkreh.bmp
C:\WINDOWS\system32\qtsqagwa.tmp
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\vaio3-011.ico
C:\WINDOWS\system32\winpfz33.sys

.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 18:33 . 2008-04-14 19:01 <DIR> d-------- C:\k0rr
2008-04-14 03:48 . 2008-04-15 00:47 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-04-12 18:51 . 2008-04-12 18:51 <DIR> d-------- C:\Documents and Settings\Van\WINDOWS
2008-04-09 23:56 . 2008-04-09 23:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 23:56 . 2008-04-09 23:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-29 14:18 . 2008-03-29 14:18 <DIR> d-------- C:\Program Files\Outsim
2008-03-29 14:13 . 2008-03-29 14:13 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-03-27 17:56 . 2008-03-27 17:56 <DIR> d-------- C:\Documents and Settings\Van\Application Data\Publish Providers
2008-03-27 17:56 . 2008-03-27 17:56 <DIR> d-------- C:\Documents and Settings\Van\Application Data\NetMedia Providers
2008-03-27 17:53 . 2008-03-27 17:53 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-03-27 17:53 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-03-27 17:53 . 2002-12-17 16:23 33,340 --a------ C:\WINDOWS\system32\dbmsqlgc.dll
2008-03-27 17:53 . 2002-10-20 14:05 24,576 --a------ C:\WINDOWS\system32\dbmsgnet.dll
2008-03-27 17:52 . 2008-03-27 17:52 <DIR> d-------- C:\Program Files\Sony
2008-03-27 17:52 . 2008-03-27 17:52 <DIR> d-------- C:\Documents and Settings\Van\Application Data\Sony
2008-03-27 17:52 . 2008-03-27 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-03-27 17:51 . 2008-03-27 17:51 <DIR> d-------- C:\Program Files\Sony Setup
2008-03-27 13:21 . 2008-03-27 13:22 <DIR> d-------- C:\Program Files\VirtualDJ
2008-03-27 12:20 . 2008-04-01 11:20 <DIR> d-------- C:\Program Files\VstPlugins
2008-03-27 12:20 . 2008-03-27 12:20 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-03-27 12:18 . 2008-04-01 11:19 <DIR> d-------- C:\Program Files\Image-Line
2008-03-26 12:40 . 2008-03-26 12:40 <DIR> d-------- C:\Program Files\Activision
2008-03-26 10:42 . 2008-03-26 12:50 22,328 --a------ C:\Documents and Settings\Van\Application Data\PnkBstrK.sys
2008-03-26 10:31 . 2008-04-09 02:23 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-25 10:16 . 2008-03-25 10:16 <DIR> d-------- C:\Program Files\WinPcap
2008-03-25 10:16 . 2008-03-25 11:03 <DIR> d-------- C:\Program Files\WC3Banlist
2008-03-21 02:21 . 2005-01-22 11:12 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2008-03-21 01:43 . 2008-03-21 01:54 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-03-21 01:43 . 2008-03-21 02:11 75,965 --a------ C:\WINDOWS\War3Unin.dat
2008-03-21 01:43 . 2008-03-21 01:54 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-03-21 01:41 . 2008-04-13 04:55 <DIR> d-------- C:\Program Files\Warcraft III
2008-03-17 23:09 . 2008-03-31 19:23 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 4
2008-03-17 00:40 . 2008-03-17 00:40 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-16 21:20 . 2008-03-16 21:20 <DIR> d-------- C:\Program Files\Magnus Brading
2008-03-16 21:20 . 2008-03-16 21:20 495,104 --a------ C:\WINDOWS\system32\mp3tsshx.dll
2008-03-16 19:09 . 2008-04-08 17:17 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 09:02 --------- d-----w C:\Program Files\Steam
2008-04-09 10:23 --------- d-----w C:\Program Files\THQ
2008-04-08 21:51 --------- d-----w C:\Program Files\Avant Browser
2008-04-07 09:51 --------- d-----w C:\Documents and Settings\Van\Application Data\.BitTornado
2008-04-05 06:09 --------- d-----w C:\Program Files\World of Warcraft
2008-04-04 01:25 --------- d-----w C:\Documents and Settings\Van\Application Data\Aim
2008-03-30 22:35 --------- d-----w C:\Program Files\Blaze Media Pro
2008-03-29 22:13 --------- d-----w C:\Program Files\Stardock
2008-03-28 17:04 --------- d-----w C:\Program Files\coolpro2
2008-03-26 20:50 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-26 01:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-14 03:52 --------- d-----w C:\Program Files\America's Army
2008-03-11 06:21 --------- d-----w C:\Program Files\AIM
2008-03-07 18:05 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-03-07 18:04 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2008-03-07 09:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-05 06:30 --------- d-----w C:\Program Files\PowerISO
2008-03-02 01:47 --------- d-----w C:\Program Files\Java Web Start
2008-03-02 01:47 --------- d-----w C:\Program Files\Java
2008-02-29 21:36 --------- d-----w C:\Documents and Settings\Van\Application Data\Microsoft Games
2008-02-29 20:02 --------- d-----w C:\Program Files\Microsoft Games
2008-02-27 07:59 --------- d-----w C:\Program Files\3ivx
2008-02-26 01:15 --------- d-----w C:\Program Files\Realtek
2008-02-25 07:01 --------- d-----w C:\Documents and Settings\Van\Application Data\Atari
2008-02-24 09:18 --------- d-----w C:\Program Files\Common Files\PocketSoft
2008-02-24 09:18 --------- d-----w C:\Documents and Settings\Van\Application Data\Leadertech
2008-02-24 09:15 --------- d-----w C:\Program Files\Atari
2008-02-17 03:00 --------- d-----w C:\Documents and Settings\Van\Application Data\InstallShield
2008-02-09 07:54 47,360 ----a-w C:\Documents and Settings\Van\Application Data\pcouffin.sys
2003-09-18 21:50 129,904 ----a-w C:\Documents and Settings\Van\e10002ke.sys
.

------- Sigcheck -------

2004-08-04 04:00 17408 bf36170ea928c6c92f20809393468b6a C:\WINDOWS\system32\svchost.exe

2004-08-04 04:00 506368 2b87a29834b0fb967784ad274636e2d6 C:\WINDOWS\system32\winlogon.exe

2004-08-04 04:00 1034752 d13cc9dfe4917e1d3f056c7a42330cb5 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((( snapshot_2008-04-14_18.43.38.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-15 02:39:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-15 08:49:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-06-07 12:53 61440]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [ ]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 08:51 486856]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 15:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"DeadAIM"="C:\Program Files\AIM\\DeadAIM.ocm" [2004-02-28 12:12 144896]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

C:\Documents and Settings\Van\Start Menu\Programs\Startup\
MemTurbo.lnk - C:\Program Files\MemTurbo30\MemTurbo.exe [2008-01-04 19:37:30 424448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 14:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-12-26 12:13 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=

S3 E100E;E100E;C:\WINDOWS\system32\DRIVERS\e100ent.sys [2004-08-25 10:12]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 13:10]

*Newly Created Service* - PGFILTER
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 00:49:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-15 0:54:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-15 08:54:05
ComboFix2.txt 2008-04-15 02:44:07
ComboFix3.txt 2008-04-13 00:28:19
ComboFix4.txt 2008-01-21 22:48:28
ComboFix5.txt 2008-01-18 10:02:01

Pre-Run: 73,242,775,552 bytes free
Post-Run: 73,232,355,328 bytes free

#13 k0rr (Member, Topic Starter, 90 posts)
Programs are locking up a lot more commonly now (namely Explorer), and I can't seem to end those frozen tasks in Task Manager either; they stay open.

#14 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Run a new HijackThis scan and post the log here.

Does restarting the computer help with the programs lockup issue?

#15 k0rr (Member, Topic Starter, 90 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:08 AM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\Van\Desktop\misc\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198621337000
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6317 bytes


No, restarting doesn't seem to help. The programs that lock up are mainly whatever I'm using and, commonly, Explorer.