Something Wicked


This topic is locked
16 replies to this topic

#1 ecpirates


Posted 09 March 2008 - 10:44 PM

I have something here, but don't know what it is.

AVG anti-virus and AVG anti-spyware are installed, as well as SpyBot. Below is my HijackThis log and the log from ComboFix.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:33 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\paprport\pptd40nt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\~PCShoppe\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Pagis Schedule Monitor.lnk = C:\Program Files\ScanSoft\Pagis\Monitor.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198765011043
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6414 bytes


ComboFix 08-03-07.1 - Owner 2008-03-07 14:46:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1455 [GMT -5:00]
Running from: C:\~PCShoppe\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper
C:\WINDOWS\BM075c1cf7.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\Rxd05.sys
C:\WINDOWS\system32\hrelqpdf.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\onlkjajr.ini
C:\WINDOWS\system32\pxkoaajc.ini
C:\WINDOWS\system32\rimxtpjk.ini
C:\WINDOWS\system32\rtvwa.bak1
C:\WINDOWS\system32\rtvwa.bak2
C:\WINDOWS\system32\rtvwa.ini
C:\WINDOWS\system32\rtvwa.ini2
C:\WINDOWS\system32\rtvwa.tmp
C:\WINDOWS\system32\umaodcpx.ini
C:\WINDOWS\system32\xcpfhtua.ini
C:\WINDOWS\system32\xpdx.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NTMLSVC
-------\LEGACY_RUNTIME
-------\LEGACY_RXD05
-------\NtmlSvc
-------\Rxd05
-------\xpdx


((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-07 14:32 . 2008-03-07 14:32 0 --a------ C:\WINDOWS\system32\0_exception.nls
2008-03-07 10:37 . 2008-03-07 10:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-07 10:17 . 2008-03-07 10:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-07 07:57 . 2008-03-07 07:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-03-07 07:57 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-07 07:53 . 2008-03-07 07:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-07 07:43 . 2008-03-07 07:43 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-03-07 07:43 . 2008-03-07 07:43 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-03-07 07:42 . 2008-03-07 07:42 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-03-07 07:21 . 2008-03-07 07:21 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-07 07:21 . 2008-03-07 07:21 <DIR> d-------- C:\Program Files\DIFX
2008-03-07 07:21 . 2006-07-01 22:39 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2008-03-07 07:19 . 2006-08-01 02:02 49,152 -r------- C:\WINDOWS\system32\ChCfg.exe
2008-03-07 07:18 . 2008-03-07 07:19 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-03-07 07:16 . 2007-02-26 02:03 16,125,440 -r------- C:\WINDOWS\RTHDCPL.exe
2008-03-07 07:16 . 2006-05-04 03:35 9,709,568 -r------- C:\WINDOWS\RTLCPL.exe
2008-03-07 07:16 . 2007-03-01 04:27 4,484,608 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-03-07 07:16 . 2006-05-16 05:04 2,879,488 -r------- C:\WINDOWS\SkyTel.exe
2008-03-07 07:16 . 2006-10-11 04:42 2,157,568 -r------- C:\WINDOWS\MicCal.exe
2008-03-07 07:16 . 2007-01-15 21:39 1,191,936 -r------- C:\WINDOWS\RtlUpd.exe
2008-03-07 07:16 . 2006-08-17 17:58 282,624 -r------- C:\WINDOWS\system32\RTSndMgr.cpl
2008-03-07 07:16 . 2006-07-21 03:14 86,016 -r------- C:\WINDOWS\SoundMan.exe
2008-03-07 07:15 . 2008-03-07 07:15 <DIR> d-------- C:\Program Files\Realtek
2008-03-07 07:15 . 2006-05-04 03:26 2,808,832 -r------- C:\WINDOWS\alcwzrd.exe
2008-03-07 07:15 . 2007-01-12 03:54 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-03-07 07:15 . 2005-09-20 21:25 299,008 -r------- C:\WINDOWS\system32\ALSndMgr.cpl
2008-03-07 07:15 . 2005-05-03 05:43 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2008-03-07 07:13 . 2008-03-07 07:13 14,696 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-03-07 07:08 . 2008-03-07 07:08 56,576 --a------ C:\WINDOWS\system32\drivers\nkv2.sys
2008-03-07 00:17 . 2006-09-27 02:03 1,163,008 -ra------ C:\WINDOWS\system32\drivers\nvnrm.sys
2008-03-07 00:17 . 2006-09-11 04:06 356,352 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-03-07 00:17 . 2006-09-27 02:03 261,632 -ra------ C:\WINDOWS\system32\drivers\nvsnpu.sys
2008-03-07 00:17 . 2006-09-27 02:02 201,728 -ra------ C:\WINDOWS\system32\fdco1.dll
2008-03-07 00:17 . 2006-09-27 02:04 110,592 -ra------ C:\WINDOWS\system32\drivers\nvtcp.sys
2008-03-07 00:17 . 2006-09-27 02:04 57,856 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys
2008-03-07 00:17 . 2006-09-11 04:06 35,840 -ra------ C:\WINDOWS\system32\nvconrm.dll
2008-03-07 00:17 . 2006-09-27 02:04 19,968 -ra------ C:\WINDOWS\system32\drivers\nvnetbus.sys
2008-03-07 00:17 . 2006-09-27 02:02 11,264 -ra------ C:\WINDOWS\system32\bdco1.dll
2008-03-07 00:17 . 2006-09-11 03:14 3,903 --a------ C:\WINDOWS\system32\nvnrm.nvu
2008-03-06 23:50 . 2008-03-06 23:50 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-03-06 23:36 . 2004-08-04 07:00 48,256 --a--c--- C:\WINDOWS\system32\dllcache\w32.dll
2008-03-06 23:36 . 2004-08-04 07:00 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll
2008-03-06 23:36 . 2004-08-04 07:00 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys
2008-03-06 23:34 . 2004-08-04 07:00 331,264 --a--c--- C:\WINDOWS\system32\dllcache\aqueue.dll
2008-03-06 23:33 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-03-06 23:31 . 2008-03-06 23:31 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-03-06 23:31 . 2008-03-06 23:31 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-03-06 23:31 . 2008-03-06 23:31 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-03-06 23:31 . 2008-03-06 23:31 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-03-06 23:31 . 2008-03-06 23:31 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-03-06 23:18 . 2004-08-04 07:00 2,012,670 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
2008-03-06 15:38 . 2001-08-08 01:28 577,536 --a------ C:\WINDOWS\system32\igfxres.dll
2008-03-06 14:28 . 2004-08-04 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-03-06 14:27 . 2004-08-04 07:00 1,086,058 -ra------ C:\WINDOWS\SET6E.tmp
2008-03-06 14:27 . 2004-08-04 07:00 13,753 -ra------ C:\WINDOWS\SET7A.tmp
2008-03-06 14:27 . 2004-08-04 07:00 7,334 --a--c--- C:\WINDOWS\system32\dllcache\wmerrenu.cat
2008-03-06 14:26 . 2004-08-04 07:00 1,042,903 -ra------ C:\WINDOWS\SET6B.tmp
2008-03-05 10:50 . 2008-03-05 10:50 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-05 10:44 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002245_.tmp
2008-03-05 10:43 . 2004-11-18 10:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-05 10:40 . 2008-03-05 10:40 <DIR> d-------- C:\WINDOWS\EHome
2008-03-05 10:11 . 2008-03-07 14:31 11,776 --a------ C:\WINDOWS\system32\WLCtrl32.dll
2008-03-05 10:08 . 2006-10-17 19:31 363,008 -ra------ C:\WINDOWS\system32\idecoiins.dll
2008-03-05 10:08 . 2006-10-17 19:31 105,472 -ra------ C:\WINDOWS\system32\drivers\nvata.sys
2008-03-05 10:07 . 2008-03-05 10:11 <DIR> d-------- C:\WINDOWS\NV20042008.TMP
2008-03-05 10:07 . 2006-09-27 02:02 201,728 -ra------ C:\WINDOWS\system32\fdco1ins.dll
2008-03-05 10:07 . 2006-09-27 02:02 11,264 -ra------ C:\WINDOWS\system32\bdco1ins.dll
2008-03-05 08:45 . 2008-03-05 08:45 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-03-05 06:40 . 2008-03-05 08:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-05 06:40 . 2008-03-05 06:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-05 06:39 . 2008-03-07 12:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-05 06:39 . 2008-03-07 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-04 20:47 . 2008-03-04 20:48 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-04 20:47 . 2008-03-04 20:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-04 20:47 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-03-04 20:47 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-04 12:28 . 2008-03-04 12:28 <DIR> d-------- C:\WINDOWS\ASUSInstAll
2008-03-04 12:28 . 2006-10-17 19:31 363,008 --a------ C:\WINDOWS\system32\idecoi.dll
2008-03-04 12:28 . 2006-10-04 19:35 356,352 --a------ C:\WINDOWS\system32\nvuide.exe
2008-03-04 12:28 . 2006-10-04 19:35 35,840 --a------ C:\WINDOWS\system32\NVCOI.DLL
2008-03-04 12:28 . 2006-09-10 18:14 1,570 --a------ C:\WINDOWS\system32\nvide.nvu
2008-03-04 12:28 . 2006-08-13 23:09 1,428 -ra------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-03-04 12:27 . 2008-03-07 14:53 81,496 --a------ C:\WINDOWS\system32\nvapps.xml
2008-03-04 12:25 . 2006-12-18 16:33 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-03-04 12:25 . 2006-10-30 17:35 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-03-04 12:24 . 2008-03-04 12:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-03-04 12:24 . 2006-12-18 16:33 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-03-04 12:24 . 2008-03-07 07:13 14,734 --a------ C:\WINDOWS\Ascd_log.ini
2008-03-04 12:24 . 2004-08-11 11:00 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2008-03-04 12:23 . 2006-10-10 22:33 10,288 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-03-04 12:20 . 2008-03-07 08:01 1,516 --a------ C:\WINDOWS\system32\wpa.bak
2008-03-04 08:48 . 2008-03-04 08:40 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-04 08:48 . 2008-03-04 08:48 2,550 --a------ C:\WINDOWS\unins000.dat
2008-03-04 07:45 . 2008-03-04 07:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-04 07:45 . 2008-03-04 07:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-04 07:43 . 2008-03-07 14:44 <DIR> d-------- C:\~PCShoppe
2008-03-04 07:26 . 2002-04-20 01:24 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-03-04 07:26 . 2002-04-20 01:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VERITAS
2008-03-04 07:26 . 2002-04-25 21:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-04 07:26 . 2002-04-20 01:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 18:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-07 12:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-05 13:45 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-05 01:43 --------- d-----w C:\Program Files\WildTangent
2008-03-04 14:01 --------- d-----w C:\Program Files\PC-Doctor for Windows XP
2008-03-04 13:57 --------- d-----w C:\Program Files\Norton AntiVirus
2007-12-31 15:05 21,760 ----a-w C:\WINDOWS\Bfj61.sys
2002-03-07 14:02 995,383 --sha-w C:\WINDOWS\system32\mfc42loc.dll
1995-09-20 20:16 35,088 -csha-w C:\WINDOWS\system32\msjint32.dll
1995-09-20 20:13 977,680 -csha-w C:\WINDOWS\system32\msjt3032.dll
1995-09-20 20:16 23,824 -csha-w C:\WINDOWS\system32\msjter32.dll
1995-09-24 15:02 243,472 -csha-w C:\WINDOWS\system32\vbar2232.dll
1998-05-18 07:06 368,912 -csha-w C:\WINDOWS\system32\vbar332.dll
2007-08-28 17:02 1,599,733 -csha-w C:\WINDOWS\system32\yccdd.bak1
2007-10-06 12:21 6,505 -csha-w C:\WINDOWS\system32\yccdd.bak2
2007-10-09 15:35 6,726 -csha-w C:\WINDOWS\system32\yccdd.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-13 01:05 36864]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 22:56 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 01:39 212992]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-08 02:25 143360]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-08 01:36 90112]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-30 17:35 7634944]
"nwiz"="nwiz.exe" [2006-10-30 17:35 1622016 C:\WINDOWS\system32\nwiz.exe]
"PaperPort PTD"="c:\paprport\pptd40nt.exe" [1998-03-10 13:48 22528]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 07:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 07:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-30 17:35 86016]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 22:13 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 02:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-07 12:37 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-07 12:37 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp center UI.lnk - C:\Program Files\hp center\137903\Shadow\ShadowBar.exe [2002-04-20 19:17:31 69632]
hp center.lnk - C:\Program Files\hp center\137903\Program\BackWeb-137903.exe [2002-04-20 19:17:31 16384]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26 282624]
Pagis Schedule Monitor.lnk - C:\Program Files\ScanSoft\Pagis\Monitor.exe [2003-11-12 09:28:00 17920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 2008-03-07 14:31 11776 C:\WINDOWS\system32\WLCtrl32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=

R0 Bfj61;Bfj61;C:\WINDOWS\system32\Drivers\Bfj61.sys [2007-12-27 09:10]
S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys [2002-03-21 00:35]
S3 USB2_04;USB2_04 driver;C:\WINDOWS\system32\drivers\nkv2.sys [2008-03-07 07:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43127006-769b-11dc-ab71-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 12:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 14:53:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Agl43]
"ImagePath"="System32\Drivers\Agl43.sys"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Oub38]
"ImagePath"="\??\C:\WINDOWS\System32\drivers\Oub38.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WLCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-03-07 14:58:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-07 19:58:24
.
2008-03-07 19:38:45 --- E O F ---
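As an added example (not part of the original post and not HijackThis's own code), the script below parses the HijackThis entry format seen in the log above and lists the entries a reviewer would verify first. The sample lines are constructed from that log, and the heuristics (Winlogon Notify packages, unnamed BHOs, autoruns given as bare filenames, services with no publisher) are this example's own; a flag means "confirm this", not a malware verdict.

```python
import re
from dataclasses import dataclass

# Sample entries constructed from the HijackThis log posted above (a subset).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com/
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HijackThis entry starts with a section code (R0, O4, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
# O4 bodies look like:  HKLM\..\Run: [name] command [args]
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    kind: str       # HijackThis section code
    severity: str   # "high" = verify before anything else, "low" = confirm when convenient
    reason: str
    line: str       # the original log line


def parse_entries(text):
    """Yield (kind, body, line) for each entry line; header and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def executable_of(command):
    """Return the program part of an autorun command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(text):
    """Return the entries worth checking first, in log order."""
    findings = []
    for kind, body, line in parse_entries(text):
        if kind == "O20" and body.startswith("Winlogon Notify:"):
            findings.append(Finding(kind, "high",
                "DLL registered as a Winlogon Notify package: it is loaded into "
                "winlogon.exe at every logon, so confirm its publisher and creation date", line))
        elif kind in ("O2", "O3") and "(no name)" in body:
            findings.append(Finding(kind, "low",
                "browser extension registered without a name; identify the CLSID owner", line))
        elif kind == "O4":
            m = O4_RE.match(body)
            if m and "\\" not in executable_of(m.group("cmd")):
                findings.append(Finding(kind, "low",
                    f"autorun '{m.group('name')}' names a bare file "
                    f"({executable_of(m.group('cmd'))}) resolved through the PATH; "
                    "check which file actually runs", line))
        # "Unknown owner" is the wording HijackThis uses for a service binary with no
        # company name (assumed here; the log above contains no such entry).
        elif kind == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(kind, "low",
                "service binary carries no publisher information", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.reason}\n    {f.line}")
```

Run against the full log, the only high-severity hit is the O20 line, which matches what the ComboFix output later shows being loaded into winlogon.exe.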

#2 ecpirates


Posted 10 March 2008 - 12:44 PM

Spybot reports Win32.Small.Of and Nurech, alternately, but I think I have a rootkit.

Thanks in advance.

#3 ecpirates


Posted 11 March 2008 - 06:33 AM

I have Win XP sp2, AVG anti-spyware, Spybot S&D (w/ tea timer active), SpywareBlaster, and AVG anti-virus. All tools were installed AFTER the infection.

AVG anti-virus now shows clean, but AVG anti-spy and Spybot find entries. AVG finds download.agent.ggt consistently, while SpyBot reports Win32.Small.Of and Nurech alternately.



//Mod edit: to merge separate posts and remove a duplicate HJT log file in this post.

Edited by KoanYorel, 11 March 2008 - 07:53 AM.


#4 ecpirates


Posted 27 March 2008 - 06:12 AM

While waiting for response here over the last three weeks, I have posted to the forums at safer-networking.org seeking assistance.

Your guidance is much appreciated.

#5 Buckeye_Sam (Malware Expert)

Posted 29 March 2008 - 06:21 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
I apologize for the delay in getting to your log; the helpers here are very busy.

If you still need help, please post a fresh Hijackthis log, in this thread, so I can help you with your malware problems.
If you have resolved this issue please let us know.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 ecpirates


Posted 30 March 2008 - 12:41 PM

The HijackThis log below is from a scan made today.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:59 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\paprport\pptd40nt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\system32\wuauclt.exe
C:\~PCShoppe\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198765011043
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6570 bytes

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:47 PM

Posted 30 March 2008 - 06:26 PM

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.

===================


Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double-click combofix.exe and follow the prompts.
When it's done running, it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 ecpirates

ecpirates
  • Topic Starter

  • Members
  • 10 posts
  • Local time:11:47 PM

Posted 30 March 2008 - 08:59 PM

I am unable to run an online scan from F-Secure Online Scanner.

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:47 PM

Posted 31 March 2008 - 06:11 AM

I am unable to run an online scan from F-Secure Online Scanner.

Why not? :thumbsup:

#10 ecpirates

ecpirates
  • Topic Starter

  • Members
  • 10 posts
  • Local time:11:47 PM

Posted 31 March 2008 - 06:54 AM

My connection is constantly reset, causing a timeout and subsequent failure on downloading the scan control/software.

This is related to the infection, as the other computers are able to connect and process Internet requests; however, when this machine is connected, the speed of my connection is very slow.

Edited by ecpirates, 31 March 2008 - 09:01 AM.


#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:47 PM

Posted 31 March 2008 - 06:19 PM

Let's try something else then.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Please post the contents of the log from DrWeb and a new combofix log in your next reply.

#12 ecpirates

ecpirates
  • Topic Starter

  • Members
  • 10 posts
  • Local time:11:47 PM

Posted 01 April 2008 - 07:47 PM

That worked and the report is listed below.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ahm30.sys;c:\windows\system32\drivers;Trojan.DownLoader.50037;Deleted.;
bfj61.sys;c:\windows\system32\drivers;BackDoor.Bulknet.112;Deleted.;
wlctrl32.dll;c:\windows\system32;Trojan.DownLoader.50037;Deleted.;
05817296.FIL;C:\$VAULT$.AVG;Trojan.NtRootKit.927;Deleted.;
16640171.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.50037;Deleted.;
16640578.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.50037;Deleted.;
16640593.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.50037;Deleted.;
16640609.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.50037;Deleted.;
16640671.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.50037;Deleted.;
16640687.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.50037;Deleted.;
16640734.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.50037;Deleted.;
16640765.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.50037;Deleted.;
16640796.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.50037;Deleted.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Deleted.;
Terminator.exe;C:\hp\bin;Trojan.KillApp.30208;Deleted.;
EN_CA-ie.reg;C:\hp\REGION;Trojan.StartPage.1505;Deleted.;
rebootnt.exe;C:\Program Files\HPSelect\frontend\thirdparty\qt5;Tool.Reboot;Incurable.Deleted.;
A0002564.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP10;Trojan.DownLoader.50037;Deleted.;
A0003564.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP10;Trojan.DownLoader.50037;Deleted.;
A0004564.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP10;Trojan.DownLoader.50037;Deleted.;
A0005564.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP10;Trojan.DownLoader.50037;Deleted.;
A0005580.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP10;Trojan.DownLoader.50037;Deleted.;
A0005597.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP10;Trojan.DownLoader.50037;Deleted.;
A0005604.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP10;Trojan.DownLoader.50037;Deleted.;
A0005632.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP11;Trojan.DownLoader.50037;Deleted.;
A0006632.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP19;Trojan.DownLoader.50037;Deleted.;
A0007632.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP19;Trojan.DownLoader.50037;Deleted.;
A0008632.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP19;Trojan.DownLoader.50037;Deleted.;
A0008636.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP19;Trojan.DownLoader.50037;Deleted.;
A0009636.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP19;Trojan.DownLoader.50037;Deleted.;
A0009659.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP19;Trojan.DownLoader.50037;Deleted.;
A0010659.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP19;Trojan.DownLoader.50037;Deleted.;
A0011704.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP19;Trojan.DownLoader.50037;Deleted.;
MFEX-1.DAT;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP20\snapshot;Trojan.DownLoader.54123;Deleted.;
A0011746.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP21;Trojan.DownLoader.50037;Deleted.;
MFEX-1.DAT;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP21\snapshot;Trojan.DownLoader.54123;Deleted.;
A0011820.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP29;Trojan.DownLoader.50037;Deleted.;
A0011845.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP30;Trojan.DownLoader.50037;Deleted.;
A0011849.sys;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP30;BackDoor.Bulknet.157;Deleted.;
A0011851.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP30;Trojan.DownLoader.50037;Deleted.;
A0011855.sys;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP30;Trojan.NtRootKit.927;Deleted.;
A0011856.sys;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP30;Trojan.DownLoader.50037;Deleted.;
A0011857.sys;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP30;BackDoor.Bulknet.112;Deleted.;
A0011858.exe;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP30;Trojan.KillApp.30208;Deleted.;
A0011859.reg;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP30;Trojan.StartPage.1505;Deleted.;
A0001270.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP4;Trojan.DownLoader.50037;Deleted.;
A0001334.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP5;Trojan.DownLoader.50037;Deleted.;
A0001350.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP5;Trojan.DownLoader.50037;Deleted.;
A0001391.bat;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP7;Probably BATCH.Virus;Incurable.Deleted.;
A0001432.bat;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP7;Probably SCRIPT.Virus;Incurable.Deleted.;
A0002474.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP8;Trojan.DownLoader.50037;Deleted.;
MFEX-1.DAT;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP8\snapshot;Trojan.DownLoader.50037;Deleted.;
MFEX-2.DAT;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP8\snapshot;Trojan.DownLoader.50037;Deleted.;
A0002527.dll;C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP9;Trojan.DownLoader.50037;Deleted.;
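
The Dr.Web report above is a semicolon-separated list (name;directory;detection;action;), and one of its live hits, wlctrl32.dll, is exactly the file the earlier HijackThis log showed wired in as an O20 Winlogon Notify entry. The script below is an added example written for this thread; it is not code from the thread, from Dr.Web or from Trend Micro. It parses both formats, joins them on the file path, and separates detections that still sit in an active load point or in the driver directory from the dormant copies in System Restore points and the AVG vault. The location classes, the "Tool." prefix treated as riskware, and the path regex are my own assumptions; the sample rows are a constructed subset of the lines posted in this thread.

```python
"""Triage of a Dr.Web CureIt report against HijackThis load points.

Added example for this thread, not code from Dr.Web or HijackThis.
Field layout of DrWeb.csv (name;directory;detection;action;) is taken
from the rows posted above; the location classes are my own.
"""
import re
from collections import Counter

# Constructed sample: a subset of the DrWeb.csv rows posted in the thread.
DRWEB_SAMPLE = """\
ahm30.sys;c:\\windows\\system32\\drivers;Trojan.DownLoader.50037;Deleted.;
bfj61.sys;c:\\windows\\system32\\drivers;BackDoor.Bulknet.112;Deleted.;
wlctrl32.dll;c:\\windows\\system32;Trojan.DownLoader.50037;Deleted.;
05817296.FIL;C:\\$VAULT$.AVG;Trojan.NtRootKit.927;Deleted.;
KillWind.exe;C:\\hp\\bin;Tool.ProcessKill;Incurable.Deleted.;
A0011855.sys;C:\\System Volume Information\\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\\RP30;Trojan.NtRootKit.927;Deleted.;
"""

# Constructed sample: three load-point lines from the HijackThis log above.
HJT_SAMPLE = """\
O4 - HKLM\\..\\Run: [SecurDisc] C:\\Program Files\\Nero\\Nero 7\\InCD\\NBHGui.exe
O20 - Winlogon Notify: WLCtrl32 - C:\\WINDOWS\\SYSTEM32\\WLCtrl32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

# Heuristic (assumption): a drive-letter path ending in an executable extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys)\b", re.IGNORECASE)


def classify_location(directory, detection):
    """Where a hit lives decides how much it matters (classes are my own)."""
    d = directory.lower()
    if "system volume information" in d:
        return "restore-point"   # dormant copy; gone once System Restore is purged
    if "$vault$" in d:
        return "av-quarantine"   # AVG had already isolated these
    if detection.startswith("Tool."):
        return "riskware"        # vendor utilities such as HP's KillWind.exe
    if d.endswith("\\drivers"):
        return "kernel-driver"   # loads at ring 0 if its service entry survives
    return "live"


def parse_drweb(text):
    """Parse DrWeb.csv rows: name;directory;detection;action; (trailing empty field)."""
    rows = []
    for line in text.splitlines():
        fields = line.split(";")
        if len(fields) < 4 or not fields[0]:
            continue
        name, directory, detection, action = fields[:4]
        rows.append({
            "name": name,
            "path": (directory.rstrip("\\") + "\\" + name).lower(),
            "detection": detection,
            "action": action,
            "location": classify_location(directory, detection),
        })
    return rows


def parse_hjt_loadpoints(text):
    """Map the executable path of each O4 autorun, O20 Winlogon Notify and
    O23 service line to its HijackThis section tag."""
    points = {}
    for line in text.splitlines():
        section = re.match(r"^(O4|O20|O23) - ", line)
        path = PATH_RE.search(line)
        if section and path:
            points[path.group(0).lower()] = section.group(1)
    return points


def triage(rows, loadpoints):
    """Return (hits, summary). A hit is a detection whose file is still wired
    into a HijackThis load point, or that sits in the kernel driver directory."""
    hits = []
    for row in rows:
        section = loadpoints.get(row["path"])
        if section is not None:
            hits.append((row["name"], row["detection"], "HJT " + section))
        elif row["location"] == "kernel-driver":
            hits.append((row["name"], row["detection"], "driver dir"))
    summary = Counter(row["location"] for row in rows)
    return hits, summary


if __name__ == "__main__":
    hits, summary = triage(parse_drweb(DRWEB_SAMPLE), parse_hjt_loadpoints(HJT_SAMPLE))
    for name, detection, why in hits:
        print(f"ACTIVE  {name:<14} {detection:<26} ({why})")
    for location, n in sorted(summary.items()):
        print(f"{n:3d} detection(s): {location}")
```

Two things the join makes visible: HijackThis does not enumerate kernel drivers, so ahm30.sys and bfj61.sys could never have shown up in the HijackThis log and only surface here (and in ComboFix's Drivers/Services section), which is why a scan at driver level was the right next step; and the long tail of A00xxxxx.dll rows under System Volume Information\_restore are restore-point snapshots of the same downloader, harmless while dormant but a reinfection source if anyone uses System Restore, which is why helpers ask to flush restore points once a cleanup is confirmed.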

#13 ecpirates

ecpirates
  • Topic Starter

  • Members
  • 10 posts
  • Local time:11:47 PM

Posted 02 April 2008 - 06:15 AM

And here is the ComboFix log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ComboFix 08-03-30.2 - Owner 2008-04-02 5:37:48.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1661 [GMT -5:00]
Running from: C:\~PCShoppe\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\5_exception.nls
C:\WINDOWS\system32\lanmanwrk.exe
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\TEMP\124093.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LANMANDRV
-------\Service_lanmandrv


((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-04-01 06:29 . 2008-04-01 06:29 <DIR> d-------- C:\Documents and Settings\Owner\DoctorWeb
2008-03-30 19:40 . 2008-03-30 19:40 <DIR> d-------- C:\fsaua.data
2008-03-11 09:22 . 2008-03-11 09:22 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-03-11 09:21 . 2008-03-11 09:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2008-03-11 09:20 . 2008-03-11 09:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-11 09:15 . 2008-03-11 09:15 <DIR> d-------- C:\Program Files\Nero
2008-03-11 09:15 . 2008-03-11 09:20 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-11 09:15 . 2008-03-11 09:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-09 18:46 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-03-09 18:05 . 2008-03-09 18:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-07 16:15 . 2008-04-01 18:57 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-07 10:37 . 2008-03-07 10:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-07 10:36 . 2008-03-19 19:51 2,012,626,944 --a------ C:\WINDOWS\MEMORY.DMP
2008-03-07 10:17 . 2008-03-07 10:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-07 07:57 . 2008-03-07 07:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-03-07 07:57 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-07 07:53 . 2008-03-07 07:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-07 07:43 . 2008-03-07 07:43 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-03-07 07:43 . 2008-03-07 07:43 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-03-07 07:42 . 2008-03-07 07:42 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-03-07 07:21 . 2008-03-07 07:21 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-07 07:21 . 2008-03-07 07:21 <DIR> d-------- C:\Program Files\DIFX
2008-03-07 07:21 . 2006-07-01 22:39 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2008-03-07 07:19 . 2006-08-01 02:02 49,152 -r------- C:\WINDOWS\system32\ChCfg.exe
2008-03-07 07:18 . 2008-03-07 07:19 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-03-07 07:16 . 2007-02-26 02:03 16,125,440 -r------- C:\WINDOWS\RTHDCPL.exe
2008-03-07 07:16 . 2006-05-04 03:35 9,709,568 -r------- C:\WINDOWS\RTLCPL.exe
2008-03-07 07:16 . 2007-03-01 04:27 4,484,608 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-03-07 07:16 . 2006-05-16 05:04 2,879,488 -r------- C:\WINDOWS\SkyTel.exe
2008-03-07 07:16 . 2006-10-11 04:42 2,157,568 -r------- C:\WINDOWS\MicCal.exe
2008-03-07 07:16 . 2007-01-15 21:39 1,191,936 -r------- C:\WINDOWS\RtlUpd.exe
2008-03-07 07:16 . 2006-08-17 17:58 282,624 -r------- C:\WINDOWS\system32\RTSndMgr.cpl
2008-03-07 07:16 . 2006-07-21 03:14 86,016 -r------- C:\WINDOWS\SoundMan.exe
2008-03-07 07:15 . 2008-03-07 07:15 <DIR> d-------- C:\Program Files\Realtek
2008-03-07 07:15 . 2006-05-04 03:26 2,808,832 -r------- C:\WINDOWS\alcwzrd.exe
2008-03-07 07:15 . 2007-01-12 03:54 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-03-07 07:15 . 2005-09-20 21:25 299,008 -r------- C:\WINDOWS\system32\ALSndMgr.cpl
2008-03-07 07:15 . 2005-05-03 05:43 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2008-03-07 07:13 . 2008-03-07 07:13 14,696 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-03-07 00:17 . 2006-09-27 02:03 1,163,008 -ra------ C:\WINDOWS\system32\drivers\nvnrm.sys
2008-03-07 00:17 . 2006-09-11 04:06 356,352 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-03-07 00:17 . 2006-09-27 02:03 261,632 -ra------ C:\WINDOWS\system32\drivers\nvsnpu.sys
2008-03-07 00:17 . 2006-09-27 02:02 201,728 -ra------ C:\WINDOWS\system32\fdco1.dll
2008-03-07 00:17 . 2006-09-27 02:04 110,592 -ra------ C:\WINDOWS\system32\drivers\nvtcp.sys
2008-03-07 00:17 . 2006-09-27 02:04 57,856 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys
2008-03-07 00:17 . 2006-09-11 04:06 35,840 -ra------ C:\WINDOWS\system32\nvconrm.dll
2008-03-07 00:17 . 2006-09-27 02:04 19,968 -ra------ C:\WINDOWS\system32\drivers\nvnetbus.sys
2008-03-07 00:17 . 2006-09-27 02:02 11,264 -ra------ C:\WINDOWS\system32\bdco1.dll
2008-03-07 00:17 . 2006-09-11 03:14 3,903 --a------ C:\WINDOWS\system32\nvnrm.nvu
2008-03-06 23:50 . 2008-03-06 23:50 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-03-06 23:36 . 2004-08-04 07:00 48,256 --a--c--- C:\WINDOWS\system32\dllcache\w32.dll
2008-03-06 23:36 . 2004-08-04 07:00 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll
2008-03-06 23:36 . 2004-08-04 07:00 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys
2008-03-06 23:34 . 2004-08-04 07:00 331,264 --a--c--- C:\WINDOWS\system32\dllcache\aqueue.dll
2008-03-06 23:33 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-03-06 23:31 . 2008-03-06 23:31 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-03-06 23:31 . 2008-03-06 23:31 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-03-06 23:31 . 2008-03-06 23:31 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-03-06 23:31 . 2008-03-06 23:31 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-03-06 23:31 . 2008-03-06 23:31 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-03-06 23:18 . 2004-08-04 07:00 2,012,670 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
2008-03-06 15:38 . 2001-08-08 01:28 577,536 --a------ C:\WINDOWS\system32\igfxres.dll
2008-03-06 14:28 . 2004-08-04 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-03-06 14:27 . 2004-08-04 07:00 1,086,058 -ra------ C:\WINDOWS\SET6E.tmp
2008-03-06 14:27 . 2004-08-04 07:00 13,753 -ra------ C:\WINDOWS\SET7A.tmp
2008-03-06 14:27 . 2004-08-04 07:00 7,334 --a--c--- C:\WINDOWS\system32\dllcache\wmerrenu.cat
2008-03-06 14:26 . 2004-08-04 07:00 1,042,903 -ra------ C:\WINDOWS\SET6B.tmp
2008-03-05 10:50 . 2008-03-05 10:50 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-05 10:44 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002245_.tmp
2008-03-05 10:43 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-05 10:40 . 2008-03-05 10:40 <DIR> d-------- C:\WINDOWS\EHome
2008-03-05 10:08 . 2006-10-17 19:31 363,008 -ra------ C:\WINDOWS\system32\idecoiins.dll
2008-03-05 10:08 . 2006-10-17 19:31 105,472 -ra------ C:\WINDOWS\system32\drivers\nvata.sys
2008-03-05 10:07 . 2006-09-27 02:02 201,728 -ra------ C:\WINDOWS\system32\fdco1ins.dll
2008-03-05 10:07 . 2006-09-27 02:02 11,264 -ra------ C:\WINDOWS\system32\bdco1ins.dll
2008-03-05 08:45 . 2008-03-05 08:45 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-03-05 06:40 . 2008-03-05 08:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-05 06:39 . 2008-03-07 12:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-05 06:39 . 2008-04-01 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-04 20:47 . 2008-03-19 18:58 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-04 20:47 . 2008-03-19 18:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-04 20:47 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-03-04 20:47 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-04 12:28 . 2008-03-04 12:28 <DIR> d-------- C:\WINDOWS\ASUSInstAll
2008-03-04 12:28 . 2006-10-17 19:31 363,008 --a------ C:\WINDOWS\system32\idecoi.dll
2008-03-04 12:28 . 2006-10-04 19:35 356,352 --a------ C:\WINDOWS\system32\nvuide.exe
2008-03-04 12:28 . 2006-10-04 19:35 35,840 --a------ C:\WINDOWS\system32\NVCOI.DLL
2008-03-04 12:28 . 2006-09-10 18:14 1,570 --a------ C:\WINDOWS\system32\nvide.nvu
2008-03-04 12:28 . 2006-08-13 23:09 1,428 -ra------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-03-04 12:27 . 2008-04-02 05:45 81,496 --a------ C:\WINDOWS\system32\nvapps.xml
2008-03-04 12:25 . 2006-12-18 16:33 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-03-04 12:25 . 2006-10-30 17:35 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-03-04 12:24 . 2008-03-04 12:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-03-04 12:24 . 2006-12-18 16:33 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-03-04 12:24 . 2008-03-07 07:13 14,734 --a------ C:\WINDOWS\Ascd_log.ini
2008-03-04 12:24 . 2004-08-11 11:00 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2008-03-04 12:23 . 2006-10-10 22:33 10,288 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-03-04 12:20 . 2008-03-07 08:01 1,516 --a------ C:\WINDOWS\system32\wpa.bak
2008-03-04 08:48 . 2008-03-04 08:40 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-04 08:48 . 2008-03-04 08:48 2,550 --a------ C:\WINDOWS\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 18:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-07 12:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-05 13:45 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-05 01:43 --------- d-----w C:\Program Files\WildTangent
2008-03-04 14:01 --------- d-----w C:\Program Files\PC-Doctor for Windows XP
2008-03-04 13:57 --------- d-----w C:\Program Files\Norton AntiVirus
2002-03-07 14:02 995,383 --sha-w C:\WINDOWS\system32\mfc42loc.dll
1995-09-20 20:16 35,088 -csha-w C:\WINDOWS\system32\msjint32.dll
1995-09-20 20:13 977,680 -csha-w C:\WINDOWS\system32\msjt3032.dll
1995-09-20 20:16 23,824 -csha-w C:\WINDOWS\system32\msjter32.dll
1995-09-24 15:02 243,472 -csha-w C:\WINDOWS\system32\vbar2232.dll
1998-05-18 07:06 368,912 -csha-w C:\WINDOWS\system32\vbar332.dll
2007-08-28 17:02 1,599,733 -csha-w C:\WINDOWS\system32\yccdd.bak1
2007-10-06 12:21 6,505 -csha-w C:\WINDOWS\system32\yccdd.bak2
2007-10-09 15:35 6,726 -csha-w C:\WINDOWS\system32\yccdd.ini2
.

((((((((((((((((((((((((((((( snapshot@2008-03-07_14.57.53.62 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-06-11 00:17:13 57,856 ----a-w C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
+ 2005-02-25 01:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB896423\spmsg.dll
+ 2005-02-25 01:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB896423\spuninst.exe
+ 2005-06-29 21:54:32 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\arpidfix.exe
+ 2005-02-25 01:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\spcustom.dll
+ 2005-02-25 01:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\update.exe
+ 2005-02-25 01:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\updspapi.dll
+ 2006-05-05 10:16:39 454,400 ----a-w C:\WINDOWS\$hf_mig$\KB914389\SP2QFE\mrxsmb.sys
+ 2006-05-05 10:22:52 174,592 ----a-w C:\WINDOWS\$hf_mig$\KB914389\SP2QFE\rdbss.sys
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB914389\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB914389\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB914389\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB914389\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB914389\update\updspapi.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB928843\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB928843\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB928843\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB928843\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB928843\update\updspapi.dll
+ 2008-02-27 20:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 20:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2008-02-27 21:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-02-27 20:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
+ 2006-05-05 09:41:45 453,120 ------w C:\WINDOWS\Driver Cache\i386\mrxsmb.sys
- 2001-07-17 05:57:00 1,069,056 -c--a-w C:\WINDOWS\Help\SBSI\Training\orun32.exe
+ 2006-08-21 20:57:14 1,077,321 ----a-w C:\WINDOWS\Help\SBSI\Training\orun32.exe
+ 2008-03-11 14:20:23 25,214 ----a-r C:\WINDOWS\Installer\{8E72B982-D54F-486F-B35A-C24B6F171033}\ARPPRODUCTICON.exe
+ 2008-03-09 23:05:31 32,768 ----a-r C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe
+ 2008-03-11 14:22:44 15,086 ----a-r C:\WINDOWS\Installer\{CC4A73BF-938E-4C19-A553-853C035C9BA1}\ARPPRODUCTICON.exe
+ 2008-03-11 14:22:44 323,584 ----a-r C:\WINDOWS\Installer\{CC4A73BF-938E-4C19-A553-853C035C9BA1}\NewShortcut1_C673DF680CDE41FC9DFBF63D31DE4F28.exe
+ 2008-03-11 14:22:44 335,872 ----a-r C:\WINDOWS\Installer\{CC4A73BF-938E-4C19-A553-853C035C9BA1}\NewShortcut1_FE82206EF6124B479F4EDD27A1E056A4.exe
+ 2008-03-11 14:22:44 323,584 ----a-r C:\WINDOWS\Installer\{CC4A73BF-938E-4C19-A553-853C035C9BA1}\NewShortcut2_C673DF680CDE41FC9DFBF63D31DE4F28.exe
- 2001-01-13 06:10:24 6,550 -c--a-w C:\WINDOWS\jautoexp.dat
+ 2003-02-28 21:35:26 6,550 ----a-w C:\WINDOWS\jautoexp.dat
+ 2007-06-25 13:47:36 238,888 ----a-w C:\WINDOWS\NuNInst.exe
+ 2002-11-27 00:03:32 159,232 ----a-w C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\cewmdm.dll
+ 2004-08-04 12:00:00 52,224 ----a-w C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
+ 2004-08-04 12:00:00 201,728 ----a-w C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSP.dll
+ 2004-08-04 12:00:00 356,352 ----a-w C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MSSCP.dll
+ 2002-11-27 00:03:32 245,760 ----a-w C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MSWMDM.dll
+ 2002-11-27 00:03:32 27,136 ----a-w C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\WMDMLOG.dll
+ 2002-11-27 00:03:32 23,552 ----a-w C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\WMDMPS.dll
+ 2004-08-11 06:45:04 161,792 ----a-w C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\cewmdm.dll
+ 2004-08-11 06:45:04 25,088 ----a-w C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
+ 2004-08-11 06:45:04 169,472 ----a-w C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSP.dll
+ 2004-08-11 06:45:04 360,176 ----a-w C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MSSCP.dll
+ 2004-08-11 06:45:04 311,296 ----a-w C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MSWMDM.dll
+ 2004-08-11 06:45:04 30,208 ----a-w C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\WMDMLOG.dll
+ 2004-08-11 06:45:04 34,304 ----a-w C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\WMDMPS.dll
+ 2004-08-11 06:45:04 47,104 ----a-w C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\uwdf.exe
+ 2004-08-11 06:45:04 15,872 ----a-w C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wdfapi.dll
+ 2004-08-11 06:45:04 38,912 ----a-w C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wdfmgr.exe
+ 2004-08-11 06:45:06 38,912 ----a-w C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpd_ci.dll
+ 2004-08-11 06:45:06 61,952 ----a-w C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdconns.dll
+ 2004-08-11 06:45:06 114,176 ----a-w C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdmtp.dll
+ 2004-08-11 06:45:06 331,776 ----a-w C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdmtpdr.dll
+ 2004-08-11 06:45:06 66,560 ----a-w C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdmtpus.dll
+ 2004-08-11 06:45:06 327,680 ----a-w C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdsp.dll
+ 2004-08-11 06:45:06 10,752 ----a-w C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdtrace.dll
+ 2004-08-11 06:45:06 18,944 ----a-w C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdusb.sys
+ 2004-08-04 12:00:00 408,064 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}$BACKUP$\System\wmadmod.dll
+ 2004-08-04 12:00:00 759,296 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}$BACKUP$\System\wmsdmod.dll
+ 2004-08-04 12:00:00 484,864 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}$BACKUP$\System\wmspdmod.dll
+ 2004-08-04 12:00:00 809,984 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}$BACKUP$\System\wmvdmod.dll
+ 2004-08-11 06:45:04 380,144 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmadmod.dll
+ 2004-08-11 06:45:04 773,368 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmsdmod.dll
+ 2004-08-11 06:45:06 531,192 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmspdmod.dll
+ 2004-08-11 06:45:06 1,181,944 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmvadvd.dll
+ 2004-08-11 06:45:06 871,160 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmvdmod.dll
+ 2004-08-04 12:00:00 6,656 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\laprxy.dll
+ 2004-08-04 12:00:00 103,936 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\logagent.exe
+ 2004-08-04 12:00:00 237,568 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\qasf.dll
+ 2004-08-04 12:00:00 670,720 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmadmoe.dll
+ 2007-10-27 22:39:20 230,912 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmasf.dll
+ 2004-08-04 12:00:00 151,552 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmidx.dll
+ 2004-08-04 12:00:00 1,050,624 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmnetmgr.dll
+ 2004-08-04 12:00:00 1,119,744 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmsdmoe2.dll
+ 2004-08-04 12:00:00 896,512 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmspdmoe.dll
+ 2007-10-27 22:37:38 2,109,440 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmvcore.dll
+ 2004-08-04 12:00:00 1,001,472 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmvdmoe2.dll
+ 2004-08-11 06:45:04 6,656 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\laprxy.dll
+ 2004-08-11 06:45:04 96,768 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\logagent.exe
+ 2004-08-11 06:45:04 221,184 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\qasf.dll
+ 2004-08-11 06:45:04 712,704 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmadmoe.dll
+ 2004-08-11 06:45:04 229,376 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmasf.dll
+ 2004-08-11 06:45:04 344,064 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\WMDRMdev.dll
+ 2004-08-11 06:45:04 290,816 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\WMDRMNet.dll
+ 2004-08-11 06:45:04 150,016 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmidx.dll
+ 2004-08-11 06:45:04 1,027,072 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmnetmgr.dll
+ 2004-08-11 06:45:04 1,116,160 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmsdmoe2.dll
+ 2004-08-11 06:45:06 936,960 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmspdmoe.dll
+ 2004-08-11 06:45:06 1,509,376 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\WMVADVE.DLL
+ 2004-08-11 06:45:06 2,362,104 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmvcore.dll
+ 2004-08-11 06:45:06 999,424 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmvdmoe2.dll
+ 2004-08-04 12:00:00 286,208 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\blackbox.dll
+ 2004-08-04 12:00:00 299,520 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\drmclien.dll
+ 2004-08-04 12:00:00 87,040 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\drmstor.dll
+ 2004-08-04 12:00:00 695,296 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\drmv2clt.dll
+ 2004-08-04 12:00:00 259,072 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\msnetobj.dll
+ 2004-08-11 06:45:04 233,472 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\blackbox.dll
+ 2004-08-11 06:45:04 253,688 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmclien.dll
+ 2004-08-11 06:45:04 95,232 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmstor.dll
+ 2004-08-11 06:45:04 527,360 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmv2clt.dll
+ 2004-08-11 06:45:04 141,312 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\msnetobj.dll
- 2001-01-13 08:04:08 46,352 -c--a-w C:\WINDOWS\setdebug.exe
+ 2003-02-28 23:26:30 46,352 ----a-w C:\WINDOWS\setdebug.exe
- 2001-01-13 08:04:06 49,424 -c--a-w C:\WINDOWS\system32\clspack.exe
+ 2003-02-28 23:26:26 49,424 ----a-w C:\WINDOWS\system32\clspack.exe
- 2008-03-07 18:49:05 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-31 01:37:32 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-07 18:49:05 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-31 01:37:32 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-31 01:37:32 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-12-05 23:09:18 2,323,664 ----a-w C:\WINDOWS\system32\d3dx9_28.dll
+ 2006-03-31 17:40:58 2,388,176 ----a-w C:\WINDOWS\system32\d3dx9_30.dll
- 2004-08-04 12:00:00 286,208 -c--a-w C:\WINDOWS\system32\dllcache\blackbox.dll
+ 2004-08-11 06:45:04 233,472 -c--a-w C:\WINDOWS\system32\dllcache\blackbox.dll
- 2002-11-27 00:03:32 159,232 -c--a-w C:\WINDOWS\system32\dllcache\cewmdm.dll
+ 2004-08-11 06:45:04 161,792 -c--a-w C:\WINDOWS\system32\dllcache\cewmdm.dll
- 2004-08-04 12:00:00 299,520 -c--a-w C:\WINDOWS\system32\dllcache\drmclien.dll
+ 2004-08-11 06:45:04 253,688 -c--a-w C:\WINDOWS\system32\dllcache\drmclien.dll
- 2004-08-04 12:00:00 87,040 -c--a-w C:\WINDOWS\system32\dllcache\drmstor.dll
+ 2004-08-11 06:45:04 95,232 -c--a-w C:\WINDOWS\system32\dllcache\drmstor.dll
- 2004-08-04 12:00:00 695,296 -c--a-w C:\WINDOWS\system32\dllcache\drmv2clt.dll
+ 2004-08-11 06:45:04 527,360 -c--a-w C:\WINDOWS\system32\dllcache\drmv2clt.dll
- 2004-08-04 12:00:00 498,205 -c--a-w C:\WINDOWS\system32\dllcache\dxmasf.dll
+ 2006-08-22 09:05:26 498,742 -c--a-w C:\WINDOWS\system32\dllcache\dxmasf.dll
- 2004-08-04 12:00:00 1,082,368 -c--a-w C:\WINDOWS\system32\dllcache\esent.dll
+ 2005-10-20 22:20:03 1,082,368 -c--a-w C:\WINDOWS\system32\dllcache\esent.dll
- 2004-08-04 05:56:44 16,896 -c--a-w C:\WINDOWS\system32\dllcache\fltlib.dll
+ 2006-08-21 12:21:06 16,896 -c--a-w C:\WINDOWS\system32\dllcache\fltlib.dll
- 2004-08-04 05:56:50 22,528 -c--a-w C:\WINDOWS\system32\dllcache\fltmc.exe
+ 2006-08-21 09:14:58 23,040 -c--a-w C:\WINDOWS\system32\dllcache\fltmc.exe
- 2004-08-04 04:01:20 124,800 -c--a-w C:\WINDOWS\system32\dllcache\fltmgr.sys
+ 2006-08-21 09:14:58 128,896 -c--a-w C:\WINDOWS\system32\dllcache\fltmgr.sys
- 2004-08-04 12:00:00 134,912 -c--a-w C:\WINDOWS\system32\dllcache\ipnat.sys
+ 2004-09-29 22:28:37 134,912 -c--a-w C:\WINDOWS\system32\dllcache\ipnat.sys
- 2004-08-04 12:00:00 6,656 -c--a-w C:\WINDOWS\system32\dllcache\laprxy.dll
+ 2004-08-11 06:45:04 6,656 -c--a-w C:\WINDOWS\system32\dllcache\laprxy.dll
- 2004-08-04 12:00:00 103,936 -c--a-w C:\WINDOWS\system32\dllcache\logagent.exe
+ 2004-08-11 06:45:04 96,768 -c--a-w C:\WINDOWS\system32\dllcache\logagent.exe
+ 2006-05-05 09:41:45 453,120 -c----w C:\WINDOWS\system32\dllcache\mrxsmb.sys
- 2004-08-04 12:00:00 2,804,224 -c--a-w C:\WINDOWS\system32\dllcache\msi.dll
+ 2007-04-18 16:12:23 2,854,400 -c--a-w C:\WINDOWS\system32\dllcache\msi.dll
- 2004-08-04 12:00:00 77,312 -c--a-w C:\WINDOWS\system32\dllcache\msiexec.exe
+ 2005-05-04 19:45:36 78,848 -c--a-w C:\WINDOWS\system32\dllcache\msiexec.exe
- 2004-08-04 12:00:00 331,264 -c--a-w C:\WINDOWS\system32\dllcache\msihnd.dll
+ 2005-05-04 19:45:36 271,360 -c--a-w C:\WINDOWS\system32\dllcache\msihnd.dll
- 2004-08-04 12:00:00 884,736 -c--a-w C:\WINDOWS\system32\dllcache\msimsg.dll
+ 2005-05-04 19:45:36 884,736 -c--a-w C:\WINDOWS\system32\dllcache\msimsg.dll
- 2004-08-04 12:00:00 44,032 -c--a-w C:\WINDOWS\system32\dllcache\msisip.dll
+ 2005-05-04 19:45:36 15,360 -c--a-w C:\WINDOWS\system32\dllcache\msisip.dll
- 2004-08-04 12:00:00 259,072 -c--a-w C:\WINDOWS\system32\dllcache\msnetobj.dll
+ 2004-08-11 06:45:04 141,312 -c--a-w C:\WINDOWS\system32\dllcache\msnetobj.dll
- 2004-08-04 12:00:00 52,224 -c--a-w C:\WINDOWS\system32\dllcache\mspmsnsv.dll
+ 2004-08-11 06:45:04 25,088 -c--a-w C:\WINDOWS\system32\dllcache\mspmsnsv.dll
- 2004-08-04 12:00:00 201,728 -c--a-w C:\WINDOWS\system32\dllcache\mspmsp.dll
+ 2004-08-11 06:45:04 169,472 -c--a-w C:\WINDOWS\system32\dllcache\mspmsp.dll
- 2004-08-04 12:00:00 356,352 -c--a-w C:\WINDOWS\system32\dllcache\msscp.dll
+ 2004-08-11 06:45:04 360,176 -c--a-w C:\WINDOWS\system32\dllcache\msscp.dll
- 2002-11-27 00:03:32 245,760 -c--a-w C:\WINDOWS\system32\dllcache\mswmdm.dll
+ 2004-08-11 06:45:04 311,296 -c--a-w C:\WINDOWS\system32\dllcache\mswmdm.dll
- 2004-08-04 05:56:46 364,544 -c--a-w C:\WINDOWS\system32\dllcache\npdsplay.dll
+ 2005-11-29 21:27:06 364,544 -c--a-w C:\WINDOWS\system32\dllcache\npdsplay.dll
- 2004-08-04 12:00:00 237,568 -c--a-w C:\WINDOWS\system32\dllcache\qasf.dll
+ 2004-08-11 06:45:04 221,184 -c--a-w C:\WINDOWS\system32\dllcache\qasf.dll
- 2004-08-04 12:00:00 176,512 -c--a-w C:\WINDOWS\system32\dllcache\rdbss.sys
+ 2006-05-05 09:47:57 174,592 -c--a-w C:\WINDOWS\system32\dllcache\rdbss.sys
- 2004-08-04 12:00:00 200,064 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
- 2004-08-04 12:00:00 581,120 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll
+ 2007-07-09 13:09:42 584,192 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll
- 2004-08-04 12:00:00 8,384,000 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2004-08-04 12:00:00 57,856 -c--a-w C:\WINDOWS\system32\dllcache\spoolsv.exe
+ 2005-06-10 23:53:32 57,856 -c--a-w C:\WINDOWS\system32\dllcache\spoolsv.exe
- 2004-08-04 12:00:00 246,302 -c--a-w C:\WINDOWS\system32\dllcache\strmdll.dll
+ 2006-08-21 14:52:08 246,814 -c--a-w C:\WINDOWS\system32\dllcache\strmdll.dll
- 2004-08-04 12:00:00 408,064 -c--a-w C:\WINDOWS\system32\dllcache\wmadmod.dll
+ 2004-08-11 06:45:04 380,144 -c--a-w C:\WINDOWS\system32\dllcache\wmadmod.dll
- 2004-08-04 12:00:00 670,720 -c--a-w C:\WINDOWS\system32\dllcache\wmadmoe.dll
+ 2004-08-11 06:45:04 712,704 -c--a-w C:\WINDOWS\system32\dllcache\wmadmoe.dll
- 2004-08-04 12:00:00 230,400 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2004-08-11 06:45:04 229,376 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2002-11-27 00:03:32 27,136 -c--a-w C:\WINDOWS\system32\dllcache\wmdmlog.dll
+ 2004-08-11 06:45:04 30,208 -c--a-w C:\WINDOWS\system32\dllcache\wmdmlog.dll
- 2002-11-27 00:03:32 23,552 -c--a-w C:\WINDOWS\system32\dllcache\wmdmps.dll
+ 2004-08-11 06:45:04 34,304 -c--a-w C:\WINDOWS\system32\dllcache\wmdmps.dll
- 2004-08-04 12:00:00 151,552 -c--a-w C:\WINDOWS\system32\dllcache\wmidx.dll
+ 2004-08-11 06:45:04 150,016 -c--a-w C:\WINDOWS\system32\dllcache\wmidx.dll
- 2004-08-04 12:00:00 1,050,624 -c--a-w C:\WINDOWS\system32\dllcache\wmnetmgr.dll
+ 2004-08-11 06:45:04 1,027,072 -c--a-w C:\WINDOWS\system32\dllcache\wmnetmgr.dll
- 2004-08-04 12:00:00 4,874,240 -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
+ 2007-04-30 07:22:16 4,734,976 -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
- 2004-08-04 12:00:00 759,296 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmod.dll
+ 2004-08-11 06:45:04 773,368 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmod.dll
- 2004-08-04 12:00:00 1,119,744 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmoe2.dll
+ 2004-08-11 06:45:04 1,116,160 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmoe2.dll
- 2004-08-04 12:00:00 484,864 -c--a-w C:\WINDOWS\system32\dllcache\wmspdmod.dll
+ 2004-08-11 06:45:06 531,192 -c--a-w C:\WINDOWS\system32\dllcache\wmspdmod.dll
- 2004-08-04 12:00:00 896,512 -c--a-w C:\WINDOWS\system32\dllcache\wmspdmoe.dll
+ 2004-08-11 06:45:06 936,960 -c--a-w C:\WINDOWS\system32\dllcache\wmspdmoe.dll
- 2004-08-04 12:00:00 2,105,344 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
+ 2004-08-11 06:45:06 2,362,104 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
- 2004-08-04 12:00:00 809,984 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmod.dll
+ 2004-08-11 06:45:06 871,160 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmod.dll
- 2004-08-04 12:00:00 1,001,472 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmoe2.dll
+ 2004-08-11 06:45:06 999,424 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmoe2.dll
- 2004-08-04 04:01:20 124,800 ------w C:\WINDOWS\system32\drivers\fltmgr.sys
+ 2006-08-21 09:14:58 128,896 ------w C:\WINDOWS\system32\drivers\fltmgr.sys
+ 2007-06-25 13:47:02 119,080 ----a-w C:\WINDOWS\system32\drivers\InCDfs.sys
+ 2007-06-25 13:47:12 36,776 ----a-w C:\WINDOWS\system32\drivers\InCDPass.sys
+ 2007-06-25 13:47:12 16,040 ----a-w C:\WINDOWS\system32\drivers\InCDrec.sys
+ 2007-06-25 13:47:12 38,440 ----a-w C:\WINDOWS\system32\drivers\InCDRm.sys
- 2004-08-04 12:00:00 134,912 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
+ 2004-09-29 22:28:37 134,912 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
- 2004-08-04 12:00:00 451,456 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
+ 2006-05-05 09:41:45 453,120 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
- 2004-08-04 12:00:00 176,512 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
+ 2006-05-05 09:47:57 174,592 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
- 2004-08-04 12:00:00 200,064 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
+ 2006-07-13 08:48:58 202,240 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
+ 2004-08-11 06:45:06 18,944 ----a-w C:\WINDOWS\system32\drivers\wpdusb.sys
- 2001-01-13 06:09:58 313,856 -c--a-w C:\WINDOWS\system32\dx3j.dll
+ 2003-02-28 21:34:42 313,856 ----a-w C:\WINDOWS\system32\dx3j.dll
- 2004-08-04 12:00:00 498,205 ----a-w C:\WINDOWS\system32\dxmasf.dll
+ 2006-08-22 09:05:26 498,742 ----a-w C:\WINDOWS\system32\dxmasf.dll
- 2004-08-04 12:00:00 1,082,368 ----a-w C:\WINDOWS\system32\esent.dll
+ 2005-10-20 22:20:03 1,082,368 ----a-w C:\WINDOWS\system32\esent.dll
- 2004-08-04 05:56:44 16,896 ----a-w C:\WINDOWS\system32\fltlib.dll
+ 2006-08-21 12:21:06 16,896 ----a-w C:\WINDOWS\system32\fltlib.dll
- 2004-08-04 05:56:50 22,528 ----a-w C:\WINDOWS\system32\fltmc.exe
+ 2006-08-21 09:14:58 23,040 ----a-w C:\WINDOWS\system32\fltmc.exe
+ 2004-07-26 22:16:10 1,568,768 ----a-w C:\WINDOWS\system32\imagX7.dll
+ 2004-07-26 22:16:10 476,320 ----a-w C:\WINDOWS\system32\imagXpr7.dll
+ 2004-07-26 22:16:10 262,144 ----a-w C:\WINDOWS\system32\imagXR7.dll
+ 2004-07-26 22:16:10 471,040 ----a-w C:\WINDOWS\system32\imagXRA7.dll
- 2001-01-13 08:04:00 187,152 -c--a-w C:\WINDOWS\system32\javacypt.dll
+ 2003-02-28 23:26:16 187,152 ----a-w C:\WINDOWS\system32\javacypt.dll
- 2001-01-13 08:04:00 63,248 -c--a-w C:\WINDOWS\system32\javaprxy.dll
+ 2003-02-28 23:26:18 63,248 ----a-w C:\WINDOWS\system32\javaprxy.dll
- 2001-01-13 08:04:02 404,752 -c--a-w C:\WINDOWS\system32\javart.dll
+ 2003-02-28 23:26:18 404,752 ----a-w C:\WINDOWS\system32\javart.dll
- 2001-01-13 08:04:08 15,120 -c--a-w C:\WINDOWS\system32\jdbgmgr.exe
+ 2003-02-28 23:26:30 15,120 ----a-w C:\WINDOWS\system32\jdbgmgr.exe
- 2001-01-13 08:04:02 171,280 -c--a-w C:\WINDOWS\system32\jit.dll
+ 2003-02-28 23:26:20 171,280 ----a-w C:\WINDOWS\system32\jit.dll
- 2001-01-13 08:04:08 172,304 -c--a-w C:\WINDOWS\system32\jview.exe
+ 2003-02-28 23:26:30 172,304 ----a-w C:\WINDOWS\system32\jview.exe
- 2001-01-13 08:04:02 154,896 -c--a-w C:\WINDOWS\system32\msawt.dll
+ 2003-02-28 23:26:20 154,384 ----a-w C:\WINDOWS\system32\msawt.dll
- 2004-08-04 12:00:00 2,804,224 ----a-w C:\WINDOWS\system32\msi.dll
+ 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
- 2004-08-04 12:00:00 77,312 ----a-w C:\WINDOWS\system32\msiexec.exe
+ 2005-05-04 19:45:36 78,848 ----a-w C:\WINDOWS\system32\msiexec.exe
- 2004-08-04 12:00:00 331,264 ----a-w C:\WINDOWS\system32\msihnd.dll
+ 2005-05-04 19:45:36 271,360 ----a-w C:\WINDOWS\system32\msihnd.dll
- 2004-08-04 12:00:00 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
+ 2005-05-04 19:45:36 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
- 2004-08-04 12:00:00 44,032 ----a-w C:\WINDOWS\system32\msisip.dll
+ 2005-05-04 19:45:36 15,360 ----a-w C:\WINDOWS\system32\msisip.dll
- 2001-01-13 08:04:06 945,424 -c--a-w C:\WINDOWS\system32\msjava.dll
+ 2003-02-28 23:26:26 947,472 ----a-w C:\WINDOWS\system32\msjava.dll
- 2001-01-13 08:04:06 21,264 -c--a-w C:\WINDOWS\system32\msjdbc10.dll
+ 2003-02-28 23:26:26 21,264 ----a-w C:\WINDOWS\system32\msjdbc10.dll
- 2003-04-18 21:46:22 1,233,920 -c--a-w C:\WINDOWS\system32\msxml4.dll
+ 2007-05-08 20:03:04 1,275,392 ----a-w C:\WINDOWS\system32\msxml4.dll
+ 2007-05-16 14:18:44 95,864 ----a-w C:\WINDOWS\system32\NeroCo.dll
- 2008-03-07 12:48:10 34,966 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-09 23:37:00 34,966 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-07 12:48:10 293,708 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-09 23:37:00 293,708 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2004-08-04 12:00:00 581,120 ----a-w C:\WINDOWS\system32\rpcrt4.dll
+ 2007-07-09 13:09:42 584,192 ----a-w C:\WINDOWS\system32\rpcrt4.dll
- 2004-08-04 12:00:00 8,384,000 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-03-06 01:22:33 14,048 ------w C:\WINDOWS\system32\spmsg.dll
- 2004-08-04 12:00:00 57,856 ----a-w C:\WINDOWS\system32\spoolsv.exe
+ 2005-06-10 23:53:32 57,856 ----a-w C:\WINDOWS\system32\spoolsv.exe
- 2004-08-04 12:00:00 246,302 ----a-w C:\WINDOWS\system32\strmdll.dll
+ 2006-08-21 14:52:08 246,814 ----a-w C:\WINDOWS\system32\strmdll.dll
+ 2004-07-09 14:43:56 364,544 ----a-w C:\WINDOWS\system32\TwnLib4.dll
+ 2004-08-11 06:45:04 47,104 ----a-w C:\WINDOWS\system32\uwdf.exe
- 2001-01-13 08:04:06 286,992 -c--a-w C:\WINDOWS\system32\vmhelper.dll
+ 2003-02-28 23:26:26 286,992 ----a-w C:\WINDOWS\system32\vmhelper.dll
+ 2004-08-11 06:45:04 15,872 ----a-w C:\WINDOWS\system32\wdfapi.dll
+ 2004-08-11 06:45:04 38,912 ----a-w C:\WINDOWS\system32\wdfmgr.exe
- 2001-01-13 08:04:08 171,792 -c--a-w C:\WINDOWS\system32\wjview.exe
+ 2003-02-28 23:26:32 171,792 ----a-w C:\WINDOWS\system32\wjview.exe
- 2004-08-04 12:00:00 230,400 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2007-10-27 22:39:20 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2004-08-11 06:45:04 344,064 ----a-w C:\WINDOWS\system32\WMDRMdev.dll
+ 2004-08-11 06:45:04 290,816 ----a-w C:\WINDOWS\system32\WMDRMNet.dll
- 2004-08-04 12:00:00 4,874,240 ----a-w C:\WINDOWS\system32\wmp.dll
+ 2007-04-30 07:22:16 4,734,976 ----a-w C:\WINDOWS\system32\wmp.dll
+ 2004-08-11 06:45:06 1,181,944 ----a-w C:\WINDOWS\system32\wmvadvd.dll
+ 2004-08-11 06:45:06 1,509,376 ----a-w C:\WINDOWS\system32\WMVADVE.DLL
- 2004-08-04 12:00:00 2,105,344 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2007-10-27 22:37:38 2,109,440 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2004-08-11 06:45:06 38,912 ----a-w C:\WINDOWS\system32\wpd_ci.dll
+ 2004-08-11 06:45:06 61,952 ----a-w C:\WINDOWS\system32\wpdconns.dll
+ 2004-08-11 06:45:06 114,176 ----a-w C:\WINDOWS\system32\wpdmtp.dll
+ 2004-08-11 06:45:06 331,776 ----a-w C:\WINDOWS\system32\wpdmtpdr.dll
+ 2004-08-11 06:45:06 66,560 ----a-w C:\WINDOWS\system32\wpdmtpus.dll
+ 2004-08-11 06:45:06 327,680 ----a-w C:\WINDOWS\system32\wpdsp.dll
+ 2004-08-11 06:45:06 10,752 ----a-w C:\WINDOWS\system32\wpdtrace.dll
+ 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-03-21 02:22:04 972,336 ----a-w C:\WINDOWS\UNNeroBackItUp.exe
+ 2007-06-28 00:05:02 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
+ 2007-02-28 21:41:02 972,336 ----a-w C:\WINDOWS\UNNeroShowTime.exe
+ 2007-08-03 19:58:48 972,072 ----a-w C:\WINDOWS\UNNeroVision.exe
+ 2007-08-03 20:04:08 972,072 ----a-w C:\WINDOWS\UNRecode.exe
+ 2007-05-08 20:06:44 1,275,392 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 17:36 455968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-13 01:05 36864]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 22:56 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 01:39 212992]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-08 02:25 143360]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-08 01:36 90112]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-30 17:35 7634944]
"nwiz"="nwiz.exe" [2006-10-30 17:35 1622016 C:\WINDOWS\system32\nwiz.exe]
"PaperPort PTD"="c:\paprport\pptd40nt.exe" [1998-03-10 13:48 22528]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 07:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 07:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-30 17:35 86016]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 22:13 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 02:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-07 12:37 579072]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 08:47 1629480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-07 12:37 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp center.lnk - C:\Program Files\hp center\137903\Program\BackWeb-137903.exe [2002-04-20 19:17:31 16384]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Agl43.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Oub38.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=

S0 Agl43;Agl43;C:\WINDOWS\system32\Drivers\Agl43.sys []
S0 Oub38;Oub38;C:\WINDOWS\system32\Drivers\Oub38.sys []
S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys [2002-03-21 00:35]
S3 USB2_04;USB2_04 driver;C:\WINDOWS\system32\drivers\nkv2.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43127006-769b-11dc-ab71-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 12:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 05:45:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-02 5:51:18 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-04-02 10:51:16
ComboFix2.txt 2008-03-07 19:58:39
Pre-Run: 14,072,864,768 bytes free
Post-Run: 12,039,020,544 bytes free
.
2008-04-01 23:57:45 --- E O F ---
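
The ComboFix service and SafeBoot lines in the log above are what the helper keyed on: two boot-start drivers whose timestamp bracket is empty and which are registered to load in Safe Mode. The script below is an added example, not part of this thread and not ComboFix's own code; it parses those line shapes (the format is inferred from the lines visible in the log) and lists the drivers a reviewer would want hashed and submitted. The sample log is a constructed excerpt copied from the entries above, and the reading of an empty bracket as "ComboFix could not read the file" is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed excerpt: the service and SafeBoot entries copied from the
# ComboFix log in this thread, trimmed to the lines the triage looks at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Agl43.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Oub38.sys]
@="Driver"

S0 Agl43;Agl43;C:\WINDOWS\system32\Drivers\Agl43.sys []
S0 Oub38;Oub38;C:\WINDOWS\system32\Drivers\Oub38.sys []
S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys [2002-03-21 00:35]
S3 USB2_04;USB2_04 driver;C:\WINDOWS\system32\drivers\nkv2.sys []
"""

# "S0 name;display;path [timestamp]" as ComboFix prints service entries.
# S0 is boot start, S3 demand start; the bracket carries the driver file's
# timestamp and (assumption) is empty when ComboFix could not read the file.
SERVICE_RE = re.compile(
    r"^(?P<start>[SR]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$"
)

# Registry key header of a SafeBoot driver registration.
SAFEBOOT_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(?P<mode>Minimal|Network)\\(?P<entry>[^\]]+)\]\s*$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    name: str
    path: str
    start: str
    reasons: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one service line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    return m.groupdict() if m else None


def safeboot_entries(log: str) -> Set[str]:
    """Names registered under the SafeBoot Minimal key, lower-cased, without .sys."""
    names: Set[str] = set()
    for line in log.splitlines():
        m = SAFEBOOT_RE.match(line.strip())
        if m and m.group("mode").lower() == "minimal":
            entry = m.group("entry").lower()
            names.add(entry[:-4] if entry.endswith(".sys") else entry)
    return names


def triage(log: str) -> List[Finding]:
    """List service drivers worth submitting to a scanner, most suspicious first."""
    safeboot = safeboot_entries(log)
    findings: List[Finding] = []
    for line in log.splitlines():
        svc = parse_service_line(line)
        if svc is None:
            continue
        no_stamp = not svc["stamp"].strip()
        in_safeboot = svc["name"].lower() in safeboot
        reasons: List[str] = []
        if no_stamp:
            reasons.append("no file timestamp (ComboFix could not read the driver file)")
        if svc["start"] == "S0":
            reasons.append("boot-start driver (S0)")
        if in_safeboot:
            reasons.append("registered to load in Safe Mode (SafeBoot Minimal)")
        # Boot start alone is normal for disk and filter drivers; flag only
        # when the file is unreadable or the driver added itself to Safe Mode.
        if no_stamp or in_safeboot:
            findings.append(Finding(svc["name"], svc["path"], svc["start"], reasons))
    findings.sort(key=lambda f: (-len(f.reasons), f.name.lower()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name} ({f.start}) {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the excerpt, Agl43 and Oub38 come out on top with all three reasons, nkv2.sys is listed only for its missing timestamp, and trid3dm.sys (timestamped, not in SafeBoot) is not reported; paste a full ComboFix log into `SAMPLE_LOG` and the same rules apply to every service line in it.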

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:47 PM

Posted 02 April 2008 - 06:57 AM

There are a couple of files that show up in your log now that I'd like to have you submit to a virus scanner.
Go to this site.

http://www.virustotal.com/

And upload these files.

C:\WINDOWS\system32\Drivers\Agl43.sys

and

C:\WINDOWS\system32\Drivers\Oub38.sys


It may take a few minutes for each one, so be patient until you get the entire result.
Then copy that text and post it back here in your next reply.


How is your computer working now? Are you still having problems?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 ecpirates

ecpirates
  • Topic Starter

  • Members
  • 10 posts
  • Local time:11:47 PM

Posted 02 April 2008 - 09:12 PM

Alright . . . These two files no longer exist on this machine. I left ComboFix running and went to bed. After ComboFix ran, the computer rebooted and a scheduled AVG anti-virus update and scan completed before I came back to the computer.

The performance is much improved and there are no threats found on any scans.

It seems all is well!
