
Infected With Something. Keep Recreating Itself After Being Deleted. Help!


13 replies to this topic

#1 chungdim

chungdim

  • Members
  • 9 posts

Posted 16 November 2006 - 07:28 PM

I have scanned my computer with Ad-Aware and Spybot Search & Destroy. However, I am unable to scan online through any of the suggested online scanners: Trend Micro, BitDefender or Panda. Almost forgot to mention, my home page in IE keeps wanting to change itself to www.sha123.com?? Also I get an error message twice a day. In the morning it says
csrss
X 'AM' is not a valid integer value.

In the afternoon it says
csrss
X 'PM' is not a valid integer value.


Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:13:52 PM, on 11/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\WDBtnMgr.exe
H:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
H:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
H:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Snoopy\LOCALS~1\Temp\RarSFX0\csrss.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
H:\software\aNTI-VIRUS\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CardGate] "h:\Program Files\Softick\CardExport\CardGate.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "H:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [smss] C:\Program Files\Common Files\smss.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [muBlinder] H:\C destop\ms sp\muBlinder\muBlinder.exe -startup
O4 - HKLM\..\Run: [Ad-watch] H:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "H:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.3.0.0) Control) - http://64.60.109.140/cab/Live.cab
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00719/sb027.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: Network.ConnectionTray - {87CDD3DC-70A2-12C2-51E5-DFBC58821EC3} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe


Help, Help.
Thanks in advance!

Edited by chungdim, 16 November 2006 - 07:57 PM.
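The point a helper checks by eye in the log above is that core Windows process names (smss.exe, csrss.exe) are running from Temp and Program Files rather than System32. The script below, an added example that is not part of the thread and not part of HijackThis, automates that check over a constructed excerpt in the same layout; the SYSTEM_PROCESSES table and the sample log are assumptions made for the example.

```python
"""Flag Windows system-process names that run from non-standard locations
in a HijackThis-style log ("Running processes" lines and O4 autorun entries).
Added example; the process table and sample log below are constructed."""
import re
from typing import Iterator, List, Optional, Tuple

# Core Windows processes and the directory each legitimately lives in.
# Values are lower-case suffixes, so the drive letter and 8.3 short names
# (C:\DOCUME~1\...) do not matter for the comparison.
SYSTEM_PROCESSES = {
    "smss.exe": "\\windows\\system32",
    "csrss.exe": "\\windows\\system32",
    "winlogon.exe": "\\windows\\system32",
    "services.exe": "\\windows\\system32",
    "lsass.exe": "\\windows\\system32",
    "svchost.exe": "\\windows\\system32",
    "explorer.exe": "\\windows",
}

# Constructed excerpt in the same layout as the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Snoopy\LOCALS~1\Temp\RarSFX0\csrss.exe
C:\WINDOWS\System32\svchost.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [smss] C:\Program Files\Common Files\smss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def first_token(cmd: str) -> str:
    """Return the executable part of an autorun command line, dropping switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so only cut at the first " /" or " -" switch.
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0]


def extract_paths(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (source, path) for each 'Running processes' line and O4 autorun entry."""
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = O4_RE.match(line)
        if m:
            yield ("O4 [%s]" % m.group("name"), first_token(m.group("cmd")))
        elif in_processes:
            yield ("process", line)


def check_path(path: str) -> Optional[str]:
    """Explain why a path is suspicious, or return None if it is not a concern."""
    directory, _, name = path.lower().rpartition("\\")
    expected = SYSTEM_PROCESSES.get(name)
    if expected is None:
        return None  # not a name we expect in a fixed location
    if not directory:
        return "%s launched without a path" % name
    if not directory.endswith(expected):
        return "%s expected under %s, found in %s" % (name, expected, directory)
    return None


def find_masquerades(log: str) -> List[Tuple[str, str, str]]:
    """Return (source, path, reason) for every entry that fails check_path."""
    findings = []
    for source, path in extract_paths(log):
        reason = check_path(path)
        if reason:
            findings.append((source, path, reason))
    return findings


if __name__ == "__main__":
    for source, path, reason in find_masquerades(SAMPLE_LOG):
        print("%-16s %s\n    %s" % (source, path, reason))
```

Run on the constructed excerpt it reports exactly the two entries a helper would question: csrss.exe under Temp\RarSFX0 and the O4 [smss] entry under Common Files.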



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 17 November 2006 - 09:47 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 chungdim

chungdim
  • Topic Starter

  • Members
  • 9 posts

Posted 17 November 2006 - 11:19 AM

Good Morning Sam,

Thank you for your help; here is the log from ComboFix:

Linus - 06-11-17 8:09:02.03 Service Pack 1
ComboFix 06.11.9 - Running from: "H:\software\aNTI-VIRUS"

((((((((((((((((((((((((((((((( Files Created from 2006-10-17 to 2006-11-17 ))))))))))))))))))))))))))))))))))


2006-11-07 01:08 134,144 --a------ C:\WINDOWS\reg123.exe
2006-11-05 14:05 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-11-05 13:57 26,752 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2006-11-05 12:12 89,728 --a------ C:\WINDOWS\system32\drivers\usbvsp.sys
2006-11-03 20:26 134,144 --a------ C:\WINDOWS\reg2.exe
2006-11-03 10:18 3,838,056 --a------ C:\msgrplus.exe
2006-11-03 08:06 134,144 --a------ C:\WINDOWS\reg1.exe
2006-10-21 02:03 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2006-10-21 02:03 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-10-21 02:03 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2006-10-21 02:03 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-10-21 02:03 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2006-10-21 02:03 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2006-10-21 02:02 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-10-21 01:58 974,848 --a------ C:\WINDOWS\system32\dxdiag.exe
2006-10-21 01:58 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2006-10-21 01:58 68,096 --a------ C:\WINDOWS\system32\dsdmoprp.dll
2006-10-21 01:58 63,768 --a------ C:\WINDOWS\system32\dxdllreg.exe
2006-10-21 01:58 57,856 --a------ C:\WINDOWS\system32\dpwsockx.dll
2006-10-21 01:58 53,248 --a------ C:\WINDOWS\system32\devenum.dll
2006-10-21 01:58 524,800 --a------ C:\WINDOWS\system32\qedit.dll
2006-10-21 01:58 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2006-10-21 01:58 48,512 --a------ C:\WINDOWS\system32\drivers\stream.sys
2006-10-21 01:58 47,104 --a------ C:\WINDOWS\system32\wstdecod.dll
2006-10-21 01:58 394,240 --a------ C:\WINDOWS\system32\diactfrm.dll
2006-10-21 01:58 382,976 --a------ C:\WINDOWS\system32\qdvd.dll
2006-10-21 01:58 377,856 --a------ C:\WINDOWS\system32\dpnet.dll
2006-10-21 01:58 363,520 --a------ C:\WINDOWS\system32\dsound.dll
2006-10-21 01:58 354,816 --a------ C:\WINDOWS\system32\psisdecd.dll
2006-10-21 01:58 276,480 --a------ C:\WINDOWS\system32\qdv.dll
2006-10-21 01:58 265,728 --a------ C:\WINDOWS\system32\ddraw.dll
2006-10-21 01:58 230,400 --a------ C:\WINDOWS\system32\dplayx.dll
2006-10-21 01:58 22,016 --a------ C:\WINDOWS\system32\dpmodemx.dll
2006-10-21 01:58 203,264 --a------ C:\WINDOWS\system32\dpvoice.dll
2006-10-21 01:58 194,560 --a------ C:\WINDOWS\system32\mswebdvd.dll
2006-10-21 01:58 181,248 --a------ C:\WINDOWS\system32\dmime.dll
2006-10-21 01:58 18,688 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2006-10-21 01:58 177,152 --a------ C:\WINDOWS\system32\qcap.dll
2006-10-21 01:58 16,896 --a------ C:\WINDOWS\system32\msyuv.dll
2006-10-21 01:58 16,384 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2006-10-21 01:58 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2006-10-21 01:58 14,976 --a------ C:\WINDOWS\system32\drivers\streamip.sys
2006-10-21 01:58 11,392 --a------ C:\WINDOWS\system32\drivers\bdasup.sys
2006-10-21 01:58 104,448 --a------ C:\WINDOWS\system32\dmusic.dll
2006-10-21 01:58 10,880 --a------ C:\WINDOWS\system32\drivers\slip.sys
2006-10-21 01:58 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2006-10-21 01:58 1,769,472 --a------ C:\WINDOWS\system32\dxdiagn.dll
2006-10-21 01:58 1,689,600 --a------ C:\WINDOWS\system32\d3d9.dll
2006-10-21 01:58 1,230,336 --a------ C:\WINDOWS\system32\msvidctl.dll
2006-10-21 01:58 1,179,648 --a------ C:\WINDOWS\system32\d3d8.dll
2006-10-20 20:19 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2006-10-20 20:19 86,016 --a------ C:\WINDOWS\system32\xactsrv.dll
2006-10-20 20:19 77,824 --------- C:\WINDOWS\system32\wmpstub.exe
2006-10-20 20:19 56,832 --------- C:\WINDOWS\system32\wzcdlg.dll
2006-10-20 20:19 446,464 --------- C:\WINDOWS\system32\wmvdmoe.dll
2006-10-20 20:19 38,912 --------- C:\WINDOWS\system32\wsnmp32.dll
2006-10-20 20:19 311,327 --------- C:\WINDOWS\system32\wmv8dmod.dll
2006-10-20 20:19 296,448 --------- C:\WINDOWS\system32\wmstream.dll
2006-10-20 20:19 264,704 --a------ C:\WINDOWS\system32\wzcsvc.dll
2006-10-20 20:19 247,808 --a------ C:\WINDOWS\system32\wow32.dll
2006-10-20 20:19 23,552 --------- C:\WINDOWS\system32\wzcsapi.dll
2006-10-20 20:19 17,408 --a------ C:\WINDOWS\system32\wtsapi32.dll
2006-10-20 20:19 13,312 --------- C:\WINDOWS\system32\wship6.dll
2006-10-20 20:19 118,784 --------- C:\WINDOWS\system32\wmsdmoe.dll
2006-10-20 20:18 9,856 --------- C:\WINDOWS\system32\drivers\tunmp.sys
2006-10-20 20:18 88,064 --------- C:\WINDOWS\system32\tscfgwmi.dll
2006-10-20 20:18 86,528 --a------ C:\WINDOWS\system32\wlnotify.dll
2006-10-20 20:18 82,944 --------- C:\WINDOWS\system32\smlogsvc.exe
2006-10-20 20:18 81,920 --a------ C:\WINDOWS\system32\trkwks.dll
2006-10-20 20:18 71,168 --------- C:\WINDOWS\system32\telnet.exe
2006-10-20 20:18 71,168 --------- C:\WINDOWS\system32\storprop.dll
2006-10-20 20:18 667,648 --------- C:\WINDOWS\system32\ss3dfo.scr
2006-10-20 20:18 66,560 --a------ C:\WINDOWS\system32\spoolss.dll
2006-10-20 20:18 66,048 --------- C:\WINDOWS\system32\sigverif.exe
2006-10-20 20:18 638,976 --------- C:\WINDOWS\system32\sstext3d.scr
2006-10-20 20:18 63,488 --a------ C:\WINDOWS\system32\srclient.dll
2006-10-20 20:18 62,976 --a------ C:\WINDOWS\system32\shgina.dll
2006-10-20 20:18 61,952 --a------ C:\WINDOWS\system32\webclnt.dll
2006-10-20 20:18 61,952 --a------ C:\WINDOWS\system32\sti.dll
2006-10-20 20:18 60,416 --a------ C:\WINDOWS\system32\shimeng.dll
2006-10-20 20:18 60,416 --------- C:\WINDOWS\system32\wextract.exe
2006-10-20 20:18 569,344 --------- C:\WINDOWS\system32\sspipes.scr
2006-10-20 20:18 534,016 --------- C:\WINDOWS\system32\spider.exe
2006-10-20 20:18 51,200 --------- C:\WINDOWS\system32\wmerrenu.dll
2006-10-20 20:18 5,504 --------- C:\WINDOWS\system32\drivers\smbali.sys
2006-10-20 20:18 49,664 --------- C:\WINDOWS\system32\vfwwdm32.dll
2006-10-20 20:18 48,640 --------- C:\WINDOWS\system32\vdmredir.dll
2006-10-20 20:18 48,128 --a------ C:\WINDOWS\system32\winsta.dll
2006-10-20 20:18 47,616 --------- C:\WINDOWS\system32\utilman.exe
2006-10-20 20:18 43,008 --a------ C:\WINDOWS\system32\ssdpsrv.dll
2006-10-20 20:18 420,864 --------- C:\WINDOWS\system32\shimgvw.dll
2006-10-20 20:18 409,088 --a------ C:\WINDOWS\system32\vssapi.dll
2006-10-20 20:18 40,960 --------- C:\WINDOWS\system32\tscupgrd.exe
2006-10-20 20:18 385,024 --------- C:\WINDOWS\system32\sqlsrv32.dll
2006-10-20 20:18 384,000 --a------ C:\WINDOWS\system32\themeui.dll
2006-10-20 20:18 364,544 --------- C:\WINDOWS\system32\ssflwbox.scr
2006-10-20 20:18 339,456 --a------ C:\WINDOWS\system32\usp10.dll
2006-10-20 20:18 334,848 --------- C:\WINDOWS\system32\smlogcfg.dll
2006-10-20 20:18 33,280 --------- C:\WINDOWS\system32\shmgrate.exe
2006-10-20 20:18 32,256 --------- C:\WINDOWS\system32\umandlg.dll
2006-10-20 20:18 316,416 --a------ C:\WINDOWS\system32\wiaservc.dll
2006-10-20 20:18 29,696 --a------ C:\WINDOWS\system32\snmp.exe
2006-10-20 20:18 27,136 --a------ C:\WINDOWS\system32\ssdpapi.dll
2006-10-20 20:18 266,752 --a------ C:\WINDOWS\winhlp32.exe
2006-10-20 20:18 258,048 --------- C:\WINDOWS\system32\webcheck.dll
2006-10-20 20:18 251,904 --------- C:\WINDOWS\system32\strmdll.dll
2006-10-20 20:18 24,064 --------- C:\WINDOWS\system32\skeys.exe
2006-10-20 20:18 233,984 --a------ C:\WINDOWS\system32\tapisrv.dll
2006-10-20 20:18 231,424 --a------ C:\WINDOWS\system32\upnpui.dll
2006-10-20 20:18 22,528 --a------ C:\WINDOWS\system32\shfolder.dll
2006-10-20 20:18 22,528 --------- C:\WINDOWS\system32\slayerxp.dll
2006-10-20 20:18 22,016 --------- C:\WINDOWS\system32\udhisapi.dll
2006-10-20 20:18 203,264 --a------ C:\WINDOWS\system32\uxtheme.dll
2006-10-20 20:18 200,192 --a------ C:\WINDOWS\system32\termsrv.dll
2006-10-20 20:18 19,456 --------- C:\WINDOWS\system32\ssmarque.scr
2006-10-20 20:18 18,944 --------- C:\WINDOWS\system32\ssbezier.scr
2006-10-20 20:18 171,520 --a------ C:\WINDOWS\system32\winmm.dll
2006-10-20 20:18 17,408 --------- C:\WINDOWS\system32\ssmyst.scr
2006-10-20 20:18 168,448 --a------ C:\WINDOWS\system32\wldap32.dll
2006-10-20 20:18 165,376 --a------ C:\WINDOWS\system32\w32time.dll
2006-10-20 20:18 165,376 --a------ C:\WINDOWS\system32\tapi32.dll
2006-10-20 20:18 164,864 --------- C:\WINDOWS\system32\upnphost.dll
2006-10-20 20:18 16,896 --a------ C:\WINDOWS\system32\snmpapi.dll
2006-10-20 20:18 16,384 --------- C:\WINDOWS\system32\watchdog.sys
2006-10-20 20:18 16,384 --------- C:\WINDOWS\system32\ups.exe
2006-10-20 20:18 158,720 --a------ C:\WINDOWS\system32\srsvc.dll
2006-10-20 20:18 130,560 --------- C:\WINDOWS\system32\sti_ci.dll
2006-10-20 20:18 13,312 --------- C:\WINDOWS\system32\ssstars.scr
2006-10-20 20:18 128,512 --------- C:\WINDOWS\system32\taskmgr.exe
2006-10-20 20:18 124,928 --------- C:\WINDOWS\system32\webvw.dll
2006-10-20 20:18 120,320 --a------ C:\WINDOWS\system32\upnp.dll
2006-10-20 20:18 119,808 --------- C:\WINDOWS\system32\wiadss.dll
2006-10-20 20:18 117,760 --a------ C:\WINDOWS\system32\stobject.dll
2006-10-20 20:18 116,224 --a------ C:\WINDOWS\system32\shsvcs.dll
2006-10-20 20:18 11,776 --------- C:\WINDOWS\system32\sigtab.dll
2006-10-20 20:18 107,008 --a------ C:\WINDOWS\system32\umpnpmgr.dll
2006-10-20 20:18 106,496 --a------ C:\WINDOWS\system32\url.dll
2006-10-20 20:18 10,752 --------- C:\WINDOWS\system32\tracert.exe
2006-10-20 20:17 98,304 --------- C:\WINDOWS\system32\oleprn.dll
2006-10-20 20:17 95,744 --------- C:\WINDOWS\system32\nlhtml.dll
2006-10-20 20:17 94,208 --------- C:\WINDOWS\system32\odbccp32.dll
2006-10-20 20:17 91,136 --a------ C:\WINDOWS\system32\rastls.dll
2006-10-20 20:17 87,304 --------- C:\WINDOWS\system32\rdpdd.dll
2006-10-20 20:17 82,944 --a------ C:\WINDOWS\system32\psbase.dll
2006-10-20 20:17 8,192 --------- C:\WINDOWS\system32\scrnsave.scr
2006-10-20 20:17 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll
2006-10-20 20:17 74,240 --------- C:\WINDOWS\system32\rtcshare.exe
2006-10-20 20:17 71,168 --------- C:\WINDOWS\system32\sdbinst.exe
2006-10-20 20:17 686,080 --------- C:\WINDOWS\system32\opengl32.dll
2006-10-20 20:17 61,440 --------- C:\WINDOWS\system32\odbccu32.dll
2006-10-20 20:17 61,440 --------- C:\WINDOWS\system32\odbccr32.dll
2006-10-20 20:17 6,144 --a------ C:\WINDOWS\system32\sensapi.dll
2006-10-20 20:17 58,880 --------- C:\WINDOWS\system32\pautoenr.dll
2006-10-20 20:17 57,856 --a------ C:\WINDOWS\system32\raschap.dll
2006-10-20 20:17 56,320 --------- C:\WINDOWS\system32\remotepg.dll
2006-10-20 20:17 53,248 --------- C:\WINDOWS\system32\packager.exe
2006-10-20 20:17 53,248 --------- C:\WINDOWS\system32\odbcconf.exe
2006-10-20 20:17 52,224 --a------ C:\WINDOWS\system32\secur32.dll
2006-10-20 20:17 49,152 --------- C:\WINDOWS\system32\npptools.dll
2006-10-20 20:17 48,128 --------- C:\WINDOWS\system32\reg.exe
2006-10-20 20:17 44,032 --a------ C:\WINDOWS\system32\regapi.dll
2006-10-20 20:17 44,032 --------- C:\WINDOWS\system32\rdpclip.exe
2006-10-20 20:17 423,424 --a------ C:\WINDOWS\system32\riched20.dll
2006-10-20 20:17 392,704 --------- C:\WINDOWS\system32\ntmssvc.dll
2006-10-20 20:17 38,400 --a------ C:\WINDOWS\system32\ntlanman.dll
2006-10-20 20:17 38,400 --------- C:\WINDOWS\system32\ntmsapi.dll
2006-10-20 20:17 36,352 --a------ C:\WINDOWS\system32\sens.dll
2006-10-20 20:17 34,304 --------- C:\WINDOWS\system32\rcimlby.exe
2006-10-20 20:17 33,808 --------- C:\WINDOWS\system32\ntio.sys
2006-10-20 20:17 328,704 --a------ C:\WINDOWS\system32\oakley.dll
2006-10-20 20:17 32,768 --------- C:\WINDOWS\system32\odbcad32.exe
2006-10-20 20:17 3,338 --------- C:\WINDOWS\system32\redir.exe
2006-10-20 20:17 297,984 --a------ C:\WINDOWS\system32\scesrv.dll
2006-10-20 20:17 254,976 --------- C:\WINDOWS\system32\pdh.dll
2006-10-20 20:17 24,576 --------- C:\WINDOWS\system32\odbcbcp.dll
2006-10-20 20:17 24,576 --------- C:\WINDOWS\system32\nmmkcert.dll
2006-10-20 20:17 238,080 --a------ C:\WINDOWS\system32\newdev.dll
2006-10-20 20:17 212,480 --------- C:\WINDOWS\system32\osk.exe
2006-10-20 20:17 200,704 --a------ C:\WINDOWS\system32\odbc32.dll
2006-10-20 20:17 20,992 --------- C:\WINDOWS\system32\setup.exe
2006-10-20 20:17 193,536 --a------ C:\WINDOWS\system32\rasppp.dll
2006-10-20 20:17 187,904 --------- C:\WINDOWS\system32\xpsp1res.dll
2006-10-20 20:17 174,592 --a------ C:\WINDOWS\system32\scecli.dll
2006-10-20 20:17 171,008 --------- C:\WINDOWS\system32\sccsccp.dll
2006-10-20 20:17 17,408 --a------ C:\WINDOWS\system32\psapi.dll
2006-10-20 20:17 169,984 --------- C:\WINDOWS\system32\sccbase.dll
2006-10-20 20:17 165,888 --------- C:\WINDOWS\system32\ntmsdba.dll
2006-10-20 20:17 16,384 --------- C:\WINDOWS\system32\ping.exe
2006-10-20 20:17 16,384 --------- C:\WINDOWS\system32\odbc32gt.dll
2006-10-20 20:17 147,456 --------- C:\WINDOWS\system32\odbctrac.dll
2006-10-20 20:17 14,848 --------- C:\WINDOWS\system32\rdpsnd.dll
2006-10-20 20:17 137,216 --a------ C:\WINDOWS\system32\ntshrui.dll
2006-10-20 20:17 135,680 --------- C:\WINDOWS\system32\rdchost.dll
2006-10-20 20:17 134,144 --a------ C:\WINDOWS\regedit.exe
2006-10-20 20:17 133,632 --a------ C:\WINDOWS\system32\rsaenh.dll
2006-10-20 20:17 133,120 --a------ C:\WINDOWS\system32\sfc_os.dll
2006-10-20 20:17 13,824 --------- C:\WINDOWS\system32\rassapi.dll
2006-10-20 20:17 122,880 --------- C:\WINDOWS\system32\odbcconf.dll
2006-10-20 20:17 12,800 --------- C:\WINDOWS\system32\runonce.exe
2006-10-20 20:17 12,288 --------- C:\WINDOWS\system32\rdsaddin.exe
2006-10-20 20:17 12,288 --------- C:\WINDOWS\system32\odbcp32r.dll
2006-10-20 20:17 112,128 --a------ C:\WINDOWS\system32\ntmarta.dll
2006-10-20 20:17 109,568 --------- C:\WINDOWS\system32\offfilt.dll
2006-10-20 20:17 1,677,312 --------- C:\WINDOWS\system32\wmvcore2.dll
2006-10-20 20:17 1,349,120 --------- C:\WINDOWS\system32\query.dll
2006-10-20 20:17 1,157,632 --------- C:\WINDOWS\system32\sfcfiles.dll
2006-10-20 20:16 921,475 --------- C:\WINDOWS\system32\ati3d2ag.dll
2006-10-20 20:16 857,600 --------- C:\WINDOWS\system32\netplwiz.dll
2006-10-20 20:16 844,675 --------- C:\WINDOWS\system32\ati3d1ag.dll
2006-10-20 20:16 699,392 --------- C:\WINDOWS\system32\msxml2.dll
2006-10-20 20:16 63,663 --------- C:\WINDOWS\system32\drivers\atinrvxx.sys
2006-10-20 20:16 6,912 --------- C:\WINDOWS\system32\drivers\hidir.sys
2006-10-20 20:16 598,016 --------- C:\WINDOWS\system32\mstscax.dll
2006-10-20 20:16 584,192 --a------ C:\WINDOWS\system32\netcfgx.dll
2006-10-20 20:16 56,591 --------- C:\WINDOWS\system32\drivers\atinbtxx.sys
2006-10-20 20:16 504,832 --------- C:\WINDOWS\system32\msftedit.dll
2006-10-20 20:16 5,120 --------- C:\WINDOWS\system32\hccoin.dll
2006-10-20 20:16 450,176 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2006-10-20 20:16 42,496 --a------ C:\WINDOWS\system32\ncobjapi.dll
2006-10-20 20:16 403,456 --------- C:\WINDOWS\system32\winbrand.dll
2006-10-20 20:16 401,462 --a------ C:\WINDOWS\system32\msvcp60.dll
2006-10-20 20:16 399,360 --a------ C:\WINDOWS\system32\netlogon.dll
2006-10-20 20:16 39,424 --------- C:\WINDOWS\system32\net.exe
2006-10-20 20:16 388,608 --------- C:\WINDOWS\system32\mstsc.exe
2006-10-20 20:16 377,984 --------- C:\WINDOWS\system32\ati2dvaa.dll
2006-10-20 20:16 36,463 --------- C:\WINDOWS\system32\drivers\atintuxx.sys
2006-10-20 20:16 34,735 --------- C:\WINDOWS\system32\drivers\atinxsxx.sys
2006-10-20 20:16 339,968 --------- C:\WINDOWS\system32\mspaint.exe
2006-10-20 20:16 327,040 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys
2006-10-20 20:16 326,656 --------- C:\WINDOWS\system32\netsetup.exe
2006-10-20 20:16 323,072 --a------ C:\WINDOWS\system32\msvcrt.dll
2006-10-20 20:16 319,760 --------- C:\WINDOWS\system32\msnsspc.dll
2006-10-20 20:16 30,671 --------- C:\WINDOWS\system32\drivers\atinraxx.sys
2006-10-20 20:16 3,584 --------- C:\WINDOWS\system32\dsprpres.dll
2006-10-20 20:16 29,455 --------- C:\WINDOWS\system32\drivers\atinxbxx.sys
2006-10-20 20:16 26,367 --------- C:\WINDOWS\system32\drivers\atinsnxx.sys
2006-10-20 20:16 241,725 --------- C:\WINDOWS\system32\msuni11.dll
2006-10-20 20:16 22,528 --------- C:\WINDOWS\system32\mslbui.dll
2006-10-20 20:16 218,112 --------- C:\WINDOWS\system32\sbe.dll
2006-10-20 20:16 21,343 --------- C:\WINDOWS\system32\drivers\atinttxx.sys
2006-10-20 20:16 202,496 --------- C:\WINDOWS\system32\ati2dvag.dll
2006-10-20 20:16 19,328 --------- C:\WINDOWS\system32\drivers\usbehci.sys
2006-10-20 20:16 182,784 --a------ C:\WINDOWS\system32\msutb.dll
2006-10-20 20:16 18,944 --------- C:\WINDOWS\system32\faxpatch.exe
2006-10-20 20:16 172,032 --------- C:\WINDOWS\system32\mssap.dll
2006-10-20 20:16 16,384 --------- C:\WINDOWS\system32\nddenb32.dll
2006-10-20 20:16 155,648 --------- C:\WINDOWS\system32\encdec.dll
2006-10-20 20:16 154,112 --a------ C:\WINDOWS\system32\netman.dll
2006-10-20 20:16 131,072 --------- C:\WINDOWS\system32\msorcl32.dll
2006-10-20 20:16 13,056 --------- C:\WINDOWS\system32\drivers\wacompen.sys
2006-10-20 20:16 12,047 --------- C:\WINDOWS\system32\drivers\atinpdxx.sys
2006-10-20 20:16 115,200 --------- C:\WINDOWS\system32\net1.exe
2006-10-20 20:16 113,664 --a------ C:\WINDOWS\system32\msvfw32.dll
2006-10-20 20:16 110,080 --------- C:\WINDOWS\system32\sbeio.dll
2006-10-20 20:16 11,904 --------- C:\WINDOWS\system32\drivers\mutohpen.sys
2006-10-20 20:16 11,615 --------- C:\WINDOWS\system32\drivers\atinmdxx.sys
2006-10-20 20:16 105,984 --------- C:\WINDOWS\system32\netdde.exe
2006-10-20 20:16 10,240 --------- C:\WINDOWS\system32\msrle32.dll
2006-10-20 20:16 1,622,528 --a------ C:\WINDOWS\system32\netshell.dll
2006-10-20 20:15 72,192 --------- C:\WINDOWS\system32\uniime.dll
2006-10-20 20:15 68,096 --a------ C:\WINDOWS\system32\mscms.dll
2006-10-20 20:15 67,584 --------- C:\WINDOWS\system32\msctfp.dll
2006-10-20 20:15 65,536 --a------ C:\WINDOWS\system32\msconf.dll
2006-10-20 20:15 57,856 --------- C:\WINDOWS\system32\licwmi.dll
2006-10-20 20:15 56,320 --------- C:\WINDOWS\system32\mshtmler.dll
2006-10-20 20:15 504,320 --------- C:\WINDOWS\system32\logonui.exe
2006-10-20 20:15 4,608 --a------ C:\WINDOWS\system32\msimg32.dll
2006-10-20 20:15 4,126 --------- C:\WINDOWS\system32\msdxmlc.dll
2006-10-20 20:15 381,440 --------- C:\WINDOWS\system32\lmrt.dll
2006-10-20 20:15 368,710 --------- C:\WINDOWS\system32\msisam11.dll
2006-10-20 20:15 32,256 --a------ C:\WINDOWS\system32\mnmdd.dll
2006-10-20 20:15 266,752 --a------ C:\WINDOWS\system32\msctf.dll
2006-10-20 20:15 229,888 --------- C:\WINDOWS\system32\msieftp.dll
2006-10-20 20:15 219,648 --------- C:\WINDOWS\system32\logon.scr
2006-10-20 20:15 210,944 --------- C:\WINDOWS\system32\moricons.dll
2006-10-20 20:15 196,096 --------- C:\WINDOWS\system32\mobsync.dll
2006-10-20 20:15 19,456 --------- C:\WINDOWS\system32\licmgr10.dll
2006-10-20 20:15 163,840 --------- C:\WINDOWS\system32\mindex.dll
2006-10-20 20:15 143,872 --a------ C:\WINDOWS\system32\msimtf.dll
2006-10-20 20:15 126,976 --------- C:\WINDOWS\system32\msdart.dll
2006-10-20 20:15 12,288 --------- C:\WINDOWS\system32\mscpx32r.dll
2006-10-20 20:15 116,736 --------- C:\WINDOWS\system32\mplay32.exe
2006-10-20 20:15 10,240 --------- C:\WINDOWS\system32\localui.dll
2006-10-20 20:15 1,128,960 --------- C:\WINDOWS\system32\mmcndmgr.dll
2006-10-20 20:14 827,438 --------- C:\WINDOWS\system32\imjp81k.dll
2006-10-20 20:14 73,728 --------- C:\WINDOWS\system32\tlntsess.exe
2006-10-20 20:14 7,168 --------- C:\WINDOWS\system32\tlntsvrp.dll
2006-10-20 20:14 7,040 --------- C:\WINDOWS\system32\kd1394.dll
2006-10-20 20:14 67,584 --------- C:\WINDOWS\system32\tlntsvr.exe
2006-10-20 20:14 60,928 --------- C:\WINDOWS\system32\ipv6.exe
2006-10-20 20:14 57,856 --------- C:\WINDOWS\system32\tlntadmn.exe
2006-10-20 20:14 545,792 --------- C:\WINDOWS\system32\wsecedit.dll
2006-10-20 20:14 51,712 --------- C:\WINDOWS\system32\ipconfig.exe
2006-10-20 20:14 49,664 --------- C:\WINDOWS\system32\ixsso.dll
2006-10-20 20:14 42,537 --------- C:\WINDOWS\system32\keyboard.sys
2006-10-20 20:14 318,464 --------- C:\WINDOWS\system32\ippromon.dll
2006-10-20 20:14 272,896 --a------ C:\WINDOWS\system32\kerberos.dll
2006-10-20 20:14 27,648 --------- C:\WINDOWS\system32\pidgen.dll
2006-10-20 20:14 231,936 --------- C:\WINDOWS\system32\tracerpt.exe
2006-10-20 20:14 155,648 --a------ C:\WINDOWS\system32\ipsecsvc.dll
2006-10-20 20:14 134,144 --------- C:\WINDOWS\system32\ipv6mon.dll
2006-10-20 20:14 115,200 --------- C:\WINDOWS\system32\dpcdll.dll
2006-10-20 20:13 9,216 --a------ C:\WINDOWS\system32\icaapi.dll
2006-10-20 20:13 9,216 --------- C:\WINDOWS\system32\dumprep.exe
2006-10-20 20:13 89,088 --------- C:\WINDOWS\system32\mqsec.dll
2006-10-20 20:13 802,304 --------- C:\WINDOWS\system32\dxmrtp.dll
2006-10-20 20:13 8,832 --------- C:\WINDOWS\system32\framebuf.dll
2006-10-20 20:13 76,288 --------- C:\WINDOWS\system32\dfrgfat.exe
2006-10-20 20:13 73,728 --------- C:\WINDOWS\system32\ils.dll
2006-10-20 20:13 70,656 --------- C:\WINDOWS\system32\defrag.exe
2006-10-20 20:13 70,144 --------- C:\WINDOWS\system32\cryptdlg.dll
2006-10-20 20:13 67,584 --------- C:\WINDOWS\system32\fdeploy.dll
2006-10-20 20:13 67,200 --------- C:\WINDOWS\system32\drivers\mqac.sys
2006-10-20 20:13 66,560 --------- C:\WINDOWS\system32\faultrep.dll
2006-10-20 20:13 613,888 --------- C:\WINDOWS\system32\mqqm.dll
2006-10-20 20:13 61,440 --------- C:\WINDOWS\system32\dbnetlib.dll
2006-10-20 20:13 59,392 --------- C:\WINDOWS\system32\iesetup.dll
2006-10-20 20:13 57,344 --------- C:\WINDOWS\system32\nwwks.dll
2006-10-20 20:13 55,296 --------- C:\WINDOWS\system32\digest.dll
2006-10-20 20:13 53,248 --a------ C:\WINDOWS\system32\cryptsvc.dll
2006-10-20 20:13 498,205 --------- C:\WINDOWS\system32\dxmasf.dll
2006-10-20 20:13 49,152 --a------ C:\WINDOWS\system32\eventlog.dll
2006-10-20 20:13 489,984 --a------ C:\WINDOWS\system32\dbghelp.dll
2006-10-20 20:13 478,720 --------- C:\WINDOWS\system32\mqsnap.dll
2006-10-20 20:13 469,504 --------- C:\WINDOWS\system32\mqutil.dll
2006-10-20 20:13 45,568 --------- C:\WINDOWS\system32\docprop2.dll
2006-10-20 20:13 36,922 --------- C:\WINDOWS\system32\imeshare.dll
2006-10-20 20:13 35,328 --------- C:\WINDOWS\system32\dfrgsnap.dll
2006-10-20 20:13 307,712 --a------ C:\WINDOWS\system32\cscui.dll
2006-10-20 20:13 30,208 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-20 20:13 294,912 --------- C:\WINDOWS\system32\iedkcs32.dll
2006-10-20 20:13 29,696 --------- C:\WINDOWS\system32\asr_pfu.exe
2006-10-20 20:13 28,672 --------- C:\WINDOWS\system32\ie4uinit.exe
2006-10-20 20:13 28,672 --------- C:\WINDOWS\system32\dbnmpntw.dll
2006-10-20 20:13 277,504 --------- C:\WINDOWS\system32\appmgr.dll
2006-10-20 20:13 263,680 --a------ C:\WINDOWS\system32\duser.dll
2006-10-20 20:13 263,168 --------- C:\WINDOWS\system32\devmgr.dll
2006-10-20 20:13 25,600 --------- C:\WINDOWS\system32\dfsshlex.dll
2006-10-20 20:13 249,856 --------- C:\WINDOWS\system32\adsiis.dll
2006-10-20 20:13 240,640 --a------ C:\WINDOWS\system32\hnetcfg.dll
2006-10-20 20:13 24,576 --------- C:\WINDOWS\system32\dbmsvinn.dll
2006-10-20 20:13 24,576 --------- C:\WINDOWS\system32\dbmsrpcn.dll
2006-10-20 20:13 236,032 --------- C:\WINDOWS\system32\icm32.dll
2006-10-20 20:13 227,840 --------- C:\WINDOWS\system32\dsquery.dll
2006-10-20 20:13 204,288 --------- C:\WINDOWS\system32\ieaksie.dll
2006-10-20 20:13 20,480 --------- C:\WINDOWS\system32\dbmsadsn.dll
2006-10-20 20:13 19,456 --a------ C:\WINDOWS\system32\ersvc.dll
2006-10-20 20:13 19,456 --------- C:\WINDOWS\system32\fontview.exe
2006-10-20 20:13 183,296 --------- C:\WINDOWS\system32\gptext.dll
2006-10-20 20:13 180,224 --------- C:\WINDOWS\system32\dwwin.exe
2006-10-20 20:13 178,688 --------- C:\WINDOWS\system32\eudcedit.exe
2006-10-20 20:13 17,792 --------- C:\WINDOWS\system32\drivers\irbus.sys
2006-10-20 20:13 168,960 --------- C:\WINDOWS\system32\dinput8.dll
2006-10-20 20:13 165,376 --------- C:\WINDOWS\system32\els.dll
2006-10-20 20:13 164,864 --------- C:\WINDOWS\system32\mqrt.dll
2006-10-20 20:13 164,352 --------- C:\WINDOWS\system32\mqtrig.dll
2006-10-20 20:13 16,384 --------- C:\WINDOWS\system32\ds32gt.dll
2006-10-20 20:13 156,672 --------- C:\WINDOWS\system32\appmgmts.dll
2006-10-20 20:13 156,544 --------- C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-20 20:13 151,552 --------- C:\WINDOWS\system32\dinput.dll
2006-10-20 20:13 14,848 --------- C:\WINDOWS\system32\mqise.dll
2006-10-20 20:13 135,680 --------- C:\WINDOWS\system32\dsprop.dll
2006-10-20 20:13 130,048 --------- C:\WINDOWS\system32\mqad.dll
2006-10-20 20:13 13,312 --a------ C:\WINDOWS\system32\ctfmon.exe
2006-10-20 20:13 126,976 --------- C:\WINDOWS\system32\ieakeng.dll
2006-10-20 20:13 124,928 --a------ C:\WINDOWS\system32\dssenh.dll
2006-10-20 20:13 123,904 --------- C:\WINDOWS\system32\imapi.exe
2006-10-20 20:13 114,176 --------- C:\WINDOWS\system32\input.dll
2006-10-20 20:13 113,664 --------- C:\WINDOWS\system32\schtasks.exe
2006-10-20 20:13 113,152 --------- C:\WINDOWS\system32\idq.dll
2006-10-20 20:13 113,152 --------- C:\WINDOWS\system32\gpresult.exe
2006-10-20 20:13 113,152 --------- C:\WINDOWS\system32\dfrgui.dll
2006-10-20 20:13 103,936 --a------ C:\WINDOWS\system32\imm32.dll
2006-10-20 20:13 103,936 --------- C:\WINDOWS\system32\rsnotify.exe
2006-10-20 20:13 103,424 --------- C:\WINDOWS\system32\dgnet.dll
2006-10-20 20:13 1,004,032 --a------ C:\WINDOWS\explorer.exe
2006-10-20 20:12 98,816 --------- C:\WINDOWS\system32\clipbrd.exe
2006-10-20 20:12 91,648 --------- C:\WINDOWS\system32\ahui.exe
2006-10-20 20:12 91,136 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-20 20:12 8,192 --------- C:\WINDOWS\system32\autolfn.exe
2006-10-20 20:12 76,288 --a------ C:\WINDOWS\system32\avifil32.dll
2006-10-20 20:12 74,810 --a------ C:\WINDOWS\system32\atl.dll
2006-10-20 20:12 71,680 --------- C:\WINDOWS\system32\browsewm.dll
2006-10-20 20:12 64,512 --------- C:\WINDOWS\system32\ciodm.dll
2006-10-20 20:12 62,976 --a------ C:\WINDOWS\system32\browselc.dll
2006-10-20 20:12 62,464 --------- C:\WINDOWS\system32\adsmsext.dll
2006-10-20 20:12 6,656 --------- C:\WINDOWS\system32\batt.dll
2006-10-20 20:12 59,904 --a------ C:\WINDOWS\system32\cabinet.dll
2006-10-20 20:12 59,392 --------- C:\WINDOWS\system32\6to4svc.dll
2006-10-20 20:12 54,272 --a------ C:\WINDOWS\system32\clusapi.dll
2006-10-20 20:12 49,152 --a------ C:\WINDOWS\system32\browser.dll
2006-10-20 20:12 41,984 --a------ C:\WINDOWS\system32\alg.exe
2006-10-20 20:12 41,472 --------- C:\WINDOWS\system32\cmdl32.exe
2006-10-20 20:12 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2006-10-20 20:12 324,608 --------- C:\WINDOWS\system32\cmdial32.dll
2006-10-20 20:12 32,768 --------- C:\WINDOWS\system32\cfgbkend.dll
2006-10-20 20:12 32,512 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2006-10-20 20:12 24,576 --a------ C:\WINDOWS\system32\conime.exe
2006-10-20 20:12 239,616 --------- C:\WINDOWS\system32\adsnt.dll
2006-10-20 20:12 238,592 --------- C:\WINDOWS\system32\compatui.dll
2006-10-20 20:12 22,528 --------- C:\WINDOWS\system32\at.exe
2006-10-20 20:12 186,880 --a------ C:\WINDOWS\system32\certcli.dll
2006-10-20 20:12 162,816 --------- C:\WINDOWS\system32\adsldp.dll
2006-10-20 20:12 158,720 --a------ C:\WINDOWS\system32\credui.dll
2006-10-20 20:12 14,366 --------- C:\WINDOWS\system32\asfsipc.dll
2006-10-20 20:12 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2006-10-20 20:12 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2006-10-19 20:03 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-10-19 17:27 884,736 --------- C:\WINDOWS\system32\msimsg.dll
2006-10-19 17:27 78,848 --------- C:\WINDOWS\system32\msiexec.exe
2006-10-19 17:27 271,360 --------- C:\WINDOWS\system32\msihnd.dll
2006-10-19 17:27 2,890,240 --a------ C:\WINDOWS\system32\msi.dll
2006-10-19 17:27 15,360 --------- C:\WINDOWS\system32\msisip.dll
2006-10-19 09:34 23,040 --a------ C:\WINDOWS\system32\cdnns.dll
2006-10-19 08:52 4,633,912 --a------ C:\WindowsXP-KB918899-x86-CHS.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-17 08:08 230925 --a------ C:\Program Files\2.exe
2006-11-16 21:55 -------- d-------- C:\Program Files\Network Associates
2006-11-16 21:26 -------- d-------- C:\Program Files\Adobe
2006-11-16 11:09 -------- d-------- C:\Documents and Settings\Linus\Application Data\Lavasoft
2006-11-16 10:30 -------- d-------- C:\Program Files\Common Files
2006-11-16 09:20 -------- d-------- C:\Program Files\Outlook Express
2006-11-16 09:20 -------- d-------- C:\Program Files\Common Files\System
2006-11-16 09:18 -------- d-------- C:\Program Files\Internet Explorer
2006-11-16 09:18 -------- d-------- C:\Program Files\Common Files\Services
2006-11-15 15:23 -------- d-------- C:\Documents and Settings\Linus\Application Data\Adobe
2006-11-13 22:45 -------- d-------- C:\Program Files\eFax Messenger Plus 3.3
2006-11-07 10:00 -------- d-------- C:\Documents and Settings\Linus\Application Data\AdobeUM
2006-11-06 20:56 -------- d-------- C:\Documents and Settings\Linus\Application Data\Research In Motion
2006-11-05 14:11 -------- d-------- C:\Documents and Settings\Linus\Application Data\Blackberry Desktop
2006-11-05 13:56 -------- d-------- C:\Program Files\Common Files\Research In Motion
2006-11-05 12:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-30 10:11 322784 --a--c--- C:\Documents and Settings\Linus\Application Data\GDIPFONTCACHEV1.DAT
2006-10-29 20:53 -------- d-------- C:\Program Files\Java
2006-10-24 04:20 -------- d---s---- C:\Documents and Settings\Linus\Application Data\Microsoft
2006-10-21 10:24 -------- d-------- C:\Program Files\Brownie
2006-10-21 10:22 -------- d-------- C:\Program Files\Support Tools
2006-10-21 01:56 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-21 01:33 -------- d-------- C:\Program Files\MSN Messenger
2006-10-21 01:28 -------- d-------- C:\Program Files\NetMeeting
2006-10-21 01:28 -------- d-------- C:\Program Files\Messenger
2006-10-20 20:22 -------- d-------- C:\Program Files\Movie Maker
2006-10-20 20:21 -------- d-------- C:\Program Files\Windows Media Player
2006-10-19 16:40 167564 --a------ C:\Program Files\Common Files\smss.exe
2006-10-11 11:28 7477 --a------ C:\Documents and Settings\Linus\Application Data\unins000.dat
2006-10-11 11:27 673546 --a------ C:\Documents and Settings\Linus\Application Data\unins000.exe
2006-10-09 17:57 -------- d-------- C:\Program Files\xerox
2006-10-09 17:57 -------- d-------- C:\Program Files\Common Files\mssoap
2006-10-09 16:37 15872 --a------ C:\WINDOWS\system32\winygq32(2).dll
2006-10-08 09:27 -------- dr------- C:\Documents and Settings\Linus\Application Data\Brother
2006-10-08 09:03 -------- d-------- C:\Program Files\Brother
2006-10-08 08:52 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-30 07:44 -------- d-------- C:\Program Files\QuickTime
2006-09-30 07:42 -------- d-------- C:\Program Files\iPod
2006-09-28 06:00 1019 --a------ C:\Documents and Settings\Linus\Application Data\AdobeDLM.log
2006-09-28 06:00 0 --a--c--- C:\Documents and Settings\Linus\Application Data\dm.ini
2006-09-05 10:25 167936 --a------ C:\WINDOWS\system32\infgdbcb.dll
2006-08-31 16:38 299008 --a------ C:\WINDOWS\system32\GMAccMan.dll
2006-08-31 16:35 90112 --a------ C:\WINDOWS\system32\GMSigMan.dll
2006-08-31 16:27 65536 --a------ C:\WINDOWS\system32\GMMesCom.dll
2006-08-31 16:17 258048 --a------ C:\WINDOWS\system32\GMMailer.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RealPlayer"="\"H:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"RIMDeviceManager"="\"C:\\Program Files\\Common Files\\Research In Motion\\RIMDeviceManager\\RIMDeviceManager.exe\" -RunServer"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SoundMan"="SOUNDMAN.EXE"
"CardGate"="\"h:\\Program Files\\Softick\\CardExport\\CardGate.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe\""
"WD Button Manager"="WDBtnMgr.exe"
"iTunesHelper"="\"H:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Acrobat Assistant 7.0"="\"H:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"smss"="C:\\Program Files\\Common Files\\smss.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"muBlinder"="H:\\C destop\\ms sp\\muBlinder\\muBlinder.exe -startup"
"Ad-watch"="H:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-watch.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"Network.ConnectionTray"="{87CDD3DC-70A2-12C2-51E5-DFBC58821EC3}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\DataViz Messenger.lnk"
"backup"="C:\\WINDOWS\\pss\\DataViz Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\DVZCOM~1\\DvzMsgr.exe "
"item"="DataViz Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eBay Toolbar.LNK]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\eBay Toolbar.LNK"
"backup"="C:\\WINDOWS\\pss\\eBay Toolbar.LNKCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\DOWNLO~1\\eBayTBar.exe "
"item"="eBay Toolbar"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^WINDOWS^Profiles^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
"path"="C:\\WINDOWS\\Profiles\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^WINDOWS^Profiles^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\WINDOWS\\Profiles\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^WINDOWS^Profiles^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\WINDOWS\\Profiles\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="H:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^WINDOWS^Profiles^All Users^Start Menu^Programs^Startup^eFax Live Menu 3.3.lnk]
"path"="C:\\WINDOWS\\Profiles\\All Users\\Start Menu\\Programs\\Startup\\eFax Live Menu 3.3.lnk"
"backup"="C:\\WINDOWS\\pss\\eFax Live Menu 3.3.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EFAXME~1.3\\J2GDLL~1.EXE /R /K \"C:\\Program Files\\eFax Messenger Plus 3.3\\J2GPfcW.dll\",JSPFCWSetHooking,1,0,0,0"
"item"="eFax Live Menu 3.3"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^WINDOWS^Profiles^All Users^Start Menu^Programs^Startup^eFax Tray Menu 3.3.lnk]
"path"="C:\\WINDOWS\\Profiles\\All Users\\Start Menu\\Programs\\Startup\\eFax Tray Menu 3.3.lnk"
"backup"="C:\\WINDOWS\\pss\\eFax Tray Menu 3.3.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EFAXME~1.3\\J2GTray.exe "
"item"="eFax Tray Menu 3.3"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^WINDOWS^Profiles^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"path"="C:\\WINDOWS\\Profiles\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADVCHK"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CallControl 4.5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FTCtrl32"
"hkey"="HKLM"
"command"="\"h:\\systemfiles\\program files\\FAX TALK COMMUNICATOR\\FTCtrl32.exe\" /autoload"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DataLayer"
"hkey"="HKLM"
"command"="C:\\Program Files\\Nokia\\Nokia PC Suite 5\\DataLayer\\Application\\DataLayer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Tray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="1500 nokia ringtones"
"hkey"="HKLM"
"command"="H:\\Linus_nokia6100\\New Folder\\wav\\1500 nokia ringtones.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Tray Application]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NclTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Nokia\\NCLTools\\NclTray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="\"RUNDLL32.EXE\" C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="P2P Networking"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\P2P Networking\\P2P Networking.exe /AUTOSTART"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realplay"
"hkey"="HKCU"
"command"="\"H:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"h:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ServiceLayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ServiceLayer"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Nokia\\Services\\ServiceLayer.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeperUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STOPzilla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Stopzilla"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\STOPzilla!\\Stopzilla.exe\" /autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="H:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ybrwicon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-17 8:09:51.54
C:\ComboFix.txt ... 06-11-17 08:09

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:22 PM

Posted 18 November 2006 - 08:53 AM

Ok, let's get rid of this for you.


Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"smss"=-

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.


===============



Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\winygq32(2).dll
    C:\Program Files\Common Files\smss.exe
    C:\Program Files\2.exe
    C:\WINDOWS\reg1.exe
    C:\WINDOWS\reg2.exe
    C:\WINDOWS\reg123.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
==============



Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Also post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 chungdim

chungdim
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:22 PM

Posted 18 November 2006 - 12:07 PM

  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\winygq32(2).dll
C:\Program Files\Common Files\smss.exe
C:\Program Files\2.exe
C:\WINDOWS\reg1.exe
C:\WINDOWS\reg2.exe
C:\WINDOWS\reg123.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).


Yes, I got that prompt.


  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.


Pocket Killbox version 2.0.0.881
Running on Windows XP as (Administrator)
was started @ Saturday, November 18, 2006, 8:21 AM
# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\winygq32(2).dll

# 2 [Delete on Reboot]
Path = C:\Program Files\Common Files\smss.exe

# 3 [Delete on Reboot]
Path = C:\Program Files\2.exe

# 4 [Delete on Reboot]
Path = C:\WINDOWS\reg1.exe

# 5 [Delete on Reboot]
Path = C:\WINDOWS\reg2.exe

# 6 [Delete on Reboot]
Path = C:\WINDOWS\reg123.exe

I Rebooted @ 8:23:03 AM
Killbox Closed(Exit) @ 8:23:06 AM
__________________________________________________
Pocket Killbox version 2.0.0.881
Running on Windows XP as (Administrator)
was started @ Saturday, November 18, 2006, 8:33 AM


Please run the F-Secure Online Scanner


No Luck! Somehow it claims that I am NOT using the correct browser.


Your browser is not supported. F-Secure Online Scanner requires Microsoft® Internet Explorer 5™ or later with ActiveX enabled.

Also post a new hijackthis log.


Logfile of HijackThis v1.99.1
Scan saved at 8:59:43 AM, on 11/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\Softick\CardExport\CardGate.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\WDBtnMgr.exe
H:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
H:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
H:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\software\aNTI-VIRUS\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://losangeles.craigslist.org/zip/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CardGate] "h:\Program Files\Softick\CardExport\CardGate.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "H:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [muBlinder] H:\C destop\ms sp\muBlinder\muBlinder.exe -startup
O4 - HKLM\..\Run: [Ad-watch] H:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKCU\..\Run: [RealPlayer] "H:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Desktop Manager.lnk = H:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm
O8 - Extra context menu item: Clip To ComicGURU - C:\Program Files\ComicGURU\ComicGURU_IEClip.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.3.0.0) Control) - http://64.60.109.140/cab/Live.cab
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00719/sb027.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe


Thank you very much, you are great!
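As an added example for anyone reading the log above (my own code, not part of this thread and not a HijackThis feature), the script below runs a few triage heuristics over an excerpt of that log. The rules are my assumptions about what a helper checks first: Run entries whose program lives outside the Windows or Program Files directories (which is how the muBlinder line stands out), ActiveX downloads served from a bare IP address, and Winlogon Notify entries whose DLL is missing.

```python
"""Triage heuristics for a HijackThis v1.99.1 log (added example, not an HJT feature).
The rules are assumptions about what a helper checks first; everything they flag still
needs a human decision, as Sam's question about muBlinder shows."""
import re

# Constructed excerpt: representative lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [muBlinder] H:\C destop\ms sp\muBlinder\muBlinder.exe -startup
O4 - HKLM\..\Run: [Ad-watch] H:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.3.0.0) Control) - http://64.60.109.140/cab/Live.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
DPF_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>.*)\))? - (?P<url>\S+)$')
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<rest>.*)$')
# Program path inside a Run value: optional quotes, then up to a known binary extension.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|dll|ocx))"?(?:\s|$)', re.IGNORECASE)
# Where autostarts normally live: the Windows directory or any drive's Program Files.
STANDARD_DIR_RE = re.compile(
    r'^(?:%systemroot%|[A-Za-z]:\\(?:WINDOWS|Program Files|PROGRA~1))\\', re.IGNORECASE)
RAW_IP_RE = re.compile(r'^https?://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:[/:]|$)', re.IGNORECASE)


def executable_of(cmd):
    """Return the program path from a Run value, or its first token if no extension is visible."""
    m = EXE_RE.match(cmd)
    if m:
        return m['path']
    tokens = cmd.strip('"').split()
    return tokens[0] if tokens else None


def triage(log_text):
    """Return a list of findings, each a dict with section, name, detail and reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            exe = executable_of(m['cmd'])
            # Bare filenames (SOUNDMAN.EXE) resolve via PATH; only absolute paths are judged here.
            if exe and '\\' in exe and not STANDARD_DIR_RE.match(exe):
                findings.append({'section': 'O4', 'name': m['name'], 'detail': exe,
                                 'reason': 'autostart outside Windows/Program Files'})
        elif m := DPF_RE.match(line):
            if ip := RAW_IP_RE.match(m['url']):
                findings.append({'section': 'O16', 'name': m['name'] or m['clsid'],
                                 'detail': m['url'],
                                 'reason': f"ActiveX control served from raw IP {ip['ip']}"})
        elif m := NOTIFY_RE.match(line):
            if '(file missing)' in m['rest']:
                findings.append({'section': 'O20', 'name': m['name'], 'detail': m['rest'],
                                 'reason': 'Winlogon Notify entry whose DLL is missing'})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['name']:<22} {f['reason']} -> {f['detail']}")
```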

#6 Buckeye_Sam (Malware Expert)

Posted 18 November 2006 - 12:15 PM

Ok, we'll try another one.

But first, can you tell me anything about this program?

O4 - HKLM\..\Run: [muBlinder] H:\C destop\ms sp\muBlinder\muBlinder.exe -startup



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 chungdim (Topic Starter)

Posted 18 November 2006 - 12:52 PM

Hello Sam,

I would like to uninstall:
O4 - HKLM\..\Run: [muBlinder] H:\C desktop\ms sp\muBlinder\muBlinder.exe -startup

I installed it 'cuz I was having trouble updating MS sp2, it didn't help.

I tried scanning with Kaspersky with no luck. It says: Kaspersky Online Scanner service based on Microsoft's ActiveX technology. This Service works only with MS Internet Explorer 5.0 or higher. [detected: unknown OS with Netscape Navigator browser].

Thinking about it, it could have something to do with Mublinder, 'cuz it is supposed to blind MS from my OS info. I have been trying to uninstall that Mublinder but don't know how to, since it is not listed in the Add or Remove Programs list and no uninstall option is available; in fact I don't even know where it resides.

Thank you for your relentless help.

#8 chungdim (Topic Starter)

Posted 18 November 2006 - 01:01 PM

Sam,

I just went ahead and disabled Mublinder from kicking in at startup by going to msconfig and unchecking the thingie, then restarted the computer.
Tried the online scan again, still can't get it to work.

#9 Buckeye_Sam (Malware Expert)

Posted 18 November 2006 - 01:12 PM

Just delete this folder.

H:\C destop\ms sp\muBlinder


Now let's bypass the online scans for now and run this on-demand virus scanner.

Please download Bit Defender 8 Free Edition
  • Install the program and then follow the prompts to download all available updates.
  • Select Antivirus and then click the Settings button. Click Default. Click Ok.
  • Select Local Drives and click Scan.
  • When the scan is complete save the log and post it back here in your next reply.


#10 chungdim (Topic Starter)

Posted 19 November 2006 - 10:54 AM

Hi Sam,

Here is a log from BitDefender:


// Product: BitDefender 8 Free Edition
// Version: 8.0
//
// Created on: 18/11/2006 22:36:45
//
//-----------------------------------------------------------------


Statistics

Scan path : C:\
G:\
H:\
J:\
Folders : 8361
Files : 982786
Archives : 34886
Packed files : 114413
Identified viruses : 8
Infected files : 12
Warnings : 0
Suspect files : 4
Disinfected files : 0
Deleted files : 0
Copied files : 0
Moved files : 10
Renamed files : 0
I/O errors : 86
Scan time : 03:07:59
Scan speed (files/sec) : 87

Virus definitions : 316776
Scan plugins : 13
Archive plugins : 38
Unpack plugins : 6
Mail plugins : 6
System plugins : 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report

Summary:

C:\!KillBox\smss.exe Infected GenPack:Trojan.Downloader.Banload.BOI
C:\!KillBox\smss.exe Disinfection failed
C:\!KillBox\smss.exe Moved
C:\!KillBox\winygq32(2).dll Infected Trojan.Klone.H
C:\!KillBox\winygq32(2).dll Disinfection failed
C:\!KillBox\winygq32(2).dll Moved
C:\Documents and Settings\Linus\.housecall6.6\Quarantine\~tmp1933.exe.bac_a03804=>(Quarantine-4) Infected Trojan.Downloader.Agent.AQK
C:\Documents and Settings\Linus\.housecall6.6\Quarantine\~tmp1933.exe.bac_a03804=>(Quarantine-4) Disinfection failed
C:\Documents and Settings\Linus\.housecall6.6\Quarantine\~tmp1933.exe.bac_a03804 Moved
C:\Documents and Settings\Linus\.housecall6.6\Quarantine\~tmp2962.exe.bac_a03804=>(Quarantine-4) Infected Trojan.Downloader.Agent.AQK
C:\Documents and Settings\Linus\.housecall6.6\Quarantine\~tmp2962.exe.bac_a03804=>(Quarantine-4) Disinfection failed
C:\Documents and Settings\Linus\.housecall6.6\Quarantine\~tmp2962.exe.bac_a03804 Moved
C:\Documents and Settings\Linus\.housecall6.6\Quarantine\~tmp6839.exe.bac_a03804=>(Quarantine-4) Infected Trojan.Downloader.Agent.AQK
C:\Documents and Settings\Linus\.housecall6.6\Quarantine\~tmp6839.exe.bac_a03804=>(Quarantine-4) Disinfection failed
C:\Documents and Settings\Linus\.housecall6.6\Quarantine\~tmp6839.exe.bac_a03804 Moved
C:\Documents and Settings\Linus\.housecall6.6\Quarantine\~tmp9609.exe.bac_a03804=>(Quarantine-4) Infected Trojan.Downloader.Agent.AQK
C:\Documents and Settings\Linus\.housecall6.6\Quarantine\~tmp9609.exe.bac_a03804=>(Quarantine-4) Disinfection failed
C:\Documents and Settings\Linus\.housecall6.6\Quarantine\~tmp9609.exe.bac_a03804 Moved
C:\Documents and Settings\Linus\Desktop\kf151.zip=>keyfinder.exe Infected Trojan.PWS.Ras.A
C:\Documents and Settings\Linus\Desktop\kf151.zip=>keyfinder.exe Disinfection failed
C:\Documents and Settings\Linus\Desktop\kf151.zip Moved
C:\Documents and Settings\Linus\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Arial, sans][From: janet8888]=>(body)=>(Compressed Rtf) Suspect Exploit.Iframe.Vulnerability
C:\Documents and Settings\Linus\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Arial, sans][From: janet8888]=>(body)=>(Compressed Rtf) Disinfection failed
C:\Documents and Settings\Linus\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Arial, sans][From: janet8888]=>(body)=>(Compressed Rtf)=>(IFRAME) Suspect Exploit.Iframe.Vulnerability
C:\Documents and Settings\Linus\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Arial, sans][From: janet8888]=>(body)=>(Compressed Rtf)=>(Rtf2Html) Suspect Exploit.Iframe.Vulnerability
C:\Documents and Settings\Linus\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Arial, sans][From: janet8888]=>(body)=>(Compressed Rtf)=>(Rtf2Html) Disinfection failed
C:\Documents and Settings\Linus\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Arial, sans][From: janet8888]=>(body)=>(Compressed Rtf)=>(Rtf2Html)=>(IFRAME) Suspect Exploit.Iframe.Vulnerability
C:\Documents and Settings\Snoopy\Local Settings\Application Data\Identities\{F6A11CA8-2C97-4758-8943-B68932550D8A}\Microsoft\Outlook Express\Inbox.dbx=>(message 93)=>[Subject: Livan War real pictures.][Date: Tue, 31 Oct 2006 15:00:25 -0800]=>(MIME part)=>picture265.zip=>picture265.gif .exe Infected Dropped:Win32.Warezov.DW@mm
C:\Documents and Settings\Snoopy\Local Settings\Application Data\Identities\{F6A11CA8-2C97-4758-8943-B68932550D8A}\Microsoft\Outlook Express\Inbox.dbx=>(message 93)=>[Subject: Livan War real pictures.][Date: Tue, 31 Oct 2006 15:00:25 -0800]=>(MIME part)=>picture265.zip=>picture265.gif .exe Disinfection failed
C:\Documents and Settings\Snoopy\Local Settings\Application Data\Identities\{F6A11CA8-2C97-4758-8943-B68932550D8A}\Microsoft\Outlook Express\Inbox.dbx=>(message 131)=>[Subject: Livan War real pictures.][Date: Tue, 31 Oct 2006 15:00:25 -0800]=>(MIME part)=>picture265.zip=>picture265.gif .exe Infected Dropped:Win32.Warezov.DW@mm
C:\Documents and Settings\Snoopy\Local Settings\Application Data\Identities\{F6A11CA8-2C97-4758-8943-B68932550D8A}\Microsoft\Outlook Express\Inbox.dbx=>(message 131)=>[Subject: Livan War real pictures.][Date: Tue, 31 Oct 2006 15:00:25 -0800]=>(MIME part)=>picture265.zip=>picture265.gif .exe Disinfection failed
C:\WINDOWS\csrss.exe Infected Trojan.Killwin.B
C:\WINDOWS\csrss.exe Disinfection failed
C:\WINDOWS\csrss.exe Moved
C:\WINDOWS\Help\gpedit.hlp Infected Trojan.Spy.Agent.OE
C:\WINDOWS\Help\gpedit.hlp Disinfection failed
C:\WINDOWS\Help\gpedit.hlp Moved
H:\C destop\ms sp\KB8921~1.EXE Infected Trojan.Dropper.Delf.XU
H:\C destop\ms sp\KB8921~1.EXE Disinfection failed
H:\C destop\ms sp\KB8921~1.EXE Moved
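The Summary block above is easier to act on once its per-object lines are grouped by the container file they belong to. As an added example (my own code, not a BitDefender or BleepingComputer tool), the script below parses a constructed excerpt of that report in the same line format, reproduces the counts from the Statistics block, and lists the containers whose detections were neither disinfected nor moved to quarantine.

```python
"""Group a BitDefender 8 scan report by container file (added example, not a BitDefender
tool). It reproduces the Statistics block from the per-object result lines and lists the
containers whose detections were neither disinfected nor moved to quarantine."""
import re
from collections import defaultdict

# Constructed excerpt of the Summary section posted above (paths kept as in the report).
SAMPLE_REPORT = r"""
C:\!KillBox\smss.exe Infected GenPack:Trojan.Downloader.Banload.BOI
C:\!KillBox\smss.exe Disinfection failed
C:\!KillBox\smss.exe Moved
C:\Documents and Settings\Linus\.housecall6.6\Quarantine\~tmp1933.exe.bac_a03804=>(Quarantine-4) Infected Trojan.Downloader.Agent.AQK
C:\Documents and Settings\Linus\.housecall6.6\Quarantine\~tmp1933.exe.bac_a03804=>(Quarantine-4) Disinfection failed
C:\Documents and Settings\Linus\.housecall6.6\Quarantine\~tmp1933.exe.bac_a03804 Moved
C:\Documents and Settings\Linus\Desktop\kf151.zip=>keyfinder.exe Infected Trojan.PWS.Ras.A
C:\Documents and Settings\Linus\Desktop\kf151.zip=>keyfinder.exe Disinfection failed
C:\Documents and Settings\Linus\Desktop\kf151.zip Moved
C:\Documents and Settings\Linus\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Arial, sans][From: janet8888]=>(body)=>(Compressed Rtf) Suspect Exploit.Iframe.Vulnerability
C:\Documents and Settings\Linus\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Arial, sans][From: janet8888]=>(body)=>(Compressed Rtf) Disinfection failed
C:\Documents and Settings\Snoopy\Local Settings\Application Data\Identities\{F6A11CA8-2C97-4758-8943-B68932550D8A}\Microsoft\Outlook Express\Inbox.dbx=>(message 93)=>[Subject: Livan War real pictures.][Date: Tue, 31 Oct 2006 15:00:25 -0800]=>(MIME part)=>picture265.zip=>picture265.gif .exe Infected Dropped:Win32.Warezov.DW@mm
C:\Documents and Settings\Snoopy\Local Settings\Application Data\Identities\{F6A11CA8-2C97-4758-8943-B68932550D8A}\Microsoft\Outlook Express\Inbox.dbx=>(message 93)=>[Subject: Livan War real pictures.][Date: Tue, 31 Oct 2006 15:00:25 -0800]=>(MIME part)=>picture265.zip=>picture265.gif .exe Disinfection failed
C:\WINDOWS\csrss.exe Infected Trojan.Killwin.B
C:\WINDOWS\csrss.exe Disinfection failed
C:\WINDOWS\csrss.exe Moved
"""

# Each result line is "<object> <status> [<detection name>]". Objects contain spaces, so the
# object is matched lazily and the status keyword is anchored to the end of the line.
# Only the status words that appear in the posted report are recognised.
LINE_RE = re.compile(
    r'^(?P<obj>.+?) (?P<status>Infected|Suspect|Disinfection failed|Moved)'
    r'(?: (?P<name>\S+))?$')


def parse_report(text):
    """Map container path -> {'detections': [(kind, name), ...], 'moved': bool}."""
    containers = defaultdict(lambda: {'detections': [], 'moved': False})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = containers[m['obj'].split('=>')[0]]   # outermost file, e.g. the .zip or .pst
        if m['status'] in ('Infected', 'Suspect'):
            entry['detections'].append((m['status'], m['name']))
        elif m['status'] == 'Moved':
            entry['moved'] = True
    return dict(containers)


def statistics(text):
    """Counts matching the report's own Statistics block (viruses = distinct Infected names)."""
    rep = parse_report(text)
    dets = [d for e in rep.values() for d in e['detections']]
    return {'infected': sum(1 for k, _ in dets if k == 'Infected'),
            'suspect': sum(1 for k, _ in dets if k == 'Suspect'),
            'identified_viruses': len({n for k, n in dets if k == 'Infected'}),
            'moved': sum(1 for e in rep.values() if e['moved'])}


def unresolved(text):
    """Containers with detections that were not moved to quarantine: they need manual follow-up."""
    return sorted(p for p, e in parse_report(text).items()
                  if e['detections'] and not e['moved'])


if __name__ == '__main__':
    print(statistics(SAMPLE_REPORT))
    for path in unresolved(SAMPLE_REPORT):
        print('still present:', path)
```

Run over the full Summary posted above it returns infected 12, suspect 4, identified viruses 8 and moved 10, matching the Statistics block, and the only unresolved containers are the Outlook PST and Outlook Express DBX mail stores, which the report shows BitDefender could neither disinfect nor move.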

#11 Buckeye_Sam (Malware Expert)

Posted 19 November 2006 - 12:16 PM

That's a good sign. Now that you've removed muBlinder, are you able to run one of those online scans?

How is your computer running now? What issues are you still having?

#12 chungdim (Topic Starter)

Posted 19 November 2006 - 12:53 PM

Sam,

Thank you so much for all your help; it's up and running great.
I am currently out of work, but made a tiny donation as appreciation.
Again, thank you very much.

Best regards,
L

#13 Buckeye_Sam (Malware Expert)

Posted 19 November 2006 - 06:32 PM

I'm glad to hear it's working well again for you.
I'm extremely appreciative of your donation. Thank you!



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.


#14 Buckeye_Sam (Malware Expert)

Posted 08 December 2006 - 07:06 PM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.



