Themida Infection


  • This topic is locked
12 replies to this topic

#1 guschti
  • Members
  • 8 posts

Posted 20 October 2006 - 04:33 AM

Hello

At every startup of my WinXP I see a window saying something about THEMIDA-protected software. BitDefender found and removed a virus called Win32.ExplorerHijack. Now I wonder if there are more viruses/trojans or even rootkits on my system.

Thanks for any help.

Edited by guschti, 20 October 2006 - 04:54 AM.



#2 guschti
  • Topic Starter
  • Members
  • 8 posts

Posted 20 October 2006 - 04:37 AM

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:35:02, on 20.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
D:\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Logitech\SetPoint\SetPoint.exe
C:\Programme\Gemeinsame Dateien\Logitech\khalshared\KHALMNPR.EXE
D:\MOZILL~1\FIREFOX.EXE
D:\Mozilla Firefox\firefox.exe
D:\Thunderbird\thunderbird.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
D:\BitDefender8\bdnagent.exe
D:\BitDefender8\bdswitch.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
d:\bitdefender8\bdmcon.exe
d:\bitdefender8\bdlite.exe
D:\WinRAR\WinRAR.exe
C:\Dokumente und Einstellungen\ert\Desktop\gmer.exe
C:\Dokumente und Einstellungen\ert\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\server.exe
O4 - HKLM\..\Run: [BDMCon] "D:\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "D:\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [Skype] "D:\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.de/scan8/oscan8.cab
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - D:\FileZilla Server\FileZilla Server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#3 guschti
  • Topic Starter
  • Members
  • 8 posts

Posted 20 October 2006 - 07:42 AM

Ad-Aware finds Win32.trojanDownloader.Agent.am

#4 rookie147
  • Members
  • 5,321 posts

Posted 20 October 2006 - 10:10 AM

Hello guschti, and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Please take note of the following:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#5 rookie147
  • Members
  • 5,321 posts

Posted 20 October 2006 - 10:30 AM

Hello guschti, sorry for the delay, but I'm afraid I have some bad news...

======

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
Thanks,
Charles



#6 guschti
  • Topic Starter
  • Members
  • 8 posts

Posted 21 October 2006 - 11:23 AM

Hello Rookie147

Thanks for your help.
I would like to clean the computer with your help. There is no sensitive data on it. I could also reinstall the machine, but it would be interesting to follow the steps you take.

greetings
guschti

#7 guschti
  • Topic Starter
  • Members
  • 8 posts

Posted 22 October 2006 - 06:29 AM

I followed the "preparation guide", by the way.

#8 rookie147
  • Members
  • 5,321 posts

Posted 22 October 2006 - 09:20 AM

Hey guschti, sorry for the delay in getting back to you.

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible, especially whilst in Safe Mode (you can't use the Internet there).

======

You need to put HijackThis into its own folder. It makes backups and they need to be kept all in one place.

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT". Now you have C:\HJT\ folder. Put your hijackthis.exe there.

======

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\server.exe


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

======

Now, please reboot your computer into Safe Mode. This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode from the list.

======

Next, please find and delete the following files (if present):

C:\WINDOWS\server.exe
C:\WINDOWS\system32\scvhost.exe <--Make sure you delete the right file! There is a legitimate item with a very similar name!

======

Reboot into Normal Mode.

======

Please download Combofix to your desktop.
  • Doubleclick combo.exe
  • Follow the prompts.
  • Don't click on the window while the fix is running, because that will cause your system to hang.
  • When finished, it should produce a log, combofix.txt.
======

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
======

Post back with the following (you may need more than one reply to get it all in):
-New HijackThis log
-ComboFix log
-Panda log

Thanks,
Charles



#9 guschti
  • Topic Starter
  • Members
  • 8 posts

Posted 22 October 2006 - 12:01 PM

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 18:54:07, on 22.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\WIDCOMM\5.0.1.801\bin\btwdins.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
D:\BitDefender10\bdmcon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\system32\rundll32.exe
D:\BitDefender10\bdagent.exe
D:\Zone Labs\ZoneAlarm\zlclient.exe
D:\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
D:\WIDCOMM\5.0.1.801\BTTray.exe
D:\Logitech\SetPoint\SetPoint.exe
D:\WIDCOMM\501~1.801\BTSTAC~1.EXE
C:\Programme\Gemeinsame Dateien\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
D:\BitDefender10\vsserv.exe
D:\MOZILL~1\FIREFOX.EXE
D:\Thunderbird\thunderbird.exe
C:\Dokumente und Einstellungen\ert\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOKUME~1\ert\LOKALE~1\Temp\~DP35.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDMCon] "D:\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BDAgent] "D:\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Skype] "D:\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = D:\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\Free Download Manager\dllink.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth - D:\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\WIDCOMM\5.0.1.801\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\WIDCOMM\5.0.1.801\btsendto_ie.htm
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.de/scan8/oscan8.cab
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\WIDCOMM\5.0.1.801\bin\btwdins.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - D:\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
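
Editor's added example (not part of the thread, and not a tool either poster used). The fix in post #8 rests on two observations about the log in post #2: a Run value named "Windows Update" launches C:\WINDOWS\system32\scvhost.exe, a one-letter-swap lookalike of the legitimate svchost.exe, and a bare server.exe sits directly in the Windows root. The log in post #9 also carries a BHO with no name loading from a Temp directory; the thread does not say what that file is. The Python below applies those heuristics (plus a check for Run values whose name mimics a Windows component) to HijackThis-style lines. The sample lines are constructed from entries in this thread, the core-binary allowlist is this example's own assumption and nowhere near complete, and every hit is a lead to verify by hashing the file and checking its signer, not a verdict.

```python
"""Triage HijackThis-style autorun lines: flag lookalikes of core Windows
binaries and startup items loading from places they rarely belong.

Added example for this thread; not a tool either poster used.  The allowlist
and the heuristics below are this example's own assumptions (not a published
signature set), so every hit is a lead to verify, never a verdict."""
import re
from pathlib import PureWindowsPath

# Constructed sample input, shaped after O2/O4 lines posted in this thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\system32\scvhost.exe",
    r"O4 - HKLM\..\Run: [startkey] C:\WINDOWS\server.exe",
    r"O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOKUME~1\ert\LOKALE~1\Temp\~DP35.dll",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Java\jre1.5.0_09\bin\ssv.dll",
]

# Core Windows binaries that malware imitates with one-character changes.
# Assumption: a short illustrative allowlist, nowhere near complete.
CORE_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "spoolsv.exe", "rundll32.exe", "ctfmon.exe",
}

# First drive-letter path that ends in a loadable extension (handles unquoted
# paths with spaces, and stops before ",EntryPoint" style arguments).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|cpl|scr|sys)\b", re.IGNORECASE)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, and an
    adjacent transposition each cost 1, so 'scvhost' is 1 from 'svchost'
    (plain Levenshtein scores the swap as 2 and would miss it at threshold 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def extract_path(line: str):
    """Return the launched file's path from a HijackThis line, or None."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def triage_line(line: str) -> list:
    """Reasons this entry deserves a look; an empty list means nothing seen."""
    path = extract_path(line)
    if path is None:
        return []
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    reasons = []
    if name not in CORE_BINARIES:
        for known in sorted(CORE_BINARIES):
            if osa_distance(name, known) == 1:
                reasons.append(f"lookalike of {known}")
                break
        # Apart from explorer.exe and a few others, nothing legitimate starts
        # from directly inside the Windows root.
        if re.fullmatch(r"[a-z]:\\win(dows|nt)", parent):
            reasons.append("executable in Windows root")
    if "\\temp\\" in parent + "\\":
        reasons.append("loaded from a Temp directory")
    # A Run value named after a Windows component that launches an unknown binary.
    m = re.search(r"\[(.*?)\]", line)
    if m and re.search(r"windows|microsoft", m.group(1), re.I) and name not in CORE_BINARIES:
        reasons.append(f"value name '{m.group(1)}' mimics a Windows component")
    return reasons


def triage(lines) -> dict:
    """Map each flagged line to its list of reasons."""
    hits = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            hits[line] = reasons
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run as a script it prints the three flagged sample lines with their reasons: the scvhost.exe entry (lookalike plus a deceptive value name), server.exe (Windows root) and the Temp-directory BHO; the NVIDIA, Nero, ctfmon and Java entries pass. The lookalike check uses optimal string alignment distance rather than plain Levenshtein because the s/v/c swap in scvhost counts as two substitutions under Levenshtein, which is exactly the trick the "delete the right file" warning in post #8 is about.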

#10 guschti
  • Topic Starter
  • Members
  • 8 posts

Posted 22 October 2006 - 12:02 PM

ComboFix log:
ert - 06-10-22 18:56:29.39 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Dokumente und Einstellungen\ert\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\scvhost.exe


((((((((((((((((((((((((((((((( Files Created from 2006-09-22 to 2006-10-22 ))))))))))))))))))))))))))))))))))


2006-10-22 11:12 503,808 --a------ C:\WINDOWS\system32\xreglib.dll
2006-10-21 18:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-20 15:44 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2006-10-20 15:44 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2006-10-20 15:44 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2006-10-20 15:44 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2006-10-20 15:44 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2006-10-20 15:44 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2006-10-20 15:44 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2006-10-20 15:43 54,272 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-10-20 15:05 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2006-10-20 15:05 59,648 --a------ C:\WINDOWS\system32\drivers\rfcomm.sys
2006-10-20 15:05 275,200 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2006-10-20 15:05 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2006-10-20 15:05 18,944 --a------ C:\WINDOWS\system32\drivers\BTHUSB.SYS
2006-10-20 15:05 17,024 --a------ C:\WINDOWS\system32\drivers\BthEnum.sys
2006-10-20 15:05 154,112 --a------ C:\WINDOWS\system32\irftp.exe
2006-10-20 15:05 100,992 --a------ C:\WINDOWS\system32\drivers\bthpan.sys
2006-10-20 12:52 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2006-10-19 17:28 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-10-18 09:48 44,544 --a------ C:\WINDOWS\nkit.dll
2006-10-18 09:48 3,686,400 --a------ C:\WINDOWS\Steam.dll
2006-10-18 09:33 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-10-18 09:33 271,360 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2006-10-18 09:33 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-10-18 09:33 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-10-18 09:33 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2006-10-17 19:42 299,008 --------- C:\WINDOWS\system32\fpmon5.dll
2006-10-17 19:42 163,840 --------- C:\WINDOWS\system32\fpres532.dll
2006-10-17 13:33 6,049,280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-17 13:33 50,688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-17 13:33 458,752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-17 13:33 180,736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-17 13:05 206,336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 13:01 13,312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-17 12:58 61,952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12,288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 266,752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 12:27 380,928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-15 14:04 71,936 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
2006-10-15 14:04 69,632 --a------ C:\WINDOWS\system32\KemXML.dll
2006-10-15 14:04 55,936 --a------ C:\WINDOWS\system32\drivers\L8042MOU.SYS
2006-10-15 14:04 3,712 --a------ C:\WINDOWS\system32\drivers\LBeepKE.sys
2006-10-15 14:04 155,648 --a------ C:\WINDOWS\system32\kemutb.dll
2006-10-15 14:04 131,072 --a------ C:\WINDOWS\system32\KemUtil.dll
2006-10-15 14:04 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2006-10-14 18:40 611,064 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-10-14 17:57 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-10-14 17:54 6,912 --a------ C:\WINDOWS\system32\drivers\vulfnth.sys
2006-10-14 17:54 45,056 --a------ C:\WINDOWS\system32\vusetup.dll
2006-10-14 17:54 328,704 --a------ C:\WINDOWS\IsUn0407.exe
2006-10-14 17:54 11,392 --a------ C:\WINDOWS\system32\drivers\vulfntr.sys
2006-10-14 17:53 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-10-14 17:53 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2006-10-14 17:53 65,536 --a------ C:\WINDOWS\system32\Audio3D.dll
2006-10-14 17:53 65,536 --a------ C:\WINDOWS\system32\a3d.dll
2006-10-14 17:53 65,024 --a------ C:\WINDOWS\SOUNDMAN.EXE
2006-10-14 17:53 613,244 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2006-10-14 17:53 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-10-14 17:53 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-10-14 17:53 6,964,736 --a------ C:\WINDOWS\system32\RTLCPL.EXE
2006-10-14 17:53 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-10-14 17:53 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-10-14 17:53 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2006-10-14 17:53 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2006-10-14 17:53 400,384 --a------ C:\WINDOWS\system32\drivers\ALCXSENS.SYS
2006-10-14 17:53 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2006-10-14 17:53 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-10-14 17:53 208,896 --------- C:\WINDOWS\alcupd.exe
2006-10-14 17:53 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-10-14 17:53 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-10-14 17:53 155,648 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
2006-10-14 17:53 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2006-10-14 17:53 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-10-14 17:53 139,264 --------- C:\WINDOWS\alcrmv.exe
2006-10-14 17:50 306,688 --a------ C:\WINDOWS\IsUninst.exe
2006-10-14 17:50 27,904 --a------ C:\WINDOWS\system32\drivers\VIAAGP1.SYS
2006-10-14 17:44 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2006-10-14 17:34 65,888 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2006-10-14 17:34 37,888 --a------ C:\WINDOWS\system32\setupnt.dll
2006-10-14 17:34 27,648 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2006-10-14 17:34 182,752 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2006-10-14 17:34 102,400 --a------ C:\WINDOWS\system32\snapapi.dll
2006-10-14 17:33 26,496 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-10-14 17:22 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2006-10-14 17:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2006-10-14 17:14 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2006-10-14 17:04 0 -rahs---- C:\MSDOS.SYS
2006-10-14 17:04 0 -rahs---- C:\IO.SYS
2006-10-14 17:04 0 --a------ C:\CONFIG.SYS
2006-10-14 17:04 0 --a------ C:\AUTOEXEC.BAT
2006-10-14 17:03 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2006-10-14 17:02 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2006-10-14 17:02 70,144 --a------ C:\WINDOWS\system32\acctres.dll
2006-10-14 17:02 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2006-10-14 17:02 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2006-10-14 17:02 466,200 --a------ C:\WINDOWS\system32\wuapi.dll
2006-10-14 17:02 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-10-14 17:02 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2006-10-14 17:02 194,840 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-10-14 17:02 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-10-14 17:02 174,872 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-10-14 17:02 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2006-10-14 17:02 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll
2006-10-14 17:02 128,280 --a------ C:\WINDOWS\system32\wucltui.dll
2006-10-14 17:02 124,696 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-10-14 17:02 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll
2006-10-14 17:02 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2006-10-14 17:02 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-10-14 17:01 86,016 --a------ C:\WINDOWS\system32\isign32.dll
2006-10-14 17:01 81,920 --a------ C:\WINDOWS\system32\ils.dll
2006-10-14 17:01 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2006-10-14 17:01 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2006-10-14 17:01 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2006-10-14 17:01 679,424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-10-14 17:01 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2006-10-14 17:01 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2006-10-14 17:01 51,712 --a------ C:\WINDOWS\system32\inetres.dll
2006-10-14 17:01 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2006-10-14 17:01 44,032 --a------ C:\WINDOWS\system32\racpldlg.dll
2006-10-14 17:01 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2006-10-14 17:01 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2006-10-14 17:01 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-10-14 17:01 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2006-10-14 17:01 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2006-10-14 17:01 282,624 --a------ C:\WINDOWS\system32\inetcfg.dll
2006-10-14 17:01 280,064 --a------ C:\WINDOWS\system32\mstask.dll
2006-10-14 17:01 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2006-10-14 17:01 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2006-10-14 17:01 242,176 --a------ C:\WINDOWS\system32\srrstr.dll
2006-10-14 17:01 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-10-14 17:01 192,000 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-10-14 17:01 171,008 --a------ C:\WINDOWS\system32\srsvc.dll
2006-10-14 17:01 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-10-14 17:01 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-10-14 17:01 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2006-10-14 17:01 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2006-10-14 17:00 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2006-10-14 17:00 94,720 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2006-10-14 17:00 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-10-14 17:00 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2006-10-14 17:00 80,896 --a------ C:\WINDOWS\system32\charmap.exe
2006-10-14 17:00 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2006-10-14 17:00 683,520 --a------ C:\WINDOWS\system32\getuname.dll
2006-10-14 17:00 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2006-10-14 17:00 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2006-10-14 17:00 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-10-14 17:00 61,440 --a------ C:\WINDOWS\system32\remotepg.dll
2006-10-14 17:00 57,344 --a------ C:\WINDOWS\system32\sol.exe
2006-10-14 17:00 55,808 --a------ C:\WINDOWS\system32\freecell.exe
2006-10-14 17:00 54,272 --a------ C:\WINDOWS\system32\stclient.dll
2006-10-14 17:00 539,136 --a------ C:\WINDOWS\system32\spider.exe
2006-10-14 17:00 5,632 --a------ C:\WINDOWS\system32\write.exe
2006-10-14 17:00 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2006-10-14 17:00 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-10-14 17:00 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2006-10-14 17:00 412,672 --a------ C:\WINDOWS\system32\mstsc.exe
2006-10-14 17:00 4,608 --a------ C:\WINDOWS\system32\rdpcfgex.dll
2006-10-14 17:00 4,096 --a------ C:\WINDOWS\system32\mtxex.dll
2006-10-14 17:00 39,424 --a------ C:\WINDOWS\system32\cfgbkend.dll
2006-10-14 17:00 356,352 --a------ C:\WINDOWS\system32\hypertrm.dll
2006-10-14 17:00 35,840 --a------ C:\WINDOWS\system32\winchat.exe
2006-10-14 17:00 346,624 --a------ C:\WINDOWS\system32\mspaint.exe
2006-10-14 17:00 33,792 --a------ C:\WINDOWS\system32\regini.exe
2006-10-14 17:00 297,472 --a------ C:\WINDOWS\system32\termsrv.dll
2006-10-14 17:00 25,600 --a------ C:\WINDOWS\system32\comaddin.dll
2006-10-14 17:00 25,088 --a------ C:\WINDOWS\system32\mtxlegih.dll
2006-10-14 17:00 232,960 --a------ C:\WINDOWS\system32\avtapi.dll
2006-10-14 17:00 22,528 --a------ C:\WINDOWS\system32\qwinsta.exe
2006-10-14 17:00 22,528 --a------ C:\WINDOWS\system32\msg.exe
2006-10-14 17:00 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2006-10-14 17:00 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2006-10-14 17:00 20,480 --a------ C:\WINDOWS\system32\mtxdm.dll
2006-10-14 17:00 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2006-10-14 17:00 188,416 --a------ C:\WINDOWS\system32\accwiz.exe
2006-10-14 17:00 17,920 --a------ C:\WINDOWS\system32\tsshutdn.exe
2006-10-14 17:00 17,408 --a------ C:\WINDOWS\system32\qappsrv.exe
2006-10-14 17:00 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-10-14 17:00 16,384 --a------ C:\WINDOWS\system32\tskill.exe
2006-10-14 17:00 16,384 --a------ C:\WINDOWS\system32\rwinsta.exe
2006-10-14 17:00 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2006-10-14 17:00 15,872 --a------ C:\WINDOWS\system32\logoff.exe
2006-10-14 17:00 15,872 --a------ C:\WINDOWS\system32\cdmodem.dll
2006-10-14 17:00 15,360 --a------ C:\WINDOWS\system32\tsdiscon.exe
2006-10-14 17:00 15,360 --a------ C:\WINDOWS\system32\tscon.exe
2006-10-14 17:00 15,360 --a------ C:\WINDOWS\system32\shadow.exe
2006-10-14 17:00 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2006-10-14 17:00 147,456 --a------ C:\WINDOWS\system32\comsnap.dll
2006-10-14 17:00 142,848 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-10-14 17:00 139,776 --a------ C:\WINDOWS\system32\sndvol32.exe
2006-10-14 17:00 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2006-10-14 17:00 133,120 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-10-14 17:00 13,824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-10-14 17:00 128,000 --a------ C:\WINDOWS\system32\mshearts.exe
2006-10-14 17:00 124,928 --a------ C:\WINDOWS\system32\mplay32.exe
2006-10-14 17:00 120,320 --a------ C:\WINDOWS\system32\winmine.exe
2006-10-14 17:00 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2006-10-14 17:00 114,688 --a------ C:\WINDOWS\system32\calc.exe
2006-10-14 17:00 11,264 --a------ C:\WINDOWS\system32\icaapi.dll
2006-10-14 17:00 104,448 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-10-14 17:00 10,240 --a------ C:\WINDOWS\system32\reset.exe
2006-10-14 17:00 1,237 --a------ C:\WINDOWS\system32\usrlogon.cmd
2006-10-14 16:59 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-10-14 16:59 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2006-10-14 16:59 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-10-14 16:59 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2006-10-14 16:59 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2006-10-14 16:59 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2006-10-14 16:59 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
2006-10-14 16:59 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2006-10-14 16:59 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2006-10-14 16:59 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll
2006-10-14 16:59 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-10-14 16:59 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2006-10-14 16:59 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2006-10-14 16:59 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2006-10-14 16:59 189,440 --a------ C:\WINDOWS\system32\cmprops.dll
2006-10-14 16:59 17,920 --a------ C:\WINDOWS\system32\mmfutil.dll
2006-10-14 16:59 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-10-14 16:59 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2006-10-14 16:59 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-10-14 16:51 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2006-10-14 16:50 57,600 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2006-10-14 16:50 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2006-10-14 16:49 77,312 --a------ C:\WINDOWS\system32\usbui.dll
2006-10-14 16:49 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2006-10-14 16:49 46,464 --a------ C:\WINDOWS\system32\drivers\GAGP30KX.SYS
2006-10-14 16:48 86,556 --a------ C:\WINDOWS\system32\dgsetup.dll
2006-10-14 16:48 8,704 --a------ C:\WINDOWS\system32\batt.dll
2006-10-14 16:48 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
2006-10-14 16:48 76,288 --a------ C:\WINDOWS\system32\storprop.dll
2006-10-14 16:48 70,144 --a------ C:\WINDOWS\NOTEPAD.EXE
2006-10-14 16:48 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll
2006-10-14 16:48 6,656 -ra------ C:\WINDOWS\system32\kbdycl.dll
2006-10-14 16:48 6,656 -ra------ C:\WINDOWS\system32\kbdsl1.dll
2006-10-14 16:48 6,656 -ra------ C:\WINDOWS\system32\kbdsl.dll
2006-10-14 16:48 6,656 -ra------ C:\WINDOWS\system32\kbdpl.dll
2006-10-14 16:48 6,656 -ra------ C:\WINDOWS\system32\kbdhu.dll
2006-10-14 16:48 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll
2006-10-14 16:48 6,656 -ra------ C:\WINDOWS\system32\kbdcz2.dll
2006-10-14 16:48 6,656 -ra------ C:\WINDOWS\system32\kbdcz1.dll
2006-10-14 16:48 6,656 -ra------ C:\WINDOWS\system32\kbdcr.dll
2006-10-14 16:48 6,656 -ra------ C:\WINDOWS\system32\KBDAL.DLL
2006-10-14 16:48 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll
2006-10-14 16:48 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll
2006-10-14 16:48 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll
2006-10-14 16:48 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll
2006-10-14 16:48 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll
2006-10-14 16:48 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll
2006-10-14 16:48 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdycc.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbduzb.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdur.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdtat.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdru1.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdru.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdro.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdpl1.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdkaz.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdhu1.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdbu.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdblr.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll
2006-10-14 16:48 5,632 -ra------ C:\WINDOWS\system32\kbdaze.dll
2006-10-14 16:48 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-10-14 16:48 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll
2006-10-14 16:48 15,872 --a------ C:\WINDOWS\TASKMAN.EXE
2006-10-14 16:48 13,824 --a------ C:\WINDOWS\system32\irclass.dll
2006-10-14 16:48 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2006-10-14 16:48 103,936 --a------ C:\WINDOWS\system32\EqnClass.Dll
2006-10-07 16:28 13,568 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.sys
2006-09-30 14:13 94,208 --a------ C:\WINDOWS\KHALMNPR.Exe
2006-09-30 14:13 36,736 --a------ C:\WINDOWS\system32\drivers\LHidUsbK.sys
2006-09-30 14:13 27,136 --a------ C:\WINDOWS\system32\drivers\LHidKE.Sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-22 18:56 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Skype
2006-10-22 02:07 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Bitdefender
2006-10-22 02:04 -------- d-------- C:\Programme\Gemeinsame Dateien\Softwin
2006-10-22 02:04 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Azureus
2006-10-20 14:01 -------- d---s---- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Microsoft
2006-10-20 13:58 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Free Download Manager
2006-10-20 12:57 -------- d-------- C:\Programme\Gemeinsame Dateien\Microsoft Shared
2006-10-20 12:51 -------- d-------- C:\Programme\Gemeinsame Dateien\DESIGNER
2006-10-20 12:51 -------- d-------- C:\Programme\Gemeinsame Dateien
2006-10-20 10:58 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Lavasoft
2006-10-19 18:12 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Ahead
2006-10-19 18:10 -------- d-------- C:\Programme\Gemeinsame Dateien\Ahead
2006-10-19 10:52 -------- d-------- C:\Programme\Gemeinsame Dateien\ParallelGraphics
2006-10-18 15:34 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Sun
2006-10-18 09:37 -------- d-------- C:\Programme\Gemeinsame Dateien\InstallShield
2006-10-17 13:33 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-17 13:33 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-17 13:33 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 13:01 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-17 13:01 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-17 13:01 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-17 13:01 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-17 13:01 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-17 13:00 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-17 13:00 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-17 13:00 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 12:23 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-16 10:24 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Apple Computer
2006-10-15 19:56 -------- d-------- C:\Programme\Gemeinsame Dateien\Java
2006-10-15 19:50 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Kana Solution
2006-10-15 18:20 -------- d-------- C:\Programme\Gemeinsame Dateien\Adobe
2006-10-15 18:20 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\AdobeUM
2006-10-15 18:20 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Adobe
2006-10-15 18:19 869 --a------ C:\Dokumente und Einstellungen\ert\Anwendungsdaten\AdobeDLM.log
2006-10-15 18:19 0 --a------ C:\Dokumente und Einstellungen\ert\Anwendungsdaten\dm.ini
2006-10-15 18:19 -------- d-------- C:\Programme\Adobe
2006-10-15 18:15 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\IDMComp
2006-10-15 14:06 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Logitech
2006-10-15 14:04 -------- d--h----- C:\Programme\InstallShield Installation Information
2006-10-15 14:04 -------- d-------- C:\Programme\Gemeinsame Dateien\Logitech
2006-10-14 19:24 -------- d-------- C:\Programme\Windows Media Player
2006-10-14 19:24 -------- d-------- C:\Programme\Messenger
2006-10-14 19:24 -------- d-------- C:\Programme\Internet Explorer
2006-10-14 19:22 -------- d-------- C:\Programme\Outlook Express
2006-10-14 19:22 -------- d-------- C:\Programme\Gemeinsame Dateien\System
2006-10-14 17:46 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Macromedia
2006-10-14 17:34 -------- d-------- C:\Programme\Gemeinsame Dateien\Acronis
2006-10-14 17:24 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Thunderbird
2006-10-14 17:24 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla
2006-10-14 17:15 -------- d-------- C:\Programme\Marvell
2006-10-14 17:13 -------- d--h----- C:\Programme\Uninstall Information
2006-10-14 17:13 -------- d-------- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Identities
2006-10-14 17:04 -------- d-------- C:\Programme\xerox
2006-10-14 17:04 -------- d-------- C:\Programme\microsoft frontpage
2006-10-14 17:03 -------- d--h----- C:\Programme\WindowsUpdate
2006-10-14 17:03 -------- d-------- C:\Programme\Online-Dienste
2006-10-14 17:02 -------- d-------- C:\Programme\NetMeeting
2006-10-14 17:02 -------- d-------- C:\Programme\Gemeinsame Dateien\MSSoap
2006-10-14 17:02 -------- d-------- C:\Programme\Gemeinsame Dateien\Dienste
2006-10-14 17:01 -------- d-------- C:\Programme\Movie Maker
2006-10-14 17:01 -------- d-------- C:\Programme\ComPlus Applications
2006-10-14 17:00 -------- d-------- C:\Programme\Windows NT
2006-10-14 17:00 -------- d-------- C:\Programme\Online Services
2006-10-14 17:00 -------- d-------- C:\Programme\MSN Gaming Zone
2006-10-14 17:00 -------- d-------- C:\Programme\MSN
2006-10-14 16:48 62 --ahs---- C:\Dokumente und Einstellungen\ert\Anwendungsdaten\desktop.ini
2006-10-14 16:48 -------- d-------- C:\Programme\Gemeinsame Dateien\SpeechEngines
2006-10-14 16:48 -------- d-------- C:\Programme\Gemeinsame Dateien\ODBC
2006-09-13 07:02 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-09 11:31 30988 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2006-08-25 17:46 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-22 16:08 77824 --a------ C:\WINDOWS\system32\xcomm.dll
2006-08-16 13:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-11 21:45 888832 --a------ C:\WINDOWS\system32\nvmobls.dll
2006-08-11 21:45 581632 --a------ C:\WINDOWS\system32\nvhwvid.dll
2006-08-11 21:45 5611520 --a------ C:\WINDOWS\system32\nvdisps.dll
2006-08-11 21:45 5251072 --a------ C:\WINDOWS\system32\nvdispsr.dll
2006-08-11 21:45 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2006-08-11 21:45 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2006-08-11 21:45 3039232 --a------ C:\WINDOWS\system32\nvgames.dll
2006-08-11 21:45 2953216 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2006-08-11 21:45 2928640 --a------ C:\WINDOWS\system32\nvgamesr.dll
2006-08-11 21:45 2904064 --a------ C:\WINDOWS\system32\nvvitvs.dll
2006-08-11 21:45 2859008 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2006-08-11 21:45 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2006-08-11 21:45 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2006-08-11 21:45 1732608 --a------ C:\WINDOWS\system32\nvwssr.dll
2006-08-11 21:45 1236992 --a------ C:\WINDOWS\system32\nvwss.dll
2006-08-11 21:44 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2006-08-11 21:43 86016 --a------ C:\WINDOWS\system32\nvmctray.dll
2006-08-11 21:43 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2006-08-11 21:43 794624 --a------ C:\WINDOWS\system32\nvcplui.exe
2006-08-11 21:43 7630848 --a------ C:\WINDOWS\system32\nvcpl.dll
2006-08-11 21:43 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2006-08-11 21:43 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2006-08-11 21:43 425984 --a------ C:\WINDOWS\system32\keystone.exe
2006-08-11 21:43 311296 --a------ C:\WINDOWS\system32\nvexpbar.dll
2006-08-11 21:43 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2006-08-11 21:43 196608 --a------ C:\WINDOWS\system32\nvapi.dll
2006-08-11 21:43 1662976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2006-08-11 21:43 1519616 --a------ C:\WINDOWS\system32\nwiz.exe
2006-08-11 21:43 1470464 --a------ C:\WINDOWS\system32\nview.dll
2006-08-11 21:43 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2006-08-11 21:43 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2006-08-11 21:43 1011712 --a------ C:\WINDOWS\system32\nvcpluir.dll
2006-08-11 21:42 5636096 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-08-11 21:42 4496128 --a------ C:\WINDOWS\system32\nv4_disp.dll
2006-08-11 21:42 35840 --a------ C:\WINDOWS\system32\nvcodins.dll
2006-08-11 21:42 35840 --a------ C:\WINDOWS\system32\nvcod.dll
2006-08-11 21:42 155715 --a------ C:\WINDOWS\system32\nvsvc32.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"D:\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"BDMCon"="\"D:\\BitDefender10\\bdmcon.exe\" /reg"
"FinePrint Dispatcher v5"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fpdisp5a.exe\" /source=HKLM"
"nwiz"="nwiz.exe /install"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"BDAgent"="\"D:\\BitDefender10\\bdagent.exe\""
"Zone Labs Client"="\"D:\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"BDNewsAgent"="\"D:\\BitDefender8\\bdnagent.exe\""
"NeroFilterCheck"="C:\\Programme\\Gemeinsame Dateien\\Ahead\\Lib\\NeroCheck.exe"
"Windows Update"="C:\\WINDOWS\\system32\\scvhost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\AutorunsDisabled]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\AutorunsDisabled\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDriveAutoRun"=hex:ff,ff,ff,03

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\Adobe Reader - Schnellstart.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader - Schnellstart.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader - Schnellstart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"D:\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FileZilla Server Interface"
"hkey"="HKLM"
"command"="\"D:\\FileZilla Server\\FileZilla Server Interface.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="isuspm"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\GEMEIN~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="issch"
"hkey"="HKLM"
"command"="\"C:\\Programme\\Gemeinsame Dateien\\InstallShield\\UpdateService\\issch.exe\" -start"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHALMNPR"
"hkey"="HKLM"
"command"="KHALMNPR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHALMNPR"
"hkey"="HKLM"
"command"="\"C:\\Programme\\Gemeinsame Dateien\\Logitech\\khalshared\\KHALMNPR.EXE\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"D:\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shdef]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="shdef"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\shdef.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startkey]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="server"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\server.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"D:\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-22 18:57:04.34
C:\ComboFix.txt ... 06-10-22 18:57
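
The "Reg Loading Points" block above is where a responder looks for autorun entries worth a second glance (a name one character off a system binary such as scvhost.exe, or executables sitting directly in C:\WINDOWS like shdef.exe and server.exe). As an added example that is not part of this thread or of ComboFix, the Python script below parses that .reg-style section and flags exactly those patterns; SAMPLE_LOG and the heuristics are constructed for the example, and its output is a review list, not a verdict.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log (added example; not
ComboFix's code nor the poster's). ComboFix prints autorun locations as a .reg-style
dump: [key] headers, then "name"="value" lines. SAMPLE_LOG and the rules below are
constructed for this example; the sample mirrors the log posted above."""
import re

# Core Windows binaries that malware imitates with a one-character change.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "explorer.exe", "ctfmon.exe", "smss.exe"}

SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"D:\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"NeroFilterCheck"="C:\\Programme\\Gemeinsame Dateien\\Ahead\\Lib\\NeroCheck.exe"
"Windows Update"="C:\\WINDOWS\\system32\\scvhost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shdef]
"item"="shdef"
"command"="C:\\WINDOWS\\shdef.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startkey]
"item"="server"
"command"="C:\\WINDOWS\\server.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|com|scr|bat|cmd|pif))(?:"|\s|$)', re.IGNORECASE)

def unescape(s):
    """Undo .reg escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_dump(text):
    """Yield (key, name, value) for every string value in the dump."""
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def autorun_entries(text):
    """Return [(key, display_name, command)] for values that launch something at logon."""
    entries = []
    for key, name, value in parse_reg_dump(text):
        low = key.lower()
        if low.endswith("\\run") or low.endswith("\\run\\autorunsdisabled"):
            entries.append((key, name, value))
        # msconfig keeps each disabled item under its own key; "command" is what it ran.
        elif "\\msconfig\\startup" in low and name == "command" and value.strip():
            entries.append((key, key.rsplit("\\", 1)[-1], value))
    return entries

def launched_image(command):
    """Image a Run command starts: the quoted path, else text up to the first executable extension."""
    command = command.strip()
    if m := IMAGE_RE.match(command):
        return m.group(1)
    return command.split('"')[1] if command.startswith('"') else command.split(" ")[0]

def osa_distance(a, b):
    """Levenshtein distance that also counts an adjacent swap as one edit."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def triage_entry(name, command):
    """Reasons this entry deserves a closer look; an empty list means nothing tripped."""
    directory, _, base = launched_image(command).lower().rpartition("\\")
    reasons = []
    if base not in SYSTEM_BINARIES:
        reasons += [f"look-alike of {s}" for s in sorted(SYSTEM_BINARIES) if osa_distance(base, s) == 1]
        # A Windows/Microsoft label on a non-system image is a classic disguise.
        if re.search(r"windows|microsoft", name, re.IGNORECASE):
            reasons.append("display name claims to be a Windows component")
    # Installers target Program Files or system32; a binary dropped in %WINDIR% itself is unusual.
    if directory == r"c:\windows":
        reasons.append("image sits directly in the Windows directory")
    return reasons

def triage_log(text):
    """Autorun entries that trip at least one rule, in log order."""
    hits = []
    for key, name, command in autorun_entries(text):
        if reasons := triage_entry(name, command):
            hits.append({"key": key, "name": name, "image": launched_image(command), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(f"{hit['name']!r} -> {hit['image']}: " + "; ".join(hit["reasons"]))
```

Point triage_log at the real "Reg Loading Points" text instead of SAMPLE_LOG to get the same review list for a full log; the flagged entries still need the usual file checks before anything is removed.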

#11 guschti

guschti
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:35 AM

Posted 22 October 2006 - 02:20 PM

ActiveScan log:


Incident Status Location

Spyware:Cookie/Hitbox Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Com.com Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.com.com/]
Spyware:Cookie/2o7 Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adtech Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.adtech.de/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/NewMedia Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.anm.co.uk/]
Spyware:Cookie/Falkag Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.as1.falkag.de/]
Spyware:Cookie/Falkag Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.atwola.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.centrport.net/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/HotLog Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/2o7 Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.microsoftwga.112.2o7.net/]
Spyware:Cookie/Overture Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/SpyLog Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Toplist Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Weborama Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.weborama.fr/]
Spyware:Cookie/Xiti Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Yadro Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Adserver Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Falkag Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[as1.falkag.de/]
Spyware:Cookie/Bilbo.counted Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[bilbo.counted.com/]
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[fe.lea.lycos.de/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/onestat.com Not disinfected C:\Dokumente und Einstellungen\ert\Anwendungsdaten\Mozilla\Firefox\Profiles\axfcqqmx.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/2o7 Not disinfected C:\Dokumente und Einstellungen\ert\Cookies\ert@microsoftwga.112.2o7[2].txt
Virus:Bck/Nucleroot.B Disinfected C:\WINDOWS\nkit.dll
Adware:Adware/AdvertMem Not disinfected D:\eMule0.47a\Incoming\01 - Oblivion Mobile Game 11.zip[setup.exe]

#12 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:03:35 PM

Posted 23 October 2006 - 04:36 AM

Hey guschti, sorry for the delay in getting back to you.
Print these instructions out for use whilst in Safe Mode.

======

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

======

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.
======

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
======

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

======

Download Silent Runners.zip and extract it to a new folder on your Desktop.
  • Run the Silent Runners.vbs file.
  • You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO."
  • If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run.
  • This script is not malicious so please allow it.
  • A text file will appear in the folder - it's not done, let it run. (It won't appear to be doing anything!)
  • Once the "All Done!" prompt flashes up, open the text file, and copy & paste it in your next reply.
======

Please post back with the following:
-SilentRunners log
-Ewido log

Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#13 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:03:35 PM

Posted 30 October 2006 - 11:44 AM

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

If you are pleased with the service I have offered, you may like to consider making a donation.




