[ Resolved ] Virus-infection (Trojan, I think)

Hello there.

I have done all the seven steps that you provided, but my computer is still infected. When I push the internet icon on the desktop, two or three strange pages open. My start homepage is google.com. Yesterday evening, as I played WoW on the PC, I was disconnected and could see that something interrupts my PC.
It would be very nice if you could fix these problems.
Thanks for the support - best regards - Jan Laugesen

My logfile:

Logfile of HijackThis v1.99.1
Scan saved at 17:13:58, on 01-12-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\{982B71CD-0540-1030-0121-03010403002d}\Update.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismini.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - C:\Program Files\Safety Bar\SafetyBar.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvxip.dll,startup
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163627954423
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163629580442
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: expatriates - {1a01a98c-4f25-42e1-971a-185cf63569b2} - C:\WINDOWS\system32\tpedvf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Report from online-scan:

Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jan Laugsen\Cookies\jan laugsen@com[1].txt
Spyware:Cookie/Malwarewipe Not disinfected C:\Documents and Settings\Jan Laugsen\Cookies\jan laugsen@malwarewipe[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jan Laugsen\Cookies\jan laugsen@mediaplex[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Jan Laugsen\Cookies\jan laugsen@stats1.reliablestats[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Jan Laugsen\Cookies\jan laugsen@winantivirus[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Jan Laugsen\Cookies\jan laugsen@www.winantivirus[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jan Laugsen\Cookies\jan laugsen@zedo[1].txt
Possible Virus. Not disinfected C:\Documents and Settings\Jan Laugsen\Desktop\Microsoft_Windows_XP_Professional_Edition_Corporate_SP2_build_2600_serial_number\crack.exe
Adware:adware/securityerror Not disinfected C:\Documents and Settings\Jan Laugsen\Favorites\Antivirus Test Online.url
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\rqrstqo.dll
Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\system32\Tools\Restart.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\tpedvf.dll
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\ulasmwrb.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\wdbdcuqt.exe

Comments

  • zamizami Finland
    edited December 2006
    Please follow my steps in the right order...
    We'll start with this:

    I need you to rename Hijackthis because I suspect that you may have the Vundo infection that can hide some entries in your log.
    Please go to the folder where you saved Hijackthis.exe
    Right-click on it, then select Rename.
    Name it as: scanner.exe and then reboot.
    After reboot, run scanner.exe (which is hijackthis of course) and post the log it creates in your next reply.

    Click on start, settings, control panel and double-click on Add or Remove Programs. From within Add or Remove Programs uninstall the following if they exist:
    Toolbar888
    SafetyBar

    Then reboot your computer - IMPORTANT

    ****************************************************************************************************************

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

    http://www.beyondlogic.org/consulting/proc...processutil.htm

    ****************************************************************************************************************

    Please download Combofix http://download.bleepingcomputer.com/sUBs/combofix.exe
    to your desktop.
    Double click combofix.exe and follow the prompts.
    When it's done running it will produce a log for you. Please post that log in your next reply.

    Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Please post Smitfraudfix report, Combofix report and a fresh scanner.exe (HJT) log.
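
Added example, not part of the original thread: a Python script that cross-checks the online-scan detections from the first post against the HijackThis log and lists detected executables that no visible autostart entry or running process refers to, the kind of gap that makes a hidden load point worth suspecting. The sample lines are copied from the two reports in the first post; the function names and regular expressions are this example's own.

```python
import re
from collections import defaultdict

# Sample input: a subset of lines copied from the HijackThis log in the first post.
HJT_LOG = r"""Running processes:
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\ishost.exe

O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - C:\Program Files\Safety Bar\SafetyBar.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvxip.dll,startup
O21 - SSODL: expatriates - {1a01a98c-4f25-42e1-971a-185cf63569b2} - C:\WINDOWS\system32\tpedvf.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Sample input: a subset of lines copied from the online-scan report in the first post.
SCAN_REPORT = r"""Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\rqrstqo.dll
Possible Virus. Not disinfected C:\WINDOWS\system32\tpedvf.dll
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\ulasmwrb.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\wdbdcuqt.exe
Adware:adware/securityerror Not disinfected C:\Documents and Settings\Jan Laugsen\Favorites\Antivirus Test Online.url
"""

# File types that can be loaded or executed; cookies and .url shortcuts are skipped.
LOADABLE = (".exe", ".dll", ".cpl", ".sys")

# A drive-letter path ending in a loadable extension; spaces inside the path are allowed.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?,\r\n]+?\.(?:exe|dll|cpl|sys)\b', re.IGNORECASE)
# A HijackThis entry line: section code (R0, O4, O21, ...), " - ", then the entry body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# A scan report line: detection name, the status shown on the page, then the file path.
SCAN_RE = re.compile(r"^(?P<name>.+?)\s+Not disinfected\s+(?P<path>[A-Za-z]:\\.+)$")


def parse_hjt(text):
    """Map each lower-cased file path to the set of places that refer to it.

    A place is either 'process' (the Running processes list) or a section code.
    Caveat: 8.3 short names such as PROGRA~1 are not expanded, so a file listed
    only under its short name will not match the long name in a scan report.
    """
    refs = defaultdict(set)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            in_processes = False
            source, body = entry.group(1), entry.group(2)
        elif in_processes and line:
            source, body = "process", line
        else:
            in_processes = False  # a blank line ends the process list
            continue
        for path in PATH_RE.findall(body):
            refs[path.lower()].add(source)
    return refs


def parse_scan(text):
    """Return (detection name, file path) pairs from the scan report."""
    pairs = []
    for raw in text.splitlines():
        match = SCAN_RE.match(raw.strip())
        if match:
            pairs.append((match.group("name"), match.group("path")))
    return pairs


def cross_reference(hjt_text, scan_text):
    """For every detected loadable file, list where the HijackThis log mentions it."""
    refs = parse_hjt(hjt_text)
    rows = []
    for name, path in parse_scan(scan_text):
        if path.lower().endswith(LOADABLE):
            rows.append((name, path, sorted(refs.get(path.lower(), ()))))
    return rows


def without_load_point(rows):
    """Detected files that nothing visible in the HijackThis log refers to."""
    return [path for _, path, sources in rows if not sources]


if __name__ == "__main__":
    rows = cross_reference(HJT_LOG, SCAN_REPORT)
    for name, path, sources in rows:
        print(f"{path:45} {name:45} {', '.join(sources) or 'no visible entry'}")
    print("Needs a closer look:", without_load_point(rows))
```

A file that appears here with no visible entry may simply be inactive, so the result is a list of things to examine further, not a verdict.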
  • edited December 2006
    Hi!
    I have checked my email every day because I thought that I would receive an email when you had replied to the thread. But anyway, here goes.
    I have done the steps, but have problems with the smitfraudfix thing - this message appears: Process.exe file missing! Don't know what to do about it.
    Have removed the safetybar. Toolbar888 doesn't exist.
    I would be very glad, if you are able to help me a step further.
    Thanks a lot - regards from the cold side of Scandinavia.
    A strange page called xxx.updatestate.com starts when I push the internet icon.

    Here is the combofix-report:

    Jan Laugsen - 06-12-08 1:42:12,68 Service Pack 2
    ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Jan Laugsen\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\issearch.exe
    C:\WINDOWS\system32\components
    C:\Program Files\Common Files\{382B71CD-0540-1030-0121-03010403002d}
    C:\WINDOWS\system32\ixt0.dll
    C:\Program Files\Common Files\{982B71CD-0540-1030-0121-03010403002d}


    ((((((((((((((((((((((((((((((( Files Created from 2006-11-08 to 2006-12-08 ))))))))))))))))))))))))))))))))))


    2006-12-08 01:23 90,164 ---hs---- C:\WINDOWS\system32\byxwv.dll
    2006-12-02 15:58 607,271 ---hs---- C:\WINDOWS\system32\wxadd.bak2
    2006-12-01 17:13 <DIR> d C:\Program Files\scanner.exe
    2006-12-01 16:54 72,704 --a C:\WINDOWS\system32\drvxip.dll
    2006-12-01 16:53 40,973 ---hs---- C:\WINDOWS\system32\awtustt.dll
    2006-12-01 15:47 <DIR> d C:\WINDOWS\system32\ZoneLabs
    2006-12-01 15:47 <DIR> d C:\Program Files\Zone Labs
    2006-12-01 15:46 <DIR> d C:\WINDOWS\Internet Logs
    2006-12-01 15:13 <DIR> d C:\WINDOWS\system32\ActiveScan
    2006-12-01 15:08 118,784 --a C:\WINDOWS\system32\MSSTDFMT.DLL
    2006-12-01 15:08 <DIR> d C:\Program Files\SpywareBlaster
    2006-12-01 14:44 <DIR> d C:\Program Files\Spybot - Search & Destroy
    2006-12-01 14:44 <DIR> d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2006-12-01 13:44 <DIR> d C:\Program Files\Setup
    2006-12-01 13:43 <DIR> d C:\Program Files\WinAce
    2006-12-01 13:31 88,340 --a C:\WINDOWS\system32\wdbdcuqt.exe
    2006-12-01 13:31 77,824 --a C:\WINDOWS\system32\tpedvf.dll
    2006-12-01 13:31 591,528 ---hs---- C:\WINDOWS\system32\wxadd.bak1
    2006-12-01 13:31 42,516 --a C:\WINDOWS\system32\ulasmwrb.dll
    2006-12-01 13:30 274,484 ---hs---- C:\WINDOWS\system32\ddaxw.dll
    2006-12-01 13:26 <DIR> dr-h C:\$VAULT$.AVG
    2006-12-01 13:25 72,704 --a C:\WINDOWS\system32\drvwov.dll
    2006-12-01 13:25 40,973 ---hs---- C:\WINDOWS\system32\rqrstqo.dll
    2006-12-01 13:25 19,456 --a C:\WINDOWS\system32\winfvx32.dll
    2006-11-30 14:01 <DIR> d C:\Documents and Settings\Jan Laugsen\Application Data\Help
    2006-11-28 14:48 <DIR> d C:\WINDOWS\Minidump
    2006-11-24 12:26 <DIR> d C:\Documents and Settings\All Users\Application Data\e-Safekey
    2006-11-21 12:31 <DIR> d C:\Documents and Settings\Jan Laugsen\Contacts
    2006-11-19 03:11 221,184 --a C:\WINDOWS\system32\wmpns.dll
    2006-11-17 12:03 79,622 --a C:\WINDOWS\system32\EBPMON24.DLL
    2006-11-17 12:03 64,000 --a C:\WINDOWS\system32\ECBTEG.DLL
    2006-11-17 12:03 34,304 --a C:\WINDOWS\system32\EBPCHP.DLL
    2006-11-17 12:03 31,744 --a C:\WINDOWS\system32\E_DCINST.DLL
    2006-11-17 12:02 <DIR> d C:\Program Files\EPSON
    2006-11-17 11:59 <DIR> d C:\EPSON
    2006-11-17 11:40 <DIR> d C:\Documents and Settings\Jan Laugsen\Application Data\Lavasoft
    2006-11-17 11:39 <DIR> d C:\Program Files\Lavasoft
    2006-11-17 11:32 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2006-11-17 11:31 <DIR> d C:\Program Files\MSN Messenger
    2006-11-17 11:13 <DIR> d C:\Program Files\Common Files\Blizzard Entertainment
    2006-11-17 10:48 <DIR> d--h C:\Program Files\InstallShield Installation Information
    2006-11-17 10:48 <DIR> d C:\Program Files\Common Files\Adobe
    2006-11-17 10:48 <DIR> d C:\Documents and Settings\All Users\Application Data\Adobe
    2006-11-17 10:47 <DIR> d C:\WINDOWS\system32\appmgmt
    2006-11-17 10:47 <DIR> d C:\Program Files\sisagp
    2006-11-16 22:43 25,856 --a C:\WINDOWS\system32\drivers\usbprint.sys
    2006-11-16 12:29 <DIR> d C:\WINDOWS\Sun
    2006-11-16 12:29 <DIR> d C:\Documents and Settings\Jan Laugsen\Application Data\Sun
    2006-11-16 12:27 <DIR> d C:\Program Files\Java
    2006-11-16 12:25 <DIR> d C:\Program Files\Common Files\Java
    2006-11-16 12:22 <DIR> d C:\Sydbank
    2006-11-15 23:32 <DIR> d C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    2006-11-15 23:23 208,896 --a C:\WINDOWS\system32\nvudisp.exe
    2006-11-15 23:23 <DIR> d C:\WINDOWS\nview
    2006-11-15 23:22 208,896 --a C:\WINDOWS\system32\NVUNINST.EXE
    2006-11-15 23:22 <DIR> d C:\NVIDIA
    2006-11-15 23:06 816,672 --a C:\WINDOWS\system32\drivers\avg7core.sys
    2006-11-15 23:06 499,712 --a C:\WINDOWS\system32\msvcp71.dll
    2006-11-15 23:06 4,960 --a C:\WINDOWS\system32\drivers\avgtdi.sys
    2006-11-15 23:06 4,224 --a C:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-11-15 23:06 348,160 --a C:\WINDOWS\system32\msvcr71.dll
    2006-11-15 23:06 3,968 --a C:\WINDOWS\system32\drivers\avgclean.sys
    2006-11-15 23:06 28,416 --a C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-11-15 23:06 18,240 --a C:\WINDOWS\system32\drivers\avgmfx86.sys
    2006-11-15 23:06 <DIR> d C:\Program Files\Grisoft
    2006-11-15 23:06 <DIR> d C:\Documents and Settings\Jan Laugsen\Application Data\AVG7
    2006-11-15 23:06 <DIR> d C:\Documents and Settings\Jan Laugsen\Application Data\AdobeUM
    2006-11-15 23:06 <DIR> d C:\Documents and Settings\Jan Laugsen\Application Data\Adobe
    2006-11-15 23:06 <DIR> d C:\Documents and Settings\All Users\Application Data\Grisoft
    2006-11-15 23:06 <DIR> d C:\Documents and Settings\All Users\Application Data\avg7
    2006-11-15 23:02 8,192 C:\WINDOWS\system32\bitsprx2.dll
    2006-11-15 23:02 7,168 C:\WINDOWS\system32\bitsprx3.dll
    2006-11-15 23:02 438,784 C:\WINDOWS\system32\xpob2res.dll
    2006-11-15 23:02 351,232 --a C:\WINDOWS\system32\winhttp.dll
    2006-11-15 23:02 18,944 --a C:\WINDOWS\system32\qmgrprxy.dll
    2006-11-15 23:02 <DIR> d C:\WINDOWS\system32\bits
    2006-11-15 23:02 <DIR> d C:\Upload
    2006-11-15 23:00 41,240 --a C:\WINDOWS\system32\wups.dll
    2006-11-15 23:00 194,328 --a C:\WINDOWS\system32\wuaueng1.dll
    2006-11-15 23:00 18,200 --a C:\WINDOWS\system32\wups2.dll
    2006-11-15 23:00 172,312 --a C:\WINDOWS\system32\wuauclt1.exe
    2006-11-15 23:00 127,256 --a C:\WINDOWS\system32\wucltui.dll
    2006-11-15 22:59 465,176 --a C:\WINDOWS\system32\wuapi.dll
    2006-11-15 22:59 <DIR> d C:\WINDOWS\SoftwareDistribution
    2006-11-15 22:52 <DIR> d---s---- C:\Documents and Settings\Jan Laugsen\UserData
    2006-11-15 22:46 <DIR> d C:\Program Files\VIA Technologies, Inc
    2006-11-15 22:45 26,624 --a C:\WINDOWS\system32\drivers\usbehci.sys
    2006-11-15 22:43 32,256 -ra C:\WINDOWS\system32\drivers\sisnic.sys
    2006-11-15 22:43 <DIR> d C:\Program Files\SiSLan
    2006-11-15 22:42 82,944 --a C:\WINDOWS\system32\drivers\wdmaud.sys
    2006-11-15 22:42 7,552 --a C:\WINDOWS\system32\drivers\mskssrv.sys
    2006-11-15 22:42 60,800 --a C:\WINDOWS\system32\drivers\sysaudio.sys
    2006-11-15 22:42 6,400 --a C:\WINDOWS\system32\drivers\splitter.sys
    2006-11-15 22:42 54,272 --a C:\WINDOWS\system32\drivers\swmidi.sys
    2006-11-15 22:42 52,864 --a C:\WINDOWS\system32\drivers\dmusic.sys
    2006-11-15 22:42 5,376 --a C:\WINDOWS\system32\drivers\mspclock.sys
    2006-11-15 22:42 4,992 --a C:\WINDOWS\system32\drivers\mspqm.sys
    2006-11-15 22:42 2,944 --a C:\WINDOWS\system32\drivers\drmkaud.sys
    2006-11-15 22:42 172,416 --a C:\WINDOWS\system32\drivers\kmixer.sys
    2006-11-15 22:42 142,464 --a C:\WINDOWS\system32\drivers\aec.sys
    2006-11-15 22:41 917,504 --a C:\WINDOWS\system\cmids3d.dll
    2006-11-15 22:41 712,704 --a C:\WINDOWS\system32\Audio3D.dll
    2006-11-15 22:41 712,704 --a C:\WINDOWS\system32\a3d.dll
    2006-11-15 22:41 60,288 --a C:\WINDOWS\system32\drivers\drmk.sys
    2006-11-15 22:41 53,248 --a C:\WINDOWS\system32\cmuda.dll
    2006-11-15 22:41 48,640 --a C:\WINDOWS\system32\drivers\stream.sys
    2006-11-15 22:41 451,599 --a C:\WINDOWS\system32\drivers\cmuda.sys
    2006-11-15 22:41 4,096 --a C:\WINDOWS\system32\ksuser.dll
    2006-11-15 22:41 28,672 --a C:\WINDOWS\system32\udaprop.dll
    2006-11-15 22:41 28,672 --a C:\WINDOWS\CMIRmDriver.dll
    2006-11-15 22:41 237,568 --a C:\WINDOWS\CMIUninstall.exe
    2006-11-15 22:41 212,992 --a C:\WINDOWS\CmiRmRedundDir.exe
    2006-11-15 22:41 145,792 --a C:\WINDOWS\system32\drivers\portcls.sys
    2006-11-15 22:41 140,928 --a C:\WINDOWS\system32\drivers\ks.sys
    2006-11-15 22:41 <DIR> d C:\Program Files\C-Media 3D Audio
    2006-11-15 22:38 45,056 -ra C:\WINDOWS\winio.dll
    2006-11-15 22:38 36,992 -ra C:\WINDOWS\system32\drivers\SISAGPX.SYS
    2006-11-15 22:38 32,768 --a C:\WINDOWS\SIS_LIB.DLL
    2006-11-15 22:38 306,688 --a C:\WINDOWS\IsUninst.exe
    2006-11-15 22:38 3,583 --a C:\WINDOWS\SiSport.sys
    2006-11-15 22:38 3,072 -ra C:\WINDOWS\winio.sys
    2006-11-15 22:38 28,672 -ra C:\WINDOWS\htpatch.exe
    2006-11-15 22:38 106,496 --a C:\WINDOWS\SiSUSBrg.exe
    2006-11-15 22:38 <DIR> d C:\WINDOWS\system32\ReinstallBackups
    2006-11-15 22:38 <DIR> d C:\Documents and Settings\Jan Laugsen\WINDOWS
    2006-11-15 22:37 <DIR> d C:\WINDOWS\system32\Tools
    2006-11-15 22:37 <DIR> d C:\Program Files\Common Files\InstallShield
    2006-11-15 22:26 <DIR> dr-h C:\Documents and Settings\Jan Laugsen\SendTo
    2006-11-15 22:26 <DIR> dr-h C:\Documents and Settings\Jan Laugsen\Recent
    2006-11-15 22:26 <DIR> dr-h C:\Documents and Settings\Jan Laugsen\Application Data\.
    2006-11-15 22:26 <DIR> dr-h C:\Documents and Settings\Jan Laugsen\Application Data
    2006-11-15 22:26 <DIR> dr C:\Documents and Settings\Jan Laugsen\Start Menu
    2006-11-15 22:26 <DIR> dr C:\Documents and Settings\Jan Laugsen\My Documents
    2006-11-15 22:26 <DIR> dr C:\Documents and Settings\Jan Laugsen\Favorites
    2006-11-15 22:26 <DIR> d--hs---- C:\WINDOWS\Installer
    2006-11-15 22:26 <DIR> d--h C:\Program Files\Uninstall Information
    2006-11-15 22:26 <DIR> d--h C:\Documents and Settings\Jan Laugsen\Templates
    2006-11-15 22:26 <DIR> d--h C:\Documents and Settings\Jan Laugsen\PrintHood
    2006-11-15 22:26 <DIR> d--h C:\Documents and Settings\Jan Laugsen\NetHood
    2006-11-15 22:26 <DIR> d--h C:\Documents and Settings\Jan Laugsen\Local Settings
    2006-11-15 22:26 <DIR> d---s---- C:\Documents and Settings\Jan Laugsen\Cookies
    2006-11-15 22:26 <DIR> d---s---- C:\Documents and Settings\Jan Laugsen\Application Data\Microsoft
    2006-11-15 22:26 <DIR> d C:\Documents and Settings\Jan Laugsen\Desktop
    2006-11-15 22:26 <DIR> d C:\Documents and Settings\Jan Laugsen\Application Data\Identities
    2006-11-15 22:26 <DIR> d C:\Documents and Settings\Jan Laugsen\Application Data\..
    2006-11-15 22:26 <DIR> d C:\Documents and Settings\Jan Laugsen\..
    2006-11-15 22:26 <DIR> d C:\Documents and Settings\Jan Laugsen\.
    2006-11-15 22:21 <DIR> d--hs---- C:\System Volume Information
    2006-11-15 22:16 112,128 --a C:\WINDOWS\system32\mapi32.dll
    2006-11-15 22:16 0 -rahs---- C:\MSDOS.SYS
    2006-11-15 22:16 0 -rahs---- C:\IO.SYS
    2006-11-15 22:16 0 --a C:\CONFIG.SYS
    2006-11-15 22:16 0 --a C:\AUTOEXEC.BAT
    2006-11-15 22:16 <DIR> d C:\WINDOWS\system32\xircom
    2006-11-15 22:16 <DIR> d C:\Program Files\xerox
    2006-11-15 22:16 <DIR> d C:\Program Files\microsoft frontpage
    2006-11-15 22:15 <DIR> dr C:\WINDOWS\Offline Web Pages
    2006-11-15 22:15 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
    2006-11-15 22:15 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
    2006-11-15 22:14 45,568 --a C:\WINDOWS\system32\safrslv.dll
    2006-11-15 22:14 43,520 --a C:\WINDOWS\system32\safrcdlg.dll
    2006-11-15 22:14 43,520 --a C:\WINDOWS\system32\racpldlg.dll
    2006-11-15 22:14 382,464 --a C:\WINDOWS\system32\qmgr.dll
    2006-11-15 22:14 29,696 --a C:\WINDOWS\system32\safrdm.dll
    2006-11-15 22:14 11,264 --a C:\WINDOWS\system32\atrace.dll
    2006-11-15 22:14 <DIR> d C:\WINDOWS\system32\Macromed
    2006-11-15 22:14 <DIR> d C:\WINDOWS\system32\DirectX
    2006-11-15 22:14 <DIR> d C:\WINDOWS\srchasst
    2006-11-15 22:14 <DIR> d C:\Program Files\Movie Maker
    2006-11-15 22:13 81,920 --a C:\WINDOWS\system32\isign32.dll
    2006-11-15 22:13 81,920 --a C:\WINDOWS\system32\ils.dll
    2006-11-15 22:13 73,728 --a C:\WINDOWS\system32\icwdial.dll
    2006-11-15 22:13 73,472 --a C:\WINDOWS\system32\drivers\sr.sys
    2006-11-15 22:13 69,632 --a C:\WINDOWS\system32\msconf.dll
    2006-11-15 22:13 679,424 --a C:\WINDOWS\system32\inetcomm.dll
    2006-11-15 22:13 67,584 --a C:\WINDOWS\system32\srclient.dll
    2006-11-15 22:13 65,536 --a C:\WINDOWS\system32\icwphbk.dll
    2006-11-15 22:13 64,512 --a C:\WINDOWS\system32\acctres.dll
    2006-11-15 22:13 48,128 --a C:\WINDOWS\system32\inetres.dll
    2006-11-15 22:13 34,560 --a C:\WINDOWS\system32\mnmdd.dll
    2006-11-15 22:13 32,768 --a C:\WINDOWS\system32\mnmsrvc.exe
    2006-11-15 22:13 32,768 --a C:\WINDOWS\system32\isrdbg32.dll
    2006-11-15 22:13 28,672 --a C:\WINDOWS\system32\nmmkcert.dll
    2006-11-15 22:13 274,944 --a C:\WINDOWS\system32\mstask.dll
    2006-11-15 22:13 274,432 --a C:\WINDOWS\system32\inetcfg.dll
    2006-11-15 22:13 252,928 --a C:\WINDOWS\system32\msoeacct.dll
    2006-11-15 22:13 239,104 --a C:\WINDOWS\system32\srrstr.dll
    2006-11-15 22:13 190,976 --a C:\WINDOWS\system32\schedsvc.dll
    2006-11-15 22:13 170,496 --a C:\WINDOWS\system32\srsvc.dll
    2006-11-15 22:13 16,384 --a C:\WINDOWS\system32\icfgnt5.dll
    2006-11-15 22:13 12,288 --a C:\WINDOWS\system32\nmevtmsg.dll
    2006-11-15 22:13 12,288 --a C:\WINDOWS\system32\mstinit.exe
    2006-11-15 22:13 105,984 --a C:\WINDOWS\system32\msoert2.dll
    2006-11-15 22:13 <DIR> d---s---- C:\WINDOWS\Tasks
    2006-11-15 22:13 <DIR> d C:\WINDOWS\system32\Restore
    2006-11-15 22:13 <DIR> d C:\WINDOWS\PCHEALTH
    2006-11-15 22:13 <DIR> d C:\Program Files\Windows Media Player
    2006-11-15 22:13 <DIR> d C:\Program Files\Outlook Express
    2006-11-15 22:13 <DIR> d C:\Program Files\NetMeeting
    2006-11-15 22:13 <DIR> d C:\Program Files\Internet Explorer
    2006-11-15 22:13 <DIR> d C:\Program Files\Common Files\System
    2006-11-15 22:13 <DIR> d C:\Program Files\Common Files\Services
    2006-11-15 22:13 <DIR> d C:\Program Files\Common Files\MSSoap
    2006-11-15 22:12 73,216 --a C:\WINDOWS\system32\avwav.dll
    2006-11-15 22:12 5,632 --a C:\WINDOWS\system32\write.exe
    2006-11-15 22:12 44,544 --a C:\WINDOWS\system32\hticons.dll
    2006-11-15 22:12 35,328 --a C:\WINDOWS\system32\winchat.exe
    2006-11-15 22:12 347,136 --a C:\WINDOWS\system32\hypertrm.dll
    2006-11-15 22:12 343,040 --a C:\WINDOWS\system32\mspaint.exe
    2006-11-15 22:12 227,840 --a C:\WINDOWS\system32\avtapi.dll
    2006-11-15 22:12 183,808 --a C:\WINDOWS\system32\accwiz.exe
    2006-11-15 22:12 16,384 --a C:\WINDOWS\system32\avmeter.dll
    2006-11-15 22:12 138,752 --a C:\WINDOWS\system32\sndvol32.exe
    2006-11-15 22:12 131,584 --a C:\WINDOWS\system32\sndrec32.exe
    2006-11-15 22:12 123,392 --a C:\WINDOWS\system32\mplay32.exe
    2006-11-15 22:12 <DIR> d--h C:\Program Files\WindowsUpdate
    2006-11-15 22:12 <DIR> d C:\WINDOWS\Registration
    2006-11-15 22:12 <DIR> d C:\Program Files\Windows NT
    2006-11-15 22:12 <DIR> d C:\Program Files\Online Services
    2006-11-15 22:12 <DIR> d C:\Program Files\MSN Gaming Zone
    2006-11-15 22:12 <DIR> d C:\Program Files\MSN
    2006-11-15 22:12 <DIR> d C:\Program Files\Messenger
    2006-11-15 22:12 <DIR> d C:\Program Files\ComPlus Applications
    2006-11-15 22:11 97,792 --a C:\WINDOWS\system32\comrepl.dll
    2006-11-15 22:11 956,416 --a C:\WINDOWS\system32\msdtctm.dll
    2006-11-15 22:11 93,696 --a C:\WINDOWS\system32\tscfgwmi.dll
    2006-11-15 22:11 91,136 --a C:\WINDOWS\system32\mtxoci.dll
    2006-11-15 22:11 9,728 --a C:\WINDOWS\system32\reset.exe
    2006-11-15 22:11 87,176 --a C:\WINDOWS\system32\rdpwsx.dll
    2006-11-15 22:11 85,504 --a C:\WINDOWS\system32\catsrvps.dll
    2006-11-15 22:11 80,384 --a C:\WINDOWS\system32\charmap.exe
    2006-11-15 22:11 67,072 --a C:\WINDOWS\system32\rdshost.exe
    2006-11-15 22:11 655,360 --a C:\WINDOWS\system32\mstscax.dll
    2006-11-15 22:11 625,152 --a C:\WINDOWS\system32\catsrvut.dll
    2006-11-15 22:11 62,464 --a C:\WINDOWS\system32\rdpclip.exe
    2006-11-15 22:11 605,696 --a C:\WINDOWS\system32\getuname.dll
    2006-11-15 22:11 60,416 --a C:\WINDOWS\system32\remotepg.dll
    2006-11-15 22:11 60,416 --a C:\WINDOWS\system32\colbact.dll
    2006-11-15 22:11 6,656 --a C:\WINDOWS\system32\wuauserv.dll
    2006-11-15 22:11 6,144 --a C:\WINDOWS\system32\msdtc.exe
    2006-11-15 22:11 58,880 --a C:\WINDOWS\system32\msdtclog.dll
    2006-11-15 22:11 58,880 --a C:\WINDOWS\system32\licwmi.dll
    2006-11-15 22:11 56,832 --a C:\WINDOWS\system32\sol.exe
    2006-11-15 22:11 56,320 --a C:\WINDOWS\system32\servdeps.dll
    2006-11-15 22:11 55,296 --a C:\WINDOWS\system32\freecell.exe
    2006-11-15 22:11 540,160 --a C:\WINDOWS\system32\comuid.dll
    2006-11-15 22:11 54,272 --a C:\WINDOWS\system32\stclient.dll
    2006-11-15 22:11 538,624 --a C:\WINDOWS\system32\spider.exe
    2006-11-15 22:11 5,120 --a C:\WINDOWS\system32\dcomcnfg.exe
    2006-11-15 22:11 498,688 --a C:\WINDOWS\system32\clbcatq.dll
    2006-11-15 22:11 44,544 --a C:\WINDOWS\system32\tscupgrd.exe
    2006-11-15 22:11 426,496 --a C:\WINDOWS\system32\msdtcprx.dll
    2006-11-15 22:11 407,552 --a C:\WINDOWS\system32\mstsc.exe
    2006-11-15 22:11 40,840 --a C:\WINDOWS\system32\drivers\termdd.sys
    2006-11-15 22:11 4,096 --a C:\WINDOWS\system32\rdpcfgex.dll
    2006-11-15 22:11 4,096 --a C:\WINDOWS\system32\mtxex.dll
    2006-11-15 22:11 38,912 --a C:\WINDOWS\system32\cfgbkend.dll
    2006-11-15 22:11 33,792 --a C:\WINDOWS\system32\regini.exe
    2006-11-15 22:11 295,424 --a C:\WINDOWS\system32\termsrv.dll
    2006-11-15 22:11 25,600 --a C:\WINDOWS\system32\comaddin.dll
    2006-11-15 22:11 25,088 --a C:\WINDOWS\system32\mtxlegih.dll
    2006-11-15 22:11 225,792 --a C:\WINDOWS\system32\catsrv.dll
    2006-11-15 22:11 22,016 --a C:\WINDOWS\system32\qwinsta.exe
    2006-11-15 22:11 21,896 --a C:\WINDOWS\system32\drivers\tdtcp.sys
    2006-11-15 22:11 20,992 --a C:\WINDOWS\system32\msg.exe
    2006-11-15 22:11 20,480 --a C:\WINDOWS\system32\qprocess.exe
    2006-11-15 22:11 20,480 --a C:\WINDOWS\system32\mtxdm.dll
    2006-11-15 22:11 196,864 --a C:\WINDOWS\system32\drivers\rdpdr.sys
    2006-11-15 22:11 19,968 --a C:\WINDOWS\system32\rdpsnd.dll
    2006-11-15 22:11 185,344 --a C:\WINDOWS\system32\cmprops.dll
    2006-11-15 22:11 17,408 --a C:\WINDOWS\system32\mmfutil.dll
    2006-11-15 22:11 161,280 --a C:\WINDOWS\system32\msdtcuiu.dll
    2006-11-15 22:11 16,896 --a C:\WINDOWS\system32\tsshutdn.exe
    2006-11-15 22:11 16,896 --a C:\WINDOWS\system32\qappsrv.exe
    2006-11-15 22:11 16,384 --a C:\WINDOWS\system32\tskill.exe
    2006-11-15 22:11 15,872 --a C:\WINDOWS\system32\rwinsta.exe
    2006-11-15 22:11 15,872 --a C:\WINDOWS\system32\cdmodem.dll
    2006-11-15 22:11 15,360 --a C:\WINDOWS\system32\logoff.exe
    2006-11-15 22:11 147,968 --a C:\WINDOWS\system32\rdchost.dll
    2006-11-15 22:11 147,456 --a C:\WINDOWS\system32\comsnap.dll
    2006-11-15 22:11 140,800 --a C:\WINDOWS\system32\sessmgr.exe
    2006-11-15 22:11 14,848 --a C:\WINDOWS\system32\tsdiscon.exe
    2006-11-15 22:11 14,848 --a C:\WINDOWS\system32\tscon.exe
    2006-11-15 22:11 14,848 --a C:\WINDOWS\system32\shadow.exe
    2006-11-15 22:11 139,528 --a C:\WINDOWS\system32\drivers\rdpwd.sys
    2006-11-15 22:11 13,824 --a C:\WINDOWS\system32\rdsaddin.exe
    2006-11-15 22:11 126,976 --a C:\WINDOWS\system32\mshearts.exe
    2006-11-15 22:11 124,184 --a C:\WINDOWS\system32\wuauclt.exe
    2006-11-15 22:11 12,040 --a C:\WINDOWS\system32\drivers\tdpipe.sys
    2006-11-15 22:11 119,808 --a C:\WINDOWS\system32\winmine.exe
    2006-11-15 22:11 114,688 --a C:\WINDOWS\system32\calc.exe
    2006-11-15 22:11 110,080 --a C:\WINDOWS\system32\clbcatex.dll
    2006-11-15 22:11 11,776 --a C:\WINDOWS\system32\xolehlp.dll
    2006-11-15 22:11 11,264 --a C:\WINDOWS\system32\icaapi.dll
    2006-11-15 22:11 102,912 --a C:\WINDOWS\system32\clipbrd.exe
    2006-11-15 22:11 1,343,768 --a C:\WINDOWS\system32\wuaueng.dll
    2006-11-15 22:11 1,267,200 --a C:\WINDOWS\system32\comsvcs.dll
    2006-11-15 22:11 1,161 --a C:\WINDOWS\system32\usrlogon.cmd
    2006-11-15 22:11 <DIR> d C:\WINDOWS\system32\MsDtc
    2006-11-15 22:11 <DIR> d C:\WINDOWS\system32\Com
    2006-11-15 20:28 <DIR> d--hs---- C:\RECYCLER
    2006-11-15 18:27 <DIR> d--h C:\WINDOWS\$hf_mig$
    2006-11-15 18:27 <DIR> d C:\WINDOWS\system32\PreInstall
    2006-11-15 17:05 <DIR> d C:\Program Files\Adobe
    2006-11-15 16:26 <DIR> d C:\Documents and Settings\Jan Laugsen\Application Data\Macromedia
    2006-11-15 15:57 127,208 --a C:\WINDOWS\system32\mucltui.dll
    2006-11-15 15:55 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
    2006-11-15 15:55 <DIR> d C:\WINDOWS\Prefetch
    2006-11-15 15:44 95,424 C:\WINDOWS\system32\drivers\slnthal.sys
    2006-11-15 15:44 937,984 C:\WINDOWS\system32\winbrand.dll
    2006-11-15 15:44 9,728 C:\WINDOWS\system32\comsdupd.exe
    2006-11-15 15:44 896,512 C:\WINDOWS\system32\wmspdmoe.dll
    2006-11-15 15:44 88,064 C:\WINDOWS\system32\p2pnetsh.dll
    2006-11-15 15:44 870,784 C:\WINDOWS\system32\ati3d1ag.dll
    2006-11-15 15:44 86,016 C:\WINDOWS\system32\p2pgasvc.dll
    2006-11-15 15:44 86,016 C:\WINDOWS\system32\mdmxsdk.dll
    2006-11-15 15:44 81,920 C:\WINDOWS\system32\ieencode.dll
    2006-11-15 15:44 81,408 C:\WINDOWS\system32\wscsvc.dll
    2006-11-15 15:44 8,192 C:\WINDOWS\system32\smbinst.exe
    2006-11-15 15:44 78,464 C:\WINDOWS\system32\drivers\usbvideo.sys
    2006-11-15 15:44 75,776 C:\WINDOWS\system32\strmfilt.dll
    2006-11-15 15:44 73,832 C:\WINDOWS\system32\slcoinst.dll
    2006-11-15 15:44 73,796 C:\WINDOWS\system32\slserv.exe
    2006-11-15 15:44 73,216 C:\WINDOWS\system32\drivers\atintuxx.sys
    2006-11-15 15:44 71,680 C:\WINDOWS\system32\blastcln.exe
    2006-11-15 15:44 701,440 C:\WINDOWS\system32\drivers\ati2mtag.sys
    2006-11-15 15:44 7,680 C:\WINDOWS\system32\kbdsmsno.dll
    2006-11-15 15:44 7,680 C:\WINDOWS\system32\kbdsmsfi.dll
    2006-11-15 15:44 7,168 C:\WINDOWS\system32\kbdukx.dll
    2006-11-15 15:44 7,168 C:\WINDOWS\system32\kbdno1.dll
    2006-11-15 15:44 7,168 C:\WINDOWS\system32\kbdfi1.dll
    2006-11-15 15:44 7,168 C:\WINDOWS\system32\hccoin.dll
    2006-11-15 15:44 685,056 C:\WINDOWS\system32\drivers\hsfcxts2.sys
    2006-11-15 15:44 67,584 C:\WINDOWS\system32\drivers\sdbus.sys
    2006-11-15 15:44 63,663 C:\WINDOWS\system32\drivers\ati1rvxx.sys
    2006-11-15 15:44 63,488 C:\WINDOWS\system32\drivers\atinxsxx.sys
    2006-11-15 15:44 60,416 C:\WINDOWS\system32\fwcfg.dll
    2006-11-15 15:44 6,656 C:\WINDOWS\system32\kbdinmal.dll
    2006-11-15 15:44 6,656 C:\WINDOWS\system32\kbdinben.dll
    2006-11-15 15:44 6,144 C:\WINDOWS\system32\kbdmlt48.dll
    2006-11-15 15:44 6,144 C:\WINDOWS\system32\kbdmlt47.dll
    2006-11-15 15:44 6,144 C:\WINDOWS\system32\kbdinbe1.dll
    2006-11-15 15:44 6,016 C:\WINDOWS\system32\drivers\smbali.sys
    2006-11-15 15:44 59,648 C:\WINDOWS\system32\drivers\rfcomm.sys
    2006-11-15 15:44 57,856 C:\WINDOWS\system32\drivers\atinbtxx.sys
    2006-11-15 15:44 56,623
    C:\WINDOWS\system32\drivers\ati1btxx.sys
    2006-11-15 15:44 537,088
    C:\WINDOWS\system32\msftedit.dll
    2006-11-15 15:44 526,848
    C:\WINDOWS\system32\p2psvc.dll
    2006-11-15 15:44 52,224
    C:\WINDOWS\system32\mspmsnsv.dll
    2006-11-15 15:44 52,224
    C:\WINDOWS\system32\drivers\atinraxx.sys
    2006-11-15 15:44 516,768
    C:\WINDOWS\system32\ativvaxx.dll
    2006-11-15 15:44 50,688
    C:\WINDOWS\system32\btpanui.dll
    2006-11-15 15:44 50,176
    C:\WINDOWS\system32\xmlprovi.dll
    2006-11-15 15:44 5,632
    C:\WINDOWS\system32\kbdmaori.dll
    2006-11-15 15:44 49,152
    C:\WINDOWS\system32\powercfg.exe
    2006-11-15 15:44 484,864
    C:\WINDOWS\system32\wmspdmod.dll
    2006-11-15 15:44 48,640
    C:\WINDOWS\system32\pnrpnsp.dll
    2006-11-15 15:44 46,464
    C:\WINDOWS\system32\drivers\gagp30kx.sys
    2006-11-15 15:44 452,736
    C:\WINDOWS\system32\drivers\mtxparhm.sys
    2006-11-15 15:44 44,928
    C:\WINDOWS\system32\drivers\agpcpq.sys
    2006-11-15 15:44 44,672
    C:\WINDOWS\system32\drivers\uagp35.sys
    2006-11-15 15:44 44,032
    C:\WINDOWS\system32\twext.dll
    2006-11-15 15:44 43,008
    C:\WINDOWS\system32\drivers\amdagp.sys
    2006-11-15 15:44 42,752
    C:\WINDOWS\system32\drivers\alim1541.sys
    2006-11-15 15:44 42,368
    C:\WINDOWS\system32\drivers\agp440.sys
    2006-11-15 15:44 42,240
    C:\WINDOWS\system32\drivers\viaagp.sys
    2006-11-15 15:44 404,990
    C:\WINDOWS\system32\drivers\slntamr.sys
    2006-11-15 15:44 40,832
    C:\WINDOWS\system32\drivers\irbus.sys
    2006-11-15 15:44 4,255
    C:\WINDOWS\system32\drivers\adv01nt5.dll
    2006-11-15 15:44 4,096
    C:\WINDOWS\system32\dsprpres.dll
    2006-11-15 15:44 397,056
    C:\WINDOWS\system32\s3gnb.dll
    2006-11-15 15:44 384,512
    C:\WINDOWS\system32\mp4sdmod.dll
    2006-11-15 15:44 38,016
    C:\WINDOWS\system32\drivers\bthmodem.sys
    2006-11-15 15:44 377,984
    C:\WINDOWS\system32\ati2dvaa.dll
    2006-11-15 15:44 37,376
    C:\WINDOWS\system32\drivers\amdk7.sys
    2006-11-15 15:44 36,463
    C:\WINDOWS\system32\drivers\ati1tuxx.sys
    2006-11-15 15:44 36,096
    C:\WINDOWS\system32\drivers\intelppm.sys
    2006-11-15 15:44 35,456
    C:\WINDOWS\system32\drivers\bthprint.sys
    2006-11-15 15:44 34,735
    C:\WINDOWS\system32\drivers\ati1xsxx.sys
    2006-11-15 15:44 327,040
    C:\WINDOWS\system32\drivers\ati2mtaa.sys
    2006-11-15 15:44 32,866
    C:\WINDOWS\system32\slrundll.exe
    2006-11-15 15:44 32,866
    C:\WINDOWS\slrundll.exe
    2006-11-15 15:44 32,768
    C:\WINDOWS\system32\ativtmxx.dll
    2006-11-15 15:44 32,768
    C:\WINDOWS\system32\asr_pfu.exe
    2006-11-15 15:44 32,285
    C:\WINDOWS\system32\hsfcisp2.dll
    2006-11-15 15:44 312,320
    C:\WINDOWS\system32\p2pgraph.dll
    2006-11-15 15:44 310,272
    C:\WINDOWS\system32\mp43dmod.dll
    2006-11-15 15:44 31,744
    C:\WINDOWS\system32\drivers\atinxbxx.sys
    2006-11-15 15:44 30,671
    C:\WINDOWS\system32\drivers\ati1raxx.sys
    2006-11-15 15:44 30,208
    C:\WINDOWS\system32\bthserv.dll
    2006-11-15 15:44 30,080
    C:\WINDOWS\system32\drivers\rndismpx.sys
    2006-11-15 15:44 3,967
    C:\WINDOWS\system32\drivers\adv02nt5.dll
    2006-11-15 15:44 3,901
    C:\WINDOWS\system32\drivers\siint5.dll
    2006-11-15 15:44 3,775
    C:\WINDOWS\system32\drivers\adv11nt5.dll
    2006-11-15 15:44 3,711
    C:\WINDOWS\system32\drivers\adv09nt5.dll
    2006-11-15 15:44 3,647
    C:\WINDOWS\system32\drivers\adv07nt5.dll
    2006-11-15 15:44 3,615
    C:\WINDOWS\system32\drivers\adv05nt5.dll
    2006-11-15 15:44 3,135
    C:\WINDOWS\system32\drivers\adv08nt5.dll
    2006-11-15 15:44 29,455
    C:\WINDOWS\system32\drivers\ati1xbxx.sys
    2006-11-15 15:44 29,184
    C:\WINDOWS\system32\sdhcinst.dll
    2006-11-15 15:44 29,056
    C:\WINDOWS\system32\drivers\ip6fw.sys
    2006-11-15 15:44 286,792
    C:\WINDOWS\system32\slextspk.dll
    2006-11-15 15:44 28,672
    C:\WINDOWS\system32\drivers\atinsnxx.sys
    2006-11-15 15:44 274,304
    C:\WINDOWS\system32\drivers\bthport.sys
    2006-11-15 15:44 270,848
    C:\WINDOWS\system32\sbe.dll
    2006-11-15 15:44 262,784
    C:\WINDOWS\system32\drivers\http.sys
    2006-11-15 15:44 26,367
    C:\WINDOWS\system32\drivers\ati1snxx.sys
    2006-11-15 15:44 25,600
    C:\WINDOWS\system32\drivers\hidbth.sys
    2006-11-15 15:44 25,471
    C:\WINDOWS\system32\drivers\watv10nt.sys
    2006-11-15 15:44 25,471
    C:\WINDOWS\system32\drivers\atv04nt5.dll
    2006-11-15 15:44 24,576
    C:\WINDOWS\system32\httpapi.dll
    2006-11-15 15:44 233,472
    C:\WINDOWS\system32\wmpdxm.dll
    2006-11-15 15:44 23,040 --a
    C:\WINDOWS\system32\fltmc.exe
    2006-11-15 15:44 229,376
    C:\WINDOWS\system32\ati2cqag.dll
    2006-11-15 15:44 220,032
    C:\WINDOWS\system32\drivers\hsfbs2s2.sys
    2006-11-15 15:44 22,271
    C:\WINDOWS\system32\drivers\watv06nt.sys
    2006-11-15 15:44 21,343
    C:\WINDOWS\system32\drivers\ati1ttxx.sys
    2006-11-15 15:44 21,183
    C:\WINDOWS\system32\drivers\atv01nt5.dll
    2006-11-15 15:44 201,728
    C:\WINDOWS\system32\ati2dvag.dll
    2006-11-15 15:44 20,992
    C:\WINDOWS\system32\bthci.dll
    2006-11-15 15:44 20,480
    C:\WINDOWS\system32\encapi.dll
    2006-11-15 15:44 2,113,536
    C:\WINDOWS\system32\dxdiagn.dll
    2006-11-15 15:44 193,024
    C:\WINDOWS\system32\fsquirt.exe
    2006-11-15 15:44 188,508
    C:\WINDOWS\system32\slgen.dll
    2006-11-15 15:44 187,392
    C:\WINDOWS\system32\xpsp1res.dll
    2006-11-15 15:44 186,368
    C:\WINDOWS\system32\encdec.dll
    2006-11-15 15:44 180,360
    C:\WINDOWS\system32\drivers\ntmtlfax.sys
    2006-11-15 15:44 18,944
    C:\WINDOWS\system32\drivers\bthusb.sys
    2006-11-15 15:44 17,408
    C:\WINDOWS\system32\winshfhc.dll
    2006-11-15 15:44 17,279
    C:\WINDOWS\system32\drivers\atv10nt5.dll
    2006-11-15 15:44 17,024
    C:\WINDOWS\system32\drivers\bthenum.sys
    2006-11-15 15:44 168,448
    C:\WINDOWS\system32\wmerror.dll
    2006-11-15 15:44 166,912
    C:\WINDOWS\system32\drivers\s3gnbm.sys
    2006-11-15 15:44 16,896 --a
    C:\WINDOWS\system32\fltlib.dll
    2006-11-15 15:44 159,232
    C:\WINDOWS\system32\sbeio.dll
    2006-11-15 15:44 151,552
    C:\WINDOWS\system32\wmidx.dll
    2006-11-15 15:44 15,872
    C:\WINDOWS\system32\w3ssl.dll
    2006-11-15 15:44 15,488
    C:\WINDOWS\system32\drivers\mssmbios.sys
    2006-11-15 15:44 15,423
    C:\WINDOWS\system32\drivers\ch7xxnt5.dll
    2006-11-15 15:44 15,104
    C:\WINDOWS\system32\drivers\hidir.sys
    2006-11-15 15:44 14,336
    C:\WINDOWS\system32\drivers\atinpdxx.sys
    2006-11-15 15:44 14,336
    C:\WINDOWS\system32\auditusr.exe
    2006-11-15 15:44 14,143
    C:\WINDOWS\system32\drivers\atv06nt5.dll
    2006-11-15 15:44 134,656
    C:\WINDOWS\system32\mssap.dll
    2006-11-15 15:44 13,824
    C:\WINDOWS\system32\wscntfy.exe
    2006-11-15 15:44 13,824
    C:\WINDOWS\system32\drivers\atinttxx.sys
    2006-11-15 15:44 13,824
    C:\WINDOWS\system32\drivers\atinmdxx.sys
    2006-11-15 15:44 13,824
    C:\WINDOWS\system32\cmsetacl.dll
    2006-11-15 15:44 13,776
    C:\WINDOWS\system32\drivers\recagent.sys
    2006-11-15 15:44 13,568
    C:\WINDOWS\system32\drivers\wacompen.sys
    2006-11-15 15:44 13,240
    C:\WINDOWS\system32\drivers\slwdmsup.sys
    2006-11-15 15:44 129,536
    C:\WINDOWS\system32\xmlprov.dll
    2006-11-15 15:44 129,535
    C:\WINDOWS\system32\drivers\slnt7554.sys
    2006-11-15 15:44 128,896
    C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-11-15 15:44 126,686
    C:\WINDOWS\system32\drivers\mtlmnt5.sys
    2006-11-15 15:44 12,800
    C:\WINDOWS\system32\spiisupd.exe
    2006-11-15 15:44 12,672
    C:\WINDOWS\system32\drivers\usb8023x.sys
    2006-11-15 15:44 12,672
    C:\WINDOWS\system32\drivers\mutohpen.sys
    2006-11-15 15:44 12,416
    C:\WINDOWS\system32\drivers\tunmp.sys
    2006-11-15 15:44 12,047
    C:\WINDOWS\system32\drivers\ati1pdxx.sys
    2006-11-15 15:44 118,784
    C:\WINDOWS\system32\msdadiag.dll
    2006-11-15 15:44 116,224
    C:\WINDOWS\system32\p2p.dll
    2006-11-15 15:44 114,688
    C:\WINDOWS\system32\wmpasf.dll
    2006-11-15 15:44 11,935
    C:\WINDOWS\system32\drivers\wadv11nt.sys
    2006-11-15 15:44 11,871
    C:\WINDOWS\system32\drivers\wadv09nt.sys
    2006-11-15 15:44 11,868
    C:\WINDOWS\system32\drivers\mdmxsdk.sys
    2006-11-15 15:44 11,807
    C:\WINDOWS\system32\drivers\wadv07nt.sys
    2006-11-15 15:44 11,615
    C:\WINDOWS\system32\drivers\ati1mdxx.sys
    2006-11-15 15:44 11,359
    C:\WINDOWS\system32\drivers\atv02nt5.dll
    2006-11-15 15:44 11,325
    C:\WINDOWS\system32\drivers\vchnt5.dll
    2006-11-15 15:44 11,295
    C:\WINDOWS\system32\drivers\wadv08nt.sys
    2006-11-15 15:44 11,136
    C:\WINDOWS\system32\drivers\sffdisk.sys
    2006-11-15 15:44 108,032
    C:\WINDOWS\system32\wshbth.dll
    2006-11-15 15:44 104,960
    C:\WINDOWS\system32\drivers\atinrvxx.sys
    2006-11-15 15:44 100,992
    C:\WINDOWS\system32\drivers\bthpan.sys
    2006-11-15 15:44 10,240
    C:\WINDOWS\system32\drivers\sffp_sd.sys
    2006-11-15 15:44 1,888,992
    C:\WINDOWS\system32\ati3duag.dll
    2006-11-15 15:44 1,737,856
    C:\WINDOWS\system32\mtxparhd.dll
    2006-11-15 15:44 1,689,088
    C:\WINDOWS\system32\d3d9.dll
    2006-11-15 15:44 1,309,184
    C:\WINDOWS\system32\drivers\mtlstrm.sys
    2006-11-15 15:44 1,119,744
    C:\WINDOWS\system32\wmsdmoe2.dll
    2006-11-15 15:44 1,041,536
    C:\WINDOWS\system32\drivers\hsfdpsp2.sys
    2006-11-15 15:44 1,001,472
    C:\WINDOWS\system32\wmvdmoe2.dll
    2006-11-15 15:44 <DIR> d
    C:\WINDOWS\provisioning
    2006-11-15 15:44 <DIR> d
    C:\WINDOWS\peernet
    2006-11-15 15:41 <DIR> d
    C:\WINDOWS\ServicePackFiles
    2006-11-15 15:38 2,897,920
    C:\WINDOWS\system32\xpsp2res.dll
    2006-11-15 15:37 22,752 --a
    C:\WINDOWS\system32\spupdsvc.exe
    2006-11-15 15:34 <DIR> d
    C:\WINDOWS\EHome
    2006-11-15 13:56 3,072 --a
    C:\WINDOWS\system32\drivers\audstub.sys
    2006-11-15 13:55 57,472 --a
    C:\WINDOWS\system32\drivers\redbook.sys
    2006-11-15 13:54 74,240 --a
    C:\WINDOWS\system32\usbui.dll
    2006-11-15 13:54 41,088 --a
    C:\WINDOWS\system32\drivers\sisagp.sys
    2006-11-15 13:53 9,936 --a
    C:\WINDOWS\system\LZEXPAND.DLL
    2006-11-15 13:53 9,008 --a
    C:\WINDOWS\system\VER.DLL
    2006-11-15 13:53 85,020 --a
    C:\WINDOWS\system32\dgsetup.dll
    2006-11-15 13:53 82,944 --a
    C:\WINDOWS\system\OLECLI.DLL
    2006-11-15 13:53 8,704 --a
    C:\WINDOWS\system32\batt.dll
    2006-11-15 13:53 8,192 -ra
    C:\WINDOWS\system32\kbdhept.dll
    2006-11-15 13:53 74,752 --a
    C:\WINDOWS\system32\storprop.dll
    2006-11-15 13:53 7,168 -ra
    C:\WINDOWS\system32\kbdcz.dll
    2006-11-15 13:53 69,584 --a
    C:\WINDOWS\system\AVICAP.DLL
    2006-11-15 13:53 69,120 --a
    C:\WINDOWS\notepad.exe
    2006-11-15 13:53 68,768 --a
    C:\WINDOWS\system\mmsystem.dll
    2006-11-15 13:53 6,656 -ra
    C:\WINDOWS\system32\kbdycl.dll
    2006-11-15 13:53 6,656 -ra
    C:\WINDOWS\system32\kbdsl1.dll
    2006-11-15 13:53 6,656 -ra
    C:\WINDOWS\system32\kbdsl.dll
    2006-11-15 13:53 6,656 -ra
    C:\WINDOWS\system32\kbdpl.dll
    2006-11-15 13:53 6,656 -ra
    C:\WINDOWS\system32\kbdhu.dll
    2006-11-15 13:53 6,656 -ra
    C:\WINDOWS\system32\kbdhela3.dll
    2006-11-15 13:53 6,656 -ra
    C:\WINDOWS\system32\kbdcz2.dll
    2006-11-15 13:53 6,656 -ra
    C:\WINDOWS\system32\kbdcz1.dll
    2006-11-15 13:53 6,656 -ra
    C:\WINDOWS\system32\kbdcr.dll
    2006-11-15 13:53 6,656 -ra
    C:\WINDOWS\system32\KBDAL.DLL
    2006-11-15 13:53 6,144 -ra
    C:\WINDOWS\system32\kbdtuq.dll
    2006-11-15 13:53 6,144 -ra
    C:\WINDOWS\system32\kbdtuf.dll
    2006-11-15 13:53 6,144 -ra
    C:\WINDOWS\system32\kbdlv1.dll
    2006-11-15 13:53 6,144 -ra
    C:\WINDOWS\system32\kbdlv.dll
    2006-11-15 13:53 6,144 -ra
    C:\WINDOWS\system32\kbdhela2.dll
    2006-11-15 13:53 6,144 -ra
    C:\WINDOWS\system32\kbdgkl.dll
    2006-11-15 13:53 6,144 -ra
    C:\WINDOWS\system32\kbdest.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdycc.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbduzb.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdur.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdtat.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdru1.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdru.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdro.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdpl1.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdmon.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdlt1.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdlt.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdkyr.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdkaz.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdhu1.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdhe319.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdhe220.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdhe.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdbu.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdblr.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdazel.dll
    2006-11-15 13:53 5,632 -ra
    C:\WINDOWS\system32\kbdaze.dll
    2006-11-15 13:53 5,120 --a
    C:\WINDOWS\system\SHELL.DLL
    2006-11-15 13:53 32,816 --a
    C:\WINDOWS\system\COMMDLG.DLL
    2006-11-15 13:53 24,661 --a
    C:\WINDOWS\system32\spxcoins.dll
    2006-11-15 13:53 24,064 --a
    C:\WINDOWS\system\OLESVR.DLL
    2006-11-15 13:53 19,200 --a
    C:\WINDOWS\system\TAPI.DLL
    2006-11-15 13:53 176,157 --a
    C:\WINDOWS\system32\dgrpsetu.dll
    2006-11-15 13:53 15,360 --a
    C:\WINDOWS\TASKMAN.EXE
    2006-11-15 13:53 13,312 --a
    C:\WINDOWS\system32\irclass.dll
    2006-11-15 13:53 126,912 --a
    C:\WINDOWS\system\MSVIDEO.DLL
    2006-11-15 13:53 11,264 --a
    C:\WINDOWS\system32\drivers\irenum.sys
    2006-11-15 13:53 109,456 --a
    C:\WINDOWS\system\AVIFILE.DLL
    2006-11-15 13:53 103,424 --a
    C:\WINDOWS\system32\EqnClass.Dll
    2006-11-15 13:53 <DIR> dr
    C:\Documents and Settings\All Users\Start Menu
    2006-11-15 13:53 <DIR> dr
    C:\Documents and Settings\All Users\Documents
    2006-11-15 13:53 <DIR> d-ahs---- C:\Program Files\..
    2006-11-15 13:53 <DIR> d-a
    C:\Program Files\Common Files\..
    2006-11-15 13:53 <DIR> d-a
    C:\Program Files\.
    2006-11-15 13:53 <DIR> d-a
    C:\Program Files
    2006-11-15 13:53 <DIR> d--h
    C:\Documents and Settings\All Users\Templates
    2006-11-15 13:53 <DIR> d
    C:\Program Files\Common Files\SpeechEngines
    2006-11-15 13:53 <DIR> d
    C:\Program Files\Common Files\ODBC
    2006-11-15 13:53 <DIR> d
    C:\Program Files\Common Files\Microsoft Shared
    2006-11-15 13:53 <DIR> d
    C:\Program Files\Common Files\.
    2006-11-15 13:53 <DIR> d
    C:\Program Files\Common Files
    2006-11-15 13:53 <DIR> d
    C:\Documents and Settings\All Users\Favorites
    2006-11-15 13:53 <DIR> d
    C:\Documents and Settings\All Users\Desktop
    2006-11-15 13:52 <DIR> dr-h
    C:\Documents and Settings\All Users\Application Data\.
    2006-11-15 13:52 <DIR> dr-h
    C:\Documents and Settings\All Users\Application Data
    2006-11-15 13:52 <DIR> d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2006-11-15 13:52 <DIR> d
    C:\WINDOWS\system32\CatRoot2
    2006-11-15 13:52 <DIR> d
    C:\WINDOWS\system32\CatRoot
    2006-11-15 13:52 <DIR> d
    C:\Documents and Settings\All Users\Application Data\..
    2006-11-15 13:52 <DIR> d
    C:\Documents and Settings\All Users\..
    2006-11-15 13:52 <DIR> d
    C:\Documents and Settings\All Users\.
    2006-11-15 13:52 <DIR> d
    C:\Documents and Settings
    2006-11-15 13:47 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
    2006-11-15 13:47 <DIR> dr--s---- C:\WINDOWS\Fonts
    2006-11-15 13:47 <DIR> dr
    C:\WINDOWS\Web
    2006-11-15 13:47 <DIR> d-ahs---- C:\WINDOWS\..
    2006-11-15 13:47 <DIR> d--h
    C:\WINDOWS\inf
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\WinSxS
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\twain_32
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\Temp
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\wins
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\wbem
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\usmt
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\spool
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\ShellExt
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\Setup
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\ras
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\oobe
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\npp
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\mui
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\inetsrv
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\IME
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\icsxml
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\ias
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\export
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\drivers\etc
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\drivers\disdn
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\drivers\..
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\drivers\.
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\drivers
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\dhcp
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\config
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\3com_dmi
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\3076
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\2052
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\1054
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\1042
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\1041
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\1037
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\1033
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\1031
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\1028
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\1025
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\..
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32\.
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system32
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system\..
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system\.
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\system
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\security
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\Resources
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\repair
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\mui
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\msapps
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\msagent
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\Media
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\java
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\ime
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\Help
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\Driver Cache
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\Debug
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\Cursors
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\Connection Wizard
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\Config
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\AppPatch
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\addins
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS\.
    2006-11-15 13:47 <DIR> d
    C:\WINDOWS


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))




    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "HTpatch"="C:\\WINDOWS\\htpatch.exe"
    "SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
    "Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
    "Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000005

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
    "{1a01a98c-4f25-42e1-971a-185cf63569b2}"="expatriates"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
    "expatriates"="{1a01a98c-4f25-42e1-971a-185cf63569b2}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaxw
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winfvx32

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Completion time: 06-12-08 1:46:33.33
    C:\ComboFix.txt ... 06-12-08 01:46
  • edited December 2006
    And here follows the HJT-log:

    Logfile of HijackThis v1.99.1
    Scan saved at 02:00:26, on 08-12-2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\scanner.exe\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dr.dk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163627954423
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163629580442
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: expatriates - {1a01a98c-4f25-42e1-971a-185cf63569b2} - C:\WINDOWS\system32\tpedvf.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • zamizami Finland
    edited December 2006
    Hi. Did you scan with SmitfraudFix?
    Please do it, and send a log, thanks.
    And I wrote:
    "I need you to rename Hijackthis because I suspect that you may have the Vundo infection that can hide some entries in your log.
    Please go to the folder where you saved Hijackthis.exe
    Right-click Hijackthis, then select Rename.
    Name it as: scanner.exe and then reboot.
    After reboot, run scanner.exe (which is hijackthis of course) and post the log it creates in your next reply."
  • edited December 2006
    Hi.
    I have renamed the Hijackthis-folder. What is a reboot exactly? Sorry, I'm not that smart in computer technology :) Is it a restart after scanning, or pressing F8 when I turn on my computer?
    Thanks - Orest

    Here is the SmitFraudFix-log:

    SmitFraudFix v2.128

    Scan done at 15:37:07,48, 08-12-2006
    Run from C:\Documents and Settings\Jan Laugsen\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\tpedvf.dll FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jan Laugsen


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jan Laugsen\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JANLAU~1\FAVORI~1

    C:\DOCUME~1\JANLAU~1\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{1a01a98c-4f25-42e1-971a-185cf63569b2}"="expatriates"

    [HKEY_CLASSES_ROOT\CLSID\{1a01a98c-4f25-42e1-971a-185cf63569b2}\InProcServer32]
    @="C:\WINDOWS\system32\tpedvf.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1a01a98c-4f25-42e1-971a-185cf63569b2}\InProcServer32]
    @="C:\WINDOWS\system32\tpedvf.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
  • zamizami Finland
    edited December 2006
    Please rename hijackthis.exe to scanner.exe, not the folder.....

    Reboot means restart your computer.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
    Next, please reboot your computer in Safe Mode by doing the following :


    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, a menu with options should appear;
    * Select the first option, to run Windows in Safe Mode, then press "Enter".
    * Choose your usual account.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a fresh HijackThis log.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt
  • edited December 2006
    Thanks for a detailed description.

    Report:

    SmitFraudFix v2.128

    Scan done at 19:53:39,82, 08-12-2006
    Run from C:\Documents and Settings\Jan Laugsen\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{1a01a98c-4f25-42e1-971a-185cf63569b2}"="expatriates"

    [HKEY_CLASSES_ROOT\CLSID\{1a01a98c-4f25-42e1-971a-185cf63569b2}\InProcServer32]
    @="C:\WINDOWS\system32\tpedvf.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1a01a98c-4f25-42e1-971a-185cf63569b2}\InProcServer32]
    @="C:\WINDOWS\system32\tpedvf.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\system32\tpedvf.dll -> Hoax.Win32.Renos.gen.i
    C:\WINDOWS\system32\tpedvf.dll -> Deleted


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\ot.ico Deleted
    C:\DOCUME~1\JANLAU~1\FAVORI~1\Antivirus Test Online.url Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Hijackthis:

    Logfile of HijackThis v1.99.1
    Scan saved at 20:02:25, on 08-12-2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\scanner.exe\scanner.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\ulasmwrb.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {98C9A4C5-A265-4E02-AF6B-CF698983E8CC} - C:\WINDOWS\system32\ddaxw.dll
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163627954423
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163629580442
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: ddaxw - C:\WINDOWS\system32\ddaxw.dll
    O20 - Winlogon Notify: winfvx32 - C:\WINDOWS\SYSTEM32\winfvx32.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • zamizami Finland
    edited December 2006
    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK
    • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Please include Vundofix report and a fresh HJT log to your next reply.
  • edited December 2006
    VundoFix V6.2.13

    Checking Java version...

    Java version is 1.5.0.9

    Scan started at 21:28:49 08-12-2006

    Listing files found while scanning....

    C:\WINDOWS\system32\ddaxw.dll
    C:\WINDOWS\system32\wxadd.ini
    C:\WINDOWS\system32\wxadd.bak1
    C:\WINDOWS\system32\wxadd.bak2

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ddaxw.dll
    C:\WINDOWS\system32\ddaxw.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wxadd.ini
    C:\WINDOWS\system32\wxadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wxadd.bak1
    C:\WINDOWS\system32\wxadd.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wxadd.bak2
    C:\WINDOWS\system32\wxadd.bak2 Has been deleted!

    Performing Repairs to the registry.
    Done!

    Hijackthis:

    Logfile of HijackThis v1.99.1
    Scan saved at 21:41:08, on 08-12-2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\scanner.exe\scanner.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\ulasmwrb.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {98C9A4C5-A265-4E02-AF6B-CF698983E8CC} - C:\WINDOWS\system32\ddaxw.dll (file missing)
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163627954423
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163629580442
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: winfvx32 - winfvx32.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • zamizami Finland
    edited December 2006
    With all other windows closed, start your HijackThis and Click "Do a System Scan Only"
    Click in the check-box to the left of each of the following entries:

    O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\ulasmwrb.dll (file missing)
    O2 - BHO: (no name) - {98C9A4C5-A265-4E02-AF6B-CF698983E8CC} - C:\WINDOWS\system32\ddaxw.dll (file missing)

    Select Fix Checked

    Looks good now! Your log is clean!
    How's the system running now?
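
The check done by eye in the post above, picking out entries whose file is gone while the registry reference remains, as an added example that is not part of the original thread. The function names are hypothetical; the sample lines are copied from the 20:02:25 and 21:41:08 HijackThis logs posted earlier in the thread.

```python
import re

# Entry lines look like:  O2 - BHO: (no name) - {CLSID} - C:\path\file.dll (file missing)
ENTRY_RE = re.compile(r"^\s*(?P<section>[RFNO]\d{1,2}) - (?P<body>.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

# Entry lines copied from the 20:02:25 log in this thread (before VundoFix ran).
BEFORE = r"""
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\ulasmwrb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {98C9A4C5-A265-4E02-AF6B-CF698983E8CC} - C:\WINDOWS\system32\ddaxw.dll
O20 - Winlogon Notify: ddaxw - C:\WINDOWS\system32\ddaxw.dll
O20 - Winlogon Notify: winfvx32 - C:\WINDOWS\SYSTEM32\winfvx32.dll
"""

# Entry lines copied from the 21:41:08 log in this thread (after VundoFix ran).
AFTER = r"""
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\ulasmwrb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {98C9A4C5-A265-4E02-AF6B-CF698983E8CC} - C:\WINDOWS\system32\ddaxw.dll (file missing)
O20 - Winlogon Notify: winfvx32 - winfvx32.dll (file missing)
"""

def parse_entries(log_text):
    """Return one dict per HijackThis entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        clsid = CLSID_RE.search(body)
        # The path follows the CLSID when there is one; paths may contain " - ".
        target = body[clsid.end():].lstrip(" -") if clsid else body.rsplit(" - ", 1)[-1]
        entries.append({
            "section": m.group("section"),
            "clsid": clsid.group(0).upper() if clsid else None,
            "target": target,
            "file_missing": missing,
            "key": body,  # entry text without the "(file missing)" marker
        })
    return entries

def orphaned(log_text):
    """Entries whose registry reference survives although the file is gone."""
    return [e for e in parse_entries(log_text) if e["file_missing"]]

def newly_orphaned(before_text, after_text):
    """Entries that pointed at a live file in the earlier log and are orphaned in the later one."""
    live_before = {e["key"] for e in parse_entries(before_text) if not e["file_missing"]}
    return [e for e in orphaned(after_text) if e["key"] in live_before]

if __name__ == "__main__":
    for e in orphaned(AFTER):
        print(e["section"], e["clsid"], e["target"])
```
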
  • edited December 2006
    Hi!

    Looks perfect now :) It's a nice feeling - no strange web-pages, internet-connection runs fast again. My pc is healthy again, I think.
    Thanks a lot for detailed description and a quick reply. Very nice with such a free forum site.

    Best regards from Orest
  • zamizami Finland
    edited January 2007
    Since this issue appears resolved, this Topic is closed, glad we could help.

    If you need this topic reopened, please request this by sending the moderating team
    a PM, with the address of the thread. This applies only to the original topic starter.

    Everyone else please begin a New Topic.
This discussion has been closed.