help much appreciated, virus on work computer

Unknown · September 2006

i've run ad aware and spybot a few times to no effect

hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 11:51:10 PM, on 9/4/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Marie\Desktop\ATF-Cleaner.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nc.rr.com/default.cfm
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\System32\crunner\cproc.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139178629022
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\k080lalm1dqa.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

thank you!

Trogan · September 2006

Hi Ryan06, welcome to Short-Media!

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

Ryan06 · September 2006

service pack 1 would only work if i could put in my windows cd to complete the installation and I lost it, for the time being is it possible for me to receive help without it?

Trogan · September 2006

Ryan06, I believe you don't need the Windows CD to install Service Pack 1a.

Is this a legit copy of Windows?

Ryan06 · September 2006

okay i think i got the service pack installed

Logfile of HijackThis v1.99.1
Scan saved at 3:32:29 PM, on 9/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\nwnmff_16.exe
C:\WINDOWS\TWFyaWU\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\dfndrff_16.exe
C:\kybrdff_16.exe
C:\WINDOWS\xload.exe
C:\Program Files\SystemDoctor 2006 Free\sd2006.exe
C:\Program Files\Common Files\{A00D6271-0256-1033-0303-040714200001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\crunner\cproc.exe
C:\PROGRA~1\COMMON~1\CROSOF~1\scanregw.exe
C:\Program Files\Common Files\??stem\m?config.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {A6C7F347-3CF4-3708-A4AD-611345D938C7} - C:\WINDOWS\System32\ynk.dll
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_16.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_16.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_16.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\System32\crunner\cproc.exe
O4 - HKCU\..\Run: [Etle] "C:\PROGRA~1\COMMON~1\CROSOF~1\scanregw.exe" -vt yazr
O4 - HKCU\..\Run: [Mruuynhp] C:\Program Files\Common Files\??stem\m?config.exe
O4 - HKCU\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139178629022
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\mv46l9hs1.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFyaWU\command.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

Trogan · September 2006

Looks like you picked up more malware along the way.

Please do the following...

I don't see any indication of a Firewall in your HijackThis log. This may be because:

(1.) You are using Windows Firewall or a hardware Firewall.
(2.) You are using a Firewall of an unknown vendor.
(3.) You are using a Firewall, but it is disabled for unknown reasons
(4.) You don't use any firewall at all.

In the case you don't have a Firewall, please download one from the list below - They are Free!

Zone Alarm << I recommend this
Sunbelt Kerio PF
Outpost Firewall

Also, I do not see an Anti-Virus program. Again, choose one from the list below - They are Free!

AVG Free Edition << I recommend this
AntiVir
avast! 4 Home Edition

Once you have choosen your Anti-Virus, update it and run a Full System Scan. Make a note of any file that could not be cleaned and post them here.

=====

I would like to see another log from HijackThis.

Run Hijackthis.
Click on Open the Misc Tools section.
Next click on Open uninstall manager.
Press the Save list button. It will open a Notepad file.
Save the file to your desktop, with the default name of uninstall_list
Copy & Paste the entire contents of that file in your in your next post.

=====

Please post the following:

1) Info from files that could not be cleaned by your Anti-Virus program
2) Uninstall list
3) New HijackThis log

Ryan06 · September 2006

i installed Zone Alarm, declined internet access to a few unknown programs, pop ups stopped for now, but i know the viruses are probably still running.

i ran AVG Free and that got rid of some files, couldnt save any logs from it though...

uninstall list:

Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Professional
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Shockwave Player
AOL Instant Messenger
AVG Free Edition
Complete Spanish
Creative Jukebox Driver
Disney's Active Play, A Bug's Life
Eudora
Hijackthis 1.99.1
HijackThis 1.99.1
HP Photo and Imaging 2.0 - Photosmart Cameras
HP Real Estate Document Assistant
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
InterActual Player
J2SE Runtime Environment 5.0 Update 6
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft Office Professional Edition 2003
Mozilla Firefox (1.5.0.6)
NOMAD Explorer
RealFA$T® Forms for North Carolina
Spybot - Search & Destroy 1.4
Update for Windows XP (KB898461)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Web Nexus Network
Windows Installer 3.1 (KB893803)
Windows Overlay Components
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817606
Windows XP Service Pack 1a
WinRAR archiver
ZoneAlarm

new hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 9:25:36 PM, on 9/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\ms0635567-16097.exe
C:\WINDOWS\ljwceirA.exe
C:\windows\system32\omdsregl.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\{A00D6271-0256-1033-0303-040714200001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\crunner\cproc.exe
C:\PROGRA~1\COMMON~1\CROSOF~1\scanregw.exe
C:\Program Files\Common Files\??stem\m?config.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\PSLister\PSLister.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_16.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_16.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_15.exe
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKLM\..\Run: [ms0635567-16097] C:\WINDOWS\ms0635567-16097.exe
O4 - HKLM\..\Run: [ljwceirA] C:\WINDOWS\ljwceirA.exe
O4 - HKLM\..\Run: [{D6-62-27-71-ZN}] C:\windows\system32\omdsregl.exe GEN001
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\System32\crunner\cproc.exe
O4 - HKCU\..\Run: [Etle] "C:\PROGRA~1\COMMON~1\CROSOF~1\scanregw.exe" -vt yazr
O4 - HKCU\..\Run: [Mruuynhp] C:\Program Files\Common Files\??stem\m?config.exe
O4 - HKCU\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKCU\..\Run: [wmri] C:\PROGRA~1\COMMON~1\wmri\wmrim.exe
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.winantivirus.com
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139178629022
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\lvp4097qe.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ljwceir.exe (file missing)

Trogan · September 2006

Ryan06, please do the following...

Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

Viewpoint Manager (Remove Only)
Viewpoint Media Player
SystemDoctor 2006 Free
Windows Overlay Components

=====

Download and run the Purtiyscan Uninstaller

Tutorial for the uninstaller if needed

Reboot when done and delete this folder if found:
C:\Program Files\PurityScan

=====

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

=====

Please post the following:

1) ComboFix log
2) New HijackThis log

Ryan06 · September 2006

Combo Fix:

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{60D76AB6-5B7D-4818-ADB3-860DC30253ED}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{60D76AB6-5B7D-4818-ADB3-860DC30253ED}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{60D76AB6-5B7D-4818-ADB3-860DC30253ED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{60D76AB6-5B7D-4818-ADB3-860DC30253ED}\InprocServer32]
@="C:\\WINDOWS\\system32\\mnglibnt.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{8189E6CD-0769-4ED6-B9B2-995685005409}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{8189E6CD-0769-4ED6-B9B2-995685005409}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8189E6CD-0769-4ED6-B9B2-995685005409}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8189E6CD-0769-4ED6-B9B2-995685005409}\InprocServer32]
@="C:\\WINDOWS\\system32\\mmmtapi.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{62B0A7FA-0DB4-4F09-B262-A6810AC693FB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{62B0A7FA-0DB4-4F09-B262-A6810AC693FB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{62B0A7FA-0DB4-4F09-B262-A6810AC693FB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{62B0A7FA-0DB4-4F09-B262-A6810AC693FB}\InprocServer32]
@="C:\\WINDOWS\\system32\\uprdpa.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{F2B99A40-1A8E-4092-9649-9C536385FE54}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F2B99A40-1A8E-4092-9649-9C536385FE54}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F2B99A40-1A8E-4092-9649-9C536385FE54}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F2B99A40-1A8E-4092-9649-9C536385FE54}\InprocServer32]
@="C:\\WINDOWS\\system32\\mcg4dmod.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{2D772200-FE23-4E15-BC73-A16D33784ACC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2D772200-FE23-4E15-BC73-A16D33784ACC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2D772200-FE23-4E15-BC73-A16D33784ACC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2D772200-FE23-4E15-BC73-A16D33784ACC}\InprocServer32]
@="C:\\WINDOWS\\system32\\wrauserv.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{79A4331C-1212-43B8-A2DC-789D90484036}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{79A4331C-1212-43B8-A2DC-789D90484036}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{79A4331C-1212-43B8-A2DC-789D90484036}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{79A4331C-1212-43B8-A2DC-789D90484036}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{803E3857-84FA-47FA-9DE7-8D411911172F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{803E3857-84FA-47FA-9DE7-8D411911172F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{803E3857-84FA-47FA-9DE7-8D411911172F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{803E3857-84FA-47FA-9DE7-8D411911172F}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{65174CB7-E7B2-4F27-BCC8-09FCB41C81F9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65174CB7-E7B2-4F27-BCC8-09FCB41C81F9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65174CB7-E7B2-4F27-BCC8-09FCB41C81F9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65174CB7-E7B2-4F27-BCC8-09FCB41C81F9}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{1959C790-F0B5-4E42-841F-330EC9CBC170}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1959C790-F0B5-4E42-841F-330EC9CBC170}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1959C790-F0B5-4E42-841F-330EC9CBC170}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1959C790-F0B5-4E42-841F-330EC9CBC170}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{12185E93-902A-48EE-8163-5FDC1871BBB3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12185E93-902A-48EE-8163-5FDC1871BBB3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12185E93-902A-48EE-8163-5FDC1871BBB3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12185E93-902A-48EE-8163-5FDC1871BBB3}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CAFA2871-7550-42C6-95EC-E2C1A6315995}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CAFA2871-7550-42C6-95EC-E2C1A6315995}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CAFA2871-7550-42C6-95EC-E2C1A6315995}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CAFA2871-7550-42C6-95EC-E2C1A6315995}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{6D9AA09C-95BA-4A77-B58D-85ACF044C74C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6D9AA09C-95BA-4A77-B58D-85ACF044C74C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6D9AA09C-95BA-4A77-B58D-85ACF044C74C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6D9AA09C-95BA-4A77-B58D-85ACF044C74C}\InprocServer32]
@="C:\\WINDOWS\\system32\\xWctsrv.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{4F6AAC1C-24FA-4C1C-AF8D-577A75C1EA59}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4F6AAC1C-24FA-4C1C-AF8D-577A75C1EA59}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4F6AAC1C-24FA-4C1C-AF8D-577A75C1EA59}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4F6AAC1C-24FA-4C1C-AF8D-577A75C1EA59}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Granting sedebugprivilege to Administrators ... successful

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Marie\Application Data\Sskcwrd.dll
C:\Documents and Settings\Marie\Application Data\Sskknwrd.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\Duce6.exe
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\system32\aaa00000.dll
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\uninst104.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Program Files\cmfibula
C:\Program Files\Deskbar
C:\Program Files\PSLister
C:\WINDOWS\system32\crunner
C:\Program Files\Common Files\{A00D6271-0256-1033-0303-040714200001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Marie\Application Data\SMANTE~1
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1
C:\QooBox\Purity\Program Files\Common Files\STEM~1
C:\QooBox\Purity\Program Files\Common Files\YMANTE~1
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1\CROSOF~1
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1\scanregw.exe

((((((((((((((((((((((((((((((( Files Created from 2006-08-07 to 2006-09-07 ))))))))))))))))))))))))))))))))))

2006-09-06 07:07 45,090 --a

C:\WINDOWS\system32\omdsregl.exe
2006-09-06 06:28 991,232 --a

C:\WINDOWS\system32\esent.dll
2006-09-06 06:13 45,056 --a

C:\TIGEN001.exe
2006-09-06 06:12 186,223 --a

C:\WINDOWS\srvfedyvfp.exe
2006-09-06 06:12 163,840 --a

C:\WINDOWS\ms0635567-16097.exe
2006-09-06 06:12 1,164,816 -r-hs---- C:\WINDOWS\ljwceirA.exe
2006-09-06 06:11 215,308 --a

C:\WINDOWS\srvynsxduq.exe
2006-09-06 03:00 22,752 --a

C:\WINDOWS\system32\spupdsvc.exe
2006-09-05 06:32 9,216 --a

C:\WINDOWS\system32\wuauserv.dll
2006-09-05 06:32 88,064 --a

C:\WINDOWS\system32\tscfgwmi.dll
2006-09-05 06:32 86,528 --a

C:\WINDOWS\system32\wlnotify.dll
2006-09-05 06:32 86,016 --a

C:\WINDOWS\system32\xactsrv.dll
2006-09-05 06:32 81,920 --a

C:\WINDOWS\system32\trkwks.dll
2006-09-05 06:32 77,824 --a

C:\WINDOWS\system32\wmpstub.exe
2006-09-05 06:32 77,824 --a

C:\WINDOWS\system32\wmpshell.dll
2006-09-05 06:32 72,192 --a

C:\WINDOWS\system32\telnet.exe
2006-09-05 06:32 71,168 --a

C:\WINDOWS\system32\storprop.dll
2006-09-05 06:32 667,648 --a

C:\WINDOWS\system32\ss3dfo.scr
2006-09-05 06:32 66,560 --a

C:\WINDOWS\system32\spoolss.dll
2006-09-05 06:32 638,976 --a

C:\WINDOWS\system32\sstext3d.scr
2006-09-05 06:32 63,488 --a

C:\WINDOWS\system32\srclient.dll
2006-09-05 06:32 61,952 --a

C:\WINDOWS\system32\sti.dll
2006-09-05 06:32 60,416 --a

C:\WINDOWS\system32\wextract.exe
2006-09-05 06:32 569,344 --a

C:\WINDOWS\system32\sspipes.scr
2006-09-05 06:32 56,832 --a

C:\WINDOWS\system32\wzcdlg.dll
2006-09-05 06:32 534,016 --a

C:\WINDOWS\system32\spider.exe
2006-09-05 06:32 51,200 --a

C:\WINDOWS\system32\wmerrenu.dll
2006-09-05 06:32 48,640 --a

C:\WINDOWS\system32\vdmredir.dll
2006-09-05 06:32 48,128 --a

C:\WINDOWS\system32\winsta.dll
2006-09-05 06:32 479,261 --a

C:\WINDOWS\system32\vbscript.dll
2006-09-05 06:32 47,616 --a

C:\WINDOWS\system32\utilman.exe
2006-09-05 06:32 446,464 --a

C:\WINDOWS\system32\wmvdmoe.dll
2006-09-05 06:32 43,008 --a

C:\WINDOWS\system32\ssdpsrv.dll
2006-09-05 06:32 409,088 --a

C:\WINDOWS\system32\vssapi.dll
2006-09-05 06:32 40,960 --a

C:\WINDOWS\system32\tscupgrd.exe
2006-09-05 06:32 385,024 --a

C:\WINDOWS\system32\sqlsrv32.dll
2006-09-05 06:32 384,000 --a

C:\WINDOWS\system32\themeui.dll
2006-09-05 06:32 38,912 --a

C:\WINDOWS\system32\wsnmp32.dll
2006-09-05 06:32 364,544 --a

C:\WINDOWS\system32\ssflwbox.scr
2006-09-05 06:32 339,456 --a

C:\WINDOWS\system32\usp10.dll
2006-09-05 06:32 32,256 --a

C:\WINDOWS\system32\umandlg.dll
2006-09-05 06:32 316,416 --a

C:\WINDOWS\system32\wiaservc.dll
2006-09-05 06:32 311,327 --a

C:\WINDOWS\system32\wmv8dmod.dll
2006-09-05 06:32 296,448 --a

C:\WINDOWS\system32\wmstream.dll
2006-09-05 06:32 27,136 --a

C:\WINDOWS\system32\ssdpapi.dll
2006-09-05 06:32 266,752 --a

C:\WINDOWS\winhlp32.exe
2006-09-05 06:32 264,704 --a

C:\WINDOWS\system32\wzcsvc.dll
2006-09-05 06:32 258,048 --a

C:\WINDOWS\system32\webcheck.dll
2006-09-05 06:32 253,952 --a

C:\WINDOWS\system32\wmpcd.dll
2006-09-05 06:32 251,904 --a

C:\WINDOWS\system32\strmdll.dll
2006-09-05 06:32 247,808 --a

C:\WINDOWS\system32\wow32.dll
2006-09-05 06:32 238,592 --a

C:\WINDOWS\system32\tapisrv.dll
2006-09-05 06:32 231,424 --a

C:\WINDOWS\system32\upnpui.dll
2006-09-05 06:32 23,552 --a

C:\WINDOWS\system32\wzcsapi.dll
2006-09-05 06:32 22,016 --a

C:\WINDOWS\system32\udhisapi.dll
2006-09-05 06:32 203,264 --a

C:\WINDOWS\system32\uxtheme.dll
2006-09-05 06:32 200,192 --a

C:\WINDOWS\system32\termsrv.dll
2006-09-05 06:32 19,456 --a

C:\WINDOWS\system32\ssmarque.scr
2006-09-05 06:32 18,944 --a

C:\WINDOWS\system32\ssbezier.scr
2006-09-05 06:32 172,664 --a

C:\WINDOWS\system32\xenroll.dll
2006-09-05 06:32 171,520 --a

C:\WINDOWS\system32\winmm.dll
2006-09-05 06:32 17,408 --a

C:\WINDOWS\system32\wtsapi32.dll
2006-09-05 06:32 17,408 --a

C:\WINDOWS\system32\ssmyst.scr
2006-09-05 06:32 168,448 --a

C:\WINDOWS\system32\wldap32.dll
2006-09-05 06:32 165,376 --a

C:\WINDOWS\system32\w32time.dll
2006-09-05 06:32 165,376 --a

C:\WINDOWS\system32\tapi32.dll
2006-09-05 06:32 164,864 --a

C:\WINDOWS\system32\upnphost.dll
2006-09-05 06:32 16,384 --a

C:\WINDOWS\system32\watchdog.sys
2006-09-05 06:32 16,384 --a

C:\WINDOWS\system32\ups.exe
2006-09-05 06:32 158,720 --a

C:\WINDOWS\system32\srsvc.dll
2006-09-05 06:32 130,560 --a

C:\WINDOWS\system32\sti_ci.dll
2006-09-05 06:32 13,312 --a

C:\WINDOWS\system32\ssstars.scr
2006-09-05 06:32 128,512 --a

C:\WINDOWS\system32\taskmgr.exe
2006-09-05 06:32 124,928 --a

C:\WINDOWS\system32\webvw.dll
2006-09-05 06:32 120,320 --a

C:\WINDOWS\system32\upnp.dll
2006-09-05 06:32 119,808 --a

C:\WINDOWS\system32\wiadss.dll
2006-09-05 06:32 118,784 --a

C:\WINDOWS\system32\wmsdmoe.dll
2006-09-05 06:32 117,760 --a

C:\WINDOWS\system32\stobject.dll
2006-09-05 06:32 106,496 --a

C:\WINDOWS\system32\url.dll
2006-09-05 06:32 10,752 --a

C:\WINDOWS\system32\tracert.exe
2006-09-05 06:32 1,998,848 --a

C:\WINDOWS\system32\wmploc.dll
2006-09-05 06:32 1,425,680 --a

C:\WINDOWS\system32\wmpui.dll
2006-09-05 06:32 1,298,432 --a

C:\WINDOWS\system32\wmpcore.dll
2006-09-05 06:31 98,304 --a

C:\WINDOWS\system32\oleprn.dll
2006-09-05 06:31 95,744 --a

C:\WINDOWS\system32\nlhtml.dll
2006-09-05 06:31 94,208 --a

C:\WINDOWS\system32\odbccp32.dll
2006-09-05 06:31 921,475

C:\WINDOWS\system32\ati3d2ag.dll
2006-09-05 06:31 91,136 --a

C:\WINDOWS\system32\rastls.dll
2006-09-05 06:31 87,304 --a

C:\WINDOWS\system32\rdpdd.dll
2006-09-05 06:31 857,600 --a

C:\WINDOWS\system32\netplwiz.dll
2006-09-05 06:31 844,675

C:\WINDOWS\system32\ati3d1ag.dll
2006-09-05 06:31 82,944 --a

C:\WINDOWS\system32\smlogsvc.exe
2006-09-05 06:31 82,944 --a

C:\WINDOWS\system32\psbase.dll
2006-09-05 06:31 8,192 --a

C:\WINDOWS\system32\scrnsave.scr
2006-09-05 06:31 75,912 --a

C:\WINDOWS\system32\rdpwsx.dll
2006-09-05 06:31 74,240 --a

C:\WINDOWS\system32\rtcshare.exe
2006-09-05 06:31 71,168 --a

C:\WINDOWS\system32\sdbinst.exe
2006-09-05 06:31 686,080 --a

C:\WINDOWS\system32\opengl32.dll
2006-09-05 06:31 66,048 --a

C:\WINDOWS\system32\sigverif.exe
2006-09-05 06:31 62,976 --a

C:\WINDOWS\system32\shgina.dll
2006-09-05 06:31 61,440 --a

C:\WINDOWS\system32\odbccu32.dll
2006-09-05 06:31 61,440 --a

C:\WINDOWS\system32\odbccr32.dll
2006-09-05 06:31 60,416 --a

C:\WINDOWS\system32\shimeng.dll
2006-09-05 06:31 6,144 --a

C:\WINDOWS\system32\sensapi.dll
2006-09-05 06:31 584,192 --a

C:\WINDOWS\system32\netcfgx.dll
2006-09-05 06:31 58,880 --a

C:\WINDOWS\system32\pautoenr.dll
2006-09-05 06:31 57,856 --a

C:\WINDOWS\system32\raschap.dll
2006-09-05 06:31 56,320 --a

C:\WINDOWS\system32\remotepg.dll
2006-09-05 06:31 53,248 --a

C:\WINDOWS\system32\packager.exe
2006-09-05 06:31 53,248 --a

C:\WINDOWS\system32\odbcconf.exe
2006-09-05 06:31 52,224 --a

C:\WINDOWS\system32\secur32.dll
2006-09-05 06:31 511,488 --a

C:\WINDOWS\system32\qedit.dll
2006-09-05 06:31 504,832

C:\WINDOWS\system32\msftedit.dll
2006-09-05 06:31 5,120

C:\WINDOWS\system32\hccoin.dll
2006-09-05 06:31 49,152 --a

C:\WINDOWS\system32\npptools.dll
2006-09-05 06:31 48,128 --a

C:\WINDOWS\system32\reg.exe
2006-09-05 06:31 44,032 --a

C:\WINDOWS\system32\regapi.dll
2006-09-05 06:31 44,032 --a

C:\WINDOWS\system32\rdpclip.exe
2006-09-05 06:31 423,424 --a

C:\WINDOWS\system32\riched20.dll
2006-09-05 06:31 420,864 --a

C:\WINDOWS\system32\shimgvw.dll
2006-09-05 06:31 42,496 --a

C:\WINDOWS\system32\ncobjapi.dll
2006-09-05 06:31 403,456

C:\WINDOWS\system32\winbrand.dll
2006-09-05 06:31 399,360 --a

C:\WINDOWS\system32\netlogon.dll
2006-09-05 06:31 392,704 --a

C:\WINDOWS\system32\ntmssvc.dll
2006-09-05 06:31 39,424 --a

C:\WINDOWS\system32\net.exe
2006-09-05 06:31 38,400 --a

C:\WINDOWS\system32\ntmsapi.dll
2006-09-05 06:31 38,400 --a

C:\WINDOWS\system32\ntlanman.dll
2006-09-05 06:31 377,984

C:\WINDOWS\system32\ati2dvaa.dll
2006-09-05 06:31 36,352 --a

C:\WINDOWS\system32\sens.dll
2006-09-05 06:31 357,376 --a

C:\WINDOWS\system32\qdvd.dll
2006-09-05 06:31 34,304 --a

C:\WINDOWS\system32\rcimlby.exe
2006-09-05 06:31 334,848 --a

C:\WINDOWS\system32\smlogcfg.dll
2006-09-05 06:31 33,808 --a

C:\WINDOWS\system32\ntio.sys
2006-09-05 06:31 33,280 --a

C:\WINDOWS\system32\shmgrate.exe
2006-09-05 06:31 326,656 --a

C:\WINDOWS\system32\netsetup.exe
2006-09-05 06:31 32,768 --a

C:\WINDOWS\system32\odbcad32.exe
2006-09-05 06:31 31,744 --a

C:\WINDOWS\system32\pid.dll
2006-09-05 06:31 3,584

C:\WINDOWS\system32\dsprpres.dll
2006-09-05 06:31 3,494,303

C:\WINDOWS\system32\nv4_disp.dll
2006-09-05 06:31 3,338 --a

C:\WINDOWS\system32\redir.exe
2006-09-05 06:31 297,984 --a

C:\WINDOWS\system32\scesrv.dll
2006-09-05 06:31 254,976 --a

C:\WINDOWS\system32\pdh.dll
2006-09-05 06:31 24,576 --a

C:\WINDOWS\system32\odbcbcp.dll
2006-09-05 06:31 24,576 --a

C:\WINDOWS\system32\nmmkcert.dll
2006-09-05 06:31 24,064 --a

C:\WINDOWS\system32\skeys.exe
2006-09-05 06:31 238,080 --a

C:\WINDOWS\system32\newdev.dll
2006-09-05 06:31 22,528 --a

C:\WINDOWS\system32\slayerxp.dll
2006-09-05 06:31 22,528 --a

C:\WINDOWS\system32\shfolder.dll
2006-09-05 06:31 218,112

C:\WINDOWS\system32\sbe.dll
2006-09-05 06:31 212,480 --a

C:\WINDOWS\system32\osk.exe
2006-09-05 06:31 202,496

C:\WINDOWS\system32\ati2dvag.dll
2006-09-05 06:31 200,704 --a

C:\WINDOWS\system32\odbc32.dll
2006-09-05 06:31 20,992 --a

C:\WINDOWS\system32\setup.exe
2006-09-05 06:31 193,536 --a

C:\WINDOWS\system32\rasppp.dll
2006-09-05 06:31 187,904

C:\WINDOWS\system32\xpsp1res.dll
2006-09-05 06:31 184,832 --a

C:\WINDOWS\system32\qcap.dll
2006-09-05 06:31 18,944

C:\WINDOWS\system32\faxpatch.exe
2006-09-05 06:31 174,592 --a

C:\WINDOWS\system32\scecli.dll
2006-09-05 06:31 172,032

C:\WINDOWS\system32\mssap.dll
2006-09-05 06:31 171,008 --a

C:\WINDOWS\system32\sccsccp.dll
2006-09-05 06:31 17,408 --a

C:\WINDOWS\system32\psapi.dll
2006-09-05 06:31 169,984 --a

C:\WINDOWS\system32\sccbase.dll
2006-09-05 06:31 165,888 --a

C:\WINDOWS\system32\ntmsdba.dll
2006-09-05 06:31 16,896 --a

C:\WINDOWS\system32\snmpapi.dll
2006-09-05 06:31 16,384 --a

C:\WINDOWS\system32\ping.exe
2006-09-05 06:31 16,384 --a

C:\WINDOWS\system32\odbc32gt.dll
2006-09-05 06:31 16,384 --a

C:\WINDOWS\system32\nddenb32.dll
2006-09-05 06:31 159,232 --a

C:\WINDOWS\system32\schedsvc.dll
2006-09-05 06:31 155,648

C:\WINDOWS\system32\encdec.dll
2006-09-05 06:31 147,456 --a

C:\WINDOWS\system32\odbctrac.dll
2006-09-05 06:31 14,848 --a

C:\WINDOWS\system32\rdpsnd.dll
2006-09-05 06:31 137,216 --a

C:\WINDOWS\system32\ntshrui.dll
2006-09-05 06:31 135,680 --a

C:\WINDOWS\system32\rdchost.dll
2006-09-05 06:31 134,144 --a

C:\WINDOWS\regedit.exe
2006-09-05 06:31 133,632 --a

C:\WINDOWS\system32\rsaenh.dll
2006-09-05 06:31 133,120 --a

C:\WINDOWS\system32\sfc_os.dll
2006-09-05 06:31 13,824 --a

C:\WINDOWS\system32\rassapi.dll
2006-09-05 06:31 122,880 --a

C:\WINDOWS\system32\odbcconf.dll
2006-09-05 06:31 12,800 --a

C:\WINDOWS\system32\runonce.exe
2006-09-05 06:31 12,288 --a

C:\WINDOWS\system32\rdsaddin.exe
2006-09-05 06:31 12,288 --a

C:\WINDOWS\system32\odbcp32r.dll
2006-09-05 06:31 12,288

C:\WINDOWS\system32\encapi.dll
2006-09-05 06:31 115,200 --a

C:\WINDOWS\system32\net1.exe
2006-09-05 06:31 112,128 --a

C:\WINDOWS\system32\ntmarta.dll
2006-09-05 06:31 110,080

C:\WINDOWS\system32\sbeio.dll
2006-09-05 06:31 11,776 --a

C:\WINDOWS\system32\sigtab.dll
2006-09-05 06:31 109,568 --a

C:\WINDOWS\system32\offfilt.dll
2006-09-05 06:31 105,984 --a

C:\WINDOWS\system32\netdde.exe
2006-09-05 06:31 1,677,312

C:\WINDOWS\system32\wmvcore2.dll
2006-09-05 06:31 1,622,528 --a

C:\WINDOWS\system32\netshell.dll
2006-09-05 06:31 1,349,120 --a

C:\WINDOWS\system32\query.dll
2006-09-05 06:31 1,157,632 --a

C:\WINDOWS\system32\sfcfiles.dll
2006-09-05 06:30 91,136 --a

C:\WINDOWS\system32\MSOERT2.DLL
2006-09-05 06:30 9,728 --a

C:\WINDOWS\system32\mstinit.exe
2006-09-05 06:30 78,848 --a

C:\WINDOWS\system32\msiexec.exe
2006-09-05 06:30 699,392 --a

C:\WINDOWS\system32\msxml2.dll
2006-09-05 06:30 67,584 --a

C:\WINDOWS\system32\msctfp.dll
2006-09-05 06:30 65,536 --a

C:\WINDOWS\system32\msconf.dll
2006-09-05 06:30 598,016 --a

C:\WINDOWS\system32\mstscax.dll
2006-09-05 06:30 57,856 --a

C:\WINDOWS\system32\licwmi.dll
2006-09-05 06:30 56,320 --a

C:\WINDOWS\system32\mshtmler.dll
2006-09-05 06:30 552,991 --a

C:\WINDOWS\system32\msrepl40.dll
2006-09-05 06:30 512,031 --a

C:\WINDOWS\system32\msexch40.dll
2006-09-05 06:30 504,320 --a

C:\WINDOWS\system32\logonui.exe
2006-09-05 06:30 421,919 --a

C:\WINDOWS\system32\msrd2x40.dll
2006-09-05 06:30 401,462 --a

C:\WINDOWS\system32\msvcp60.dll
2006-09-05 06:30 4,608 --a

C:\WINDOWS\system32\msimg32.dll
2006-09-05 06:30 4,126 --a

C:\WINDOWS\system32\msdxmlc.dll
2006-09-05 06:30 388,608 --a

C:\WINDOWS\system32\mstsc.exe
2006-09-05 06:30 381,440 --a

C:\WINDOWS\system32\lmrt.dll
2006-09-05 06:30 368,710 --a

C:\WINDOWS\system32\msisam11.dll
2006-09-05 06:30 348,195 --a

C:\WINDOWS\system32\msjetoledb40.dll
2006-09-05 06:30 348,191 --a

C:\WINDOWS\system32\mspbde40.dll
2006-09-05 06:30 344,095 --a

C:\WINDOWS\system32\msxbde40.dll
2006-09-05 06:30 339,968 --a

C:\WINDOWS\system32\mspaint.exe
2006-09-05 06:30 323,072 --a

C:\WINDOWS\system32\msvcrt.dll
2006-09-05 06:30 32,256 --a

C:\WINDOWS\system32\mnmdd.dll
2006-09-05 06:30 319,760 --a

C:\WINDOWS\system32\msnsspc.dll
2006-09-05 06:30 319,519 --a

C:\WINDOWS\system32\msexcl40.dll
2006-09-05 06:30 271,360 --a

C:\WINDOWS\system32\msihnd.dll
2006-09-05 06:30 266,752 --a

C:\WINDOWS\system32\msctf.dll
2006-09-05 06:30 253,983 --a

C:\WINDOWS\system32\mstext40.dll
2006-09-05 06:30 250,368 --a

C:\WINDOWS\system32\mstask.dll
2006-09-05 06:30 241,725 --a

C:\WINDOWS\system32\msuni11.dll
2006-09-05 06:30 241,695 --a

C:\WINDOWS\system32\msjtes40.dll
2006-09-05 06:30 230,400 --a

C:\WINDOWS\system32\msieftp.dll
2006-09-05 06:30 229,376 --a

C:\WINDOWS\system32\MSOEACCT.DLL
2006-09-05 06:30 22,528 --a

C:\WINDOWS\system32\mslbui.dll
2006-09-05 06:30 219,648 --a

C:\WINDOWS\system32\logon.scr
2006-09-05 06:30 213,023 --a

C:\WINDOWS\system32\msltus40.dll
2006-09-05 06:30 210,944 --a

C:\WINDOWS\system32\moricons.dll
2006-09-05 06:30 2,890,240 --a

C:\WINDOWS\system32\msi.dll
2006-09-05 06:30 196,096 --a

C:\WINDOWS\system32\mobsync.dll
2006-09-05 06:30 192,512 --a

C:\WINDOWS\system32\mswebdvd.dll
2006-09-05 06:30 19,456 --a

C:\WINDOWS\system32\licmgr10.dll
2006-09-05 06:30 182,784 --a

C:\WINDOWS\system32\msutb.dll
2006-09-05 06:30 163,840 --a

C:\WINDOWS\system32\mindex.dll
2006-09-05 06:30 143,872 --a

C:\WINDOWS\system32\msimtf.dll
2006-09-05 06:30 131,072 --a

C:\WINDOWS\system32\msorcl32.dll
2006-09-05 06:30 126,976 --a

C:\WINDOWS\system32\msdart.dll
2006-09-05 06:30 12,288 --a

C:\WINDOWS\system32\mscpx32r.dll
2006-09-05 06:30 116,736 --a

C:\WINDOWS\system32\mplay32.exe
2006-09-05 06:30 113,664 --a

C:\WINDOWS\system32\msvfw32.dll
2006-09-05 06:30 10,240 --a

C:\WINDOWS\system32\msrle32.dll
2006-09-05 06:30 10,240 --a

C:\WINDOWS\system32\localui.dll
2006-09-05 06:30 1,503,262 --a

C:\WINDOWS\system32\msjet40.dll
2006-09-05 06:30 1,220,608 --a

C:\WINDOWS\system32\msvidctl.dll
2006-09-05 06:30 1,128,960 --a

C:\WINDOWS\system32\mmcndmgr.dll
2006-09-05 06:30 1,122,304 --a

C:\WINDOWS\system32\msxml3.dll
2006-09-05 06:29 91,648 --a

C:\WINDOWS\system32\iuctl.dll
2006-09-05 06:29 9,216 --a

C:\WINDOWS\system32\icaapi.dll
2006-09-05 06:29 88,576 --a

C:\WINDOWS\system32\mqsec.dll
2006-09-05 06:29 8,832 --a

C:\WINDOWS\system32\framebuf.dll
2006-09-05 06:29 73,728 --a

C:\WINDOWS\system32\tlntsess.exe
2006-09-05 06:29 73,728 --a

C:\WINDOWS\system32\ils.dll
2006-09-05 06:29 7,168 --a

C:\WINDOWS\system32\tlntsvrp.dll
2006-09-05 06:29 7,040 --a

C:\WINDOWS\system32\kd1394.dll
2006-09-05 06:29 67,584 --a

C:\WINDOWS\system32\tlntsvr.exe
2006-09-05 06:29 67,584 --a

C:\WINDOWS\system32\fdeploy.dll
2006-09-05 06:29 608,768 --a

C:\WINDOWS\system32\mqqm.dll
2006-09-05 06:29 596,480 --a

C:\WINDOWS\system32\INETCOMM.DLL
2006-09-05 06:29 59,392 --a

C:\WINDOWS\system32\iesetup.dll
2006-09-05 06:29 57,856 --a

C:\WINDOWS\system32\tlntadmn.exe
2006-09-05 06:29 57,856 --a

C:\WINDOWS\system32\nwwks.dll
2006-09-05 06:29 545,792 --a

C:\WINDOWS\system32\wsecedit.dll
2006-09-05 06:29 51,712 --a

C:\WINDOWS\system32\ipconfig.exe
2006-09-05 06:29 49,664 --a

C:\WINDOWS\system32\ixsso.dll
2006-09-05 06:29 478,720 --a

C:\WINDOWS\system32\mqsnap.dll
2006-09-05 06:29 467,456 --a

C:\WINDOWS\system32\mqutil.dll
2006-09-05 06:29 42,537 --a

C:\WINDOWS\system32\keyboard.sys
2006-09-05 06:29 36,922 --a

C:\WINDOWS\system32\imeshare.dll
2006-09-05 06:29 318,464 --a

C:\WINDOWS\system32\ippromon.dll
2006-09-05 06:29 30,208 --a

C:\WINDOWS\system32\imgutil.dll
2006-09-05 06:29 294,912 --a

C:\WINDOWS\system32\iedkcs32.dll
2006-09-05 06:29 29,696

C:\WINDOWS\system32\asr_pfu.exe
2006-09-05 06:29 28,672 --a

C:\WINDOWS\system32\ie4uinit.exe
2006-09-05 06:29 277,504 --a

C:\WINDOWS\system32\appmgr.dll
2006-09-05 06:29 27,648 --a

C:\WINDOWS\system32\pidgen.dll
2006-09-05 06:29 240,640 --a

C:\WINDOWS\system32\hnetcfg.dll
2006-09-05 06:29 237,056 --a

C:\WINDOWS\system32\icm32.dll
2006-09-05 06:29 231,936 --a

C:\WINDOWS\system32\tracerpt.exe
2006-09-05 06:29 204,288 --a

C:\WINDOWS\system32\ieaksie.dll
2006-09-05 06:29 183,808 --a

C:\WINDOWS\system32\gptext.dll
2006-09-05 06:29 165,888 --a

C:\WINDOWS\system32\mqrt.dll
2006-09-05 06:29 164,352 --a

C:\WINDOWS\system32\mqtrig.dll
2006-09-05 06:29 156,672 --a

C:\WINDOWS\system32\appmgmts.dll
2006-09-05 06:29 14,848 --a

C:\WINDOWS\system32\mqise.dll
2006-09-05 06:29 130,048 --a

C:\WINDOWS\system32\mqad.dll
2006-09-05 06:29 126,976 --a

C:\WINDOWS\system32\ieakeng.dll
2006-09-05 06:29 123,904 --a

C:\WINDOWS\system32\imapi.exe
2006-09-05 06:29 115,200 --a

C:\WINDOWS\system32\dpcdll.dll
2006-09-05 06:29 114,176 --a

C:\WINDOWS\system32\input.dll
2006-09-05 06:29 113,664 --a

C:\WINDOWS\system32\schtasks.exe
2006-09-05 06:29 113,152 --a

C:\WINDOWS\system32\idq.dll
2006-09-05 06:29 113,152 --a

C:\WINDOWS\system32\gpresult.exe
2006-09-05 06:29 103,936 --a

C:\WINDOWS\system32\rsnotify.exe
2006-09-05 06:29 103,936 --a

C:\WINDOWS\system32\imm32.dll
2006-09-05 06:29 10,752

C:\WINDOWS\system32\spiisupd.exe
2006-09-05 06:28 98,816 --a

C:\WINDOWS\system32\clipbrd.exe
2006-09-05 06:28 94,720 --a

C:\WINDOWS\system32\dmusic.dll
2006-09-05 06:28 91,648 --a

C:\WINDOWS\system32\ahui.exe
2006-09-05 06:28 91,136 --a

C:\WINDOWS\system32\advpack.dll
2006-09-05 06:28 9,216 --a

C:\WINDOWS\system32\dumprep.exe
2006-09-05 06:28 802,304 --a

C:\WINDOWS\system32\dxmrtp.dll
2006-09-05 06:28 8,192 --a

C:\WINDOWS\system32\autolfn.exe
2006-09-05 06:28 786,432 --a

C:\WINDOWS\system32\dxdiag.exe
2006-09-05 06:28 77,312 --a

C:\WINDOWS\system32\dmscript.dll
2006-09-05 06:28 76,288 --a

C:\WINDOWS\system32\dfrgfat.exe
2006-09-05 06:28 76,288 --a

C:\WINDOWS\system32\avifil32.dll
2006-09-05 06:28 74,810 --a

C:\WINDOWS\system32\atl.dll
2006-09-05 06:28 71,680 --a

C:\WINDOWS\system32\browsewm.dll
2006-09-05 06:28 70,656 --a

C:\WINDOWS\system32\defrag.exe
2006-09-05 06:28 70,144 --a

C:\WINDOWS\system32\cryptdlg.dll
2006-09-05 06:28 66,560 --a

C:\WINDOWS\system32\faultrep.dll
2006-09-05 06:28 64,512 --a

C:\WINDOWS\system32\ciodm.dll
2006-09-05 06:28 62,976 --a

C:\WINDOWS\system32\browselc.dll
2006-09-05 06:28 62,464 --a

C:\WINDOWS\system32\adsmsext.dll
2006-09-05 06:28 61,440 --a

C:\WINDOWS\system32\dbnetlib.dll
2006-09-05 06:28 6,656 --a

C:\WINDOWS\system32\batt.dll
2006-09-05 06:28 59,904 --a

C:\WINDOWS\system32\cabinet.dll
2006-09-05 06:28 58,368 --a

C:\WINDOWS\system32\dpvsetup.exe
2006-09-05 06:28 57,344 --a

C:\WINDOWS\system32\dmcompos.dll
2006-09-05 06:28 56,320 --a

C:\WINDOWS\system32\dpnhupnp.dll
2006-09-05 06:28 55,296 --a

C:\WINDOWS\system32\digest.dll
2006-09-05 06:28 54,272 --a

C:\WINDOWS\system32\clusapi.dll
2006-09-05 06:28 53,248 --a

C:\WINDOWS\system32\cryptsvc.dll
2006-09-05 06:28 5,120 --a

C:\WINDOWS\system32\asferror.dll
2006-09-05 06:28 498,205 --a

C:\WINDOWS\system32\dxmasf.dll
2006-09-05 06:28 49,664 --a

C:\WINDOWS\system32\dpwsockx.dll
2006-09-05 06:28 49,152 --a

C:\WINDOWS\system32\eventlog.dll
2006-09-05 06:28 49,152 --a

C:\WINDOWS\system32\browser.dll
2006-09-05 06:28 489,984 --a

C:\WINDOWS\system32\dbghelp.dll
2006-09-05 06:28 471,040 --a

C:\WINDOWS\system32\cryptui.dll
2006-09-05 06:28 45,568 --a

C:\WINDOWS\system32\docprop2.dll
2006-09-05 06:28 41,984 --a

C:\WINDOWS\system32\alg.exe
2006-09-05 06:28 41,472 --a

C:\WINDOWS\system32\cmdl32.exe
2006-09-05 06:28 380,445 --a

C:\WINDOWS\system32\expsrv.dll
2006-09-05 06:28 38,912 --a

C:\WINDOWS\system32\audiosrv.dll
2006-09-05 06:28 35,328 --a

C:\WINDOWS\system32\dfrgsnap.dll
2006-09-05 06:28 324,608 --a

C:\WINDOWS\system32\cmdial32.dll
2006-09-05 06:28 32,768 --a

C:\WINDOWS\system32\cfgbkend.dll
2006-09-05 06:28 31,744 --a

C:\WINDOWS\system32\dmloader.dll
2006-09-05 06:28 307,712 --a

C:\WINDOWS\system32\cscui.dll
2006-09-05 06:28 29,696 --a

C:\WINDOWS\system32\dpnhpast.dll
2006-09-05 06:28 28,672 --a

C:\WINDOWS\system32\dbnmpntw.dll
2006-09-05 06:28 263,680 --a

C:\WINDOWS\system32\duser.dll
2006-09-05 06:28 263,168 --a

C:\WINDOWS\system32\devmgr.dll
2006-09-05 06:28 26,112 --a

C:\WINDOWS\system32\dmband.dll
2006-09-05 06:28 253,440 --a

C:\WINDOWS\system32\ddraw.dll
2006-09-05 06:28 25,600 --a

C:\WINDOWS\system32\dfsshlex.dll
2006-09-05 06:28 24,576 --a

C:\WINDOWS\system32\dbmsvinn.dll
2006-09-05 06:28 24,576 --a

C:\WINDOWS\system32\dbmsrpcn.dll
2006-09-05 06:28 24,576 --a

C:\WINDOWS\system32\conime.exe
2006-09-05 06:28 239,616 --a

C:\WINDOWS\system32\adsnt.dll
2006-09-05 06:28 238,592 --a

C:\WINDOWS\system32\compatui.dll
2006-09-05 06:28 227,840 --a

C:\WINDOWS\system32\dsquery.dll
2006-09-05 06:28 22,528 --a

C:\WINDOWS\system32\at.exe
2006-09-05 06:28 206,336 --a

C:\WINDOWS\system32\dpvoice.dll
2006-09-05 06:28 20,480 --a

C:\WINDOWS\system32\dbmsadsn.dll
2006-09-05 06:28 19,456 --a

C:\WINDOWS\system32\fontview.exe
2006-09-05 06:28 19,456 --a

C:\WINDOWS\system32\ersvc.dll
2006-09-05 06:28 186,880 --a

C:\WINDOWS\system32\certcli.dll
2006-09-05 06:28 180,224 --a

C:\WINDOWS\system32\dwwin.exe
2006-09-05 06:28 178,688 --a

C:\WINDOWS\system32\eudcedit.exe
2006-09-05 06:28 172,544 --a

C:\WINDOWS\system32\dmime.dll
2006-09-05 06:28 168,960 --a

C:\WINDOWS\system32\dinput8.dll
2006-09-05 06:28 165,376 --a

C:\WINDOWS\system32\els.dll
2006-09-05 06:28 162,816 --a

C:\WINDOWS\system32\adsldp.dll
2006-09-05 06:28 16,384 --a

C:\WINDOWS\system32\ds32gt.dll
2006-09-05 06:28 158,720 --a

C:\WINDOWS\system32\credui.dll
2006-09-05 06:28 156,672 --a

C:\WINDOWS\system32\dpnet.dll
2006-09-05 06:28 151,552 --a

C:\WINDOWS\system32\dinput.dll
2006-09-05 06:28 14,366 --a

C:\WINDOWS\system32\asfsipc.dll
2006-09-05 06:28 139,776 --a

C:\WINDOWS\system32\adsldpc.dll
2006-09-05 06:28 135,680 --a

C:\WINDOWS\system32\dsprop.dll
2006-09-05 06:28 13,312 --a

C:\WINDOWS\system32\ctfmon.exe
2006-09-05 06:28 124,928 --a

C:\WINDOWS\system32\dssenh.dll
2006-09-05 06:28 115,712 --a

C:\WINDOWS\system32\apphelp.dll
2006-09-05 06:28 113,152 --a

C:\WINDOWS\system32\dfrgui.dll
2006-09-05 06:28 110,080 --a

C:\WINDOWS\system32\dmstyle.dll
2006-09-05 06:28 103,424 --a

C:\WINDOWS\system32\dgnet.dll
2006-09-05 06:28 1,180,672 --a

C:\WINDOWS\system32\d3d8.dll
2006-09-05 06:28 1,004,032 --a

C:\WINDOWS\explorer.exe
2006-09-05 05:17 89,088 --a

C:\WINDOWS\system32\atl71.dll
2006-09-05 05:17 1,060,864 --a

C:\WINDOWS\system32\mfc71.dll
2006-09-04 20:48 24,296 --a

C:\WINDOWS\icont.exe
2006-09-04 18:44 78,488 --a

C:\WINDOWS\system32\XMD5.dll
2006-09-04 18:44 101,888 --a

C:\WINDOWS\system32\vb6stkit.dll
2006-09-04 18:20 499,712 --a

C:\WINDOWS\system32\msvcp71.dll
2006-09-04 17:47 108 --a

C:\check.bat
2006-08-21 16:48 53,248 --a

C:\WINDOWS\uni_ehhhh.exe
2006-08-14 20:52 78,848 --a

C:\WINDOWS\system32\nsnAB5.dll
2006-08-07 11:17 61,440 --a

C:\WINDOWS\system32\BattyRun2.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-07 22:21

d

C:\Program Files\Common Files
2006-09-07 16:25

d

C:\Program Files\Mozilla Firefox
2006-09-07 15:28

d

C:\Program Files\Viewpoint
2006-09-07 03:11

d

C:\Program Files\Windows Media Player
2006-09-07 03:04

d

C:\Program Files\Outlook Express
2006-09-07 03:04

d

C:\Program Files\Common Files\System
2006-09-06 21:25

d

C:\Program Files\Hijackthis
2006-09-06 21:17

d

C:\Documents and Settings\Marie\Application Data\Help
2006-09-06 16:29

d

C:\Documents and Settings\Marie\Application Data\AVG7
2006-09-06 16:20 777472 --a

C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-06 16:20 4288 --a

C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-09-06 16:20 27904 --a

C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-09-06 16:20 23424 --a

C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-09-06 09:55

d

C:\Program Files\Common Files\wmri
2006-09-06 07:17

d

C:\Program Files\Grisoft
2006-09-06 06:27 32135 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-09-06 06:11

d--h

C:\Program Files\WindowsUpdate
2006-09-06 06:11

d

C:\Program Files\Windows NT
2006-09-06 06:11

d

C:\Program Files\Messenger
2006-09-05 10:30

d

C:\Program Files\Internet Explorer
2006-09-05 06:53

d

C:\Program Files\NetMeeting
2006-09-05 06:39

d

C:\Program Files\Movie Maker
2006-09-05 05:27

d

C:\Documents and Settings\Marie\Application Data\SystemDoctor 2006 Free
2006-09-04 16:40

d

C:\Program Files\Zone Labs
2006-09-04 12:22

d

C:\Program Files\ArtMoney
2006-09-04 11:57

d

C:\Program Files\Common Files\misc002
2006-08-31 11:50 157184 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-30 10:47

d

C:\Program Files\HP Real Estate Document Assistant
2006-08-26 14:46

d

C:\Documents and Settings\Marie\Application Data\AdobeUM
2006-08-20 18:04

d

C:\Program Files\Virtools Web Player 3.0
2006-08-14 12:25

d

C:\Program Files\TLI
2006-07-21 12:14

d---s---- C:\Documents and Settings\Marie\Application Data\Microsoft
2006-07-21 12:03

d

C:\Program Files\Lavasoft
2006-07-21 12:03

d

C:\Documents and Settings\Marie\Application Data\Lavasoft
2006-07-21 12:00

d

C:\Program Files\Clicker
2006-07-21 11:58

d

C:\Program Files\WinRAR
2006-07-21 07:50

d

C:\Program Files\InterActual
2006-07-21 04:30 72704 --a

C:\WINDOWS\system32\hlink.dll
2006-07-16 08:39

d

C:\Documents and Settings\Marie\Application Data\Macromedia
2006-07-13 04:50 595968 --a

C:\WINDOWS\system32\xpsp2res.dll
2006-07-12 20:25

d

C:\Documents and Settings\Marie\Application Data\Talkback
2006-07-12 20:24

d

C:\Documents and Settings\Marie\Application Data\Mozilla
2006-06-14 15:59 8715352 --a

C:\Program Files\Install_AIM.exe
2006-06-14 15:53 9409224 --a

C:\Program Files\Install_MSN_Messenger.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\\\Unload\\hpqcmon.exe"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"SystemDoctor 2006 Free"="C:\\Program Files\\SystemDoctor 2006 Free\\sd2006.exe -scan"
"ms0635567-16097"="C:\\WINDOWS\\ms0635567-16097.exe"
"ljwceirA"="C:\\WINDOWS\\ljwceirA.exe"
"{D6-62-27-71-ZN}"="C:\\windows\\system32\\omdsregl.exe GEN001"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"cprocsvc"="C:\\WINDOWS\\System32\\crunner\\cproc.exe"
"Etle"="\"C:\\PROGRA~1\\COMMON~1\\CROSOF~1\\scanregw.exe\" -vt yazr"
"SystemDoctor 2006 Free"="C:\\Program Files\\SystemDoctor 2006 Free\\sd2006.exe -scan"
"wmri"="C:\\PROGRA~1\\COMMON~1\\wmri\\wmrim.exe"
"PSLister"="\"C:\\Program Files\\PSLister\\PSLister.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\WindowsUpdate\\kyzev.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Messenger\\howysyh.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"

Completion time: Thu 09/07/2006 22:22:48.86
ComboFix.txt

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 10:25:04 PM, on 9/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\ms0635567-16097.exe
C:\WINDOWS\ljwceirA.exe
C:\windows\system32\omdsregl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKLM\..\Run: [ms0635567-16097] C:\WINDOWS\ms0635567-16097.exe
O4 - HKLM\..\Run: [ljwceirA] C:\WINDOWS\ljwceirA.exe
O4 - HKLM\..\Run: [{D6-62-27-71-ZN}] C:\windows\system32\omdsregl.exe GEN001
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\System32\crunner\cproc.exe
O4 - HKCU\..\Run: [Etle] "C:\PROGRA~1\COMMON~1\CROSOF~1\scanregw.exe" -vt yazr
O4 - HKCU\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKCU\..\Run: [wmri] C:\PROGRA~1\COMMON~1\wmri\wmrim.exe
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.winantivirus.com
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139178629022
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ljwceir.exe (file missing)

Trogan · September 2006

Please do the following...

We need to download some tools to use later.

First
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
Do not do anything with it yet!

Second
Please download Ewido to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

Install Ewido by double clicking the installer.
Follow the prompts. Make sure that Launch Ewido is checked.
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
  Note: If the Update now option is grayed out, follow the steps below.
  - Click on Update on the toolbar.
  - Under Manual update, click on the Start Update button.
  - Wait until you see the Update succesfull message.
Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

=====

You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

Once in Safe Mode:

Double-click ATF Cleaner.exe to open it.

Under Main select the following:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

=====

Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button.
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

=====Reboot back into Normal Mode=====

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:

Scan Archives
Scan Mail Bases

[*]Click OK
[*]Now under select a target to scan:

SelectMy Computer

[*]This will program will start and scan your system.
[*]The scan will take a while so be patient and let it run.
[*]Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

[*]Save the file to your desktop.
=====

Please re-scan with ComboFix so it produces a new log.

=====

Please post the following:

1) Ewido log
2) Kaspersky log
3) New ComboFix log
4) New HijackThis log

Ryan06 · September 2006

i ran ewido and did what i was supposed to do, but forgot to save the log.

Kapersky Log:

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 55030
Number of viruses found: 35
Number of infected objects: 86 / 0
Number of suspicious objects: 4
Duration of the scan process: 01:11:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos11.zip/stdrun2.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos11.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos6.zip/stdrun8.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos6.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Marie\Application Data\Qualcomm\Eudora\attach\Video_part.mim/New Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\Marie\Application Data\Qualcomm\Eudora\attach\Video_part.mim Mail: infected - 1 skipped
C:\Documents and Settings\Marie\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Marie\Desktop\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.MediaTickets.n skipped
C:\Documents and Settings\Marie\Desktop\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Documents and Settings\Marie\Desktop\OiUninstaller.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Marie\Desktop\ryan pics\mirc617.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\Documents and Settings\Marie\Desktop\ryan pics\mirc617.exe mIRC: infected - 1 skipped
C:\Documents and Settings\Marie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Marie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Marie\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Marie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Marie\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Marie\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026868.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026869.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026870.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026873.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026875.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026912.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026916.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026916.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026916.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026916.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026916.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026916.exe CAB: infected - 5 skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026926.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026937.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026941.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026942.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026943.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026944.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0026966.dll Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0027008.dll Infected: not-a-virus:AdWare.Win32.RK.e skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP200\A0027098.exe Infected: not-a-virus:AdWare.Win32.RK.f skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027138.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027139.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027141.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027141.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027141.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027142.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027144.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027148.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027149.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027154.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027175.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.m skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027181.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.s skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027182.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027183.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027193.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027199.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027202.dll Infected: not-a-virus:AdWare.Win32.CASClient.n skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP201\A0027203.exe Infected: not-a-virus:AdWare.Win32.CASClient.n skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP203\A0027256.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP203\A0027276.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP203\A0027289.ocx Infected: Trojan-Dropper.Win32.VB.dq skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP203\A0027296.exe Infected: not-a-virus:AdWare.Win32.Agent.ag skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP203\A0027297.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.o skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP203\A0027302.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP203\A0027302.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP203\A0027302.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP203\A0027302.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP203\A0027305.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP203\A0027308.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP203\A0027308.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP203\A0027344.dll Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0032610.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0032611.exe Infected: not-a-virus:AdWare.Win32.PurityScan.eu skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0032613.exe Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0032736.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.m skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039723.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039723.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039723.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039802.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039804.dll Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039808.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039808.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039808.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039808.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039808.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039808.exe CAB: infected - 5 skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039827.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039845.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039855.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039857.exe/unknown2.bin Infected: not-a-virus:AdWare.Win32.Ucmore.e skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039857.exe/UCMTSAIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039857.exe/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039857.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039857.exe WiseSFX Dropper: infected - 3 skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039858.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP218\A0039859.exe Infected: not-a-virus:AdWare.Win32.Zestyfind skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP269\A0044613.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP269\A0044614.exe Infected: not-a-virus:AdWare.Win32.PurityScan.eu skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP269\A0044759.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP269\A0044763.exe Infected: not-a-virus:AdWare.Win32.CASClient.m skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP269\A0044840.exe Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP269\A0044842.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP270\A0045045.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP270\A0045046.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP270\A0045844.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP270\A0045845.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP270\A0045846.exe Object is locked skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP270\A0045847.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP270\A0045848.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP270\A0045849.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.m skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP270\A0045850.ocx Infected: Trojan-Dropper.Win32.VB.dq skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP270\A0045851.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP270\A0045852.dll Infected: not-a-virus:AdWare.Win32.CASClient.n skipped
C:\System Volume Information\_restore{79F4BAB4-5033-4D8B-B8EA-CA1FA866E52C}\RP270\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\SOPRANO.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\srvfedyvfp.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\WINDOWS\srvfedyvfp.exe NSIS: infected - 1 skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\ZLT06dcd.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT06dd0.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Ryan06 · September 2006

Combo Fix Log:

ComboFix 06.09.07 - Running from: C:\Documents and Settings\Marie\Desktop

Microsoft Windows XP [Version 5.1.2600]

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Marie\Application Data\SMANTE~1
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1
C:\QooBox\Purity\Program Files\Common Files\STEM~1
C:\QooBox\Purity\Program Files\Common Files\YMANTE~1
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1\CROSOF~1

((((((((((((((((((((((((((((((( Files Created from 2006-08-09 to 2006-09-09 ))))))))))))))))))))))))))))))))))

2006-09-06 06:28 991,232 --a

C:\WINDOWS\system32\esent.dll
2006-09-06 06:12 186,223 --a

C:\WINDOWS\srvfedyvfp.exe
2006-09-06 06:12 163,840 --a

C:\WINDOWS\ms0635567-16097.exe
2006-09-06 03:00 22,752 --a

C:\WINDOWS\system32\spupdsvc.exe
2006-09-05 06:32 9,216 --a

C:\WINDOWS\system32\wuauserv.dll
2006-09-05 06:32 88,064 --a

C:\WINDOWS\system32\tscfgwmi.dll
2006-09-05 06:32 86,528 --a

C:\WINDOWS\system32\wlnotify.dll
2006-09-05 06:32 86,016 --a

C:\WINDOWS\system32\xactsrv.dll
2006-09-05 06:32 81,920 --a

C:\WINDOWS\system32\trkwks.dll
2006-09-05 06:32 77,824 --a

C:\WINDOWS\system32\wmpstub.exe
2006-09-05 06:32 77,824 --a

C:\WINDOWS\system32\wmpshell.dll
2006-09-05 06:32 72,192 --a

C:\WINDOWS\system32\telnet.exe
2006-09-05 06:32 71,168 --a

C:\WINDOWS\system32\storprop.dll
2006-09-05 06:32 667,648 --a

C:\WINDOWS\system32\ss3dfo.scr
2006-09-05 06:32 66,560 --a

C:\WINDOWS\system32\spoolss.dll
2006-09-05 06:32 638,976 --a

C:\WINDOWS\system32\sstext3d.scr
2006-09-05 06:32 63,488 --a

C:\WINDOWS\system32\srclient.dll
2006-09-05 06:32 61,952 --a

C:\WINDOWS\system32\sti.dll
2006-09-05 06:32 60,416 --a

C:\WINDOWS\system32\wextract.exe
2006-09-05 06:32 569,344 --a

C:\WINDOWS\system32\sspipes.scr
2006-09-05 06:32 56,832 --a

C:\WINDOWS\system32\wzcdlg.dll
2006-09-05 06:32 534,016 --a

C:\WINDOWS\system32\spider.exe
2006-09-05 06:32 51,200 --a

C:\WINDOWS\system32\wmerrenu.dll
2006-09-05 06:32 48,640 --a

C:\WINDOWS\system32\vdmredir.dll
2006-09-05 06:32 48,128 --a

C:\WINDOWS\system32\winsta.dll
2006-09-05 06:32 479,261 --a

C:\WINDOWS\system32\vbscript.dll
2006-09-05 06:32 47,616 --a

C:\WINDOWS\system32\utilman.exe
2006-09-05 06:32 446,464 --a

C:\WINDOWS\system32\wmvdmoe.dll
2006-09-05 06:32 43,008 --a

C:\WINDOWS\system32\ssdpsrv.dll
2006-09-05 06:32 409,088 --a

C:\WINDOWS\system32\vssapi.dll
2006-09-05 06:32 40,960 --a

C:\WINDOWS\system32\tscupgrd.exe
2006-09-05 06:32 385,024 --a

C:\WINDOWS\system32\sqlsrv32.dll
2006-09-05 06:32 384,000 --a

C:\WINDOWS\system32\themeui.dll
2006-09-05 06:32 38,912 --a

C:\WINDOWS\system32\wsnmp32.dll
2006-09-05 06:32 364,544 --a

C:\WINDOWS\system32\ssflwbox.scr
2006-09-05 06:32 339,456 --a

C:\WINDOWS\system32\usp10.dll
2006-09-05 06:32 32,256 --a

C:\WINDOWS\system32\umandlg.dll
2006-09-05 06:32 316,416 --a

C:\WINDOWS\system32\wiaservc.dll
2006-09-05 06:32 311,327 --a

C:\WINDOWS\system32\wmv8dmod.dll
2006-09-05 06:32 296,448 --a

C:\WINDOWS\system32\wmstream.dll
2006-09-05 06:32 27,136 --a

C:\WINDOWS\system32\ssdpapi.dll
2006-09-05 06:32 266,752 --a

C:\WINDOWS\winhlp32.exe
2006-09-05 06:32 264,704 --a

C:\WINDOWS\system32\wzcsvc.dll
2006-09-05 06:32 258,048 --a

C:\WINDOWS\system32\webcheck.dll
2006-09-05 06:32 253,952 --a

C:\WINDOWS\system32\wmpcd.dll
2006-09-05 06:32 251,904 --a

C:\WINDOWS\system32\strmdll.dll
2006-09-05 06:32 247,808 --a

C:\WINDOWS\system32\wow32.dll
2006-09-05 06:32 238,592 --a

C:\WINDOWS\system32\tapisrv.dll
2006-09-05 06:32 231,424 --a

C:\WINDOWS\system32\upnpui.dll
2006-09-05 06:32 23,552 --a

C:\WINDOWS\system32\wzcsapi.dll
2006-09-05 06:32 22,016 --a

C:\WINDOWS\system32\udhisapi.dll
2006-09-05 06:32 203,264 --a

C:\WINDOWS\system32\uxtheme.dll
2006-09-05 06:32 200,192 --a

C:\WINDOWS\system32\termsrv.dll
2006-09-05 06:32 19,456 --a

C:\WINDOWS\system32\ssmarque.scr
2006-09-05 06:32 18,944 --a

C:\WINDOWS\system32\ssbezier.scr
2006-09-05 06:32 172,664 --a

C:\WINDOWS\system32\xenroll.dll
2006-09-05 06:32 171,520 --a

C:\WINDOWS\system32\winmm.dll
2006-09-05 06:32 17,408 --a

C:\WINDOWS\system32\wtsapi32.dll
2006-09-05 06:32 17,408 --a

C:\WINDOWS\system32\ssmyst.scr
2006-09-05 06:32 168,448 --a

C:\WINDOWS\system32\wldap32.dll
2006-09-05 06:32 165,376 --a

C:\WINDOWS\system32\w32time.dll
2006-09-05 06:32 165,376 --a

C:\WINDOWS\system32\tapi32.dll
2006-09-05 06:32 164,864 --a

C:\WINDOWS\system32\upnphost.dll
2006-09-05 06:32 16,384 --a

C:\WINDOWS\system32\watchdog.sys
2006-09-05 06:32 16,384 --a

C:\WINDOWS\system32\ups.exe
2006-09-05 06:32 158,720 --a

C:\WINDOWS\system32\srsvc.dll
2006-09-05 06:32 130,560 --a

C:\WINDOWS\system32\sti_ci.dll
2006-09-05 06:32 13,312 --a

C:\WINDOWS\system32\ssstars.scr
2006-09-05 06:32 128,512 --a

C:\WINDOWS\system32\taskmgr.exe
2006-09-05 06:32 124,928 --a

C:\WINDOWS\system32\webvw.dll
2006-09-05 06:32 120,320 --a

C:\WINDOWS\system32\upnp.dll
2006-09-05 06:32 119,808 --a

C:\WINDOWS\system32\wiadss.dll
2006-09-05 06:32 118,784 --a

C:\WINDOWS\system32\wmsdmoe.dll
2006-09-05 06:32 117,760 --a

C:\WINDOWS\system32\stobject.dll
2006-09-05 06:32 106,496 --a

C:\WINDOWS\system32\url.dll
2006-09-05 06:32 10,752 --a

C:\WINDOWS\system32\tracert.exe
2006-09-05 06:32 1,998,848 --a

C:\WINDOWS\system32\wmploc.dll
2006-09-05 06:32 1,425,680 --a

C:\WINDOWS\system32\wmpui.dll
2006-09-05 06:32 1,298,432 --a

C:\WINDOWS\system32\wmpcore.dll
2006-09-05 06:31 98,304 --a

C:\WINDOWS\system32\oleprn.dll
2006-09-05 06:31 95,744 --a

C:\WINDOWS\system32\nlhtml.dll
2006-09-05 06:31 94,208 --a

C:\WINDOWS\system32\odbccp32.dll
2006-09-05 06:31 921,475

C:\WINDOWS\system32\ati3d2ag.dll
2006-09-05 06:31 91,136 --a

C:\WINDOWS\system32\rastls.dll
2006-09-05 06:31 87,304 --a

C:\WINDOWS\system32\rdpdd.dll
2006-09-05 06:31 857,600 --a

C:\WINDOWS\system32\netplwiz.dll
2006-09-05 06:31 844,675

C:\WINDOWS\system32\ati3d1ag.dll
2006-09-05 06:31 82,944 --a

C:\WINDOWS\system32\smlogsvc.exe
2006-09-05 06:31 82,944 --a

C:\WINDOWS\system32\psbase.dll
2006-09-05 06:31 8,192 --a

C:\WINDOWS\system32\scrnsave.scr
2006-09-05 06:31 75,912 --a

C:\WINDOWS\system32\rdpwsx.dll
2006-09-05 06:31 74,240 --a

C:\WINDOWS\system32\rtcshare.exe
2006-09-05 06:31 71,168 --a

C:\WINDOWS\system32\sdbinst.exe
2006-09-05 06:31 686,080 --a

C:\WINDOWS\system32\opengl32.dll
2006-09-05 06:31 66,048 --a

C:\WINDOWS\system32\sigverif.exe
2006-09-05 06:31 62,976 --a

C:\WINDOWS\system32\shgina.dll
2006-09-05 06:31 61,440 --a

C:\WINDOWS\system32\odbccu32.dll
2006-09-05 06:31 61,440 --a

C:\WINDOWS\system32\odbccr32.dll
2006-09-05 06:31 60,416 --a

C:\WINDOWS\system32\shimeng.dll
2006-09-05 06:31 6,144 --a

C:\WINDOWS\system32\sensapi.dll
2006-09-05 06:31 584,192 --a

C:\WINDOWS\system32\netcfgx.dll
2006-09-05 06:31 58,880 --a

C:\WINDOWS\system32\pautoenr.dll
2006-09-05 06:31 57,856 --a

C:\WINDOWS\system32\raschap.dll
2006-09-05 06:31 56,320 --a

C:\WINDOWS\system32\remotepg.dll
2006-09-05 06:31 53,248 --a

C:\WINDOWS\system32\packager.exe
2006-09-05 06:31 53,248 --a

C:\WINDOWS\system32\odbcconf.exe
2006-09-05 06:31 52,224 --a

C:\WINDOWS\system32\secur32.dll
2006-09-05 06:31 511,488 --a

C:\WINDOWS\system32\qedit.dll
2006-09-05 06:31 504,832

C:\WINDOWS\system32\msftedit.dll
2006-09-05 06:31 5,120

C:\WINDOWS\system32\hccoin.dll
2006-09-05 06:31 49,152 --a

C:\WINDOWS\system32\npptools.dll
2006-09-05 06:31 48,128 --a

C:\WINDOWS\system32\reg.exe
2006-09-05 06:31 44,032 --a

C:\WINDOWS\system32\regapi.dll
2006-09-05 06:31 44,032 --a

C:\WINDOWS\system32\rdpclip.exe
2006-09-05 06:31 423,424 --a

C:\WINDOWS\system32\riched20.dll
2006-09-05 06:31 420,864 --a

C:\WINDOWS\system32\shimgvw.dll
2006-09-05 06:31 42,496 --a

C:\WINDOWS\system32\ncobjapi.dll
2006-09-05 06:31 403,456

C:\WINDOWS\system32\winbrand.dll
2006-09-05 06:31 399,360 --a

C:\WINDOWS\system32\netlogon.dll
2006-09-05 06:31 392,704 --a

C:\WINDOWS\system32\ntmssvc.dll
2006-09-05 06:31 39,424 --a

C:\WINDOWS\system32\net.exe
2006-09-05 06:31 38,400 --a

C:\WINDOWS\system32\ntmsapi.dll
2006-09-05 06:31 38,400 --a

C:\WINDOWS\system32\ntlanman.dll
2006-09-05 06:31 377,984

C:\WINDOWS\system32\ati2dvaa.dll
2006-09-05 06:31 36,352 --a

C:\WINDOWS\system32\sens.dll
2006-09-05 06:31 357,376 --a

C:\WINDOWS\system32\qdvd.dll
2006-09-05 06:31 34,304 --a

C:\WINDOWS\system32\rcimlby.exe
2006-09-05 06:31 334,848 --a

C:\WINDOWS\system32\smlogcfg.dll
2006-09-05 06:31 33,808 --a

C:\WINDOWS\system32\ntio.sys
2006-09-05 06:31 33,280 --a

C:\WINDOWS\system32\shmgrate.exe
2006-09-05 06:31 326,656 --a

C:\WINDOWS\system32\netsetup.exe
2006-09-05 06:31 32,768 --a

C:\WINDOWS\system32\odbcad32.exe
2006-09-05 06:31 31,744 --a

C:\WINDOWS\system32\pid.dll
2006-09-05 06:31 3,584

C:\WINDOWS\system32\dsprpres.dll
2006-09-05 06:31 3,494,303

C:\WINDOWS\system32\nv4_disp.dll
2006-09-05 06:31 3,338 --a

C:\WINDOWS\system32\redir.exe
2006-09-05 06:31 297,984 --a

C:\WINDOWS\system32\scesrv.dll
2006-09-05 06:31 254,976 --a

C:\WINDOWS\system32\pdh.dll
2006-09-05 06:31 24,576 --a

C:\WINDOWS\system32\odbcbcp.dll
2006-09-05 06:31 24,576 --a

C:\WINDOWS\system32\nmmkcert.dll
2006-09-05 06:31 24,064 --a

C:\WINDOWS\system32\skeys.exe
2006-09-05 06:31 238,080 --a

C:\WINDOWS\system32\newdev.dll
2006-09-05 06:31 22,528 --a

C:\WINDOWS\system32\slayerxp.dll
2006-09-05 06:31 22,528 --a

C:\WINDOWS\system32\shfolder.dll
2006-09-05 06:31 218,112

C:\WINDOWS\system32\sbe.dll
2006-09-05 06:31 212,480 --a

C:\WINDOWS\system32\osk.exe
2006-09-05 06:31 202,496

C:\WINDOWS\system32\ati2dvag.dll
2006-09-05 06:31 200,704 --a

C:\WINDOWS\system32\odbc32.dll
2006-09-05 06:31 20,992 --a

C:\WINDOWS\system32\setup.exe
2006-09-05 06:31 193,536 --a

C:\WINDOWS\system32\rasppp.dll
2006-09-05 06:31 187,904

C:\WINDOWS\system32\xpsp1res.dll
2006-09-05 06:31 184,832 --a

C:\WINDOWS\system32\qcap.dll
2006-09-05 06:31 18,944

C:\WINDOWS\system32\faxpatch.exe
2006-09-05 06:31 174,592 --a

C:\WINDOWS\system32\scecli.dll
2006-09-05 06:31 172,032

C:\WINDOWS\system32\mssap.dll
2006-09-05 06:31 171,008 --a

C:\WINDOWS\system32\sccsccp.dll
2006-09-05 06:31 17,408 --a

C:\WINDOWS\system32\psapi.dll
2006-09-05 06:31 169,984 --a

C:\WINDOWS\system32\sccbase.dll
2006-09-05 06:31 165,888 --a

C:\WINDOWS\system32\ntmsdba.dll
2006-09-05 06:31 16,896 --a

C:\WINDOWS\system32\snmpapi.dll
2006-09-05 06:31 16,384 --a

C:\WINDOWS\system32\ping.exe
2006-09-05 06:31 16,384 --a

C:\WINDOWS\system32\odbc32gt.dll
2006-09-05 06:31 16,384 --a

C:\WINDOWS\system32\nddenb32.dll
2006-09-05 06:31 159,232 --a

C:\WINDOWS\system32\schedsvc.dll
2006-09-05 06:31 155,648

C:\WINDOWS\system32\encdec.dll
2006-09-05 06:31 147,456 --a

C:\WINDOWS\system32\odbctrac.dll
2006-09-05 06:31 14,848 --a

C:\WINDOWS\system32\rdpsnd.dll
2006-09-05 06:31 137,216 --a

C:\WINDOWS\system32\ntshrui.dll
2006-09-05 06:31 135,680 --a

C:\WINDOWS\system32\rdchost.dll
2006-09-05 06:31 134,144 --a

C:\WINDOWS\regedit.exe
2006-09-05 06:31 133,632 --a

C:\WINDOWS\system32\rsaenh.dll
2006-09-05 06:31 133,120 --a

C:\WINDOWS\system32\sfc_os.dll
2006-09-05 06:31 13,824 --a

C:\WINDOWS\system32\rassapi.dll
2006-09-05 06:31 122,880 --a

C:\WINDOWS\system32\odbcconf.dll
2006-09-05 06:31 12,800 --a

C:\WINDOWS\system32\runonce.exe
2006-09-05 06:31 12,288 --a

C:\WINDOWS\system32\rdsaddin.exe
2006-09-05 06:31 12,288 --a

C:\WINDOWS\system32\odbcp32r.dll
2006-09-05 06:31 12,288

C:\WINDOWS\system32\encapi.dll
2006-09-05 06:31 115,200 --a

C:\WINDOWS\system32\net1.exe
2006-09-05 06:31 112,128 --a

C:\WINDOWS\system32\ntmarta.dll
2006-09-05 06:31 110,080

C:\WINDOWS\system32\sbeio.dll
2006-09-05 06:31 11,776 --a

C:\WINDOWS\system32\sigtab.dll
2006-09-05 06:31 109,568 --a

C:\WINDOWS\system32\offfilt.dll
2006-09-05 06:31 105,984 --a

C:\WINDOWS\system32\netdde.exe
2006-09-05 06:31 1,677,312

C:\WINDOWS\system32\wmvcore2.dll
2006-09-05 06:31 1,622,528 --a

C:\WINDOWS\system32\netshell.dll
2006-09-05 06:31 1,349,120 --a

C:\WINDOWS\system32\query.dll
2006-09-05 06:31 1,157,632 --a

C:\WINDOWS\system32\sfcfiles.dll
2006-09-05 06:30 91,136 --a

C:\WINDOWS\system32\MSOERT2.DLL
2006-09-05 06:30 9,728 --a

C:\WINDOWS\system32\mstinit.exe
2006-09-05 06:30 78,848 --a

C:\WINDOWS\system32\msiexec.exe
2006-09-05 06:30 699,392 --a

C:\WINDOWS\system32\msxml2.dll
2006-09-05 06:30 67,584 --a

C:\WINDOWS\system32\msctfp.dll
2006-09-05 06:30 65,536 --a

C:\WINDOWS\system32\msconf.dll
2006-09-05 06:30 598,016 --a

C:\WINDOWS\system32\mstscax.dll
2006-09-05 06:30 57,856 --a

C:\WINDOWS\system32\licwmi.dll
2006-09-05 06:30 56,320 --a

C:\WINDOWS\system32\mshtmler.dll
2006-09-05 06:30 552,991 --a

C:\WINDOWS\system32\msrepl40.dll
2006-09-05 06:30 512,031 --a

C:\WINDOWS\system32\msexch40.dll
2006-09-05 06:30 504,320 --a

C:\WINDOWS\system32\logonui.exe
2006-09-05 06:30 421,919 --a

C:\WINDOWS\system32\msrd2x40.dll
2006-09-05 06:30 401,462 --a

C:\WINDOWS\system32\msvcp60.dll
2006-09-05 06:30 4,608 --a

C:\WINDOWS\system32\msimg32.dll
2006-09-05 06:30 4,126 --a

C:\WINDOWS\system32\msdxmlc.dll
2006-09-05 06:30 388,608 --a

C:\WINDOWS\system32\mstsc.exe
2006-09-05 06:30 381,440 --a

C:\WINDOWS\system32\lmrt.dll
2006-09-05 06:30 368,710 --a

C:\WINDOWS\system32\msisam11.dll
2006-09-05 06:30 348,195 --a

C:\WINDOWS\system32\msjetoledb40.dll
2006-09-05 06:30 348,191 --a

C:\WINDOWS\system32\mspbde40.dll
2006-09-05 06:30 344,095 --a

C:\WINDOWS\system32\msxbde40.dll
2006-09-05 06:30 339,968 --a

C:\WINDOWS\system32\mspaint.exe
2006-09-05 06:30 323,072 --a

C:\WINDOWS\system32\msvcrt.dll
2006-09-05 06:30 32,256 --a

C:\WINDOWS\system32\mnmdd.dll
2006-09-05 06:30 319,760 --a

C:\WINDOWS\system32\msnsspc.dll
2006-09-05 06:30 319,519 --a

C:\WINDOWS\system32\msexcl40.dll
2006-09-05 06:30 271,360 --a

C:\WINDOWS\system32\msihnd.dll
2006-09-05 06:30 266,752 --a

C:\WINDOWS\system32\msctf.dll
2006-09-05 06:30 253,983 --a

C:\WINDOWS\system32\mstext40.dll
2006-09-05 06:30 250,368 --a

C:\WINDOWS\system32\mstask.dll
2006-09-05 06:30 241,725 --a

C:\WINDOWS\system32\msuni11.dll
2006-09-05 06:30 241,695 --a

C:\WINDOWS\system32\msjtes40.dll
2006-09-05 06:30 230,400 --a

C:\WINDOWS\system32\msieftp.dll
2006-09-05 06:30 229,376 --a

C:\WINDOWS\system32\MSOEACCT.DLL
2006-09-05 06:30 22,528 --a

C:\WINDOWS\system32\mslbui.dll
2006-09-05 06:30 219,648 --a

C:\WINDOWS\system32\logon.scr
2006-09-05 06:30 213,023 --a

C:\WINDOWS\system32\msltus40.dll
2006-09-05 06:30 210,944 --a

C:\WINDOWS\system32\moricons.dll
2006-09-05 06:30 2,890,240 --a

C:\WINDOWS\system32\msi.dll
2006-09-05 06:30 196,096 --a

C:\WINDOWS\system32\mobsync.dll
2006-09-05 06:30 192,512 --a

C:\WINDOWS\system32\mswebdvd.dll
2006-09-05 06:30 19,456 --a

C:\WINDOWS\system32\licmgr10.dll
2006-09-05 06:30 182,784 --a

C:\WINDOWS\system32\msutb.dll
2006-09-05 06:30 163,840 --a

C:\WINDOWS\system32\mindex.dll
2006-09-05 06:30 143,872 --a

C:\WINDOWS\system32\msimtf.dll
2006-09-05 06:30 131,072 --a

C:\WINDOWS\system32\msorcl32.dll
2006-09-05 06:30 126,976 --a

C:\WINDOWS\system32\msdart.dll
2006-09-05 06:30 12,288 --a

C:\WINDOWS\system32\mscpx32r.dll
2006-09-05 06:30 116,736 --a

C:\WINDOWS\system32\mplay32.exe
2006-09-05 06:30 113,664 --a

C:\WINDOWS\system32\msvfw32.dll
2006-09-05 06:30 10,240 --a

C:\WINDOWS\system32\msrle32.dll
2006-09-05 06:30 10,240 --a

C:\WINDOWS\system32\localui.dll
2006-09-05 06:30 1,503,262 --a

C:\WINDOWS\system32\msjet40.dll
2006-09-05 06:30 1,220,608 --a

C:\WINDOWS\system32\msvidctl.dll
2006-09-05 06:30 1,128,960 --a

C:\WINDOWS\system32\mmcndmgr.dll
2006-09-05 06:30 1,122,304 --a

C:\WINDOWS\system32\msxml3.dll
2006-09-05 06:29 91,648 --a

C:\WINDOWS\system32\iuctl.dll
2006-09-05 06:29 9,216 --a

C:\WINDOWS\system32\icaapi.dll
2006-09-05 06:29 88,576 --a

C:\WINDOWS\system32\mqsec.dll
2006-09-05 06:29 8,832 --a

C:\WINDOWS\system32\framebuf.dll
2006-09-05 06:29 73,728 --a

C:\WINDOWS\system32\tlntsess.exe
2006-09-05 06:29 73,728 --a

C:\WINDOWS\system32\ils.dll
2006-09-05 06:29 7,168 --a

C:\WINDOWS\system32\tlntsvrp.dll
2006-09-05 06:29 7,040 --a

C:\WINDOWS\system32\kd1394.dll
2006-09-05 06:29 67,584 --a

C:\WINDOWS\system32\tlntsvr.exe
2006-09-05 06:29 67,584 --a

C:\WINDOWS\system32\fdeploy.dll
2006-09-05 06:29 608,768 --a

C:\WINDOWS\system32\mqqm.dll
2006-09-05 06:29 596,480 --a

C:\WINDOWS\system32\INETCOMM.DLL
2006-09-05 06:29 59,392 --a

C:\WINDOWS\system32\iesetup.dll
2006-09-05 06:29 57,856 --a

C:\WINDOWS\system32\tlntadmn.exe
2006-09-05 06:29 57,856 --a

C:\WINDOWS\system32\nwwks.dll
2006-09-05 06:29 545,792 --a

C:\WINDOWS\system32\wsecedit.dll
2006-09-05 06:29 51,712 --a

C:\WINDOWS\system32\ipconfig.exe
2006-09-05 06:29 49,664 --a

C:\WINDOWS\system32\ixsso.dll
2006-09-05 06:29 478,720 --a

C:\WINDOWS\system32\mqsnap.dll
2006-09-05 06:29 467,456 --a

C:\WINDOWS\system32\mqutil.dll
2006-09-05 06:29 42,537 --a

C:\WINDOWS\system32\keyboard.sys
2006-09-05 06:29 36,922 --a

C:\WINDOWS\system32\imeshare.dll
2006-09-05 06:29 318,464 --a

C:\WINDOWS\system32\ippromon.dll
2006-09-05 06:29 30,208 --a

C:\WINDOWS\system32\imgutil.dll
2006-09-05 06:29 294,912 --a

C:\WINDOWS\system32\iedkcs32.dll
2006-09-05 06:29 29,696

C:\WINDOWS\system32\asr_pfu.exe
2006-09-05 06:29 28,672 --a

C:\WINDOWS\system32\ie4uinit.exe
2006-09-05 06:29 277,504 --a

C:\WINDOWS\system32\appmgr.dll
2006-09-05 06:29 27,648 --a

C:\WINDOWS\system32\pidgen.dll
2006-09-05 06:29 240,640 --a

C:\WINDOWS\system32\hnetcfg.dll
2006-09-05 06:29 237,056 --a

C:\WINDOWS\system32\icm32.dll
2006-09-05 06:29 231,936 --a

C:\WINDOWS\system32\tracerpt.exe
2006-09-05 06:29 204,288 --a

C:\WINDOWS\system32\ieaksie.dll
2006-09-05 06:29 183,808 --a

C:\WINDOWS\system32\gptext.dll
2006-09-05 06:29 165,888 --a

C:\WINDOWS\system32\mqrt.dll
2006-09-05 06:29 164,352 --a

C:\WINDOWS\system32\mqtrig.dll
2006-09-05 06:29 156,672 --a

C:\WINDOWS\system32\appmgmts.dll
2006-09-05 06:29 14,848 --a

C:\WINDOWS\system32\mqise.dll
2006-09-05 06:29 130,048 --a

C:\WINDOWS\system32\mqad.dll
2006-09-05 06:29 126,976 --a

C:\WINDOWS\system32\ieakeng.dll
2006-09-05 06:29 123,904 --a

C:\WINDOWS\system32\imapi.exe
2006-09-05 06:29 115,200 --a

C:\WINDOWS\system32\dpcdll.dll
2006-09-05 06:29 114,176 --a

C:\WINDOWS\system32\input.dll
2006-09-05 06:29 113,664 --a

C:\WINDOWS\system32\schtasks.exe
2006-09-05 06:29 113,152 --a

C:\WINDOWS\system32\idq.dll
2006-09-05 06:29 113,152 --a

C:\WINDOWS\system32\gpresult.exe
2006-09-05 06:29 103,936 --a

C:\WINDOWS\system32\rsnotify.exe
2006-09-05 06:29 103,936 --a

C:\WINDOWS\system32\imm32.dll
2006-09-05 06:29 10,752

C:\WINDOWS\system32\spiisupd.exe
2006-09-05 06:28 98,816 --a

C:\WINDOWS\system32\clipbrd.exe
2006-09-05 06:28 94,720 --a

C:\WINDOWS\system32\dmusic.dll
2006-09-05 06:28 91,648 --a

C:\WINDOWS\system32\ahui.exe
2006-09-05 06:28 91,136 --a

C:\WINDOWS\system32\advpack.dll
2006-09-05 06:28 9,216 --a

C:\WINDOWS\system32\dumprep.exe
2006-09-05 06:28 802,304 --a

C:\WINDOWS\system32\dxmrtp.dll
2006-09-05 06:28 8,192 --a

C:\WINDOWS\system32\autolfn.exe
2006-09-05 06:28 786,432 --a

C:\WINDOWS\system32\dxdiag.exe
2006-09-05 06:28 77,312 --a

C:\WINDOWS\system32\dmscript.dll
2006-09-05 06:28 76,288 --a

C:\WINDOWS\system32\dfrgfat.exe
2006-09-05 06:28 76,288 --a

C:\WINDOWS\system32\avifil32.dll
2006-09-05 06:28 74,810 --a

C:\WINDOWS\system32\atl.dll
2006-09-05 06:28 71,680 --a

C:\WINDOWS\system32\browsewm.dll
2006-09-05 06:28 70,656 --a

C:\WINDOWS\system32\defrag.exe
2006-09-05 06:28 70,144 --a

C:\WINDOWS\system32\cryptdlg.dll
2006-09-05 06:28 66,560 --a

C:\WINDOWS\system32\faultrep.dll
2006-09-05 06:28 64,512 --a

C:\WINDOWS\system32\ciodm.dll
2006-09-05 06:28 62,976 --a

C:\WINDOWS\system32\browselc.dll
2006-09-05 06:28 62,464 --a

C:\WINDOWS\system32\adsmsext.dll
2006-09-05 06:28 61,440 --a

C:\WINDOWS\system32\dbnetlib.dll
2006-09-05 06:28 6,656 --a

C:\WINDOWS\system32\batt.dll
2006-09-05 06:28 59,904 --a

C:\WINDOWS\system32\cabinet.dll
2006-09-05 06:28 58,368 --a

C:\WINDOWS\system32\dpvsetup.exe
2006-09-05 06:28 57,344 --a

C:\WINDOWS\system32\dmcompos.dll
2006-09-05 06:28 56,320 --a

C:\WINDOWS\system32\dpnhupnp.dll
2006-09-05 06:28 55,296 --a

C:\WINDOWS\system32\digest.dll
2006-09-05 06:28 54,272 --a

C:\WINDOWS\system32\clusapi.dll
2006-09-05 06:28 53,248 --a

C:\WINDOWS\system32\cryptsvc.dll
2006-09-05 06:28 5,120 --a

C:\WINDOWS\system32\asferror.dll
2006-09-05 06:28 498,205 --a

C:\WINDOWS\system32\dxmasf.dll
2006-09-05 06:28 49,664 --a

C:\WINDOWS\system32\dpwsockx.dll
2006-09-05 06:28 49,152 --a

C:\WINDOWS\system32\eventlog.dll
2006-09-05 06:28 49,152 --a

C:\WINDOWS\system32\browser.dll
2006-09-05 06:28 489,984 --a

C:\WINDOWS\system32\dbghelp.dll
2006-09-05 06:28 471,040 --a

C:\WINDOWS\system32\cryptui.dll
2006-09-05 06:28 45,568 --a

C:\WINDOWS\system32\docprop2.dll
2006-09-05 06:28 41,984 --a

C:\WINDOWS\system32\alg.exe
2006-09-05 06:28 41,472 --a

C:\WINDOWS\system32\cmdl32.exe
2006-09-05 06:28 380,445 --a

C:\WINDOWS\system32\expsrv.dll
2006-09-05 06:28 38,912 --a

C:\WINDOWS\system32\audiosrv.dll
2006-09-05 06:28 35,328 --a

C:\WINDOWS\system32\dfrgsnap.dll
2006-09-05 06:28 324,608 --a

C:\WINDOWS\system32\cmdial32.dll
2006-09-05 06:28 32,768 --a

C:\WINDOWS\system32\cfgbkend.dll
2006-09-05 06:28 31,744 --a

C:\WINDOWS\system32\dmloader.dll
2006-09-05 06:28 307,712 --a

C:\WINDOWS\system32\cscui.dll
2006-09-05 06:28 29,696 --a

C:\WINDOWS\system32\dpnhpast.dll
2006-09-05 06:28 28,672 --a

C:\WINDOWS\system32\dbnmpntw.dll
2006-09-05 06:28 263,680 --a

C:\WINDOWS\system32\duser.dll
2006-09-05 06:28 263,168 --a

C:\WINDOWS\system32\devmgr.dll
2006-09-05 06:28 26,112 --a

C:\WINDOWS\system32\dmband.dll
2006-09-05 06:28 253,440 --a

C:\WINDOWS\system32\ddraw.dll
2006-09-05 06:28 25,600 --a

C:\WINDOWS\system32\dfsshlex.dll
2006-09-05 06:28 24,576 --a

C:\WINDOWS\system32\dbmsvinn.dll
2006-09-05 06:28 24,576 --a

C:\WINDOWS\system32\dbmsrpcn.dll
2006-09-05 06:28 24,576 --a

C:\WINDOWS\system32\conime.exe
2006-09-05 06:28 239,616 --a

C:\WINDOWS\system32\adsnt.dll
2006-09-05 06:28 238,592 --a

C:\WINDOWS\system32\compatui.dll
2006-09-05 06:28 227,840 --a

C:\WINDOWS\system32\dsquery.dll
2006-09-05 06:28 22,528 --a

C:\WINDOWS\system32\at.exe
2006-09-05 06:28 206,336 --a

C:\WINDOWS\system32\dpvoice.dll
2006-09-05 06:28 20,480 --a

C:\WINDOWS\system32\dbmsadsn.dll
2006-09-05 06:28 19,456 --a

C:\WINDOWS\system32\fontview.exe
2006-09-05 06:28 19,456 --a

C:\WINDOWS\system32\ersvc.dll
2006-09-05 06:28 186,880 --a

C:\WINDOWS\system32\certcli.dll
2006-09-05 06:28 180,224 --a

C:\WINDOWS\system32\dwwin.exe
2006-09-05 06:28 178,688 --a

C:\WINDOWS\system32\eudcedit.exe
2006-09-05 06:28 172,544 --a

C:\WINDOWS\system32\dmime.dll
2006-09-05 06:28 168,960 --a

C:\WINDOWS\system32\dinput8.dll
2006-09-05 06:28 165,376 --a

C:\WINDOWS\system32\els.dll
2006-09-05 06:28 162,816 --a

C:\WINDOWS\system32\adsldp.dll
2006-09-05 06:28 16,384 --a

C:\WINDOWS\system32\ds32gt.dll
2006-09-05 06:28 158,720 --a

C:\WINDOWS\system32\credui.dll
2006-09-05 06:28 156,672 --a

C:\WINDOWS\system32\dpnet.dll
2006-09-05 06:28 151,552 --a

C:\WINDOWS\system32\dinput.dll
2006-09-05 06:28 14,366 --a

C:\WINDOWS\system32\asfsipc.dll
2006-09-05 06:28 139,776 --a

C:\WINDOWS\system32\adsldpc.dll
2006-09-05 06:28 135,680 --a

C:\WINDOWS\system32\dsprop.dll
2006-09-05 06:28 13,312 --a

C:\WINDOWS\system32\ctfmon.exe
2006-09-05 06:28 124,928 --a

C:\WINDOWS\system32\dssenh.dll
2006-09-05 06:28 115,712 --a

C:\WINDOWS\system32\apphelp.dll
2006-09-05 06:28 113,152 --a

C:\WINDOWS\system32\dfrgui.dll
2006-09-05 06:28 110,080 --a

C:\WINDOWS\system32\dmstyle.dll
2006-09-05 06:28 103,424 --a

C:\WINDOWS\system32\dgnet.dll
2006-09-05 06:28 1,180,672 --a

C:\WINDOWS\system32\d3d8.dll
2006-09-05 06:28 1,004,032 --a

C:\WINDOWS\explorer.exe
2006-09-05 05:17 89,088 --a

C:\WINDOWS\system32\atl71.dll
2006-09-05 05:17 1,060,864 --a

C:\WINDOWS\system32\mfc71.dll
2006-09-04 18:44 78,488 --a

C:\WINDOWS\system32\XMD5.dll
2006-09-04 18:44 101,888 --a

C:\WINDOWS\system32\vb6stkit.dll
2006-09-04 18:20 499,712 --a

C:\WINDOWS\system32\msvcp71.dll
2006-09-04 17:47 108 --a

C:\check.bat
2006-08-14 20:52 78,848 --a

C:\WINDOWS\system32\nsnAB5.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-09 10:04

d

C:\Program Files\Hijackthis
2006-09-08 23:43

d

C:\Program Files\Mozilla Firefox
2006-09-08 18:06

d

C:\Program Files\ewido anti-spyware 4.0
2006-09-08 16:23

d

C:\Program Files\Common Files\misc002
2006-09-07 22:21

d

C:\Program Files\Common Files
2006-09-07 15:28

d

C:\Program Files\Viewpoint
2006-09-07 03:11

d

C:\Program Files\Windows Media Player
2006-09-07 03:04

d

C:\Program Files\Outlook Express
2006-09-07 03:04

d

C:\Program Files\Common Files\System
2006-09-06 21:17

d

C:\Documents and Settings\Marie\Application Data\Help
2006-09-06 16:29

d

C:\Documents and Settings\Marie\Application Data\AVG7
2006-09-06 16:20 777472 --a

C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-06 16:20 4288 --a

C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-09-06 16:20 27904 --a

C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-09-06 16:20 23424 --a

C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-09-06 09:55

d

C:\Program Files\Common Files\wmri
2006-09-06 07:17

d

C:\Program Files\Grisoft
2006-09-06 06:27 32135 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-09-06 06:11

d--h

C:\Program Files\WindowsUpdate
2006-09-06 06:11

d

C:\Program Files\Windows NT
2006-09-06 06:11

d

C:\Program Files\Messenger
2006-09-05 10:30

d

C:\Program Files\Internet Explorer
2006-09-05 06:53

d

C:\Program Files\NetMeeting
2006-09-05 06:39

d

C:\Program Files\Movie Maker
2006-09-05 05:27

d

C:\Documents and Settings\Marie\Application Data\SystemDoctor 2006 Free
2006-09-04 16:40

d

C:\Program Files\Zone Labs
2006-09-04 12:22

d

C:\Program Files\ArtMoney
2006-08-31 11:50 157184 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-30 10:47

d

C:\Program Files\HP Real Estate Document Assistant
2006-08-26 14:46

d

C:\Documents and Settings\Marie\Application Data\AdobeUM
2006-08-20 18:04

d

C:\Program Files\Virtools Web Player 3.0
2006-08-14 12:25

d

C:\Program Files\TLI
2006-07-21 12:14

d---s---- C:\Documents and Settings\Marie\Application Data\Microsoft
2006-07-21 12:03

d

C:\Program Files\Lavasoft
2006-07-21 12:03

d

C:\Documents and Settings\Marie\Application Data\Lavasoft
2006-07-21 12:00

d

C:\Program Files\Clicker
2006-07-21 11:58

d

C:\Program Files\WinRAR
2006-07-21 07:50

d

C:\Program Files\InterActual
2006-07-21 04:30 72704 --a

C:\WINDOWS\system32\hlink.dll
2006-07-16 08:39

d

C:\Documents and Settings\Marie\Application Data\Macromedia
2006-07-13 04:50 595968 --a

C:\WINDOWS\system32\xpsp2res.dll
2006-07-12 20:25

d

C:\Documents and Settings\Marie\Application Data\Talkback
2006-07-12 20:24

d

C:\Documents and Settings\Marie\Application Data\Mozilla
2006-06-14 15:59 8715352 --a

C:\Program Files\Install_AIM.exe
2006-06-14 15:53 9409224 --a

C:\Program Files\Install_MSN_Messenger.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\\\Unload\\hpqcmon.exe"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Etle"="\"C:\\PROGRA~1\\COMMON~1\\CROSOF~1\\scanregw.exe\" -vt yazr"
"wmri"="C:\\PROGRA~1\\COMMON~1\\wmri\\wmrim.exe"
"PSLister"="\"C:\\Program Files\\PSLister\\PSLister.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\WindowsUpdate\\kyzev.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Messenger\\howysyh.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

Completion time: Sat 09/09/2006 10:09:07.30
ComboFix.txt
ComboFix2.txt

Ryan06 · September 2006

hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:04:44 AM, on 9/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Rfwin\rfwin95.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nc.rr.com/default.cfm
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Etle] "C:\PROGRA~1\COMMON~1\CROSOF~1\scanregw.exe" -vt yazr
O4 - HKCU\..\Run: [wmri] C:\PROGRA~1\COMMON~1\wmri\wmrim.exe
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.winantivirus.com
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139178629022
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Trogan · September 2006

Hi Ryan! Sorry for the delay. Can you do the following...

Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O4 - HKCU\..\Run: [Etle] "C:\PROGRA~1\COMMON~1\CROSOF~1\scanregw.exe" -vt yazr
O4 - HKCU\..\Run: [wmri] C:\PROGRA~1\COMMON~1\wmri\wmrim.exe
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"

O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.winantivirus.com

O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab

- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HijackThis

=====

Please download Killbox and save it to your desktop.

Next, find and delete the following...

C:\Program Files\Common Files\CROSOF~1\scanregw.exe << this file
C:\Program Files\Common Files\wmri << this folder
C:\Program Files\PSLister << this folder

Now, copy everything in the Quote box below by pressing Ctrl+C

C:\WINDOWS\srvfedyvfp.exe
C:\WINDOWS\ms0635567-16097.exe

Next, open Killbox
Go to File tab and select Paste from Clipboard
Select the Delete on Reboot option
Select All Files
Now click on the Red Circle with the White X
Press Yes to reboot your computer.

Once rebooted, please post a new HijackThis log, and let me know how things are.

help much appreciated, virus on work computer

Comments