Sulimo.dat Infection


10 replies to this topic

#1 homer killer

homer killer

  • Members
  • 6 posts
  • Gender:Male
  • Location:55044

Posted 24 October 2007 - 02:27 PM

I need help with this.

My info is:

Barracuda Web Filter 310
Trend Micro antivirus software for a business network
and Cisco Firewall 5520

We have an engineer that we send to China on a regular basis and this time he came back with an infection on his laptop. When I log onto his computer as Administrator everything comes up and I can get to the Control Panel, but when I log on as the end user the Control Panel is missing. All of our settings for the network allow the end user to access these features, so it's not a network permissions problem. I did find a sulimo.dat file in the system directory and I did delete it. Our Barracuda has a spyware removal tool that I have used and deleted anything that was found.

If you need to know any information just let me know.

Jason


Here is the log file from that computer from HijackThis.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:33 PM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\Program Files\flexlm\i486_nt\obj\ptc_d.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\PccNTMon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\proeWildfire 3.0\i486_nt\nms\nmsd.exe
C:\Program Files\proeWildfire 3.0\i486_nt\obj\xtop.exe
C:\Program Files\proeWildfire 3.0\i486_nt\obj\pro_comm_msg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Internet May Be Monitored
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} (AXScan Control) - https://192.168.1.20/cleanup/tool/BarracudaSpyRemoval.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = imperialplastics.com
O17 - HKLM\Software\..\Telephony: DomainName = imperialplastics.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = imperialplastics.com

There was an O20 entry here but I already got rid of it.

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: VERITAS Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 9152 bytes

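As an added example (not code from the thread, from HijackThis or from any tool named here), a small Python triage script that parses entries in the format of the log above and flags the ones a helper would look at first: the Winlogon Shell line with a second program chained after Explorer.exe, the BHO whose DLL is already gone, Run entries that launch a bare filename or a file placed directly in C:\WINDOWS, and the O6/O7 policy restrictions. The sample lines are excerpted from the log above; the severity labels and heuristics are the example's own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Entries excerpted from the first HijackThis log in this thread, plus two benign
# O4 entries (Dell QuickSet, Trend Micro monitor) from the same log for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll (file missing)
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Assumed Windows directory; HijackThis prints paths as they appear in the registry.
WINDIR = PureWindowsPath(r"C:\WINDOWS")


def first_executable(command):
    """Return the program part of a Run-key command, dropping its arguments.

    Quoted paths ("C:\\Program Files\\...\\x.exe" -flag) keep their spaces;
    unquoted commands are cut at the first whitespace.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(log_text):
    """Flag HijackThis entries that deserve an analyst's attention.

    Returns a list of dicts: severity, item type (F2, O2, ...), reason, raw line.
    Heuristics and severities are this example's assumptions, not HijackThis rules.
    """
    findings = []

    def flag(severity, line, reason):
        findings.append({"severity": severity, "item": line[:2],
                         "reason": reason, "line": line})

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        item = line[:2]
        if item == "F2" and "Shell=" in line:
            # The Winlogon shell should be Explorer.exe alone; anything chained
            # after it runs at every logon, before the user's own Run keys.
            programs = line.split("Shell=", 1)[1].split()
            extras = [p for p in programs if p.lower() != "explorer.exe"]
            if extras:
                flag("high", line,
                     "extra program chained onto Winlogon shell: " + ", ".join(extras))
        elif item == "O2" and "(file missing)" in line:
            flag("medium", line, "BHO still registered but its DLL is gone")
        elif item == "O4":
            m = re.search(r"\]\s*(.*)$", line)
            exe = first_executable(m.group(1)) if m else ""
            if not exe:
                continue
            path = PureWindowsPath(exe)
            if not path.parent.parts:
                # No directory at all: resolved through PATH at logon.
                flag("medium", line, "bare filename resolved via PATH: " + exe)
            elif path.parent == WINDIR:
                # Vendor software lives under Program Files or System32, not the root.
                flag("high", line, "executable placed directly in the Windows root: " + exe)
        elif item == "O6":
            flag("medium", line, "IE options locked down by policy; confirm an admin set this")
        elif item == "O7":
            flag("medium", line, "registry editing disabled by policy; confirm an admin set this")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['item']}: {f['reason']}")
```

The two benign O4 lines produce no finding; the other six lines each produce one, which is the review order a helper would follow before writing a removal script.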


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 27 October 2007 - 06:55 AM

Hi homer killer and Welcome to the Bleeping Computer!

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 homer killer

homer killer
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:55044

Posted 31 October 2007 - 10:17 AM

Here you go.

I still cannot see control panel as the enduser.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16, on 2007-10-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\Program Files\flexlm\i486_nt\obj\ptc_d.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TSC.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://ip-fs1:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} (AXScan Control) - https://192.168.1.20/cleanup/tool/BarracudaSpyRemoval.cab
O16 - DPF: {E78DE03F-DC83-40DB-B590-8FD80BE5F7C8} (Security Server Management Console) - https://ip-fs1:4343/SMB/console/html/root/AtxConsole.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = imperialplastics.com
O17 - HKLM\Software\..\Telephony: DomainName = imperialplastics.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = imperialplastics.com
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: VERITAS Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7743 bytes
ComboFix 07-10-29.1** - Administrator 2007-10-31 10:01:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.178 [GMT -5:00]
Running from: K:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator.IPI\Desktop\internet.lnk
C:\Program Files\s2f.exe
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\WINDOWS\avp.exe
C:\WINDOWS\Casino.ico
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\mgrs.exe
C:\WINDOWS\mraerea.exe
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\xlavra3.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-31 )))))))))))))))))))))))))))))))
.

2007-10-31 09:59 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-30 09:39 <DIR> d-------- C:\New Folder
2007-10-30 09:35 12,800 --a------ C:\WINDOWS\system32\bronto.dll
2007-10-30 09:35 6,144 --a------ C:\WINDOWS\system32\skuns.dat
2007-10-25 09:52 11,776 --a------ C:\Program Files\7555046.exe
2007-10-24 07:49 <DIR> d-------- C:\Program Files\E404 Helper
2007-10-23 13:55 <DIR> d-------- C:\WINDOWS\pss
2007-10-22 13:10 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-22 11:28 <DIR> d-------- C:\Documents and Settings\Administrator.IPI\.housecall6.6
2007-10-22 09:27 <DIR> d-------- C:\Documents and Settings\Administrator.IPI\Application Data\PC Tools
2007-10-17 10:30 <DIR> d-------- C:\Documents and Settings\Administrator.IPI\Application Data\Research In Motion
2007-10-17 10:23 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-16 21:29 <DIR> d-------- C:\Program Files\Adsense Helper Object
2007-10-07 20:06 11,776 --a------ C:\Program Files\9297046.exe
2007-09-05 07:03 <DIR> d-------- C:\Program Files\MSXML 4.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-30 18:32 --------- d-----w C:\Program Files\Trend Micro
2007-10-24 20:23 256 ----a-w C:\Documents and Settings\sboysen\pool.bin
2007-10-08 01:15 --------- d-----w C:\Program Files\palmOne
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 15:18]
"BCMSMMSG"="BCMSMMSG.exe" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-20 09:10]
"nwiz"="nwiz.exe" [2003-11-20 09:10 C:\WINDOWS\system32\nwiz.exe]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-09-23 12:23]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 11:05]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 13:28]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 03:51]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 03:50]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2005-11-02 23:32]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:31]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2003-07-16 11:16]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2003-07-16 11:16]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2003-07-16 11:17]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2003-07-16 11:17]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 11:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-02-23 22:17:46]
DLO Agent.lnk - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe [2005-04-25 16:17:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-823518204-725345543-1127\Scripts\Logon\0\0]
"Script"=\\ipi\netlogon\Logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-823518204-725345543-1127\Scripts\Logon\1\0]
"Script"=trend.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-823518204-725345543-500\Scripts\Logon\0\0]
"Script"=\\ipi\netlogon\Logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-823518204-725345543-500\Scripts\Logon\1\0]
"Script"=trend.bat

R2 CdpPacket;Cisco Discovery Protocol Packet Driver;C:\WINDOWS\system32\DRIVERS\CdpPacket.sys
R2 VRTSChangeJournalReader;VERITAS Backup Exec DLO Agent Change Journal Reader;"C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe"
R3 Cpmt;Cisco Media Termination;C:\WINDOWS\system32\Drivers\Cpmt.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-31 15:11:07 C:\WINDOWS\Tasks\DLOClientu.exe - IPI_Administrator.job"
- C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-31 10:10:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-31 10:11:39 - machine was rebooted
.
--- E O F ---

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 01 November 2007 - 01:07 PM

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-823518204-725345543-1127\Scripts\Logon\0\0]
"Script"=\\ipi\netlogon\Logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-823518204-725345543-1127\Scripts\Logon\1\0]
"Script"=trend.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-823518204-725345543-500\Scripts\Logon\0\0]
"Script"=\\ipi\netlogon\Logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-823518204-725345543-500\Scripts\Logon\1\0]
"Script"=trend.bat


I assume this is something done by you?


Copy the text below to notepad and save it to the desktop with the name CFScript.txt

File::
C:\WINDOWS\system32\bronto.dll
C:\WINDOWS\system32\skuns.dat
C:\Program Files\7555046.exe
C:\Program Files\9297046.exe
Folder::
C:\Program Files\E404 Helper
C:\Documents and Settings\Administrator.IPI\.housecall6.6
C:\Program Files\Adsense Helper Object

Once saved, drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.

Once completed, post the new ComboFix log.


Please run the F-Secure Online Scanner Beta

Note: This Scanner is for Internet Explorer Only
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.


#5 homer killer

homer killer
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:55044

Posted 02 November 2007 - 01:12 PM

Here is the latest log file from ComboFix.

ComboFix 07-10-29.1** - sboysen 2007-11-02 13:02:23.2 - NTFSx86
Running from: K:\Fixes\ComboFix.exe
Command switches used :: K:\Fixes\CFScript.txt
* Created a new restore point

FILE::
C:\Program Files\7555046.exe
C:\Program Files\9297046.exe
C:\WINDOWS\system32\bronto.dll
C:\WINDOWS\system32\skuns.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator.IPI\.housecall6.6
C:\Documents and Settings\Administrator.IPI\.housecall6.6\8ball.txt
C:\Documents and Settings\Administrator.IPI\.housecall6.6\AU_Log\TmuDump.txt
C:\Documents and Settings\Administrator.IPI\.housecall6.6\aucfg.ini
C:\Documents and Settings\Administrator.IPI\.housecall6.6\BPMNT.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\ciussi32.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\client-defaults.profile.xml
C:\Documents and Settings\Administrator.IPI\.housecall6.6\dsvout.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\engine.stat
C:\Documents and Settings\Administrator.IPI\.housecall6.6\fullscan.profile.xml
C:\Documents and Settings\Administrator.IPI\.housecall6.6\getMac.exe
C:\Documents and Settings\Administrator.IPI\.housecall6.6\GetServer.ini
C:\Documents and Settings\Administrator.IPI\.housecall6.6\jlea.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\jsapi.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\jupdate.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\lea.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\local.conf
C:\Documents and Settings\Administrator.IPI\.housecall6.6\log\2007-10-22-14-35-14.infections
C:\Documents and Settings\Administrator.IPI\.housecall6.6\log\2007-10-22-16-20-19.infections
C:\Documents and Settings\Administrator.IPI\.housecall6.6\log\2007-10-30-12-06-15.infections
C:\Documents and Settings\Administrator.IPI\.housecall6.6\log\dsvout.log
C:\Documents and Settings\Administrator.IPI\.housecall6.6\log\engine0.log
C:\Documents and Settings\Administrator.IPI\.housecall6.6\log\engine0.log.lck
C:\Documents and Settings\Administrator.IPI\.housecall6.6\log\error0.log
C:\Documents and Settings\Administrator.IPI\.housecall6.6\log\error0.log.lck
C:\Documents and Settings\Administrator.IPI\.housecall6.6\log\everything0.log
C:\Documents and Settings\Administrator.IPI\.housecall6.6\log\execution0.log
C:\Documents and Settings\Administrator.IPI\.housecall6.6\log\execution0.log.lck
C:\Documents and Settings\Administrator.IPI\.housecall6.6\log\hc_update.log
C:\Documents and Settings\Administrator.IPI\.housecall6.6\mfc80.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\mfc80u.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\mfcm80.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\mfcm80u.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\Microsoft.VC80.CRT.manifest
C:\Documents and Settings\Administrator.IPI\.housecall6.6\Microsoft.VC80.MFC.manifest
C:\Documents and Settings\Administrator.IPI\.housecall6.6\msvcm80.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\msvcp80.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\msvcr80.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\patch.exe
C:\Documents and Settings\Administrator.IPI\.housecall6.6\PATCHW32.DLL
C:\Documents and Settings\Administrator.IPI\.housecall6.6\Pattern\lpt$vpn.787
C:\Documents and Settings\Administrator.IPI\.housecall6.6\Pattern\lpt$vpn.789
C:\Documents and Settings\Administrator.IPI\.housecall6.6\Pattern\lpt$vpn.803
C:\Documents and Settings\Administrator.IPI\.housecall6.6\Pattern\tmaptn.545
C:\Documents and Settings\Administrator.IPI\.housecall6.6\Pattern\tmaptn.547
C:\Documents and Settings\Administrator.IPI\.housecall6.6\Pattern\tmvamain.ptn
C:\Documents and Settings\Administrator.IPI\.housecall6.6\Pattern\tsc.ptn
C:\Documents and Settings\Administrator.IPI\.housecall6.6\server-defaults.profile.xml
C:\Documents and Settings\Administrator.IPI\.housecall6.6\ssapi32.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\ssapiptn.da5
C:\Documents and Settings\Administrator.IPI\.housecall6.6\tmcomm.sys
C:\Documents and Settings\Administrator.IPI\.housecall6.6\TmEngDrv.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\TmUpdate.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\tsc.exe
C:\Documents and Settings\Administrator.IPI\.housecall6.6\Update\AU_Cache\housecall65.trendmicro.com\ini_xml.zip
C:\Documents and Settings\Administrator.IPI\.housecall6.6\Update\AU_Cache\housecall65.trendmicro.com\ini_xml.zip.etag
C:\Documents and Settings\Administrator.IPI\.housecall6.6\Update\AU_Cache\housecall65.trendmicro.com\server.ini
C:\Documents and Settings\Administrator.IPI\.housecall6.6\Update\AU_Cache\housecall65.trendmicro.com\server.ini.etag
C:\Documents and Settings\Administrator.IPI\.housecall6.6\usrbl.dat
C:\Documents and Settings\Administrator.IPI\.housecall6.6\usrwl.dat
C:\Documents and Settings\Administrator.IPI\.housecall6.6\vsapi32.dll
C:\Documents and Settings\Administrator.IPI\.housecall6.6\vscan.dat
C:\Program Files\7555046.exe
C:\Program Files\9297046.exe
C:\Program Files\Adsense Helper Object
C:\Program Files\Adsense Helper Object\aho.v1.dll
C:\Program Files\E404 Helper
C:\WINDOWS\system32\bronto.dll
C:\WINDOWS\system32\skuns.dat

.
((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
.

2007-10-31 12:17 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-31 12:16 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-31 11:50 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-31 11:18 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-10-31 09:59 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-30 09:39 <DIR> d-------- C:\New Folder
2007-10-23 13:55 <DIR> d-------- C:\WINDOWS\pss
2007-10-22 13:10 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-22 09:27 <DIR> d-------- C:\Documents and Settings\Administrator.IPI\Application Data\PC Tools
2007-10-17 10:30 <DIR> d-------- C:\Documents and Settings\Administrator.IPI\Application Data\Research In Motion
2007-10-17 10:23 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 14:57 256 ----a-w C:\Documents and Settings\sboysen\pool.bin
2007-10-31 17:27 --------- d-----w C:\Program Files\Trend Micro
2007-10-08 01:15 --------- d-----w C:\Program Files\palmOne
2007-09-05 12:03 --------- d-----w C:\Program Files\MSXML 4.0
.

((((((((((((((((((((((((((((( snapshot@2007-10-31_10.11.08.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-31 10:55:41 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-10-31 16:50:58 6,758,400 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-10-31 16:50:58 446,464 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-10-31 10:55:41 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-10-31 16:50:55 6,758,400 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-10-31 16:50:55 446,464 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-06-27 14:34:51 124,928 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\advpack.dll
+ 2006-10-17 17:57:50 214,528 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\dxtrans.dll
+ 2007-06-27 14:34:51 132,608 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\extmgr.dll
+ 2006-10-17 17:58:20 61,952 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\icardie.dll
+ 2007-06-27 08:27:04 63,488 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ie4uinit.exe
+ 2007-06-27 14:34:51 153,088 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieakeng.dll
+ 2007-06-27 14:34:51 230,400 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieaksie.dll
+ 2007-06-27 07:00:33 161,792 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieakui.dll
+ 2007-06-27 14:34:51 383,488 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieapfltr.dll
+ 2007-06-27 14:34:51 384,512 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iedkcs32.dll
+ 2007-06-27 14:34:55 6,058,496 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieframe.dll
+ 2007-06-27 14:34:55 44,544 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iernonce.dll
+ 2007-06-27 14:34:55 267,776 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iertutil.dll
+ 2007-06-27 08:27:05 13,824 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieudinit.exe
+ 2007-06-27 08:27:30 625,152 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iexplore.exe
+ 2007-06-27 14:34:56 27,648 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\jsproxy.dll
+ 2007-06-27 14:34:56 459,264 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\msfeeds.dll
+ 2007-06-27 14:34:56 52,224 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\msfeedsbs.dll
+ 2007-07-19 05:00:00 3,583,488 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\mshtml.dll
+ 2007-06-27 14:34:57 477,696 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\mshtmled.dll
+ 2007-06-27 14:34:58 193,024 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\msrating.dll
+ 2007-06-27 14:34:58 671,232 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\mstime.dll
+ 2007-06-27 14:34:58 102,400 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\occache.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\updspapi.dll
+ 2007-06-27 14:34:58 105,984 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\url.dll
+ 2007-06-27 14:34:58 1,152,000 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\urlmon.dll
+ 2007-06-27 14:34:59 232,960 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\webcheck.dll
+ 2007-06-27 14:34:59 823,808 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\wininet.dll
- 2007-10-26 18:28:36 593,920 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2007-10-31 18:16:54 593,920 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-10-26 18:28:36 12,288 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-10-31 18:16:54 12,288 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-10-26 18:28:37 86,016 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-10-31 18:16:54 86,016 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2007-10-26 18:28:36 135,168 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-10-31 18:16:53 135,168 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-10-26 18:28:37 11,264 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-10-31 18:16:55 11,264 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-10-26 18:28:37 27,136 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-10-31 18:16:55 27,136 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-10-26 18:28:37 4,096 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-10-31 18:16:55 4,096 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-10-26 18:28:37 794,624 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-10-31 18:16:55 794,624 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-10-26 18:28:36 249,856 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-10-31 18:16:53 249,856 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-10-26 18:28:36 61,440 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-10-31 18:16:53 61,440 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-10-26 18:28:37 23,040 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-10-31 18:16:56 23,040 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-10-26 18:28:36 286,720 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-10-31 18:16:53 286,720 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-10-26 18:28:36 409,600 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-10-31 18:16:52 409,600 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-06-27 14:34:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
+ 2007-07-31 00:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
- 2007-06-27 14:34:51 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2007-08-20 10:04:34 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
- 2007-04-17 03:45:28 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2007-07-31 00:19:20 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
- 2006-10-17 17:57:50 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-08-20 10:04:34 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-06-27 14:34:51 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-08-20 10:04:34 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-06-27 08:27:04 63,488 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2007-08-17 10:20:54 63,488 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-06-27 14:34:51 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2007-08-20 10:04:34 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-06-27 14:34:51 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2007-08-20 10:04:35 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-06-27 07:00:33 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2007-08-17 07:34:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-06-27 14:34:51 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2007-08-20 10:04:35 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-06-27 14:34:51 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2007-08-20 10:04:35 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-06-27 14:34:55 6,058,496 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2007-08-20 10:04:37 6,058,496 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-06-27 14:34:55 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2007-08-20 10:04:38 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-06-27 14:34:55 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2007-08-20 10:04:38 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-06-27 08:27:05 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2007-08-17 10:20:54 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-06-27 08:27:30 625,152 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2007-08-17 10:21:21 625,152 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-05-16 15:12:02 683,520 -c----w C:\WINDOWS\system32\dllcache\inetcomm.dll
+ 2007-08-21 06:15:44 683,520 -c----w C:\WINDOWS\system32\dllcache\inetcomm.dll
- 2007-06-27 14:34:56 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-08-20 10:04:39 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-06-27 14:34:56 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2007-08-20 10:04:39 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-06-27 14:34:56 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2007-08-20 10:04:39 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-07-19 05:00:00 3,583,488 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-08-20 20:34:42 3,584,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-06-27 14:34:57 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-08-20 10:04:41 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-06-27 14:34:58 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-08-20 10:04:41 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-06-27 14:34:58 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-08-20 10:04:42 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-06-27 14:34:58 102,400 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-08-20 10:04:42 102,400 -c----w C:\WINDOWS\system32\dllcache\occache.dll
- 2007-06-27 14:34:58 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
+ 2007-08-20 10:04:42 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2007-06-27 14:34:58 1,152,000 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-08-20 10:04:42 1,152,000 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-06-27 14:34:59 232,960 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2007-08-20 10:04:42 232,960 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-06-27 14:34:59 823,808 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-08-20 10:04:43 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2007-04-17 03:45:48 549,720 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
+ 2007-07-31 00:19:36 549,720 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
- 2007-04-17 03:45:20 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2007-07-31 00:19:16 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2007-04-17 03:45:54 1,710,936 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2007-07-31 00:19:42 1,712,984 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
- 2007-04-17 03:45:42 325,976 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
+ 2007-07-31 00:19:32 325,976 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
- 2007-04-17 03:47:36 33,624 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2007-07-31 00:18:40 33,624 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
- 2007-04-17 03:45:36 203,096 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2007-07-31 00:19:28 203,096 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
- 2006-10-17 17:57:50 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-08-20 10:04:34 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-06-27 14:34:51 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-08-20 10:04:34 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2006-10-17 17:58:20 61,952 ------w C:\WINDOWS\system32\icardie.dll
+ 2007-08-20 10:04:34 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-06-27 08:27:04 63,488 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2007-08-17 10:20:54 63,488 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-06-27 14:34:51 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2007-08-20 10:04:34 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-06-27 14:34:51 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2007-08-20 10:04:35 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-06-27 07:00:33 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2007-08-17 07:34:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-06-27 14:34:51 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2007-08-20 10:04:35 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-06-27 14:34:51 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-08-20 10:04:35 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-06-27 14:34:55 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2007-08-20 10:04:37 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-06-27 14:34:55 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2007-08-20 10:04:38 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-06-27 14:34:55 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2007-08-20 10:04:38 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-06-27 08:27:05 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2007-08-17 10:20:54 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
- 2007-06-27 14:34:56 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-08-20 10:04:39 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-03-07 17:36:34 12,619,736 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-09-28 03:19:40 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-06-27 14:34:56 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2007-08-20 10:04:39 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-06-27 14:34:56 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-08-20 10:04:39 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-07-19 05:00:00 3,583,488 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-08-20 20:34:42 3,584,512 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-06-27 14:34:57 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-08-20 10:04:41 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-06-27 14:34:58 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-08-20 10:04:41 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-06-27 14:34:58 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-08-20 10:04:42 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2005-05-26 10:16:24 127,208 ----a-w C:\WINDOWS\system32\mucltui.dll
+ 2007-07-31 00:19:10 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
- 2005-05-26 10:19:32 178,408 ----a-w C:\WINDOWS\system32\muweb.dll
+ 2007-07-31 00:19:04 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
- 2007-10-31 14:55:42 100,829 ----a-w C:\WINDOWS\system32\nvModes.dat
+ 2007-11-01 11:57:17 100,739 ----a-w C:\WINDOWS\system32\nvModes.dat
- 2007-06-27 14:34:58 102,400 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-08-20 10:04:42 102,400 ----a-w C:\WINDOWS\system32\occache.dll
- 2004-08-04 07:56:44 581,120 ----a-w C:\WINDOWS\system32\rpcrt4.dll
+ 2007-07-09 13:09:42 584,192 ----a-w C:\WINDOWS\system32\rpcrt4.dll
+ 2007-07-31 00:18:40 33,624 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
+ 2007-07-31 00:19:12 43,352 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.381\wups2.dll
- 2006-01-19 19:29:19 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2005-10-12 23:12:25 14,048 ------w C:\WINDOWS\system32\spmsg.dll
- 2007-01-29 08:58:06 60,416 ------w C:\WINDOWS\system32\tzchange.exe
+ 2007-07-18 12:42:22 60,416 ------w C:\WINDOWS\system32\tzchange.exe
- 2007-06-27 14:34:58 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2007-08-20 10:04:42 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-06-27 14:34:58 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-06-27 14:34:59 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-08-20 10:04:42 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-06-27 14:34:59 823,808 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-08-20 10:04:43 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
- 2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
+ 2007-07-31 00:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
- 2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
+ 2007-07-31 00:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
- 2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
+ 2007-07-31 00:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
- 2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
+ 2007-07-31 00:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
- 2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
+ 2007-07-31 00:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
- 2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
+ 2007-07-31 00:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
- 2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
+ 2007-07-31 00:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
- 2007-03-09 10:02:31 115,200 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-06-13 06:53:14 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 15:18]
"BCMSMMSG"="BCMSMMSG.exe" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-20 09:10]
"nwiz"="nwiz.exe" [2003-11-20 09:10 C:\WINDOWS\system32\nwiz.exe]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-09-23 12:23]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 11:05]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 13:28]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 03:51]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 03:50]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2005-11-02 23:32]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:31]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2003-07-16 11:16]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2003-07-16 11:16]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2003-07-16 11:17]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2003-07-16 11:17]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 11:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 08:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-02-23 22:17:46]
DLO Agent.lnk - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe [2005-04-25 16:17:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)
"NoSimpleStartMenu"=1 (0x1)
"NoSMHelp"=1 (0x1)
"NoStartMenuNetworkPlaces"=1 (0x1)
"Intellimenus"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-823518204-725345543-1127\Scripts\Logon\0\0]
"Script"=\\ipi\netlogon\Logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-823518204-725345543-1127\Scripts\Logon\1\0]
"Script"=trend.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-823518204-725345543-500\Scripts\Logon\0\0]
"Script"=\\ipi\netlogon\Logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-823518204-725345543-500\Scripts\Logon\1\0]
"Script"=trend.bat

R2 CdpPacket;Cisco Discovery Protocol Packet Driver;C:\WINDOWS\system32\DRIVERS\CdpPacket.sys
R3 Cpmt;Cisco Media Termination;C:\WINDOWS\system32\Drivers\Cpmt.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8737a67-e1f7-11db-ad9c-000d56b65b78}]
AutoRun\command - E:\PortableVault.exe

.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 13:07:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-02 13:10:00 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-31 10:11
.
--- E O F ---

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 04 November 2007 - 04:57 AM

How about the F-Secure report?

#7 homer killer

homer killer
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:55044

Posted 05 November 2007 - 10:33 AM

Where do I get that?

#8 homer killer

homer killer
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:55044

Posted 07 November 2007 - 02:55 PM

Here is the F-Secure report that you asked about.


F-Secure Online Scanner 3.2.3 - Scanning Report - Wednesday, November 07, 2007 13:18:00
Scanning Report
Wednesday, November 07, 2007 10:48:21 - 13:17:41
Computer name: STEVE306
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\



Result: 0 malware found



Statistics
Scanned:
Files: 68251
System: 0
Not scanned: 4
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL



Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-11-06
F-Secure AVP: 7.0.171, 2007-11-07
F-Secure Orion: 1.2.37, 2007-11-07
F-Secure Blacklight: 1.0.64
F-Secure Pegasus: 1.19.0, 2007-10-05
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF
VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI
MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0
TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB
BAT CMD LSP MAP MHT MIF PHP POT WMF NWS TAR
Use Advanced heuristics




#9 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 07 November 2007 - 03:39 PM

Please post an uninstall list:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file.
  • When you press the Save button, a Notepad window will open with the contents of that file.
  • Simply copy and paste the contents of that Notepad window into this topic, please.
How does the PC seem to be running now?

#10 homer killer

homer killer
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:55044

Posted 07 November 2007 - 03:54 PM

Here you go



Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.8
BCM V.92 56K Modem
BlackBerry Desktop Software 4.2.2
BlackBerry Desktop Software 4.2.2
Broadcom 440x 10/100 Integrated Controller
Call of Duty
Call of Duty - United Offensive
Call of Duty® 2
Chinese (Simplified) Language Support
Cisco IP Communicator
C-Major Audio
Dell Digital Jukebox Driver
Dell Media Experience
Dell ResourceCD
Dell TrueMobile 1400 Dual Band WLAN Mini-PCI Card
Easy CD Creator 5 Basic
eDrawings 2006
eDrawings 2007
Google Earth
Google Toolbar for Internet Explorer
HASCO Digital Catalogue R2-2006 Build 10_GB
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Java 2 Runtime Environment, SE v1.4.2
Logitech Gaming Software
Macromedia Flash Player 8
MetaFrame Presentation Server Client
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
MSXML 4.0 SP2 (KB936181)
MUSICMATCH® Jukebox
NVIDIA Windows 2000/XP Display Drivers
palmOne
palmOne
Pro/ENGINEER Release Wildfire 3.0 Datecode F000
PTC License Server Release Wildfire 3.0 Datecode F000
PTC ProductView Express - Wildfire 3.0 (F000)
QuickSet
Roxio Media Manager
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Warlords
SigmaTel AC97 Audio Drivers
Trend Micro Client/Server Security Agent
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VERITAS Backup Exec DLO Agent
VPN Client
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinZip
Yahoo! Toolbar

#11 Guest_Cretemonster_*


  • Guests

Posted 08 November 2007 - 05:15 AM

Adobe Reader 7.0.8 <--- Keep this updated; it is at version 8 now.

Now we need to reset System Restore and Clear out all the old infected restore points.
  • Click Start
  • Right-Click "My Computer" and Select Properties.
  • Click on the "System Restore" tab.
  • Place a checkmark in the box for "Turn off System Restore" and Click "Apply."
  • Restart the Computer.
  • Return to System Restore and Uncheck the box for "Turn off System Restore" and Click "Apply."
  • A fresh Restore Point will be created.

Consider using Erunt for a backup to System Restore in case the machine ever does crash.
http://silentrunners.org/sr_eruntuse.html

Be sure to read through the entire page and pay close attention to Emergency Procedures should you ever need it.


PC being User Friendly today?
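The System Restore reset described in the post above, scripted as an added example (not part of the thread or the poster's own instructions) with the WMI SystemRestore class in root\default; it assumes an elevated PowerShell session and that the system drive is C:\.

```powershell
# Added example, not from the original thread: the GUI procedure from the
# post (turn System Restore off, back on, get a fresh restore point) done
# through the WMI SystemRestore class, which exists on Windows XP and later.
# Assumptions: run as Administrator; the system drive is C:\.
# Disabling System Restore discards every existing restore point, which is
# the intent here, since old points can hold copies of the infected files.

$drive = "C:\"
$sr = [wmiclass] "\\.\root\default:SystemRestore"

# Step 1: turn System Restore off for the drive (this purges old restore points).
$rc = $sr.Disable($drive).ReturnValue
if ($rc -ne 0) { throw "Disable failed with return code $rc" }
Write-Host "System Restore disabled on $drive; old restore points removed."

# The post restarts the machine at this point; run Restart-Computer here and
# continue with the steps below after the reboot if you want to match it exactly.

# Step 2: turn System Restore back on for the drive and wait until it is active.
$rc = $sr.Enable($drive, $true).ReturnValue
if ($rc -ne 0) { throw "Enable failed with return code $rc" }

# Step 3: create a fresh, clean restore point.
# RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE.
$rc = $sr.CreateRestorePoint("Clean baseline after malware removal", 0, 100).ReturnValue
if ($rc -ne 0) { throw "CreateRestorePoint failed with return code $rc" }

# Check: list the restore points now present; only the new one should remain.
Get-WmiObject -Namespace root\default -Class SystemRestore |
    Select-Object SequenceNumber, Description, CreationTime
```

Run this only after the cleanup steps earlier in the thread are finished, since the old restore points cannot be recovered once Disable has run.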



