> Infected, Two sets of viruses
SilicontC
post Jan 20 2008, 10:24 PM
Post #1


New Member
*

Group: Members
Posts: 13
Joined: 20-January 08
From: Lubbock, TX
Member No.: 184,820



Okay. Normally I can fix viruses without a problem but these two seem to be giving me a ton of grief. I'll start first with a list of symptoms that I have encountered. First, the computer is a little sluggish the longer I leave it on. Secondly, I receive popups, which is normal for the type of malware I have encountered. Lastly, when my computer starts up, there is a cmd prompt that is only on the monitor for a split second and disappears. I'm pretty sure that is the malware loading up on boot. That's the easy part. Below is the list of viruses I have along with the locations the files are at:

Troj_vundo.aca
C:\Windows\system32\awttutu.dll

Pe_Trats.A-O
C:\Windows\system32\geeba.exe

I used trend micro housecall as the virus scanner. I used ad-aware and spybot search & destroy and removed all the ad-ware and spyware from those programs on numerous occasions. I also ran stinger and it did not produce any results or ways to remove it. As far as using vundofix and virtumondebegone, vundofix never finds the infection and virtumonde is unable to remove the infection from the computer (I was in safe mode at the time like it was recommended). Also, all temp files were deleted. I also read that Java might need to be updated as the monde normally attacks it as a vulnerability. I went to the Java website and it said I was using the correct version. Then again I was using the Java platform updater. Maybe there is a different Java application that needs to be updated?

QUOTE("HJTLogs")
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:11 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\MATLAB\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\geeba.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200180631824
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200180623481
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB\webserver\bin\win32\matlabserver.exe

--
End of file - 3963 bytes


EDIT: Sorry about the original post in the wrong forum.
teacup61
post Jan 20 2008, 10:33 PM
Post #2


Bleepin' Texan!
******

Group: HJT Team Coach
Posts: 8,274
Joined: 5-April 06
From: Planet Texas!
Member No.: 62,846



Hello SilicontC,

Welcome to Bleeping Computer :)

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea


--------------------

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!






Error reading poptart in Drive A: Delete kids y/n?
SilicontC
post Jan 20 2008, 10:56 PM
Post #3





Thanks very much for the help tea. I'm not too bad with computers but I've been frustrated the past 3 days trying to get these nasty ones off haha. Once again thanks for the speedy reply. Here are the logs:

QUOTE("Combofix")
ComboFix 08-01-20.1 - Greg Nichols 2008-01-20 21:41:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.553 [GMT -6:00]
Running from: C:\Program Files\Trend Micro\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\akmbhijv.dll
C:\WINDOWS\system32\amytdxki.dll
C:\WINDOWS\system32\awttutu.dll
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\dovpbecd.dll
C:\WINDOWS\system32\eoexgrhr.dll
C:\WINDOWS\system32\eolxkhuy.ini
C:\WINDOWS\system32\eupargtt.dll
C:\WINDOWS\system32\fogtkrjw.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\geeba.exe
C:\WINDOWS\system32\ikxdtyma.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\numfvkfm.dll
C:\WINDOWS\system32\oajdxubp.ini
C:\WINDOWS\system32\pbuxdjao.dll
C:\WINDOWS\system32\pqfalfll.dll
C:\WINDOWS\system32\sembly~1
C:\WINDOWS\system32\wapisvtr.exe
C:\WINDOWS\system32\yuhkxloe.dll

CODE
<pre>
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe ---> QooBox
C:\Program Files\QuickTime\qttask              .exe ---> QooBox
C:\Program Files\QuickTime\qttask             .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask            .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask           .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask          .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask         .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask        .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask       .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask      .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask     .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask    .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask   .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask  .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask .exe ---> qttask.exe
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
</pre>

.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-20 21:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 12:13 . 2008-01-20 12:13 <DIR> d-------- C:\WINDOWS\Sun
2008-01-20 04:07 . 2008-01-20 04:07 92 --a------ C:\WINDOWS\wininit.ini
2008-01-18 06:35 . 2008-01-18 06:35 1,076,041 --ahs---- C:\WINDOWS\system32\noovgidh.ini
2008-01-16 10:06 . 2008-01-18 06:29 1,062,492 --ahs---- C:\WINDOWS\system32\hkjsspoh.ini
2008-01-15 23:37 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-15 22:45 . 2008-01-20 07:11 <DIR> d-------- C:\Documents and Settings\Greg Nichols\.housecall6.6
2008-01-15 21:56 . 2008-01-15 21:56 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\MathWorks
2008-01-15 21:56 . 2008-01-15 22:27 157 --a------ C:\WINDOWS\matlab.ini
2008-01-15 21:51 . 2004-03-01 21:05 407,104 --a------ C:\WINDOWS\system32\MSHFLXGD.OCX
2008-01-15 21:51 . 2004-02-11 13:37 203,976 --a------ C:\WINDOWS\system32\RICHTX32.OCX
2008-01-15 21:50 . 2007-08-18 01:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-01-15 21:49 . 2008-01-15 21:50 <DIR> d-------- C:\Program Files\AC3Filter
2008-01-15 21:46 . 2002-02-14 09:26 647,872 --a------ C:\WINDOWS\system32\mscomct2.ocx
2008-01-15 21:46 . 2002-02-13 09:20 2,362 --a------ C:\WINDOWS\system32\mscomct2.dep
2008-01-15 21:45 . 2004-09-06 08:05 645,120 --a------ C:\WINDOWS\system32\config.gms
2008-01-15 21:24 . 2008-01-15 21:52 <DIR> d-------- C:\Program Files\MATLAB
2008-01-15 21:19 . 2008-01-15 21:19 <DIR> d-------- C:\Program Files\MagicDisc
2008-01-15 21:19 . 2007-09-05 01:46 92,544 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-01-15 20:58 . 2008-01-15 20:58 1,061,668 --ahs---- C:\WINDOWS\system32\sqyusmff.ini
2008-01-14 20:04 . 2008-01-14 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-14 20:00 . 2008-01-15 16:45 1,061,626 --ahs---- C:\WINDOWS\system32\uifyumac.ini
2008-01-14 13:32 . 2008-01-14 13:32 <DIR> d-------- C:\Program Files\MagicISO
2008-01-14 08:22 . 2008-01-14 08:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-14 08:22 . 2008-01-14 08:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-13 12:09 . 2008-01-13 12:09 <DIR> d-------- C:\Program Files\Xvid
2008-01-13 12:09 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-01-13 12:09 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-01-13 12:09 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-01-13 06:27 . 2008-01-13 06:27 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\DivX
2008-01-13 05:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-13 05:47 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-13 05:47 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-13 05:47 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-13 05:25 . 2008-01-13 05:38 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\Ventrilo
2008-01-13 02:30 . 2008-01-15 14:23 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\Azureus
2008-01-13 02:30 . 2008-01-13 02:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-01-13 00:09 . 2008-01-13 00:09 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-01-13 00:09 . 2008-01-13 00:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-12 23:33 . 2007-10-10 17:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-12 23:33 . 2007-06-30 21:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-12 23:33 . 2007-06-30 21:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-12 23:33 . 2007-10-10 17:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-12 23:33 . 2007-10-10 17:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-12 23:33 . 2007-10-10 17:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-12 23:33 . 2007-10-10 17:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-12 23:33 . 2007-10-10 17:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-12 23:33 . 2007-10-10 04:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-12 23:32 . 2008-01-12 23:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-12 23:32 . 2008-01-12 23:32 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\Lavasoft
2008-01-12 23:32 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-12 23:22 . 2008-01-13 02:25 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-12 23:11 . 2007-07-09 07:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-12 23:01 . 2008-01-12 23:01 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\DAEMON Tools
2008-01-12 21:47 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-12 20:08 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-12 20:07 . 2008-01-12 20:07 <DIR> d-------- C:\Program Files\MSBuild
2008-01-12 20:07 . 2008-01-12 20:07 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-12 20:01 . 2008-01-12 20:06 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-12 20:00 . 2008-01-20 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-12 19:59 . 2008-01-12 19:59 <DIR> dr-h----- C:\MSOCache
2008-01-12 19:41 . 2008-01-13 19:57 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-12 19:35 . 2008-01-12 19:35 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-01-12 19:24 . 2004-08-04 01:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-12 19:23 . 2008-01-12 19:23 <DIR> d-------- C:\WINDOWS\provisioning
2008-01-12 19:23 . 2008-01-12 19:23 <DIR> d-------- C:\WINDOWS\peernet
2008-01-12 19:21 . 2008-01-12 19:21 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-12 19:16 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-12 19:14 . 2008-01-12 19:14 <DIR> d-------- C:\WINDOWS\EHome
2008-01-12 19:10 . 2008-01-12 19:10 <DIR> d-------- C:\Program Files\Azureus
2008-01-12 19:07 . 2008-01-12 19:07 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\Apple Computer
2008-01-12 19:06 . 2008-01-12 19:07 <DIR> d-------- C:\Program Files\iTunes
2008-01-12 19:06 . 2008-01-12 19:06 <DIR> d-------- C:\Program Files\iPod
2008-01-12 19:04 . 2008-01-20 21:49 <DIR> d-------- C:\Program Files\QuickTime
2008-01-12 19:04 . 2008-01-12 19:04 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-12 19:04 . 2008-01-12 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-12 19:04 . 2008-01-12 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-12 19:02 . 2004-08-04 00:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-01-12 19:02 . 2004-08-02 14:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-01-12 19:02 . 2004-08-02 14:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-01-12 19:00 . 2008-01-12 19:00 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\acccore
2008-01-12 19:00 . 2008-01-20 01:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-12 18:59 . 2008-01-12 18:59 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-01-12 18:59 . 2008-01-12 19:00 <DIR> d-------- C:\Program Files\AIM6
2008-01-12 18:59 . 2008-01-12 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-12 18:59 . 2008-01-12 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-01-12 18:59 . 2008-01-12 19:00 505 --ah----- C:\IPH.PH
2008-01-12 18:52 . 2008-01-12 21:19 <DIR> d-------- C:\Media
2008-01-12 18:49 . 2004-08-04 01:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-01-12 18:49 . 2004-08-04 01:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-01-12 18:49 . 2004-08-04 01:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-01-12 18:49 . 2004-08-04 01:56 77,312 --a------ C:\WINDOWS\system32\browser.dll
2008-01-12 18:49 . 2007-03-08 09:36 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2008-01-12 18:45 . 2008-01-12 18:45 22 --a------ C:\WINDOWS\system32\ati64hlp.stb
2008-01-12 18:44 . 2008-01-12 18:44 <DIR> d-------- C:\Program Files\DivX
2008-01-12 18:19 . 2008-01-12 18:19 <DIR> d-------- C:\Program Files\Service Pack 2
2008-01-12 18:15 . 2004-08-04 01:56 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2008-01-12 18:15 . 2008-01-12 18:15 12,980 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-12 18:14 . 2008-01-20 21:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-12 18:13 . 2008-01-12 18:48 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 08:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 00:48 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-13 00:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-12 23:50 --------- d-----w C:\Program Files\Lan
2008-01-12 23:47 --------- d-----w C:\Program Files\Wireless
2008-01-12 23:47 --------- d-----w C:\Program Files\Broadcom
2008-01-12 23:45 --------- d-----w C:\Program Files\HD Audi
2008-01-12 23:44 --------- d-----w C:\Program Files\CONEXANT
2008-01-12 23:42 --------- d-----w C:\Program Files\Audio Drivers
2008-01-12 23:38 --------- d-----w C:\Program Files\Java
2008-01-12 23:37 --------- d-----w C:\Program Files\Ventrilo
2008-01-12 23:37 --------- d-----w C:\Program Files\Common Files\Java
2008-01-12 23:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 23:34 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-01-12 23:30 --------- d-----w C:\Program Files\ATI Technologies
2008-01-12 23:15 --------- d--h--w C:\Program Files\Uninstall Information
2008-01-12 23:12 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-04 21:58 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-04 21:58 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 10:15 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-02-01 21:05 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-15 23:45 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-11-14 16:02 815104 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe



[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 21:49:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 21:53:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-21 03:53:48
.
2008-01-14 03:37:45 --- E O F ---


QUOTE("HijackThis")
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:31 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200180631824
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200180623481
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB\webserver\bin\win32\matlabserver.exe

--
End of file - 4443 bytes
teacup61
post Jan 20 2008, 11:18 PM
Post #4





Hello,

You're welcome. :)

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

QUOTE
RenV::
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe ---> QooBox
C:\Program Files\QuickTime\qttask              .exe ---> QooBox
C:\Program Files\QuickTime\qttask             .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask            .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask           .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask          .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask         .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask        .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask       .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask      .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask     .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask    .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask   .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask  .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask .exe ---> qttask.exe
C:\WINDOWS\system32\ctfmon .exe ---> QooBox


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea


SilicontC
post Jan 20 2008, 11:35 PM
Post #5





Okay. Here are the results good sir:

QUOTE("HijackThis")
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:09 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200180631824
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200180623481
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB\webserver\bin\win32\matlabserver.exe

--
End of file - 4631 bytes


QUOTE("CFScript.txt")
ComboFix 08-01-20.1 - Greg Nichols 2008-01-20 22:22:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.606 [GMT -6:00]
Running from: C:\Program Files\Trend Micro\ComboFix.exe
Command switches used :: C:\Program Files\Trend Micro\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- Unknown downloads made by BITS: ----
http://wwj+|C̛v+@J:NGD_DQ{zt һHG.X5KEAWU Client Download S-1-5-18 `HT4?? 6VwoQZCDHMsC:\WINDOWS\SoftwareDistribution\Download\a0ae8c3968cd611503a987ecb831e782\68f0f463e06124a977d724c8a97d817be0c289d7

.
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-20 22:14 . 2008-01-20 22:14 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-20 22:13 . 2008-01-20 22:13 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-01-20 22:12 . 2006-10-04 08:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-20 22:12 . 2006-10-04 08:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-20 22:12 . 2006-10-04 08:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-20 22:12 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-01-20 22:11 . 2008-01-20 22:11 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-20 22:10 . 2008-01-20 22:17 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-20 22:10 . 2008-01-20 22:11 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-20 22:04 . 2008-01-20 22:04 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-01-20 22:02 . 2006-11-13 00:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-01-20 22:02 . 2006-11-13 00:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-01-20 22:02 . 2006-11-13 00:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-01-20 21:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 12:13 . 2008-01-20 12:13 <DIR> d-------- C:\WINDOWS\Sun
2008-01-20 04:07 . 2008-01-20 04:07 92 --a------ C:\WINDOWS\wininit.ini
2008-01-18 06:35 . 2008-01-18 06:35 1,076,041 --ahs---- C:\WINDOWS\system32\noovgidh.ini
2008-01-16 10:06 . 2008-01-18 06:29 1,062,492 --ahs---- C:\WINDOWS\system32\hkjsspoh.ini
2008-01-15 23:37 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-15 22:45 . 2008-01-20 07:11 <DIR> d-------- C:\Documents and Settings\Greg Nichols\.housecall6.6
2008-01-15 21:56 . 2008-01-15 21:56 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\MathWorks
2008-01-15 21:56 . 2008-01-15 22:27 157 --a------ C:\WINDOWS\matlab.ini
2008-01-15 21:51 . 2004-03-01 21:05 407,104 --a------ C:\WINDOWS\system32\MSHFLXGD.OCX
2008-01-15 21:51 . 2004-02-11 13:37 203,976 --a------ C:\WINDOWS\system32\RICHTX32.OCX
2008-01-15 21:50 . 2007-08-18 01:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-01-15 21:49 . 2008-01-15 21:50 <DIR> d-------- C:\Program Files\AC3Filter
2008-01-15 21:46 . 2002-02-14 09:26 647,872 --a------ C:\WINDOWS\system32\mscomct2.ocx
2008-01-15 21:46 . 2002-02-13 09:20 2,362 --a------ C:\WINDOWS\system32\mscomct2.dep
2008-01-15 21:45 . 2004-09-06 08:05 645,120 --a------ C:\WINDOWS\system32\config.gms
2008-01-15 21:24 . 2008-01-15 21:52 <DIR> d-------- C:\Program Files\MATLAB
2008-01-15 21:19 . 2008-01-15 21:19 <DIR> d-------- C:\Program Files\MagicDisc
2008-01-15 21:19 . 2007-09-05 01:46 92,544 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-01-15 20:58 . 2008-01-15 20:58 1,061,668 --ahs---- C:\WINDOWS\system32\sqyusmff.ini
2008-01-14 20:04 . 2008-01-14 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-14 20:00 . 2008-01-15 16:45 1,061,626 --ahs---- C:\WINDOWS\system32\uifyumac.ini
2008-01-14 13:32 . 2008-01-14 13:32 <DIR> d-------- C:\Program Files\MagicISO
2008-01-14 08:22 . 2008-01-14 08:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-14 08:22 . 2008-01-14 08:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-13 12:09 . 2008-01-13 12:09 <DIR> d-------- C:\Program Files\Xvid
2008-01-13 12:09 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-01-13 12:09 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-01-13 12:09 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-01-13 06:27 . 2008-01-13 06:27 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\DivX
2008-01-13 05:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-13 05:47 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-13 05:47 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-13 05:47 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-13 05:25 . 2008-01-13 05:38 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\Ventrilo
2008-01-13 02:30 . 2008-01-15 14:23 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\Azureus
2008-01-13 02:30 . 2008-01-13 02:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-01-13 00:09 . 2008-01-13 00:09 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-01-13 00:09 . 2008-01-13 00:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-12 23:33 . 2007-10-10 17:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-12 23:33 . 2007-06-30 21:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-12 23:33 . 2007-06-30 21:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-12 23:33 . 2007-10-10 17:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-12 23:33 . 2007-10-10 17:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-12 23:33 . 2007-10-10 17:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-12 23:33 . 2007-10-10 17:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-12 23:33 . 2007-10-10 17:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-12 23:33 . 2007-10-10 04:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-12 23:32 . 2008-01-12 23:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-12 23:32 . 2008-01-12 23:32 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\Lavasoft
2008-01-12 23:32 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-12 23:22 . 2008-01-13 02:25 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-12 23:11 . 2007-07-09 07:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-12 23:01 . 2008-01-12 23:01 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\DAEMON Tools
2008-01-12 21:47 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-12 20:08 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-12 20:07 . 2008-01-20 22:16 <DIR> d-------- C:\Program Files\MSBuild
2008-01-12 20:07 . 2008-01-12 20:07 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-12 20:01 . 2008-01-12 20:06 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-12 20:00 . 2008-01-20 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-12 19:59 . 2008-01-12 19:59 <DIR> dr-h----- C:\MSOCache
2008-01-12 19:41 . 2008-01-20 22:10 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-12 19:35 . 2008-01-20 22:06 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-01-12 19:24 . 2004-08-04 01:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-12 19:23 . 2008-01-12 19:23 <DIR> d-------- C:\WINDOWS\provisioning
2008-01-12 19:23 . 2008-01-12 19:23 <DIR> d-------- C:\WINDOWS\peernet
2008-01-12 19:21 . 2008-01-12 19:21 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-12 19:16 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-12 19:14 . 2008-01-12 19:14 <DIR> d-------- C:\WINDOWS\EHome
2008-01-12 19:10 . 2008-01-12 19:10 <DIR> d-------- C:\Program Files\Azureus
2008-01-12 19:07 . 2008-01-12 19:07 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\Apple Computer
2008-01-12 19:06 . 2008-01-12 19:07 <DIR> d-------- C:\Program Files\iTunes
2008-01-12 19:06 . 2008-01-12 19:06 <DIR> d-------- C:\Program Files\iPod
2008-01-12 19:04 . 2008-01-20 21:49 <DIR> d-------- C:\Program Files\QuickTime
2008-01-12 19:04 . 2008-01-12 19:04 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-12 19:04 . 2008-01-12 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-12 19:04 . 2008-01-12 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-12 19:02 . 2004-08-04 00:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-01-12 19:02 . 2004-08-02 14:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-01-12 19:02 . 2004-08-02 14:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-01-12 19:00 . 2008-01-12 19:00 <DIR> d-------- C:\Documents and Settings\Greg Nichols\Application Data\acccore
2008-01-12 19:00 . 2008-01-20 01:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-12 18:59 . 2008-01-12 18:59 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-01-12 18:59 . 2008-01-12 19:00 <DIR> d-------- C:\Program Files\AIM6
2008-01-12 18:59 . 2008-01-12 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-12 18:59 . 2008-01-12 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-01-12 18:59 . 2008-01-12 19:00 505 --ah----- C:\IPH.PH

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 04:09 --------- d-----w C:\Program Files\CONEXANT
2008-01-13 08:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 00:48 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-13 00:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-12 23:50 --------- d-----w C:\Program Files\Lan
2008-01-12 23:47 --------- d-----w C:\Program Files\Wireless
2008-01-12 23:47 --------- d-----w C:\Program Files\Broadcom
2008-01-12 23:45 --------- d-----w C:\Program Files\HD Audi
2008-01-12 23:42 --------- d-----w C:\Program Files\Audio Drivers
2008-01-12 23:38 --------- d-----w C:\Program Files\Java
2008-01-12 23:37 --------- d-----w C:\Program Files\Ventrilo
2008-01-12 23:37 --------- d-----w C:\Program Files\Common Files\Java
2008-01-12 23:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 23:34 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-01-12 23:30 --------- d-----w C:\Program Files\ATI Technologies
2008-01-12 23:15 --------- d--h--w C:\Program Files\Uninstall Information
2008-01-12 23:12 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-04 21:58 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-04 21:58 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-20_21.53.39.75 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-04 14:05:26 39,424 ------w C:\WINDOWS\AppPatch\acadproc.dll
+ 2008-01-21 04:04:20 7,680 ----a-w C:\WINDOWS\assembly\GAC\Accessibility\1.0.5000.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2008-01-21 04:04:14 12,288 ----a-w C:\WINDOWS\assembly\GAC\cscompmgd\7.0.5000.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2008-01-21 04:04:20 33,792 ----a-w C:\WINDOWS\assembly\GAC\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2008-01-21 04:04:26 7,168 ----a-w C:\WINDOWS\assembly\GAC\IEExecRemote\1.0.5000.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-01-21 04:04:20 32,768 ----a-w C:\WINDOWS\assembly\GAC\IEHost\1.0.5000.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-01-21 04:04:21 4,608 ----a-w C:\WINDOWS\assembly\GAC\IIEHost\1.0.5000.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2008-01-21 04:04:21 26,112 ----a-w C:\WINDOWS\assembly\GAC\ISymWrapper\1.0.5000.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2008-01-21 04:04:14 716,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.JScript\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-01-21 04:04:13 28,672 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2008-01-21 04:04:14 299,008 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-01-21 04:04:14 6,144 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualC\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualC.dll
+ 2008-01-21 04:04:13 11,264 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vsa.Vb.CodeDOMProcessor\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-01-21 04:04:13 32,768 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2008-01-21 04:04:13 6,656 ----a-w C:\WINDOWS\assembly\GAC\Microsoft_VsaVb\7.0.5000.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2008-01-21 04:04:21 1,564,672 ----a-w C:\WINDOWS\assembly\GAC\mscorcfg\1.0.5000.0__b03f5f7f11d50a3a\mscorcfg.dll
+ 2008-01-21 04:04:26 32,768 ----a-w C:\WINDOWS\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a3a\RegCode.dll
+ 2008-01-21 04:04:21 77,824 ----a-w C:\WINDOWS\assembly\GAC\System.Configuration.Install\1.0.5000.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2008-01-21 04:04:28 299,008 ----a-w C:\WINDOWS\assembly\GAC\System.Data.OracleClient\1.0.5000.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-01-21 04:04:22 1,290,240 ----a-w C:\WINDOWS\assembly\GAC\System.Data\1.0.5000.0__b77a5c561934e089\System.Data.dll
+ 2008-01-21 04:04:22 1,699,840 ----a-w C:\WINDOWS\assembly\GAC\System.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-01-21 04:04:22 86,016 ----a-w C:\WINDOWS\assembly\GAC\System.DirectoryServices\1.0.5000.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-01-21 04:04:22 65,536 ----a-w C:\WINDOWS\assembly\GAC\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2008-01-21 04:04:23 466,944 ----a-w C:\WINDOWS\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-01-21 04:04:22 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-01-21 04:04:22 64,000 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.Thunk.dll
+ 2008-01-21 04:04:24 368,640 ----a-w C:\WINDOWS\assembly\GAC\System.Management\1.0.5000.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-01-21 04:04:24 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.Messaging\1.0.5000.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-01-21 04:04:24 323,584 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Remoting\1.0.5000.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-01-21 04:04:24 131,072 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Serialization.Formatters.Soap\1.0.5000.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-01-21 04:04:24 77,824 ----a-w C:\WINDOWS\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-01-21 04:04:24 126,976 ----a-w C:\WINDOWS\assembly\GAC\System.ServiceProcess\1.0.5000.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-01-21 04:04:28 819,200 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Mobile\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2008-01-21 04:04:25 57,344 ----a-w C:\WINDOWS\assembly\GAC\System.Web.RegularExpressions\1.0.5000.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-01-21 04:04:25 569,344 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Services\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-01-21 04:04:25 1,245,184 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-01-21 04:04:25 2,039,808 ----a-w C:\WINDOWS\assembly\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-01-21 04:04:26 1,335,296 ----a-w C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.Xml.dll
+ 2008-01-21 04:04:22 1,216,512 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2008-01-21 04:07:55 68,608 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2008-01-21 04:08:05 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2008-01-21 04:13:25 151,552 ----a-w C:\WINDOWS\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll
+ 2008-01-21 04:08:06 4,308,992 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-01-21 04:13:54 3,915,776 ----a-w C:\WINDOWS\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
+ 2008-01-21 04:08:08 482,304 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-01-21 04:08:02 2,878,976 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2008-01-21 04:07:49 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-01-21 04:07:49 114,176 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2008-01-21 04:13:58 344,064 ----a-w C:\WINDOWS\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\System.Printing.dll
+ 2008-01-21 04:08:13 260,096 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2008-01-21 04:07:59 5,025,792 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-01-21 04:07:55 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2008-01-21 04:07:49 503,808 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2008-01-21 04:07:50 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2008-01-21 04:08:04 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-01-21 04:08:05 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-01-21 04:08:05 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2008-01-21 04:07:52 413,696 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2008-01-21 04:07:52 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2008-01-21 04:07:53 647,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2008-01-21 04:07:53 73,728 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2008-01-21 04:07:51 745,472 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-01-21 04:13:23 352,256 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.dll
+ 2008-01-21 04:08:16 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2008-01-21 04:08:16 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2008-01-21 04:07:47 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2008-01-21 04:08:14 667,648 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-01-21 04:08:17 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2008-01-21 04:07:48 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-01-21 04:07:48 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2008-01-21 04:07:48 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2008-01-21 04:13:54 593,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\PresentationBuildTasks\3.0.0.0__31bf3856ad364e35\PresentationBuildTasks.dll
+ 2008-01-21 04:13:54 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\PresentationCFFRasterizer\3.0.0.0__31bf3856ad364e35\PresentationCFFRasterizer.dll
+ 2008-01-21 04:13:58 184,320 ----a-w C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework.Aero\3.0.0.0__31bf3856ad364e35\PresentationFramework.Aero.dll
+ 2008-01-21 04:13:58 126,976 ----a-w C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework.Classic\3.0.0.0__31bf3856ad364e35\PresentationFramework.Classic.dll
+ 2008-01-21 04:13:58 376,832 ----a-w C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework.Luna\3.0.0.0__31bf3856ad364e35\PresentationFramework.Luna.dll
+ 2008-01-21 04:13:58 151,552 ----a-w C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework.Royale\3.0.0.0__31bf3856ad364e35\PresentationFramework.Royale.dll
+ 2008-01-21 04:13:56 4,972,544 ----a-w C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
+ 2008-01-21 04:13:57 897,024 ----a-w C:\WINDOWS\assembly\GAC_MSIL\PresentationUI\3.0.0.0__31bf3856ad364e35\PresentationUI.dll
+ 2008-01-21 04:13:58 528,384 ----a-w C:\WINDOWS\assembly\GAC_MSIL\ReachFramework\3.0.0.0__31bf3856ad364e35\ReachFramework.dll
+ 2008-01-21 04:13:25 94,208 ----a-w C:\WINDOWS\assembly\GAC_MSIL\SMDiagnostics\3.0.0.0__b77a5c561934e089\SMdiagnostics.dll
+ 2008-01-21 04:08:11 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2008-01-21 04:07:56 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2008-01-21 04:08:11 389,120 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2008-01-21 04:08:08 716,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2008-01-21 04:07:50 884,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2008-01-21 04:08:04 5,050,368 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-01-21 04:07:57 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2008-01-21 04:07:56 397,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-01-21 04:07:57 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2008-01-21 04:08:13 700,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-01-21 04:13:26 126,976 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.IdentityModel.Selectors\3.0.0.0__b77a5c561934e089\System.IdentityModel.Selectors.dll
+ 2008-01-21 04:13:26 401,408 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.IdentityModel\3.0.0.0__b77a5c561934e089\System.IdentityModel.dll
+ 2008-01-21 04:13:27 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.IO.Log\3.0.0.0__b03f5f7f11d50a3a\System.IO.Log.dll
+ 2008-01-21 04:08:09 368,640 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-01-21 04:08:13 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-01-21 04:08:10 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-01-21 04:08:10 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-01-21 04:13:27 884,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization\3.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll
+ 2008-01-21 04:07:55 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-01-21 04:13:30 159,744 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceModel.Install\3.0.0.0__b77a5c561934e089\System.ServiceModel.Install.dll
+ 2008-01-21 04:13:30 16,384 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceModel.WasHosting\3.0.0.0__b77a5c561934e089\System.ServiceModel.WasHosting.dll
+ 2008-01-21 04:13:27 5,623,808 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\System.ServiceModel.dll
+ 2008-01-21 04:07:57 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-01-21 04:13:58 688,128 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Speech\3.0.0.0__31bf3856ad364e35\System.Speech.dll
+ 2008-01-21 04:08:14 835,584 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2008-01-21 04:07:59 86,016 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-01-21 04:07:59 823,296 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-01-21 04:08:00 5,316,608 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-01-21 04:16:47 1,108,784 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Workflow.Activities\3.0.0.0__31bf3856ad364e35\System.Workflow.Activities.dll
+ 2008-01-21 04:16:47 1,641,272 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Workflow.ComponentModel\3.0.0.0__31bf3856ad364e35\System.Workflow.ComponentModel.dll
+ 2008-01-21 04:16:47 588,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Workflow.Runtime\3.0.0.0__31bf3856ad364e35\System.Workflow.Runtime.dll
+ 2008-01-21 04:08:01 2,035,712 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2008-01-21 04:08:11 3,018,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-01-21 04:13:58 163,840 ----a-w C:\WINDOWS\assembly\GAC_MSIL\UIAutomationClient\3.0.0.0__31bf3856ad364e35\UIAutomationClient.dll
+ 2008-01-21 04:13:58 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\UIAutomationClientsideProviders\3.0.0.0__31bf3856ad364e35\UIAutomationClientsideProviders.dll
+ 2008-01-21 04:13:58 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\UIAutomationProvider\3.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll
+ 2008-01-21 04:13:58 86,016 ----a-w C:\WINDOWS\assembly\GAC_MSIL\UIAutomationTypes\3.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll
+ 2008-01-21 04:13:54 1,167,360 ----a-w C:\WINDOWS\assembly\GAC_MSIL\WindowsBase\3.0.0.0__31bf3856ad364e35\WindowsBase.dll
+ 2008-01-21 04:13:58 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\WindowsFormsIntegration\3.0.0.0__31bf3856ad364e35\WindowsFormsIntegration.dll
+ 2008-01-21 04:11:19 26,624 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\41309f79d61ada4ca619645776b2be8f\Accessibility.ni.dll
+ 2008-01-21 04:11:21 860,160 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\95489f7b48adf441b5586d61ead4ea6d\AspNetMMCExt.ni.dll
+ 2008-01-21 04:11:23 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\a205043022a4d54f98483c29b76a1de3\CustomMarshalers.ni.dll
+ 2008-01-21 04:11:21 15,360 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\5b3298846f05a0458f95e70ee51284f6\dfsvc.ni.exe
+ 2008-01-21 04:11:25 880,640 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\cca95fc3b5bb114395c67071a7474cfa\Microsoft.Build.Engine.ni.dll
+ 2008-01-21 04:11:25 81,920 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\cc9c6d3460b6d84e9b5419ba444fbd8c\Microsoft.Build.Framework.ni.dll
+ 2008-01-21 04:11:38 1,691,648 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\fed5a63ee9762e4ca43d60bb0e828f96\Microsoft.Build.Tasks.ni.dll
+ 2008-01-21 04:11:38 163,840 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\82c7b64b7cae1841988b671a9f73da4a\Microsoft.Build.Utilities.ni.dll
+ 2008-01-21 04:11:41 1,724,416 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\c2e954c686d74b40a26c135cb56bf242\Microsoft.VisualBasic.ni.dll
+ 2008-01-21 04:14:24 17,920 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\3e660940da76f146ae5f65a93ace32a4\Microsoft.VisualC.ni.dll
+ 2008-01-21 04:08:41 11,411,456 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\72f6d4bdb9585c42bfdbb654bda32e6d\mscorlib.ni.dll
+ 2008-01-21 04:15:09 40,448 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\c858747f8742bd4c91b831ee76694b89\PresentationCFFRasterizer.ni.dll
+ 2008-01-21 04:15:08 12,038,144 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCore\05d5704c46773448b71e747c83f02e3d\PresentationCore.ni.dll
+ 2008-01-21 04:16:38 49,152 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\a7880ad0d882dc4db9784f6f073a6caf\PresentationFontCache.ni.exe
+ 2008-01-21 04:16:37 393,216 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\55c37c3daa1d9245ab613cd040b01e29\PresentationFramework.Aero.ni.dll
+ 2008-01-21 04:16:36 266,240 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8a4af49fa4e9cf40b7ad568455d591fc\PresentationFramework.Royale.ni.dll
+ 2008-01-21 04:16:35 548,864 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8e0cb11b8f7abb4a8fc39a1687ffcb71\PresentationFramework.Luna.ni.dll
+ 2008-01-21 04:16:34 204,800 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\bdf2efc52af412498f07aa17993da490\PresentationFramework.Classic.ni.dll
+ 2008-01-21 04:16:16 14,643,200 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\d35c7afc0bec72438680c1c21a4acba0\PresentationFramework.ni.dll
+ 2008-01-21 04:16:22 1,757,184 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationUI\cfed34a7eee04f4285878d1f8e4bee37\PresentationUI.ni.dll
+ 2008-01-21 04:16:29 2,338,816 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ReachFramework\5cc2bc01da959b48abbe4e1bba8feb4a\ReachFramework.ni.dll
+ 2008-01-21 04:14:28 167,936 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\31f2a9b9626ab2418134e89d6d761968\System.Configuration.Install.ni.dll
+ 2008-01-21 04:11:44 962,560 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\0c54a2e32073e24db4296ea7b1c0a702\System.Configuration.ni.dll
+ 2008-01-21 04:14:27 1,179,648 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\b3e2c2623854054fa1cfd81b38799888\System.Data.OracleClient.ni.dll
+ 2008-01-21 04:14:24 2,703,360 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\1b0be2910bce434ca818e56ddd47ec8a\System.Data.SqlXml.ni.dll
+ 2008-01-21 04:09:33 6,688,768 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\ae53aae51611e843b2100c4b5faf5bba\System.Data.ni.dll
+ 2008-01-21 04:11:47 1,712,128 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\38e876dfcd6eb3488442727606605c8d\System.Deployment.ni.dll
+ 2008-01-21 04:09:48 10,723,328 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Design\1cfe9ae26187c743b7c72e3f1adee166\System.Design.ni.dll
+ 2008-01-21 04:11:49 1,220,608 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\8bdb9b654eb0294ebf0e89961073965d\System.DirectoryServices.ni.dll
+ 2008-01-21 04:11:51 512,000 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\be9ccfe5d6aa0440877466f3a1e97412\System.DirectoryServices.Protocols.ni.dll
+ 2008-01-21 04:09:01 229,376 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\d48e3e482c88594da70f70c9f95262eb\System.Drawing.Design.ni.dll
+ 2008-01-21 04:09:04 1,626,112 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\3eb1e844fdb0aa439b5dfb4f8f128ab9\System.Drawing.ni.dll
+ 2008-01-21 04:11:53 659,456 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\d062da5c1609c24789b9d9e29c55d2f3\System.EnterpriseServices.ni.dll
+ 2008-01-21 04:11:53 294,912 ---