
Virtumond Virus : Help Pls


4 replies to this topic

#1 roxas (Members, 19 posts)
Posted 03 May 2007 - 02:18 AM

Hello, all conventional methods of curing it were not successful (e.g. Dr.Web CureIt, Spybot, AVG Anti-Spyware...).
This is my HijackThis log, please help me:
Logfile of HijackThis v1.99.1
Scan saved at 3:08:39 PM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
D:\antiv\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\fbinjsaw.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175473333887
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175384031369
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)

Thank you all.
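Added triage example (not part of the original post, and not HijackThis's own code): the script parses O4 autorun lines of the form shown in the log above and singles out entries that start rundll32 to load a module from system32 that is not on a known-good list. The allow-list is an assumption for the example and should be built from a clean baseline; the sample lines are copied from the log and embedded as constructed input. On this input it surfaces the `[InfoData]` entry loading `fbinjsaw.dll` through the `realset` export, while the Bluetooth applet and the ThinkPad power monitor are left alone.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: autorun (O4) lines copied from the HijackThis log above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\fbinjsaw.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Command lines that invoke rundll32 (any case, with or without .exe or a path).
RUNDLL_RE = re.compile(r'^(?:"?[^"]*?\\)?rundll32(?:\.exe)?"?\s+(?P<rest>.*)$', re.IGNORECASE)

# Assumed allow-list of system32 modules that rundll32 legitimately loads at logon on a
# clean XP machine. This is an example list; derive yours from a known-good baseline,
# never from the machine under investigation.
KNOWN_SYSTEM32_TARGETS = {"irprops.cpl", "shell32.dll", "advpack.dll", "setupapi.dll", "powrprof.dll"}


@dataclass
class RunDllEntry:
    hive: str
    name: str
    dll_path: str
    export: Optional[str]
    suspicious: bool
    reason: str


def split_rundll32_args(rest: str) -> Tuple[str, Optional[str]]:
    """Split '<dll>,<entrypoint> <args>' the way rundll32 does: a quoted path, or the text
    up to the first comma, is the module; commas and whitespace are skipped before the
    entry point name (so 'irprops.cpl,,Foo' yields export 'Foo')."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        path, tail = rest[1:end], rest[end + 1:]
    else:
        comma = rest.find(',')
        path, tail = (rest, '') if comma < 0 else (rest[:comma], rest[comma:])
    tail = tail.lstrip(', ')
    export = tail.split()[0] if tail else None
    return path, export


def in_system32(path: str) -> bool:
    """A bare file name is resolved through the DLL search path, which includes system32."""
    low = path.lower()
    return '\\' not in low or '\\system32\\' in low


def triage_rundll32(hjt_text: str) -> List[RunDllEntry]:
    """Return every O4 entry that launches rundll32, marked suspicious when the module lives
    in system32 and is not on the allow-list."""
    entries: List[RunDllEntry] = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        r = RUNDLL_RE.match(m.group('cmd').strip())
        if not r:
            continue
        path, export = split_rundll32_args(r.group('rest'))
        base = path.rsplit('\\', 1)[-1].lower()
        if not in_system32(path):
            flag, why = False, "module outside system32 (vendor directory); verify the publisher"
        elif base in KNOWN_SYSTEM32_TARGETS:
            flag, why = False, "known system32 target"
        else:
            flag, why = True, f"rundll32 loads unknown system32 module {base} via export {export!r}"
        entries.append(RunDllEntry(m.group('hive'), m.group('name'), path, export, flag, why))
    return entries


def suspicious_autorun_names(hjt_text: str) -> List[str]:
    return [e.name for e in triage_rundll32(hjt_text) if e.suspicious]


if __name__ == "__main__":
    for e in triage_rundll32(SAMPLE_HJT):
        tag = "SUSPECT" if e.suspicious else "ok     "
        print(f"{tag} [{e.name}] {e.dll_path} -> {e.export}  ({e.reason})")
```

The process list in the same log shows two `rundll32.exe` instances resident, which is what you would expect when such an entry has run; the check above only tells you which autorun to look at, the module itself still has to be examined or submitted.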

#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 03 May 2007 - 05:22 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum roxas :thumbsup:

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


*****************

Now go to:
D:\antiv\HijackThis.exe
Right click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please, along with the C:\ComboFix.txt.

#3 roxas (Topic Starter, Members, 19 posts)

Posted 03 May 2007 - 10:59 AM

Thank you so much! ^^ The problem is gone now, I think? hehe
These are the logs you wanted me to post:
"Michelle Le" - 2007-05-03 23:41:20 Service Pack 2
ComboFix 07-05.03.5.V - Running from: "C:\Documents and Settings\Michelle Le\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\svyay.bak1
C:\WINDOWS\system32\svyay.bak2
C:\WINDOWS\system32\svyay.ini
C:\WINDOWS\system32\yayvs.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2007-04-03 to 2007-05-03 ))))))))))))))))))))))))))))))))))


2007-05-03 14:55 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-05-03 14:48 2,686 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-23 08:56 <DIR> d-------- C:\Program Files\AuditionSEA
2007-04-23 03:26 <DIR> d-------- C:\Program Files\Microsoft Works
2007-04-23 03:24 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-04-23 03:14 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-04-23 03:10 <DIR> dr-h----- C:\MSOCache
2007-04-21 23:37 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-04-21 23:37 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-04-21 23:37 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-04-21 00:51 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-04-21 00:51 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2007-04-21 00:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-04-15 05:00 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-04-15 04:58 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-04-15 04:58 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-04-09 01:51 <DIR> d-------- C:\DOCUME~1\MICHEL~1\APPLIC~1\WinRAR
2007-04-09 01:14 <DIR> d-------- C:\Program Files\uTorrent
2007-04-09 01:14 <DIR> d-------- C:\DOCUME~1\MICHEL~1\APPLIC~1\uTorrent
2007-04-07 23:58 545 --a------ C:\WINDOWS\UC.PIF
2007-04-07 23:58 545 --a------ C:\WINDOWS\RAR.PIF
2007-04-07 23:58 545 --a------ C:\WINDOWS\PKZIP.PIF
2007-04-07 23:58 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2007-04-07 23:58 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2007-04-07 23:58 545 --a------ C:\WINDOWS\LHA.PIF
2007-04-07 23:58 545 --a------ C:\WINDOWS\ARJ.PIF
2007-04-07 23:58 <DIR> d-------- C:\totalcmd
2007-04-07 09:12 1,168 --a------ C:\WINDOWS\mozver.dat
2007-04-05 13:57 <DIR> d-------- C:\DOCUME~1\MICHEL~1\DoctorWeb
2007-04-05 10:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-04 01:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-04-04 01:22 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-04 01:22 <DIR> d-------- C:\DOCUME~1\MICHEL~1\APPLIC~1\Lavasoft
2007-04-04 01:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-04 00:26 <DIR> d-------- C:\DOCUME~1\MICHEL~1\.jpi_cache
2007-04-04 00:20 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-04-03 10:03 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-04-03 07:47 494,311 --ahs---- C:\WINDOWS\system32\yxabc.bak2


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-02 03:58:32 -------- d-----w C:\Program Files\FlashGet
2007-04-28 20:36:18 -------- d-----w C:\DOCUME~1\MICHEL~1\APPLIC~1.\uTorrent
2007-04-23 00:56:25 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-23 00:51:47 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-08 17:51:09 -------- d-----w C:\DOCUME~1\MICHEL~1\APPLIC~1.\WinRAR
2007-04-07 02:01:09 -------- d-----w C:\Program Files\Google
2007-04-03 18:02:03 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-04-03 17:22:38 -------- d-----w C:\DOCUME~1\MICHEL~1\APPLIC~1.\Lavasoft
2007-04-03 16:51:16 -------- d-----w C:\Program Files\Messenger
2007-04-03 02:54:21 -------- d-----w C:\Program Files\Windows NT
2007-04-01 23:45:09 0 ---ha-w C:\IO.SYS
2007-04-01 23:45:08 0 ---ha-w C:\CONFIG.SYS
2007-04-01 23:45:08 0 ---ha-w C:\AUTOEXEC.BAT
2007-04-01 23:44:50 -------- d-----w C:\Program Files\InterVideo
2007-04-01 23:29:56 -------- d-----w C:\Program Files\PC-Doctor for Windows
2007-04-01 23:25:52 -------- d-----w C:\Program Files\IBM DLA
2007-04-01 23:25:50 -------- d-----w C:\DOCUME~1\MICHEL~1\APPLIC~1.\Sonic
2007-04-01 23:25:42 -------- d-----w C:\Program Files\IBM RecordNow!
2007-04-01 23:24:04 -------- d-----w C:\Program Files\IBM
2007-04-01 23:23:04 -------- d-----w C:\DOCUME~1\MICHEL~1\APPLIC~1.\Symantec
2007-04-01 23:22:20 -------- d-----w C:\Program Files\SBApps
2007-04-01 23:17:44 -------- d-----w C:\Program Files\ATI Technologies
2007-04-01 23:17:20 14,037 ----a-w C:\WINDOWS\system32\drivers\mdc8021x.sys
2007-04-01 23:17:16 -------- d-----w C:\Program Files\Intel
2007-04-01 23:16:56 -------- d-----w C:\Program Files\ltmoh
2007-04-01 23:13:52 -------- d-----w C:\Program Files\ThinkPad
2007-04-01 22:51:41 -------- d-----w C:\DOCUME~1\MICHEL~1\APPLIC~1.\Media Player Classic
2007-04-01 22:42:52 -------- d-----w C:\Program Files\Synaptics
2007-04-01 15:50:22 -------- d-----w C:\Program Files\Yahoo!
2007-04-01 05:20:35 -------- d-----w C:\DOCUME~1\MICHEL~1\APPLIC~1.\MSN6
2007-04-01 05:12:25 0 --sha-r C:\MSDOS.SYS
2007-04-01 04:50:48 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-01 04:50:47 -------- d-----w C:\Program Files\Norton AntiVirus
2007-04-01 04:49:22 -------- d-----w C:\Program Files\Symantec
2007-04-01 04:45:54 33,280 ----a-w C:\WINDOWS\system32\rundll32.exe
2007-04-01 04:20:14 26,112 ----a-w C:\WINDOWS\system32\xpsp1hfm.exe
2007-04-01 04:20:13 77,824 ----a-w C:\WINDOWS\system32\wmpstub.exe
2007-04-01 04:20:12 433,664 ----a-w C:\WINDOWS\system32\wiaacmgr.exe
2007-04-01 04:20:10 289,792 ----a-w C:\WINDOWS\system32\vssvc.exe
2007-04-01 04:20:09 98,304 ----a-w C:\WINDOWS\system32\verifier.exe
2007-04-01 04:20:09 33,792 ----a-w C:\WINDOWS\system32\vssadmin.exe
2007-04-01 04:20:08 28,672 ----a-w C:\WINDOWS\system32\verclsid.exe
2007-04-01 04:20:07 69,632 ----a-w C:\WINDOWS\system32\usrshuta.exe
2007-04-01 04:20:06 77,824 ----a-w C:\WINDOWS\system32\usrmlnka.exe
2007-04-01 04:20:06 61,440 ----a-w C:\WINDOWS\system32\usrprbda.exe
2007-04-01 04:20:05 24,576 ----a-w C:\WINDOWS\system32\userinit.exe
2007-04-01 04:20:05 16,896 ----a-w C:\WINDOWS\system32\upnpcont.exe
2007-04-01 04:20:04 4,096 ----a-w C:\WINDOWS\system32\unlodctr.exe
2007-04-01 04:20:03 36,352 ----a-w C:\WINDOWS\system32\typeperf.exe
2007-04-01 04:20:03 16,896 ----a-w C:\WINDOWS\system32\tsshutdn.exe
2007-04-01 04:20:02 16,384 ----a-w C:\WINDOWS\system32\tskill.exe
2007-04-01 04:20:02 14,848 ----a-w C:\WINDOWS\system32\tsdiscon.exe
2007-04-01 04:20:01 44,544 ----a-w C:\WINDOWS\system32\tscupgrd.exe
2007-04-01 04:20:01 14,848 ----a-w C:\WINDOWS\system32\tscon.exe
2007-04-01 04:20:00 31,744 ----a-w C:\WINDOWS\system32\tracert6.exe
2007-04-01 04:20:00 12,288 ----a-w C:\WINDOWS\system32\tracert.exe
2007-04-01 04:19:59 259,584 ----a-w C:\WINDOWS\system32\tracerpt.exe
2007-04-01 04:19:58 49,152 ----a-w C:\WINDOWS\system32\tp4cross.exe
2007-04-01 04:19:57 78,336 ----a-w C:\WINDOWS\system32\tlntsess.exe
2007-04-01 04:19:56 819,200 ----a-w C:\WINDOWS\system32\ThinkPad_Features.exe
2007-04-01 04:19:53 75,776 ----a-w C:\WINDOWS\system32\telnet.exe
2007-04-01 04:19:52 19,456 ----a-w C:\WINDOWS\system32\tcpsvcs.exe
2007-04-01 04:19:51 12,288 ----a-w C:\WINDOWS\system32\tcmsetup.exe
2007-04-01 04:19:50 135,680 ----a-w C:\WINDOWS\system32\taskmgr.exe
2007-04-01 04:19:49 72,192 ----a-w C:\WINDOWS\system32\tasklist.exe
2007-04-01 04:19:49 15,360 ----a-w C:\WINDOWS\system32\taskman.exe
2007-04-01 04:19:48 72,192 ----a-w C:\WINDOWS\system32\taskkill.exe
2007-04-01 04:19:47 3,072 ----a-w C:\WINDOWS\system32\systray.exe
2007-04-01 04:19:46 68,096 ----a-w C:\WINDOWS\system32\systeminfo.exe
2007-04-01 04:19:46 105,984 ----a-w C:\WINDOWS\system32\sysocmgr.exe
2007-04-01 04:19:45 36,864 ----a-w C:\WINDOWS\system32\syskey.exe
2007-04-01 04:19:44 51,200 ----a-w C:\WINDOWS\system32\syncapp.exe
2007-04-01 04:19:43 9,216 ----a-w C:\WINDOWS\system32\subst.exe
2007-04-01 04:19:43 14,848 ----a-w C:\WINDOWS\system32\stimon.exe
2007-04-01 04:19:42 11,776 ----a-w C:\WINDOWS\system32\spnpinst.exe
2007-04-01 04:19:40 95,744 ----a-w C:\WINDOWS\system32\scardsvr.exe
2007-04-01 04:19:40 77,312 ----a-w C:\WINDOWS\system32\sdbinst.exe
2007-04-01 04:19:39 13,312 ----a-w C:\WINDOWS\system32\savedump.exe
2007-04-01 04:19:38 14,336 ----a-w C:\WINDOWS\system32\runonce.exe
2007-04-01 04:19:36 126,976 ----a-w C:\WINDOWS\system32\Prounstl.exe
2007-04-01 04:19:35 84,480 ----a-w C:\WINDOWS\system32\pintool.exe
2007-04-01 04:19:35 33,280 ----a-w C:\WINDOWS\system32\ping6.exe
2007-04-01 04:19:34 15,872 ----a-w C:\WINDOWS\system32\perfmon.exe
2007-04-01 04:19:33 21,504 ----a-w C:\WINDOWS\system32\pathping.exe
2007-04-01 04:19:33 15,360 ----a-w C:\WINDOWS\system32\pentnt.exe
2007-04-01 04:19:32 58,368 ----a-w C:\WINDOWS\system32\packager.exe
2007-04-01 04:19:32 40,448 ----a-w C:\WINDOWS\system32\osuninst.exe
2007-04-01 04:19:31 126,464 ----a-w C:\WINDOWS\system32\nwscript.exe
2007-04-01 04:19:29 6,656 ----a-w C:\WINDOWS\system32\msswchx.exe
2007-04-01 04:19:28 22,016 ----a-w C:\WINDOWS\system32\mpnotify.exe
2007-04-01 04:19:28 12,800 ----a-w C:\WINDOWS\system32\mrinfo.exe
2007-04-01 04:19:27 59,392 ----a-w C:\WINDOWS\system32\logman.exe
2007-04-01 04:19:26 75,264 ----a-w C:\WINDOWS\system32\locator.exe
2007-04-01 04:19:25 55,808 ----a-w C:\WINDOWS\system32\ipconfig.exe
2007-04-01 04:19:24 55,296 ----a-w C:\WINDOWS\system32\getmac.exe
2007-04-01 04:19:23 3,072 ----a-w C:\WINDOWS\system32\fixmapi.exe
2007-04-01 04:19:22 77,824 ----a-w C:\WINDOWS\system32\eventtriggers.exe
2007-04-01 04:19:21 45,568 ----a-w C:\WINDOWS\system32\drwtsn32.exe
2007-04-01 04:18:09 184,320 ----a-w C:\WINDOWS\system32\ThinkPad_Features.scr
2007-04-01 04:18:08 679,936 ----a-w C:\WINDOWS\system32\sstext3d.scr
2007-04-01 04:18:06 14,336 ----a-w C:\WINDOWS\system32\ssstars.scr
2007-04-01 04:18:05 610,304 ----a-w C:\WINDOWS\system32\sspipes.scr
2007-04-01 04:18:04 18,944 ----a-w C:\WINDOWS\system32\ssmyst.scr
2007-04-01 04:18:03 47,104 ----a-w C:\WINDOWS\system32\ssmypics.scr
2007-04-01 04:18:03 20,992 ----a-w C:\WINDOWS\system32\ssmarque.scr
2007-04-01 04:18:02 393,216 ----a-w C:\WINDOWS\system32\ssflwbox.scr
2007-04-01 04:18:00 704,512 ----a-w C:\WINDOWS\system32\ss3dfo.scr
2007-04-01 04:18:00 19,968 ----a-w C:\WINDOWS\system32\ssbezier.scr
2007-04-01 04:17:58 9,216 ----a-w C:\WINDOWS\system32\scrnsave.scr
2007-04-01 04:17:57 361,984 ----a-w C:\WINDOWS\system32\Rebus IBM.Scr
2007-04-01 04:17:50 220,672 ----a-w C:\WINDOWS\system32\logon.scr
2007-04-01 04:15:44 32,256 ----a-w C:\WINDOWS\system32\wupdmgr.exe
2007-04-01 04:15:44 30,720 ----a-w C:\WINDOWS\system32\xcopy.exe
2007-04-01 04:15:42 5,632 ----a-w C:\WINDOWS\system32\write.exe
2007-04-01 04:15:42 114,688 ----a-w C:\WINDOWS\system32\wscript.exe
2007-04-01 04:15:41 32,256 ----a-w C:\WINDOWS\system32\wpnpinst.exe
2007-04-01 04:15:40 32,256 ----a-w C:\WINDOWS\system32\wpabaln.exe
2007-04-01 04:15:39 5,632 ----a-w C:\WINDOWS\system32\winver.exe
2007-04-01 04:15:39 11,776 ----a-w C:\WINDOWS\system32\winmsd.exe
2007-04-01 04:15:38 119,808 ----a-w C:\WINDOWS\system32\winmine.exe
2007-04-01 04:15:37 8,192 ----a-w C:\WINDOWS\system32\winhlp32.exe
2007-04-01 04:15:35 65,536 ----a-w C:\WINDOWS\system32\wextract.exe
2007-04-01 04:15:34 49,664 ----a-w C:\WINDOWS\system32\w32tm.exe
2007-04-01 04:15:33 50,176 ----a-w C:\WINDOWS\system32\utilman.exe
2007-04-01 04:15:29 82,432 ----a-w C:\WINDOWS\system32\tp4mon.exe
2007-04-01 04:15:28 53,248 ----a-w C:\WINDOWS\system32\TP4EX.exe
2007-04-01 04:15:27 347,136 ----a-w C:\WINDOWS\system32\tourstart.exe
2007-04-01 04:15:26 61,440 ----a-w C:\WINDOWS\system32\tlntadmn.exe
2007-04-01 04:15:23 21,504 ----a-w C:\WINDOWS\system32\spupdwxp.exe
2007-04-01 04:15:22 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2007-04-01 04:15:21 538,624 ----a-w C:\WINDOWS\system32\spider.exe
2007-04-01 04:15:19 8,192 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2007-04-01 04:15:18 138,752 ----a-w C:\WINDOWS\system32\sndvol32.exe
2007-04-01 04:15:17 131,584 ----a-w C:\WINDOWS\system32\sndrec32.exe
2007-04-01 04:15:16 89,600 ----a-w C:\WINDOWS\system32\smlogsvc.exe
2007-04-01 04:15:15 8,192 ----a-w C:\WINDOWS\system32\smbinst.exe
2007-04-01 04:15:15 73,728 ----a-w C:\WINDOWS\system32\slserv.exe
2007-04-01 04:15:14 32,768 ----a-w C:\WINDOWS\system32\slrundll.exe
2007-04-01 04:15:13 26,112 ----a-w C:\WINDOWS\system32\skeys.exe
2007-04-01 04:15:12 70,144 ----a-w C:\WINDOWS\system32\sigverif.exe
2007-04-01 04:15:11 77,824 ----a-w C:\WINDOWS\system32\shrpubw.exe
2007-04-01 04:15:11 19,456 ----a-w C:\WINDOWS\system32\shutdown.exe
2007-04-01 04:15:10 42,496 ----a-w C:\WINDOWS\system32\shmgrate.exe
2007-04-01 04:15:09 14,848 ----a-w C:\WINDOWS\system32\shadow.exe
2007-04-01 04:15:08 23,040 ----a-w C:\WINDOWS\system32\setup.exe
2007-04-01 04:15:07 31,232 ----a-w C:\WINDOWS\system32\sethc.exe
2007-04-01 04:15:06 18,432 ----a-w C:\WINDOWS\system32\secedit.exe
2007-04-01 04:15:05 121,856 ----a-w C:\WINDOWS\system32\schtasks.exe
2007-04-01 04:15:04 61,440 ----a-w C:\WINDOWS\system32\S3uninst.exe
2007-04-01 04:15:03 69,632 ----a-w C:\WINDOWS\system32\S3Tray2.exe
2007-04-01 04:15:02 15,872 ----a-w C:\WINDOWS\system32\rwinsta.exe
2007-04-01 04:15:01 16,384 ----a-w C:\WINDOWS\system32\runas.exe
2007-04-01 04:15:00 77,312 ----a-w C:\WINDOWS\system32\rtcshare.exe
2007-04-01 04:14:59 62,976 ----a-w C:\WINDOWS\system32\rsopprov.exe
2007-04-01 04:14:58 107,520 ----a-w C:\WINDOWS\system32\rsnotify.exe
2007-04-01 04:14:57 49,152 ----a-w C:\WINDOWS\system32\rsmui.exe
2007-04-01 04:14:56 24,576 ----a-w C:\WINDOWS\system32\rsmsink.exe
2007-04-01 04:14:55 25,600 ----a-w C:\WINDOWS\system32\routemon.exe
2007-04-01 04:14:55 19,968 ----a-w C:\WINDOWS\system32\route.exe
2007-04-01 04:14:54 13,824 ----a-w C:\WINDOWS\system32\rexec.exe
2007-04-01 04:14:53 9,728 ----a-w C:\WINDOWS\system32\reset.exe
2007-04-01 04:14:52 32,768 ----a-w C:\WINDOWS\system32\relog.exe
2007-04-01 04:14:52 12,800 ----a-w C:\WINDOWS\system32\replace.exe
2007-04-01 04:14:51 4,608 ----a-w C:\WINDOWS\system32\regwiz.exe
2007-04-01 04:14:50 33,792 ----a-w C:\WINDOWS\system32\regini.exe
2007-04-01 04:14:49 7,168 ----a-w C:\WINDOWS\system32\recover.exe
2007-04-01 04:14:49 3,584 ----a-w C:\WINDOWS\system32\regedt32.exe
2007-04-01 04:14:48 67,072 ----a-w C:\WINDOWS\system32\rdshost.exe
2007-04-01 04:14:47 62,464 ----a-w C:\WINDOWS\system32\rdpclip.exe
2007-04-01 04:14:47 13,824 ----a-w C:\WINDOWS\system32\rdsaddin.exe
2007-04-01 04:14:46 35,840 ----a-w C:\WINDOWS\system32\rcimlby.exe
2007-04-01 04:14:45 56,832 ----a-w C:\WINDOWS\system32\rasphone.exe
2007-04-01 04:14:44 11,264 ----a-w C:\WINDOWS\system32\rasdial.exe
2007-04-01 04:14:43 22,016 ----a-w C:\WINDOWS\system32\qwinsta.exe
2007-04-01 04:14:43 11,776 ----a-w C:\WINDOWS\system32\rasautou.exe
2007-04-01 04:14:42 20,480 ----a-w C:\WINDOWS\system32\qprocess.exe
2007-04-01 04:14:41 16,896 ----a-w C:\WINDOWS\system32\qappsrv.exe
2007-04-01 04:14:40 9,216 ----a-w C:\WINDOWS\system32\proxycfg.exe
2007-04-01 04:14:39 50,176 ----a-w C:\WINDOWS\system32\proquota.exe
2007-04-01 04:14:38 109,568 ----a-w C:\WINDOWS\system32\progman.exe
2007-04-01 04:14:37 9,216 ----a-w C:\WINDOWS\system32\print.exe
2007-04-01 04:14:37 49,152 ----a-w C:\WINDOWS\system32\powercfg.exe
2007-04-01 04:14:35 67,584 ----a-w C:\WINDOWS\system32\openfiles.exe
2007-04-01 04:14:34 69,632 ----a-w C:\WINDOWS\system32\odbcconf.exe
2007-04-01 04:14:33 32,768 ----a-w C:\WINDOWS\system32\odbcad32.exe
2007-04-01 04:14:32 419,840 ----a-w C:\WINDOWS\system32\ntvdm.exe
2007-04-01 04:14:28 1,200,128 ----a-w C:\WINDOWS\system32\ntbackup.exe
2007-04-01 04:14:27 76,800 ----a-w C:\WINDOWS\system32\nslookup.exe
2007-04-01 04:14:26 69,120 ----a-w C:\WINDOWS\system32\notepad.exe
2007-04-01 04:14:25 86,016 ----a-w C:\WINDOWS\system32\netsh.exe
2007-04-01 04:14:25 36,864 ----a-w C:\WINDOWS\system32\netstat.exe
2007-04-01 04:14:24 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2007-04-01 04:14:23 4,096 ----a-w C:\WINDOWS\system32\nddeapir.exe
2007-04-01 04:14:23 111,104 ----a-w C:\WINDOWS\system32\netdde.exe
2007-04-01 04:14:22 20,480 ----a-w C:\WINDOWS\system32\nbtstat.exe
2007-04-01 04:14:21 53,760 ----a-w C:\WINDOWS\system32\narrator.exe
2007-04-01 04:14:21 407,552 ----a-w C:\WINDOWS\system32\mstsc.exe
2007-04-01 04:14:20 12,288 ----a-w C:\WINDOWS\system32\mstinit.exe
2007-04-01 04:14:19 343,040 ----a-w C:\WINDOWS\system32\mspaint.exe
2007-04-01 04:14:18 78,848 ----a-w C:\WINDOWS\system32\msiexec.exe
2007-04-01 04:14:17 126,976 ----a-w C:\WINDOWS\system32\mshearts.exe
2007-04-01 04:14:16 117,248 ----a-w C:\WINDOWS\system32\mqtgsvc.exe
2007-04-01 04:14:15 4,608 ----a-w C:\WINDOWS\system32\mqsvc.exe
2007-04-01 04:14:15 19,968 ----a-w C:\WINDOWS\system32\mqbkup.exe
2007-04-01 04:14:14 8,192 ----a-w C:\WINDOWS\system32\mountvol.exe
2007-04-01 04:14:14 123,392 ----a-w C:\WINDOWS\system32\mplay32.exe
2007-04-01 04:14:13 143,360 ----a-w C:\WINDOWS\system32\mobsync.exe
2007-04-01 04:14:12 51,712 ----a-w C:\WINDOWS\system32\migpwd.exe
2007-04-01 04:14:11 85,504 ----a-w C:\WINDOWS\system32\makecab.exe
2007-04-01 04:14:10 72,704 ----a-w C:\WINDOWS\system32\magnify.exe
2007-04-01 04:14:10 514,560 ----a-w C:\WINDOWS\system32\logonui.exe
2007-04-01 04:14:09 15,360 ----a-w C:\WINDOWS\system32\logoff.exe
2007-04-01 04:14:07 5,120 ----a-w C:\WINDOWS\system32\lodctr.exe
2007-04-01 04:14:07 25,088 ----a-w C:\WINDOWS\system32\lnkstub.exe
2007-04-01 04:14:06 29,696 ----a-w C:\WINDOWS\system32\lights.exe
2007-04-01 04:14:05 9,728 ----a-w C:\WINDOWS\system32\label.exe
2007-04-01 04:14:05 152,576 ----a-w C:\WINDOWS\system32\irftp.exe
2007-04-01 04:14:04 23,552 ----a-w C:\WINDOWS\system32\ipxroute.exe
2007-04-01 04:14:03 44,032 ----a-w C:\WINDOWS\system32\ipsec6.exe
2007-04-01 04:14:03 114,688 ----a-w C:\WINDOWS\system32\iexpress.exe
2007-04-01 04:14:02 7,680 ----a-w C:\WINDOWS\system32\hostname.exe
2007-04-01 04:14:01 39,424 ----a-w C:\WINDOWS\system32\grpconv.exe
2007-04-01 04:14:00 57,344 ----a-w C:\WINDOWS\system32\gpupdate.exe
2007-04-01 04:14:00 119,808 ----a-w C:\WINDOWS\system32\gpresult.exe
2007-04-01 04:13:59 56,320 ----a-w C:\WINDOWS\system32\fsutil.exe
2007-04-01 04:13:58 193,024 ----a-w C:\WINDOWS\system32\fsquirt.exe
2007-04-01 04:13:57 55,296 ----a-w C:\WINDOWS\system32\freecell.exe
2007-04-01 04:13:56 7,168 ----a-w C:\WINDOWS\system32\forcedos.exe
2007-04-01 04:13:56 20,992 ----a-w C:\WINDOWS\system32\fontview.exe
2007-04-01 04:13:55 9,216 ----a-w C:\WINDOWS\system32\finger.exe
2007-04-01 04:13:54 27,136 ----a-w C:\WINDOWS\system32\findstr.exe
2007-04-01 04:13:53 45,568 ----a-w C:\WINDOWS\system32\extrac32.exe
2007-04-01 04:13:53 20,992 ----a-w C:\WINDOWS\system32\faxpatch.exe
2007-04-01 04:13:52 8,704 ----a-w C:\WINDOWS\system32\eventvwr.exe
2007-04-01 04:13:52 15,872 ----a-w C:\WINDOWS\system32\expand.exe
2007-04-01 04:13:51 50,176 ----a-w C:\WINDOWS\system32\eventcreate.exe
2007-04-01 04:13:50 193,024 ----a-w C:\WINDOWS\system32\eudcedit.exe
2007-04-01 04:13:49 39,424 ----a-w C:\WINDOWS\system32\esentutl.exe
2007-04-01 04:13:48 44,544 ----a-w C:\WINDOWS\system32\dxdllreg.exe
2007-04-01 04:13:47 1,298,432 ----a-w C:\WINDOWS\system32\dxdiag.exe
2007-04-01 04:13:45 180,224 ----a-w C:\WINDOWS\system32\dwwin.exe
2007-04-01 04:13:44 55,296 ----a-w C:\WINDOWS\system32\dvdplay.exe
2007-04-01 04:13:44 17,920 ----a-w C:\WINDOWS\system32\dvdupgrd.exe
2007-04-01 04:13:43 10,752 ----a-w C:\WINDOWS\system32\dumprep.exe
2007-04-01 04:13:41 83,456 ----a-w C:\WINDOWS\system32\dpvsetup.exe
2007-04-01 04:13:41 58,368 ----a-w C:\WINDOWS\system32\driverquery.exe
2007-04-01 04:13:40 30,208 ----a-w C:\WINDOWS\system32\dplaysvr.exe
2007-04-01 04:13:40 18,432 ----a-w C:\WINDOWS\system32\dpnsvr.exe
2007-04-01 04:13:39 15,872 ----a-w C:\WINDOWS\system32\dmremote.exe
2007-04-01 04:13:39 10,752 ----a-w C:\WINDOWS\system32\doskey.exe
2007-04-01 04:13:38 224,768 ----a-w C:\WINDOWS\system32\dmadmin.exe
2007-04-01 04:13:37 4,608 ----a-w C:\WINDOWS\system32\dllhst3g.exe
2007-04-01 04:13:36 17,920 ----a-w C:\WINDOWS\system32\diskperf.exe
2007-04-01 04:13:36 163,840 ----a-w C:\WINDOWS\system32\diskpart.exe
2007-04-01 04:13:35 85,504 ----a-w C:\WINDOWS\system32\diantz.exe
2007-04-01 04:13:34 82,432 ----a-w C:\WINDOWS\system32\dfrgfat.exe
2007-04-01 04:13:33 25,088 ----a-w C:\WINDOWS\system32\defrag.exe
2007-04-01 04:13:32 5,120 ----a-w C:\WINDOWS\system32\dcomcnfg.exe
2007-04-01 04:13:32 30,208 ----a-w C:\WINDOWS\system32\ddeshare.exe
2007-04-01 04:13:31 98,304 ----a-w C:\WINDOWS\system32\cscript.exe
2007-04-01 04:13:31 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-04-01 04:13:30 13,824 ----a-w C:\WINDOWS\system32\convert.exe
2007-04-01 04:13:29 8,192 ----a-w C:\WINDOWS\system32\control.exe
2007-04-01 04:13:29 27,648 ----a-w C:\WINDOWS\system32\conime.exe
2007-04-01 04:13:28 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe
2007-04-01 04:13:28 17,408 ----a-w C:\WINDOWS\system32\compact.exe
2007-04-01 04:13:27 63,488 ----a-w C:\WINDOWS\system32\cmstp.exe
2007-04-01 04:13:26 47,104 ----a-w C:\WINDOWS\system32\cmdl32.exe
2007-04-01 04:13:26 39,936 ----a-w C:\WINDOWS\system32\cmmon32.exe
2007-04-01 04:13:25 33,280 ----a-w C:\WINDOWS\system32\clipsrv.exe
2007-04-01 04:13:24 20,480 ----a-w C:\WINDOWS\system32\cliconfg.exe
2007-04-01 04:13:24 102,912 ----a-w C:\WINDOWS\system32\clipbrd.exe
2007-04-01 04:13:23 7,680 ----a-w C:\WINDOWS\system32\ckcnv.exe
2007-04-01 04:13:23 64,000 ----a-w C:\WINDOWS\system32\cleanmgr.exe
2007-04-01 04:13:22 56,320 ----a-w C:\WINDOWS\system32\cipher.exe
2007-04-01 04:13:22 5,632 ----a-w C:\WINDOWS\system32\cisvc.exe
2007-04-01 04:13:21 8,192 ----a-w C:\WINDOWS\system32\cidaemon.exe
2007-04-01 04:13:20 11,776 ----a-w C:\WINDOWS\system32\chkdsk.exe
2007-04-01 04:13:20 11,264 ----a-w C:\WINDOWS\system32\chkntfs.exe
2007-04-01 04:13:19 80,384 ----a-w C:\WINDOWS\system32\charmap.exe
2007-04-01 04:13:19 18,432 ----a-w C:\WINDOWS\system32\cacls.exe
2007-04-01 04:13:18 5,120 ----a-w C:\WINDOWS\system32\bootvrfy.exe
2007-04-01 04:13:18 4,608 ----a-w C:\WINDOWS\system32\bootok.exe
2007-04-01 04:13:17 136,704 ----a-w C:\WINDOWS\system32\bootcfg.exe
2007-04-01 04:13:16 71,680 ----a-w C:\WINDOWS\system32\blastcln.exe
2007-04-01 04:13:15 14,336 ----a-w C:\WINDOWS\system32\auditusr.exe
2007-04-01 04:13:14 11,264 ----a-w C:\WINDOWS\system32\attrib.exe
2007-04-01 04:13:14 11,264 ----a-w C:\WINDOWS\system32\atmadm.exe
2007-04-01 04:13:13 32,768 ----a-w C:\WINDOWS\system32\asr_pfu.exe
2007-04-01 04:13:13 25,088 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-04-01 04:13:12 32,256 ----a-w C:\WINDOWS\system32\asr_ldm.exe
2007-04-01 04:13:11 30,208 ----a-w C:\WINDOWS\system32\asr_fmt.exe
2007-04-01 04:13:10 892,928 ----a-w C:\WINDOWS\system32\AIBMRUN.exe
2007-04-01 04:13:09 4,096 ----a-w C:\WINDOWS\system32\actmovie.exe
2007-04-01 04:13:08 184,320 ----a-w C:\WINDOWS\system32\1XConfig.exe
2007-04-01 04:13:08 183,808 ----a-w C:\WINDOWS\system32\accwiz.exe
2007-04-01 04:12:57 18,432 ----a-w C:\WINDOWS\system32\ups.exe
2007-04-01 04:12:56 23,552 ----a-w C:\WINDOWS\system32\sort.exe
2007-04-01 04:12:56 16,896 ----a-w C:\WINDOWS\system32\tftp.exe
2007-04-01 04:12:55 9,728 ----a-w C:\WINDOWS\system32\sfc.exe
2007-04-01 04:12:55 56,832 ----a-w C:\WINDOWS\system32\sol.exe
2007-04-01 04:12:54 31,232 ----a-w C:\WINDOWS\system32\sc.exe
2007-04-01 04:12:53 49,152 ----a-w C:\WINDOWS\system32\rsm.exe
2007-04-01 04:12:53 132,608 ----a-w C:\WINDOWS\system32\rsvp.exe
2007-04-01 04:12:52 14,848 ----a-w C:\WINDOWS\system32\rsh.exe
2007-04-01 04:12:51 50,176 ----a-w C:\WINDOWS\system32\reg.exe
2007-04-01 04:12:51 21,504 ----a-w C:\WINDOWS\system32\rcp.exe
2007-04-01 04:12:50 215,552 ----a-w C:\WINDOWS\system32\osk.exe
2007-04-01 04:12:50 17,920 ----a-w C:\WINDOWS\system32\ping.exe
2007-04-01 04:12:49 31,744 ----a-w C:\WINDOWS\system32\ntsd.exe
2007-04-01 04:12:49 124,928 ----a-w C:\WINDOWS\system32\net1.exe
2007-04-01 04:12:48 42,496 ----a-w C:\WINDOWS\system32\net.exe
2007-04-01 04:12:47 20,992 ----a-w C:\WINDOWS\system32\msg.exe
2007-04-01 04:12:45 815,104 ----a-w C:\WINDOWS\system32\mmc.exe
2007-04-01 04:12:44 8,192 ----a-w C:\WINDOWS\system32\lpr.exe
2007-04-01 04:12:43 6,144 ----a-w C:\WINDOWS\system32\lpq.exe
2007-04-01 04:12:43 53,248 ----a-w C:\WINDOWS\system32\ipv6.exe
2007-04-01 04:12:42 14,848 ----a-w C:\WINDOWS\system32\help.exe
2007-04-01 04:12:41 9,216 ----a-w C:\WINDOWS\system32\find.exe
2007-04-01 04:12:41 42,496 ----a-w C:\WINDOWS\system32\ftp.exe
2007-04-01 04:12:40 15,872 ----a-w C:\WINDOWS\system32\comp.exe
2007-04-01 04:12:40 14,848 ----a-w C:\WINDOWS\system32\fc.exe
2007-04-01 04:12:39 114,688 ----a-w C:\WINDOWS\system32\calc.exe
2007-04-01 04:12:37 25,088 ----a-w C:\WINDOWS\system32\at.exe
2007-04-01 04:12:37 19,456 ----a-w C:\WINDOWS\system32\arp.exe
2007-04-01 04:12:36 98,304 ----a-w C:\WINDOWS\system32\ahui.exe
2007-04-01 04:12:32 102,400 ----a-w C:\WINDOWS\_tpiu000.exe
2007-04-01 04:12:31 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2007-04-01 04:12:30 25,600 ----a-w C:\WINDOWS\twunk_32.exe
2007-04-01 04:12:28 184,320 ----a-w C:\WINDOWS\TPBATHLP.EXE
2007-04-01 04:12:27 15,360 ----a-w C:\WINDOWS\TASKMAN.EXE
2007-04-01 04:12:26 32,768 ------w C:\WINDOWS\slrundll.exe
2007-04-01 04:12:26 146,432 ----a-w C:\WINDOWS\regedit.exe
2007-04-01 04:12:24 69,120 ----a-w C:\WINDOWS\notepad.exe
2007-04-01 04:12:23 306,688 ----a-w C:\WINDOWS\IsUninst.exe
2007-04-01 04:12:22 33,792 ----a-w C:\WINDOWS\ieuninst.exe
2007-04-01 04:12:22 10,752 ----a-w C:\WINDOWS\hh.exe
2007-04-01 04:12:21 98,304 ----a-w C:\WINDOWS\dla.exe
2007-04-01 04:12:20 106,496 ----a-w C:\WINDOWS\desktopset.exe
2007-04-01 04:12:19 892,928 ----a-w C:\WINDOWS\aibmrun.exe
2007-04-01 04:12:17 65,024 ----a-w C:\WINDOWS\agrsmdel.exe
2007-04-01 04:12:15 73,216 ----a-w C:\WINDOWS\system32\tlntsvr.exe
2007-04-01 04:12:14 140,800 ----a-w C:\WINDOWS\system32\sessmgr.exe
2007-04-01 04:12:13 6,144 ----a-w C:\WINDOWS\system32\msdtc.exe
2007-04-01 04:12:13 32,768 ----a-w C:\WINDOWS\system32\mnmsrvc.exe
2007-04-01 04:12:12 150,016 ----a-w C:\WINDOWS\system32\imapi.exe
2007-04-01 04:01:13 388,608 ----a-w C:\WINDOWS\system32\cmd.exe
2007-04-01 04:00:51 11,776 ----a-w C:\WINDOWS\system32\regsvr32.exe
2007-04-01 03:48:40 0 ----a-w C:\WINDOWS\nsreg.dat
2007-04-01 03:44:25 8,464 ----a-w C:\WINDOWS\system32\sporder.dll
2007-04-01 03:01:13 -------- d-----w C:\Program Files\Movie Maker
2007-04-01 00:17:08 -------- d-----w C:\Program Files\K-Lite Codec Pack
2007-04-01 00:11:27 -------- d-----w C:\DOCUME~1\MICHEL~1\APPLIC~1.\Google
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-21 13:00:28 10,752 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}"="C:\Program Files\FlashGet\jccatch.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="C:\WINDOWS\system32\dla\tfswshx.dll"
"{AA58ED58-01DD-4d91-8333-CF10577473F7}"="c:\program files\google\googletoolbar2.dll"
"{D651AFF4-9590-424d-BD1E-8E33E090DFB3}"="C:\WINDOWS\system32\igfsjnfa.dll" [x]
"{F156768E-81EF-470C-9057-481BA8380DBA}"="C:\Program Files\FlashGet\getflash.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"S3TRAY2"="S3Tray2.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"BluetoothAuthenticationAgent"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
"TpShocks"="TpShocks.exe"
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"TP4EX"="tp4ex.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"AGRSMMSG"="AGRSMMSG.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"UC_Start"="C:\\IBMTools\\Updater\\ucstartup.exe"
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\ibmmessages.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"IBM RecordNow!"=""
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\ibmmessages.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqoopq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\Recycled\ctfmon.exe
Shell\Open(O)\command Recycled\Recycled\ctfmon.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ca03b70-f406-11db-9af6-000cf13450da}]
shell\verb1\command F:\desktop.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23748ee0-e0a3-11db-9ac7-000cf13450da}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Shell\Open(0)\command Recycled\ctfmon.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c017b920-e0ad-11db-9ac8-000cf13450da}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Shell\Open(0)\command Recycled\ctfmon.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_HTTPFILTER


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\BMMTask.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{02BCE0AE-9E71-451E-8954-25326F292608}.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-03 23:46:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-03 23:47:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-03 23:47
C:\ComboFix2.txt ... 2007-04-08 08:46
C:\ComboFix3.txt ... 2007-04-05 12:02


And also the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:53:24 PM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\antiv\abc.bat.exe

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\igfsjnfa.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175473333887
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175384031369
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: ssqoopq - ssqoopq.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)

hehe, thanks again my friend :thumbsup:

#4 RichieUK

RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • Local time:04:03 AM

Posted 03 May 2007 - 11:11 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\yxabc.bak2

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

***************************

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\igfsjnfa.dll (file missing)
O20 - Winlogon Notify: ssqoopq - ssqoopq.dll (file missing)


Exit HijackThis, restart your PC and post the Avenger output.txt and a new HijackThis log in your next reply.
Let me know how it's running now please.
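A small defensive check, added here as an example and not part of RichieUK's post or of any tool named on this page: it parses HijackThis log lines, flags the O2/O20 entries whose DLL is reported "(file missing)" (the same two lines the fix above targets, as opposed to the benign missing O9 button and O23 service leftovers), and diffs the pre-fix and post-fix logs to confirm the entries are gone. Treating O2/O20/O21 as the sections worth flagging is this example's own assumption, and the sample lines are constructed from the logs posted in this thread.

```python
"""Flag HijackThis entries that hook code loading from a file that no longer exists.

Added example for this thread, not part of HijackThis, Avenger or ComboFix.
The sample logs below are constructed from the logs posted in the thread.
"""
import re
from dataclasses import dataclass

# A HijackThis entry looks like: "O2 - BHO: name - {CLSID} - path (file missing)"
HJT_LINE = re.compile(r"^O(?P<section>\d+) - (?P<rest>.*)$")
MISSING = "(file missing)"

# Sections where a dangling entry means a hook still tries to load code at
# logon or browser start: O2 (BHO), O20 (Winlogon Notify), O21 (SSODL).
# Assumption of this example, based on the O2 and O20 lines fixed in the thread.
CODE_LOADING_SECTIONS = {2, 20, 21}


@dataclass(frozen=True)
class Finding:
    section: int
    line: str
    reason: str


def parse_entries(log_text: str) -> list[tuple[int, str]]:
    """Return (section, full_line) for every O-line in a HijackThis log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append((int(m.group("section")), line))
    return entries


def flag_dangling_hooks(log_text: str) -> list[Finding]:
    """Flag O2/O20/O21 entries whose target file is reported missing.

    A missing O9 button or O23 service binary is usually an uninstall leftover;
    a missing BHO or Winlogon Notify DLL is a registry hook left behind after
    the on-disk component was removed, which is what the fix above targets.
    """
    findings = []
    for section, line in parse_entries(log_text):
        if section in CODE_LOADING_SECTIONS and line.endswith(MISSING):
            findings.append(Finding(section, line, "hook points to missing file"))
    return findings


def removed_entries(before: str, after: str) -> list[str]:
    """Entries present in the earlier log but absent from the later one."""
    after_lines = {line for _, line in parse_entries(after)}
    return [line for _, line in parse_entries(before) if line not in after_lines]


# Constructed sample: subsets of the pre-fix and post-fix HijackThis logs above.
BEFORE = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\igfsjnfa.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: ssqoopq - ssqoopq.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
"""

AFTER = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
"""

if __name__ == "__main__":
    for f in flag_dangling_hooks(BEFORE):
        print(f"O{f.section}: {f.reason}: {f.line}")
    print("still flagged after fix:", flag_dangling_hooks(AFTER))
    print("entries removed by the fix:", removed_entries(BEFORE, AFTER))
```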

#5 roxas

roxas
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Local time:11:03 AM

Posted 04 May 2007 - 10:19 PM

Thanks again for helping hehe:
The logs that you want:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kyjlklla

*******************

Script file located at: \??\C:\WINDOWS\fjxpfsks.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\yxabc.bak2 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
---------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:14:38 AM, on 5/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
D:\antiv\abc.bat.exe

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175473333887
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175384031369
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
