Malware Issue

Post by diamond_diablo » June 6th, 2008, 6:53 pm

My browser is getting hijacked. Please help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:24 PM, on 6/6/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\?icrosoft.NET\?ti2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe

--
End of file - 3621 bytes
diamond_diablo
Regular Member
 
Posts: 28
Joined: June 6th, 2008, 6:47 pm

Re: Malware Issue

Post by Shaba » June 8th, 2008, 4:55 am

Hi diamond_diablo

In the future, please don't attach any logs but copy/paste them to your reply.

We can definitely help you, but first you need to help us. You are quite behind on your Windows Updates and Patches!!

The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here to get WinXP SP1a: http://www.microsoft.com/downloads/details...&DisplayLang=en

Apply the update, reboot, then go to Windows Update and install all the Critical Updates (Note: Except for WinXP SP2)
Click here for Windows Update: http://www.windowsupdate.com/

After installing all the Patches and updates, reboot, then post a fresh Hijack This log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Malware Issue - Patches Applied, new log info posted

Post by diamond_diablo » June 9th, 2008, 12:01 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:14 AM, on 6/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: {48f14313-9ef1-417a-c4e4-5be3dcab13e1} - {1e31bacd-3eb5-4e4c-a714-1fe931341f84} - C:\WINDOWS\System32\lkleuyra.dll
O2 - BHO: (no name) - {88B68482-AE05-47F5-8FED-8925E4290C4B} - C:\WINDOWS\System32\byXPFxwv.dll (file missing)
O2 - BHO: (no name) - {9248BDF8-EB02-4B80-9B2E-906483477C60} - C:\WINDOWS\System32\rqRKARhi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [200518a9] rundll32.exe "C:\WINDOWS\System32\rbtcgwnw.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: byXPFxwv - byXPFxwv.dll (file missing)
O20 - Winlogon Notify: ddcywtt - ddcywtt.dll (file missing)
O20 - Winlogon Notify: gebca - C:\WINDOWS\System32\gebca.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 4531 bytes
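The second log above shows the pattern the helpers are reading for: O2 BHO entries with no name, or a GUID as their name, pointing at randomly named DLLs in System32; an O4 Run value whose name is a bare hex token and which loads a DLL through rundll32.exe; and O20 Winlogon Notify entries marked (file missing). As an added example, not part of this thread and not a HijackThis feature, here is a small Python triager that scores those signals over constructed sample lines copied from the shapes in that log; the weights and the threshold are this example's own assumptions, meant to prioritise what a human looks at, not to decide what is malicious.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: line shapes copied from the thread's second HijackThis
# log, plus four known-good entries (msdxm.ocx, AVG7_CC, MSMSGS, vsmon) so the
# heuristics can be checked for false positives as well.
SAMPLE_LOG = r"""
O2 - BHO: {48f14313-9ef1-417a-c4e4-5be3dcab13e1} - {1e31bacd-3eb5-4e4c-a714-1fe931341f84} - C:\WINDOWS\System32\lkleuyra.dll
O2 - BHO: (no name) - {88B68482-AE05-47F5-8FED-8925E4290C4B} - C:\WINDOWS\System32\byXPFxwv.dll (file missing)
O2 - BHO: (no name) - {9248BDF8-EB02-4B80-9B2E-906483477C60} - C:\WINDOWS\System32\rqRKARhi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [200518a9] rundll32.exe "C:\WINDOWS\System32\rbtcgwnw.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: ddcywtt - ddcywtt.dll (file missing)
O20 - Winlogon Notify: gebca - C:\WINDOWS\System32\gebca.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

FILENAME_RE = re.compile(r'([^\\\s"\[\]]+)\.(dll|exe|ocx|sys)\b', re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Vowel-starved stems such as rbtcgwnw or byXPFxwv. Weak on its own:
    legitimate names like msmsgs or avgcc trip it too, so it only adds 1."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 5:
        return False
    return sum(c in "aeiou" for c in s) / len(s) <= 0.25


def triage_line(line: str) -> Finding:
    """Score one HijackThis line; the weights are this example's own assumptions."""
    f = Finding(line)

    def hit(points: int, why: str) -> None:
        f.score += points
        f.reasons.append(why)

    if "(file missing)" in line:
        hit(2, "registry entry points at a file that no longer exists (orphan)")
    names = FILENAME_RE.findall(line)
    if names and looks_random(names[-1][0]):
        hit(1, f"random-looking file name {names[-1][0]}")
    m = O2_RE.match(line)
    if m:
        if m["name"] == "(no name)":
            hit(1, "BHO has no display name")
        elif GUID_RE.match(m["name"]):
            hit(2, "BHO display name is a bare GUID")
    m = O4_RE.match(line)
    if m:
        if re.fullmatch(r"[0-9a-f]{6,}", m["name"]):
            hit(2, f"Run value name {m['name']} is a bare hex token")
        if re.search(r"\brundll32(\.exe)?\b", m["cmd"], re.I) and ".dll" in m["cmd"].lower():
            hit(1, "Run value loads a DLL through rundll32.exe")
    return f


def triage(log: str, threshold: int = 2) -> list:
    """Return only the lines whose combined score reaches the threshold."""
    findings = (triage_line(ln) for ln in log.strip().splitlines())
    return [f for f in findings if f.score >= threshold]


def flagged_files(log: str) -> list:
    """Stems of the files behind the flagged lines, e.g. for a reply to the poster."""
    stems = set()
    for f in triage(log):
        names = FILENAME_RE.findall(f.line)
        if names:
            stems.add(names[-1][0])
    return sorted(stems)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}")
        for why in f.reasons:
            print(f"      - {why}")
    print("files to investigate:", ", ".join(flagged_files(SAMPLE_LOG)))
```

On the sample, the six Vundo-style entries score 2 or more while the four legitimate entries stay at 1 at most; the orphaned O20 entries are flagged because stale Winlogon Notify keys are what ComboFix or a HijackThis fix line would clean up next.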

Re: Malware Issue

Post by Shaba » June 9th, 2008, 12:34 pm

Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report

Re: Malware Issue - Combo and HJT Logs

Post by diamond_diablo » June 10th, 2008, 9:40 am

HJ Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:05 AM, on 6/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 1411 bytes

ComboFix:
ComboFix 08-06-09.3 - Courtenay 2008-06-10 8:22:38.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.99 [GMT -5:00]
Running from: C:\Documents and Settings\Courtenay\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe
C:\WINDOWS\system32\wnsapiisv.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-09 16:59 . 2008-06-09 21:27 354 ---hs---- C:\WINDOWS\system32\wnwgctbr.ini
2008-06-09 10:52 . 2008-06-09 10:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-09 10:52 . 2007-09-06 16:14 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-06-09 10:52 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-06-09 10:52 . 2008-06-09 10:55 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-09 10:50 . 2008-06-09 10:50 98,544 --a------ C:\WINDOWS\system32\lkleuyra.dll
2008-06-09 10:48 . 2008-06-09 10:48 84,704 --a------ C:\WINDOWS\system32\rbtcgwnw.dll
2008-06-09 10:37 . 2005-10-20 17:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-06-09 10:29 . 2008-06-09 10:29 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-09 10:29 . 2005-06-28 09:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-09 10:18 . 2003-02-28 16:34 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2008-06-09 10:18 . 2003-02-28 18:26 171,280 --a------ C:\WINDOWS\system32\jit.dll
2008-06-09 10:18 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-06-09 10:18 . 2003-02-28 18:26 46,352 --a------ C:\WINDOWS\setdebug.exe
2008-06-09 10:18 . 2003-02-28 16:54 7,315 --a------ C:\WINDOWS\system32\javasup.vxd
2008-06-09 10:18 . 2003-02-28 16:35 6,550 --a------ C:\WINDOWS\jautoexp.dat
2008-06-09 10:15 . 2005-10-27 14:06 226,816 --a------ C:\WINDOWS\system32\srrstr.dll
2008-06-09 10:11 . 2003-08-01 23:14 25,600 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-06-09 10:03 . 2008-06-09 10:03 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-09 10:03 . 2008-06-09 10:03 <DIR> d-------- C:\WINDOWS\ehome
2008-06-09 09:59 . 2002-08-29 05:41 3,494,303 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-06-09 09:58 . 2002-08-29 05:41 1,004,032 --a------ C:\WINDOWS\explorer.exe
2008-06-06 17:30 . 2008-06-06 17:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-06 16:09 . 2008-06-06 16:09 <DIR> d-------- C:\VundoFix Backups
2008-06-05 22:16 . 2008-06-05 22:16 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-05 22:15 . 2008-06-05 22:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-05 22:15 . 2008-06-05 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-05 21:59 . 2008-06-05 21:59 <DIR> d-------- C:\Downloads
2008-06-05 21:26 . 2008-06-05 21:26 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-05 21:17 . 2004-07-01 17:08 361,984 --a------ C:\WINDOWS\system32\dllcache\qmgr.dll
2008-06-05 21:17 . 2004-07-01 17:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-06-05 21:17 . 2004-07-01 17:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-06-05 21:17 . 2004-07-01 17:08 17,408 --a------ C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-06-05 21:17 . 2004-07-01 17:08 7,680 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-06-05 21:17 . 2004-07-01 17:08 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-06-05 21:17 . 2004-07-01 17:08 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-06-05 21:17 . 2004-07-01 17:08 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-06-05 21:13 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-06-05 21:13 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-06-05 21:13 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-06-05 21:13 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-06-05 21:13 . 2004-08-03 14:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2008-06-05 21:13 . 2004-08-03 14:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2008-06-05 21:13 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-06-05 20:52 . 2008-06-05 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-05 20:24 . 2008-06-05 20:24 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-05 20:24 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-06-05 17:01 . 2008-06-05 17:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-05 16:53 . 2008-06-05 10:44 <DIR> d-------- C:\SDFix
2008-06-05 16:49 . 2008-06-05 16:49 401,978 --a------ C:\Documents and Settings\Courtenay\g22.exe
2008-06-05 16:49 . 2008-06-05 21:00 63,902 --a------ C:\WINDOWS\system32\{35bec6a3-5614-5356-ee5b-0c9d1fbe3d40}.dll-uninst.exe
2008-06-05 16:19 . 2008-06-05 16:20 298,308 --a------ C:\Documents and Settings\Courtenay\gside.exe
2008-06-05 14:58 . 2008-06-05 14:58 <DIR> d-------- C:\Program Files\Zone Labs
2008-06-05 14:53 . 2008-06-05 14:53 <DIR> dr-h----- C:\$VAULT$.AVG
2008-06-05 14:52 . 2008-06-05 14:53 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-06-05 14:51 . 2008-06-05 14:51 <DIR> d-------- C:\Documents and Settings\Courtenay\Application Data\AVG7
2008-06-05 14:50 . 2008-06-05 14:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-06-05 14:49 . 2008-06-05 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-05 14:49 . 2008-06-05 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-06-05 14:25 . 2008-06-05 14:25 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-05 14:13 . 2001-08-17 13:48 13,952 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-05 14:13 . 2001-08-17 13:48 13,952 --a------ C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-06-05 14:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-06-05 14:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-06-05 14:12 . 2002-08-29 03:32 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-05 14:12 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-06-05 14:12 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 16:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 16:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 16:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2005-10-05 22:17 266 --sh--w C:\Program Files\desktop.ini
2005-10-05 22:17 11,079 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2008-06-09_16.59.07.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-18 12:00:00 27,648 ----a-w C:\WINDOWS\system32\dllcache\wabmig.exe
+ 2006-02-27 18:31:42 27,648 ----a-w C:\WINDOWS\system32\dllcache\WABMIG.EXE
- 2001-08-18 17:00:00 25,600 ----a-w C:\WINDOWS\system32\dllcache\winipsec.dll
+ 2006-05-14 09:13:42 29,184 ----a-w C:\WINDOWS\system32\dllcache\winipsec.dll
- 2001-08-18 12:00:00 75,264 ----a-w C:\WINDOWS\system32\dllcache\ws2_32.dll
+ 2006-08-16 12:14:24 70,656 ----a-w C:\WINDOWS\system32\dllcache\ws2_32.dll
+ 2006-08-16 12:14:24 13,312 ----a-w C:\WINDOWS\system32\dllcache\wship6.dll
- 2001-08-18 12:00:00 9,728 ----a-w C:\WINDOWS\system32\dllcache\xolehlp.dll
+ 2006-03-01 19:44:40 11,776 ----a-w C:\WINDOWS\system32\dllcache\xolehlp.dll
- 2002-08-29 10:40:50 139,264 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2006-06-26 17:47:50 140,288 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2002-08-29 09:07:22 57,984 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
+ 2006-05-13 10:13:32 74,368 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
- 2001-08-18 17:00:00 172,672 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
+ 2005-04-26 01:58:04 173,312 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
- 2002-11-18 16:27:40 392,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
+ 2006-05-05 09:31:04 433,152 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
- 2002-08-29 08:58:50 163,328 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
+ 2006-05-05 09:40:32 166,656 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
- 2002-08-29 10:46:44 115,976 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
+ 2005-06-10 04:30:16 116,104 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
- 2001-08-18 17:00:00 200,064 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
+ 2006-07-13 08:41:42 199,936 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
- 2002-12-20 17:36:00 322,048 ----a-w C:\WINDOWS\system32\drivers\srv.sys
+ 2006-08-14 08:59:20 321,536 ----a-w C:\WINDOWS\system32\drivers\srv.sys
- 2002-08-29 08:58:12 332,928 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2006-04-20 11:38:44 340,480 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
- 2002-08-29 08:37:54 196,288 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
+ 2006-08-16 09:28:58 205,120 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
- 2002-08-29 08:35:44 9,856 ------w C:\WINDOWS\system32\drivers\tunmp.sys
+ 2006-08-16 09:27:12 11,776 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
- 2002-08-29 10:40:52 337,920 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2006-06-09 19:35:50 351,744 ----a-w C:\WINDOWS\system32\DXTMSFT.DLL
- 2002-08-29 10:40:52 194,560 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2006-06-09 19:35:30 192,512 ----a-w C:\WINDOWS\system32\DXTRANS.DLL
- 2002-08-29 10:40:52 225,280 ----a-w C:\WINDOWS\system32\es.dll
+ 2005-07-26 04:31:12 227,328 ----a-w C:\WINDOWS\system32\es.dll
- 2002-08-29 10:40:54 82,432 ----a-w C:\WINDOWS\system32\fldrclnr.dll
+ 2004-08-20 22:01:16 82,432 ----a-w C:\WINDOWS\system32\fldrclnr.dll
- 2008-06-09 15:07:16 214,472 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-06-10 02:27:10 214,472 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2001-08-18 17:00:00 79,360 ----a-w C:\WINDOWS\system32\fontsub.dll
+ 2005-10-17 21:29:54 77,824 ----a-w C:\WINDOWS\system32\fontsub.dll
- 2002-08-29 10:40:56 250,368 ----a-w C:\WINDOWS\system32\gdi32.dll
+ 2006-01-02 22:38:04 260,608 ----a-w C:\WINDOWS\system32\gdi32.dll
- 2003-01-10 19:43:46 37,888 ----a-w C:\WINDOWS\system32\hhsetup.dll
+ 2005-05-27 01:59:52 38,912 ----a-w C:\WINDOWS\system32\hhsetup.dll
- 2001-08-18 17:00:00 77,850 ----a-w C:\WINDOWS\system32\hlink.dll
+ 2006-07-21 08:30:50 72,704 ----a-w C:\WINDOWS\system32\hlink.dll
- 2001-08-18 12:00:00 489,984 ----a-w C:\WINDOWS\system32\hypertrm.dll
+ 2004-11-17 17:57:02 493,056 ----a-w C:\WINDOWS\system32\hypertrm.dll
- 2002-08-29 10:40:56 236,032 ----a-w C:\WINDOWS\system32\icm32.dll
+ 2005-06-29 01:54:58 237,056 ----a-w C:\WINDOWS\system32\icm32.dll
- 2002-08-29 10:40:56 231,424 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2006-02-24 20:24:42 236,032 ----a-w C:\WINDOWS\system32\IEPEERS.DLL
- 2002-08-29 10:40:56 587,776 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2006-02-27 18:31:54 596,480 ----a-w C:\WINDOWS\system32\INETCOMM.DLL
- 2001-08-18 17:00:00 31,232 ----a-w C:\WINDOWS\system32\inetmib1.dll
+ 2006-08-16 12:14:24 31,232 ----a-w C:\WINDOWS\system32\inetmib1.dll
- 2001-08-18 12:00:00 47,616 ----a-w C:\WINDOWS\system32\inetres.dll
+ 2006-02-27 18:31:50 47,616 ----a-w C:\WINDOWS\system32\INETRES.DLL
- 2002-08-29 10:40:58 69,632 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2004-08-26 15:53:48 69,632 ----a-w C:\WINDOWS\system32\INSENG.DLL
- 2002-08-29 10:40:58 82,944 ----a-w C:\WINDOWS\system32\iphlpapi.dll
+ 2006-08-16 12:14:24 83,456 ----a-w C:\WINDOWS\system32\iphlpapi.dll
- 2001-08-18 17:00:00 332,800 ----a-w C:\WINDOWS\system32\ipsecsnp.dll
+ 2006-05-14 09:13:42 334,848 ----a-w C:\WINDOWS\system32\ipsecsnp.dll
- 2002-08-29 10:40:58 155,648 ----a-w C:\WINDOWS\system32\ipsecsvc.dll
+ 2006-05-14 09:13:42 159,744 ----a-w C:\WINDOWS\system32\ipsecsvc.dll
- 2001-08-18 17:00:00 364,032 ----a-w C:\WINDOWS\system32\ipsmsnap.dll
+ 2006-05-14 09:13:42 364,544 ----a-w C:\WINDOWS\system32\ipsmsnap.dll
- 2002-08-29 10:41:26 60,928 ----a-w C:\WINDOWS\system32\ipv6.exe
+ 2006-08-16 09:28:56 48,640 ----a-w C:\WINDOWS\system32\ipv6.exe
- 2002-08-29 10:40:58 134,144 ----a-w C:\WINDOWS\system32\ipv6mon.dll
+ 2006-08-16 12:14:24 54,272 ----a-w C:\WINDOWS\system32\ipv6mon.dll
- 2003-01-10 19:43:48 143,872 ----a-w C:\WINDOWS\system32\itircl.dll
+ 2005-05-27 01:59:52 143,872 ----a-w C:\WINDOWS\system32\itircl.dll
- 2003-01-10 19:43:48 122,368 ----a-w C:\WINDOWS\system32\itss.dll
+ 2005-05-27 01:59:52 128,000 ----a-w C:\WINDOWS\system32\itss.dll
- 2001-08-18 17:00:00 144,896 ----a-w C:\WINDOWS\system32\jgdw400.dll
+ 2006-05-27 03:19:50 163,840 ----a-w C:\WINDOWS\system32\JGDW400.DLL
- 2001-08-18 17:00:00 42,496 ----a-w C:\WINDOWS\system32\jgpl400.dll
+ 2006-04-06 21:15:48 27,648 ----a-w C:\WINDOWS\system32\JGPL400.DLL
- 2003-01-13 19:57:58 589,881 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2006-05-18 05:58:56 458,752 ----a-w C:\WINDOWS\system32\jscript.dll
- 2001-08-18 17:00:00 12,288 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2006-04-28 15:58:48 12,288 ----a-w C:\WINDOWS\system32\JSPROXY.DLL
- 2002-08-29 10:41:00 272,896 ----a-w C:\WINDOWS\system32\kerberos.dll
+ 2005-06-15 17:50:24 285,184 ----a-w C:\WINDOWS\system32\kerberos.dll
- 2002-08-29 10:41:00 930,304 ----a-w C:\WINDOWS\system32\kernel32.dll
+ 2006-07-05 10:46:36 928,768 ----a-w C:\WINDOWS\system32\kernel32.dll
- 2001-08-18 17:00:00 15,360 ----a-w C:\WINDOWS\system32\linkinfo.dll
+ 2005-09-01 01:49:30 16,384 ----a-w C:\WINDOWS\system32\linkinfo.dll
- 2002-08-29 10:41:00 671,744 ----a-w C:\WINDOWS\system32\lsasrv.dll
+ 2004-10-28 01:29:54 681,984 ----a-w C:\WINDOWS\system32\lsasrv.dll
- 2001-08-18 17:00:00 35,328 ----a-w C:\WINDOWS\system32\mf3216.dll
+ 2004-03-30 01:48:36 36,864 ----a-w C:\WINDOWS\system32\mf3216.dll
- 2002-08-29 10:41:02 68,096 ----a-w C:\WINDOWS\system32\mscms.dll
+ 2005-06-29 01:54:58 68,608 ----a-w C:\WINDOWS\system32\mscms.dll
- 2002-08-29 10:41:04 359,936 ----a-w C:\WINDOWS\system32\msdtcprx.dll
+ 2006-03-01 19:44:40 368,640 ----a-w C:\WINDOWS\system32\msdtcprx.dll
- 2001-08-18 12:00:00 869,376 ----a-w C:\WINDOWS\system32\msdtctm.dll
+ 2006-03-01 19:44:40 974,336 ----a-w C:\WINDOWS\system32\msdtctm.dll
- 2001-08-18 12:00:00 151,040 ----a-w C:\WINDOWS\system32\msdtcuiu.dll
+ 2006-03-01 19:44:40 150,528 ----a-w C:\WINDOWS\system32\msdtcuiu.dll
- 2002-08-29 10:41:04 2,833,920 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2006-06-30 15:28:26 2,703,872 ----a-w C:\WINDOWS\system32\MSHTML.DLL
- 2001-08-18 17:00:00 44,032 ----a-w C:\WINDOWS\system32\msident.dll
+ 2006-02-27 18:29:32 44,032 ----a-w C:\WINDOWS\system32\MSIDENT.DLL
- 2002-08-29 10:41:04 229,888 ----a-w C:\WINDOWS\system32\msieftp.dll
+ 2005-08-05 17:23:28 230,400 ----a-w C:\WINDOWS\system32\msieftp.dll
- 2002-08-29 10:41:06 228,864 ----a-w C:\WINDOWS\system32\msoeacct.dll
+ 2006-02-27 18:31:40 229,376 ----a-w C:\WINDOWS\system32\MSOEACCT.DLL
- 2002-08-29 10:41:06 81,408 ----a-w C:\WINDOWS\system32\msoert2.dll
+ 2006-02-27 18:31:36 91,136 ----a-w C:\WINDOWS\system32\MSOERT2.DLL
- 2002-08-29 10:41:06 132,096 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2005-02-24 17:54:42 132,096 ----a-w C:\WINDOWS\system32\MSRATING.DLL
- 2002-08-29 10:41:08 496,128 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2006-03-03 21:13:30 498,176 ----a-w C:\WINDOWS\system32\MSTIME.DLL
- 2002-08-29 10:41:08 1,122,304 ----a-w C:\WINDOWS\system32\msxml3.dll
+ 2006-09-13 05:09:16 1,110,528 ----a-w C:\WINDOWS\system32\msxml3.dll
- 2001-08-18 17:00:00 61,440 ----a-w C:\WINDOWS\system32\mtxclu.dll
+ 2006-03-01 19:44:40 64,512 ----a-w C:\WINDOWS\system32\mtxclu.dll
- 2001-08-18 12:00:00 83,968 ----a-w C:\WINDOWS\system32\mtxoci.dll
+ 2006-03-01 19:44:40 83,456 ----a-w C:\WINDOWS\system32\mtxoci.dll
- 2002-08-29 10:41:08 309,248 ----a-w C:\WINDOWS\system32\netapi32.dll
+ 2006-07-14 15:53:28 307,200 ----a-w C:\WINDOWS\system32\netapi32.dll
- 2002-08-29 10:41:08 154,112 ----a-w C:\WINDOWS\system32\netman.dll
+ 2005-08-22 18:36:34 154,624 ----a-w C:\WINDOWS\system32\netman.dll
- 2001-08-18 17:00:00 82,944 ----a-w C:\WINDOWS\system32\netsh.exe
+ 2006-08-16 09:27:50 83,456 ----a-w C:\WINDOWS\system32\netsh.exe
- 2002-08-29 08:04:56 1,947,904 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
+ 2005-03-02 00:36:42 1,955,840 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
- 2002-08-29 09:03:30 2,042,240 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
+ 2005-03-02 01:33:36 2,040,832 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
- 2002-08-29 10:41:10 328,704 ----a-w C:\WINDOWS\system32\oakley.dll
+ 2006-05-14 09:13:42 257,536 ----a-w C:\WINDOWS\system32\oakley.dll
- 2002-08-29 10:41:10 1,169,920 ----a-w C:\WINDOWS\system32\ole32.dll
+ 2005-07-26 04:31:14 1,190,400 ----a-w C:\WINDOWS\system32\ole32.dll
- 2001-08-18 17:00:00 68,608 ----a-w C:\WINDOWS\system32\olecli32.dll
+ 2005-07-26 04:31:14 68,608 ----a-w C:\WINDOWS\system32\olecli32.dll
- 2001-08-18 17:00:00 34,304 ----a-w C:\WINDOWS\system32\olecnv32.dll
+ 2005-07-26 04:31:14 35,328 ----a-w C:\WINDOWS\system32\olecnv32.dll
- 2002-08-29 10:41:10 34,304 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2005-04-27 15:53:06 34,816 ----a-w C:\WINDOWS\system32\PNGFILT.DLL
- 2001-08-18 17:00:00 87,552 ----a-w C:\WINDOWS\system32\polstore.dll
+ 2006-05-14 09:13:42 98,304 ----a-w C:\WINDOWS\system32\polstore.dll
- 2003-05-30 14:00:02 1,962,496 ----a-w C:\WINDOWS\system32\quartz.dll
+ 2005-08-30 14:14:00 1,227,776 ----a-w C:\WINDOWS\system32\quartz.dll
- 2002-08-29 10:41:10 1,349,120 ----a-w C:\WINDOWS\system32\query.dll
+ 2006-06-22 05:19:50 1,350,144 ----a-w C:\WINDOWS\system32\query.dll
- 2001-08-18 17:00:00 6,144 ----a-w C:\WINDOWS\system32\rasadhlp.dll
+ 2006-06-26 17:47:50 6,144 ----a-w C:\WINDOWS\system32\rasadhlp.dll
- 2002-08-29 10:41:10 158,720 ----a-w C:\WINDOWS\system32\rasmans.dll
+ 2006-06-22 10:59:18 169,984 ----a-w C:\WINDOWS\system32\rasmans.dll
- 2002-08-29 10:41:10 530,432 ----a-w C:\WINDOWS\system32\rpcrt4.dll
+ 2004-03-06 02:16:12 535,552 ----a-w C:\WINDOWS\system32\rpcrt4.dll
- 2002-08-29 10:41:10 260,608 ----a-w C:\WINDOWS\system32\rpcss.dll
+ 2005-07-26 04:31:14 276,992 ----a-w C:\WINDOWS\system32\rpcss.dll
- 2002-08-29 10:41:12 1,341,440 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2006-09-04 06:23:54 1,351,680 ----a-w C:\WINDOWS\system32\SHDOCVW.DLL
- 2002-08-29 10:41:12 8,336,384 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2006-07-13 13:46:56 8,353,280 ----a-w C:\WINDOWS\system32\shell32.dll
- 2002-08-29 10:41:12 401,920 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2005-09-01 01:49:30 409,088 ----a-w C:\WINDOWS\system32\SHLWAPI.DLL
- 2002-08-29 10:41:12 116,224 ----a-w C:\WINDOWS\system32\shsvcs.dll
+ 2004-10-28 01:29:54 116,736 ----a-w C:\WINDOWS\system32\shsvcs.dll
- 2005-05-04 19:45:26 13,536 ------w C:\WINDOWS\system32\spmsg.dll
+ 2005-10-12 23:12:26 14,048 ------w C:\WINDOWS\system32\spmsg.dll
- 2001-08-18 17:00:00 51,200 ----a-w C:\WINDOWS\system32\spoolsv.exe
+ 2005-06-10 23:55:46 53,248 ----a-w C:\WINDOWS\system32\spoolsv.exe
- 2001-08-18 17:00:00 87,040 ----a-w C:\WINDOWS\system32\srvsvc.dll
+ 2004-12-07 19:34:38 79,872 ----a-w C:\WINDOWS\system32\srvsvc.dll
- 2002-08-29 10:41:18 674,816 ----a-w C:\WINDOWS\system32\sxs.dll
+ 2004-08-20 22:01:16 700,928 ----a-w C:\WINDOWS\system32\sxs.dll
- 2001-08-18 17:00:00 198,656 ----a-w C:\WINDOWS\system32\t2embed.dll
+ 2005-10-17 21:29:54 111,616 ----a-w C:\WINDOWS\system32\t2embed.dll
- 2002-08-29 10:41:18 233,984 ----a-w C:\WINDOWS\system32\tapisrv.dll
+ 2005-07-08 16:09:48 238,592 ----a-w C:\WINDOWS\system32\tapisrv.dll
- 2002-08-29 10:41:28 71,168 ----a-w C:\WINDOWS\system32\telnet.exe
+ 2005-05-11 00:09:48 72,192 ----a-w C:\WINDOWS\system32\telnet.exe
- 2001-08-18 17:00:00 90,624 ----a-w C:\WINDOWS\system32\txflog.dll
+ 2005-07-26 04:31:14 97,280 ----a-w C:\WINDOWS\system32\txflog.dll
- 2002-08-29 10:41:18 107,008 ----a-w C:\WINDOWS\system32\umpnpmgr.dll
+ 2005-08-23 03:51:10 111,104 ----a-w C:\WINDOWS\system32\umpnpmgr.dll
- 2002-08-29 10:41:18 455,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2006-08-31 01:42:56 461,824 ----a-w C:\WINDOWS\system32\URLMON.DLL
- 2002-08-29 10:41:18 560,128 ----a-w C:\WINDOWS\system32\user32.dll
+ 2005-03-02 18:20:04 561,152 ----a-w C:\WINDOWS\system32\user32.dll
+ 2006-03-17 00:49:30 25,600 ------w C:\WINDOWS\system32\verclsid.exe
- 2002-08-29 10:41:18 61,952 ----a-w C:\WINDOWS\system32\webclnt.dll
+ 2006-01-04 03:37:34 64,000 ----a-w C:\WINDOWS\system32\webclnt.dll
- 2002-08-29 09:14:20 1,813,632 ----a-w C:\WINDOWS\system32\win32k.sys
+ 2005-10-04 01:38:18 1,799,552 ----a-w C:\WINDOWS\system32\win32k.sys
- 2002-08-29 10:41:18 99,328 ----a-w C:\WINDOWS\system32\win32spl.dll
+ 2005-06-11 02:41:12 102,400 ----a-w C:\WINDOWS\system32\win32spl.dll
- 2002-08-29 10:41:18 599,040 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2006-06-23 16:33:58 575,488 ----a-w C:\WINDOWS\system32\WININET.DLL
- 2001-08-18 17:00:00 25,600 ----a-w C:\WINDOWS\system32\winipsec.dll
+ 2006-05-14 09:13:42 29,184 ----a-w C:\WINDOWS\system32\winipsec.dll
- 2002-08-29 10:41:18 276,480 ----a-w C:\WINDOWS\system32\winsrv.dll
+ 2005-09-01 01:49:32 278,016 ----a-w C:\WINDOWS\system32\winsrv.dll
- 2002-08-29 10:41:18 1,404,928 ----a-w C:\WINDOWS\system32\wmpui.dll
+ 2006-04-24 21:17:14 1,425,680 ----a-w C:\WINDOWS\system32\wmpui.dll
- 2001-08-18 17:00:00 75,264 ----a-w C:\WINDOWS\system32\ws2_32.dll
+ 2006-08-16 12:14:24 70,656 ----a-w C:\WINDOWS\system32\ws2_32.dll
- 2002-08-29 10:41:20 13,312 ----a-w C:\WINDOWS\system32\wship6.dll
+ 2006-08-16 12:14:24 13,312 ----a-w C:\WINDOWS\system32\wship6.dll
- 2001-08-18 12:00:00 9,728 ----a-w C:\WINDOWS\system32\xolehlp.dll
+ 2006-03-01 19:44:40 11,776 ----a-w C:\WINDOWS\system32\xolehlp.dll
- 2004-06-30 23:59:26 158,720 ------w C:\WINDOWS\system32\xpob2res.dll
+ 2006-08-16 09:42:14 159,232 ----a-w C:\WINDOWS\system32\xpob2res.dll
+ 2006-08-25 09:14:18 595,968 ----a-w C:\WINDOWS\system32\xpsp2res.dll
+ 2005-05-17 00:43:40 7,168 ------w C:\WINDOWS\system32\xpsp3res.dll
+ 2005-08-31 23:49:28 925,184 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1740_x-ww_7cb8ab44\comctl32.dll
+ 2006-03-17 05:04:12 925,184 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1816_x-ww_7d33ba0e\comctl32.dll
+ 2006-07-13 13:46:54 925,184 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1873_x-ww_7d39bb85\comctl32.dll
+ 2006-08-25 15:53:52 925,184 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1891_x-ww_7d3bbc01\comctl32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1e31bacd-3eb5-4e4c-a714-1fe931341f84}]
2008-06-09 10:50 98544 --a------ C:\WINDOWS\System32\lkleuyra.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88B68482-AE05-47F5-8FED-8925E4290C4B}]
C:\WINDOWS\System32\byXPFxwv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2001-07-25 10:00 184376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 15:31 655360]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 16:52 331830]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [ ]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 10:00 241714]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-05 14:49 579072]
"200518a9"="C:\WINDOWS\System32\rbtcgwnw.dll" [2008-06-09 10:48 84704]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-06-05 14:49 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 18:06:54 24633]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2005-10-06 11:43:24 127488]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88B68482-AE05-47F5-8FED-8925E4290C4B}"= C:\WINDOWS\System32\byXPFxwv.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXPFxwv]
byXPFxwv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcywtt]
ddcywtt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebca]
C:\WINDOWS\System32\gebca.dll

R3 ati2mpaa;ati2mpaa;C:\WINDOWS\System32\DRIVERS\ati2mpaa.sys [2001-08-17 12:48]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2005-10-06 02:58:34 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 08:25:00
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-10 8:25:47
ComboFix-quarantined-files.txt 2008-06-10 13:25:46
ComboFix2.txt 2008-06-09 21:59:46

Pre-Run: 28,737,634,304 bytes free
Post-Run: 28,717,088,768 bytes free

554 --- E O F --- 2008-06-10 01:57:43
diamond_diablo
Regular Member
 
Posts: 28
Joined: June 6th, 2008, 6:47 pm

Re: Malware Issue

Unread postby Shaba » June 10th, 2008, 9:44 am

Hi

HijackThis log is incomplete.

Please re-send it :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Malware Issue

Unread postby diamond_diablo » June 10th, 2008, 11:35 am

I re-ran the scan and here is what it spit out:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:16 AM, on 6/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: {48f14313-9ef1-417a-c4e4-5be3dcab13e1} - {1e31bacd-3eb5-4e4c-a714-1fe931341f84} - C:\WINDOWS\System32\lkleuyra.dll
O2 - BHO: (no name) - {88B68482-AE05-47F5-8FED-8925E4290C4B} - C:\WINDOWS\System32\byXPFxwv.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [200518a9] rundll32.exe "C:\WINDOWS\System32\rbtcgwnw.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: byXPFxwv - byXPFxwv.dll (file missing)
O20 - Winlogon Notify: ddcywtt - ddcywtt.dll (file missing)
O20 - Winlogon Notify: gebca - C:\WINDOWS\System32\gebca.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 4763 bytes
diamond_diablo
Regular Member
 
Posts: 28
Joined: June 6th, 2008, 6:47 pm

Re: Malware Issue

Unread postby Shaba » June 10th, 2008, 12:38 pm

Hi

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\wnwgctbr.ini
C:\WINDOWS\system32\lkleuyra.dll
C:\WINDOWS\system32\rbtcgwnw.dll
C:\Documents and Settings\Courtenay\g22.exe
C:\WINDOWS\system32\{35bec6a3-5614-5356-ee5b-0c9d1fbe3d40}.dll-uninst.exe
C:\Documents and Settings\Courtenay\gside.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1e31bacd-3eb5-4e4c-a714-1fe931341f84}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88B68482-AE05-47F5-8FED-8925E4290C4B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"200518a9"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88B68482-AE05-47F5-8FED-8925E4290C4B}"= -

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXPFxwv]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcywtt]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebca]


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also what process you had to end.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
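The CFScript in the post above removes exactly the load points that HijackThis flagged in the preceding log: the two BHOs (O2), the hex-named Run value (O4) and the Winlogon Notify entries whose DLLs are missing (O20). As an added example (my code, not part of this thread and not HijackThis or ComboFix code), the Python below parses those O2/O4/O20 lines, flags the indicators the helper acted on, and prints File::/Registry:: stanzas in the same form the script uses. The sample lines are copied from the HijackThis log earlier in the thread; the registry key paths, including the `~` abbreviation for the Explorer key, follow the helper's script; the "no readable name" and "hex-blob value name" rules are heuristics assumed by this example, not rules HijackThis itself applies.

```python
"""Triage HijackThis O2/O4/O20 entries and emit ComboFix-style CFScript stanzas.

Added example; the heuristics below are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Key paths in the form the thread's CFScript uses ("~" abbreviates the Explorer key).
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
DLL_IN_CMD_RE = re.compile(r'"?([A-Za-z]:\\[^",]+\.dll)"?', re.I)

# Constructed sample: selected lines from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: {48f14313-9ef1-417a-c4e4-5be3dcab13e1} - {1e31bacd-3eb5-4e4c-a714-1fe931341f84} - C:\WINDOWS\System32\lkleuyra.dll
O2 - BHO: (no name) - {88B68482-AE05-47F5-8FED-8925E4290C4B} - C:\WINDOWS\System32\byXPFxwv.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [200518a9] rundll32.exe "C:\WINDOWS\System32\rbtcgwnw.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: byXPFxwv - byXPFxwv.dll (file missing)
O20 - Winlogon Notify: gebca - C:\WINDOWS\System32\gebca.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""


@dataclass
class Finding:
    line: str                      # the HijackThis line that was flagged
    reason: str                    # why it was flagged
    file_path: Optional[str]       # file to list under File:: (None when HijackThis says it is missing)
    registry_fix: str              # Registry:: stanza that removes the load point


def _missing(text: str) -> bool:
    return "(file missing)" in text


def triage(log_text: str) -> List[Finding]:
    """Return the O2/O4/O20 entries that match the example's heuristics."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            reasons = []
            if _missing(m["path"]):
                reasons.append("BHO file is missing")
            if m["name"] == "(no name)" or GUID_RE.match(m["name"]):
                reasons.append("BHO has no readable name")
            if reasons:
                path = None if _missing(m["path"]) else m["path"].strip()
                findings.append(Finding(line, "; ".join(reasons), path, f"[-{BHO_KEY}\\{m['clsid']}]"))
        elif m := O4_RE.match(line):
            reasons = []
            if re.fullmatch(r"[0-9a-f]{8}", m["value"], re.I):
                reasons.append("Run value name is a hex blob")   # heuristic, e.g. 200518a9
            if _missing(m["cmd"]):
                reasons.append("Run target is missing")
            if reasons:
                dll = DLL_IN_CMD_RE.search(m["cmd"])              # DLL loaded via rundll32, if any
                path = dll.group(1) if dll and not _missing(m["cmd"]) else None
                fix = f"[{RUN_KEYS[m['hive']]}]\n\"{m['value']}\"=-"
                findings.append(Finding(line, "; ".join(reasons), path, fix))
        elif m := O20_RE.match(line):
            # Only entries whose DLL is reported missing are flagged here; other O20
            # entries still deserve manual review, which this example does not automate.
            if _missing(m["path"]):
                findings.append(Finding(line, "Winlogon Notify DLL is missing", None,
                                        f"[-{NOTIFY_KEY}\\{m['name']}]"))
    return findings


def render_cfscript(findings: List[Finding]) -> str:
    """Lay the findings out as File:: and Registry:: sections, as in the thread's script."""
    files = sorted({f.file_path for f in findings if f.file_path})
    out = ["File::", *files, "", "Registry::"]
    seen = set()
    for f in findings:
        if f.registry_fix not in seen:
            seen.add(f.registry_fix)
            out += [f.registry_fix, ""]
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason}: {f.line}")
    print()
    print(render_cfscript(found))
```

Run it and compare the output with the helper's CFScript: the registry stanzas are the same five the helper wrote, and the File:: section lists the two DLLs that still existed on disk (the helper's script also lists files found elsewhere in the ComboFix log, which this log-only pass cannot see).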

Re: Malware Issue - UPDATED LOGS

Unread postby diamond_diablo » June 10th, 2008, 3:07 pm

combofix log --

ComboFix 08-06-09.3 - Courtenay 2008-06-10 13:56:36.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.93 [GMT -5:00]
Running from: C:\Documents and Settings\Courtenay\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Courtenay\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Courtenay\g22.exe
C:\Documents and Settings\Courtenay\gside.exe
C:\WINDOWS\system32\{35bec6a3-5614-5356-ee5b-0c9d1fbe3d40}.dll-uninst.exe
C:\WINDOWS\system32\lkleuyra.dll
C:\WINDOWS\system32\rbtcgwnw.dll
C:\WINDOWS\system32\wnwgctbr.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Courtenay\g22.exe
C:\Documents and Settings\Courtenay\gside.exe
C:\WINDOWS\system32\{35bec6a3-5614-5356-ee5b-0c9d1fbe3d40}.dll-uninst.exe
C:\WINDOWS\system32\lkleuyra.dll
C:\WINDOWS\system32\rbtcgwnw.dll
C:\WINDOWS\system32\wnwgctbr.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-09 10:52 . 2008-06-09 10:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-09 10:52 . 2007-09-06 16:14 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-06-09 10:52 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-06-09 10:52 . 2008-06-09 10:55 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-09 10:37 . 2005-10-20 17:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-06-09 10:29 . 2008-06-09 10:29 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-09 10:29 . 2005-06-28 09:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-09 10:18 . 2003-02-28 16:34 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2008-06-09 10:18 . 2003-02-28 18:26 171,280 --a------ C:\WINDOWS\system32\jit.dll
2008-06-09 10:18 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-06-09 10:18 . 2003-02-28 18:26 46,352 --a------ C:\WINDOWS\setdebug.exe
2008-06-09 10:18 . 2003-02-28 16:54 7,315 --a------ C:\WINDOWS\system32\javasup.vxd
2008-06-09 10:18 . 2003-02-28 16:35 6,550 --a------ C:\WINDOWS\jautoexp.dat
2008-06-09 10:15 . 2005-10-27 14:06 226,816 --a------ C:\WINDOWS\system32\srrstr.dll
2008-06-09 10:11 . 2003-08-01 23:14 25,600 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-06-09 10:03 . 2008-06-09 10:03 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-09 10:03 . 2008-06-09 10:03 <DIR> d-------- C:\WINDOWS\ehome
2008-06-09 09:59 . 2002-08-29 05:41 3,494,303 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-06-09 09:58 . 2002-08-29 05:41 1,004,032 --a------ C:\WINDOWS\explorer.exe
2008-06-06 17:30 . 2008-06-06 17:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-06 16:09 . 2008-06-06 16:09 <DIR> d-------- C:\VundoFix Backups
2008-06-05 22:16 . 2008-06-05 22:16 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-05 22:15 . 2008-06-05 22:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-05 22:15 . 2008-06-05 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-05 21:59 . 2008-06-05 21:59 <DIR> d-------- C:\Downloads
2008-06-05 21:26 . 2008-06-05 21:26 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-05 21:17 . 2004-07-01 17:08 361,984 --a------ C:\WINDOWS\system32\dllcache\qmgr.dll
2008-06-05 21:17 . 2004-07-01 17:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-06-05 21:17 . 2004-07-01 17:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-06-05 21:17 . 2004-07-01 17:08 17,408 --a------ C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-06-05 21:17 . 2004-07-01 17:08 7,680 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-06-05 21:17 . 2004-07-01 17:08 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-06-05 21:17 . 2004-07-01 17:08 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-06-05 21:17 . 2004-07-01 17:08 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-06-05 21:13 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-06-05 21:13 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-06-05 21:13 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-06-05 21:13 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-06-05 21:13 . 2004-08-03 14:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2008-06-05 21:13 . 2004-08-03 14:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2008-06-05 21:13 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-06-05 20:52 . 2008-06-05 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-05 20:24 . 2008-06-05 20:24 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-05 20:24 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-06-05 17:01 . 2008-06-05 17:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-05 16:53 . 2008-06-05 10:44 <DIR> d-------- C:\SDFix
2008-06-05 14:58 . 2008-06-05 14:58 <DIR> d-------- C:\Program Files\Zone Labs
2008-06-05 14:53 . 2008-06-05 14:53 <DIR> dr-h----- C:\$VAULT$.AVG
2008-06-05 14:52 . 2008-06-05 14:53 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-06-05 14:51 . 2008-06-05 14:51 <DIR> d-------- C:\Documents and Settings\Courtenay\Application Data\AVG7
2008-06-05 14:50 . 2008-06-05 14:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-06-05 14:49 . 2008-06-05 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-05 14:49 . 2008-06-05 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-06-05 14:25 . 2008-06-05 14:25 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-05 14:13 . 2001-08-17 13:48 13,952 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-05 14:13 . 2001-08-17 13:48 13,952 --a------ C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-06-05 14:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-06-05 14:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-06-05 14:12 . 2002-08-29 03:32 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-05 14:12 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-06-05 14:12 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 19:00 623,555 ------w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-04-29 16:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 16:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 16:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2005-10-05 22:17 266 --sh--w C:\Program Files\desktop.ini
2005-10-05 22:17 11,079 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot_2008-06-10_ 8.25.28.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-10 02:27:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-10 19:00:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2001-07-25 10:00 184376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 15:31 655360]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 16:52 331830]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [ ]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 10:00 241714]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-05 14:49 579072]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-06-05 14:49 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 18:06:54 24633]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2005-10-06 11:43:24 127488]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

R3 ati2mpaa;ati2mpaa;C:\WINDOWS\System32\DRIVERS\ati2mpaa.sys [2001-08-17 12:48]

.
Contents of the 'Scheduled Tasks' folder
"2005-10-06 02:58:34 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 14:01:39
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ZONELABS\VSMON.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
.
**************************************************************************
.
Completion time: 2008-06-10 14:03:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-10 19:03:10
ComboFix3.txt 2008-06-09 21:59:46
ComboFix2.txt 2008-06-10 13:25:50

Pre-Run: 28,654,993,408 bytes free
Post-Run: 28,663,775,232 bytes free

158 --- E O F --- 2008-06-10 01:57:43


HijackThis Log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:05 PM, on 6/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 4349 bytes
diamond_diablo
Regular Member
 
Posts: 28
Joined: June 6th, 2008, 6:47 pm

Re: Malware Issue

Unread postby Shaba » June 11th, 2008, 9:13 am

Hi

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Please do not use your computer while the scan is running.
  • Click the Save Report As... button (see red arrow below)
    Image
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)
    Image
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer only! Keep ALL other programs closed during the scan.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Post:

- a fresh HijackThis log
- Kaspersky report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Malware Issue

Unread postby diamond_diablo » June 11th, 2008, 12:21 pm

HijackThis---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:35 AM, on 6/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=21871
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 4842 bytes

Kaspersky Report ---
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, June 11, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 1 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, June 11, 2008 14:51:50
Records in database: 851911
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 36653
Threat name: 15
Infected objects: 100
Suspicious objects: 0
Duration of the scan: 00:46:04


File name / Threat name / Threats count
C:\WINDOWS\system32\nwinqmdt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r 1
C:\WINDOWS\system32\lpdsrngr.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o 1
C:\WINDOWS\system32\wiveojar.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\bhmliqmm.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\vdsaqoup.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\glgtuonj.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\hvrxpsji.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\xgvdejwy.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\esddpidi.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\wnlsgpau.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\fmtbvejq.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\mlsxxdke.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\nduovdgq.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\eeaajykf.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\ikblubpn.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\swqpgivr.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\bkywyqmx.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\demtjnyf.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\xlvgmgpy.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\egyoynhi.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\wdqtceuc.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\exynglrl.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\fqfkmfsy.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\hxicivwi.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\vnpi.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv 1
C:\WINDOWS\system32\jjlrckdr.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\qmyduxht.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\aqntplgp.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\nsxklnba.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\cuidccyq.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\hyjybfiq.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\rtukbijn.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\osjjtvgl.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\xgxakkqf.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\rdvnytvq.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\eqhvxspu.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\knxkessq.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\tjfkemth.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\deucurqy.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\bvqwrwax.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\kqikshph.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\ijfhpjwi.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\ljukkuvt.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\udcmtxvc.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\yyhyknnf.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\wyrwjgyg.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\kljpiqwj.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\aeiigbko.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\ltcugkgl.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\qeqjkbtj.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\brsvfjrc.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\gsloyjpi.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\hhpvcjlb.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\hilsslvk.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\frcbuiww.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\uqqnfjkm.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\pcupbhsb.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\wnagbxux.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\lkfwncli.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\lnhkfilw.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\fydiqlow.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\ofquojhf.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\uvxeshue.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\nenntycx.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\smbmtecs.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\pgivific.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\kjhnufpp.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\srwyvbfq.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\ayclbjrl.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\ddfjkkbm.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\kqqajafs.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\bgvwyouu.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\ogtkbhsn.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\nhynwgfy.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\ptquuqtc.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\bbumxwam.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\lfivmyef.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\qdgbrduv.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\tmisolyy.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\sjbwqlca.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\tmkgjdfi.exe Infected: Trojan.Win32.Agent.bck 1
C:\WINDOWS\system32\nwinqmdq.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1
C:\WINDOWS\system32\fhalsmhv.exe Infected: Trojan.Win32.Agent.bck 1
C:\System Volume Information\_restore{E3D44FE0-7C21-4D75-9F81-8F2E3CBAC05F}\RP2\A0000007.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw 1
C:\System Volume Information\_restore{E3D44FE0-7C21-4D75-9F81-8F2E3CBAC05F}\RP2\A0000008.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o 1
C:\System Volume Information\_restore{E3D44FE0-7C21-4D75-9F81-8F2E3CBAC05F}\RP2\A0000018.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ymm 1
C:\System Volume Information\_restore{E3D44FE0-7C21-4D75-9F81-8F2E3CBAC05F}\RP58\A0005854.exe Infected: not-virus:Hoax.Win32.Renos.cei 1
C:\System Volume Information\_restore{E3D44FE0-7C21-4D75-9F81-8F2E3CBAC05F}\RP59\A0005920.exe Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\System Volume Information\_restore{E3D44FE0-7C21-4D75-9F81-8F2E3CBAC05F}\RP59\A0005924.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ymn 1
C:\1C3.tmp Infected: Trojan-Downloader.Win32.PurityScan.eg 1
C:\1C5.tmp Infected: not-a-virus:Downloader.Win32.Agent.q 1
C:\1C5.tmp Infected: not-a-virus:AdWare.Win32.AdBand.c 1
C:\1C5.tmp Infected: not-a-virus:AdWare.Win32.Agent.jn 1
C:\SDFix\backups\HOSTS Infected: Trojan.Win32.Qhost.my 1
C:\QooBox\Quarantine\C\WINDOWS\ICROSO~1.NET\аti2evxx.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gw 1
C:\QooBox\Quarantine\C\WINDOWS\system32\dwdsrngt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.o 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pgpfsutq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ymm 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rbtcgwnw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ymn 1
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe.vir Infected: not-virus:Hoax.Win32.Renos.cei 1
C:\QooBox\Quarantine\C\Documents and Settings\Courtenay\g22.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.byy 1

The selected area was scanned.

Re: Malware Issue

Unread postby Shaba » June 11th, 2008, 12:42 pm

Hi

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\nwinqmdt.exe 
    C:\WINDOWS\system32\lpdsrngr.exe 
    C:\WINDOWS\system32\wiveojar.exe 
    C:\WINDOWS\system32\bhmliqmm.exe 
    C:\WINDOWS\system32\vdsaqoup.exe 
    C:\WINDOWS\system32\glgtuonj.exe 
    C:\WINDOWS\system32\hvrxpsji.exe 
    C:\WINDOWS\system32\xgvdejwy.exe 
    C:\WINDOWS\system32\esddpidi.exe 
    C:\WINDOWS\system32\wnlsgpau.exe 
    C:\WINDOWS\system32\fmtbvejq.exe 
    C:\WINDOWS\system32\mlsxxdke.exe 
    C:\WINDOWS\system32\nduovdgq.exe 
    C:\WINDOWS\system32\eeaajykf.exe 
    C:\WINDOWS\system32\ikblubpn.exe 
    C:\WINDOWS\system32\swqpgivr.exe 
    C:\WINDOWS\system32\bkywyqmx.exe 
    C:\WINDOWS\system32\demtjnyf.exe 
    C:\WINDOWS\system32\xlvgmgpy.exe 
    C:\WINDOWS\system32\egyoynhi.exe 
    C:\WINDOWS\system32\wdqtceuc.exe 
    C:\WINDOWS\system32\exynglrl.exe 
    C:\WINDOWS\system32\fqfkmfsy.exe 
    C:\WINDOWS\system32\hxicivwi.exe 
    C:\WINDOWS\system32\vnpi.dll 
    C:\WINDOWS\system32\jjlrckdr.exe
    C:\WINDOWS\system32\qmyduxht.exe 
    C:\WINDOWS\system32\aqntplgp.exe 
    C:\WINDOWS\system32\nsxklnba.exe 
    C:\WINDOWS\system32\cuidccyq.exe 
    C:\WINDOWS\system32\hyjybfiq.exe 
    C:\WINDOWS\system32\rtukbijn.exe 
    C:\WINDOWS\system32\osjjtvgl.exe 
    C:\WINDOWS\system32\xgxakkqf.exe 
    C:\WINDOWS\system32\rdvnytvq.exe 
    C:\WINDOWS\system32\eqhvxspu.exe 
    C:\WINDOWS\system32\knxkessq.exe 
    C:\WINDOWS\system32\tjfkemth.exe 
    C:\WINDOWS\system32\deucurqy.exe 
    C:\WINDOWS\system32\bvqwrwax.exe 
    C:\WINDOWS\system32\kqikshph.exe 
    C:\WINDOWS\system32\ijfhpjwi.exe 
    C:\WINDOWS\system32\ljukkuvt.exe 
    C:\WINDOWS\system32\udcmtxvc.exe 
    C:\WINDOWS\system32\yyhyknnf.exe 
    C:\WINDOWS\system32\wyrwjgyg.exe 
    C:\WINDOWS\system32\kljpiqwj.exe 
    C:\WINDOWS\system32\aeiigbko.exe 
    C:\WINDOWS\system32\ltcugkgl.exe 
    C:\WINDOWS\system32\qeqjkbtj.exe 
    C:\WINDOWS\system32\brsvfjrc.exe 
    C:\WINDOWS\system32\gsloyjpi.exe 
    C:\WINDOWS\system32\hhpvcjlb.exe 
    C:\WINDOWS\system32\hilsslvk.exe 
    C:\WINDOWS\system32\frcbuiww.exe 
    C:\WINDOWS\system32\uqqnfjkm.exe 
    C:\WINDOWS\system32\pcupbhsb.exe
    C:\WINDOWS\system32\wnagbxux.exe 
    C:\WINDOWS\system32\lkfwncli.exe 
    C:\WINDOWS\system32\lnhkfilw.exe 
    C:\WINDOWS\system32\fydiqlow.exe 
    C:\WINDOWS\system32\ofquojhf.exe 
    C:\WINDOWS\system32\uvxeshue.exe 
    C:\WINDOWS\system32\nenntycx.exe 
    C:\WINDOWS\system32\smbmtecs.exe 
    C:\WINDOWS\system32\pgivific.exe 
    C:\WINDOWS\system32\kjhnufpp.exe 
    C:\WINDOWS\system32\srwyvbfq.exe 
    C:\WINDOWS\system32\ayclbjrl.exe 
    C:\WINDOWS\system32\ddfjkkbm.exe 
    C:\WINDOWS\system32\kqqajafs.exe 
    C:\WINDOWS\system32\bgvwyouu.exe 
    C:\WINDOWS\system32\ogtkbhsn.exe 
    C:\WINDOWS\system32\nhynwgfy.exe 
    C:\WINDOWS\system32\ptquuqtc.exe 
    C:\WINDOWS\system32\bbumxwam.exe 
    C:\WINDOWS\system32\lfivmyef.exe 
    C:\WINDOWS\system32\qdgbrduv.exe 
    C:\WINDOWS\system32\tmisolyy.exe 
    C:\WINDOWS\system32\sjbwqlca.exe 
    C:\WINDOWS\system32\tmkgjdfi.exe 
    C:\WINDOWS\system32\nwinqmdq.exe
    C:\WINDOWS\system32\fhalsmhv.exe 
    C:\1C3.tmp 
    C:\1C5.tmp 
    C:\1C5.tmp 
    C:\1C5.tmp 
    

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post along with a fresh HijackThis log.

Re: Malware Issue

Unread postby diamond_diablo » June 11th, 2008, 4:57 pm

C:\WINDOWS\system32\nwinqmdt.exe moved successfully.
C:\WINDOWS\system32\lpdsrngr.exe moved successfully.
C:\WINDOWS\system32\wiveojar.exe moved successfully.
C:\WINDOWS\system32\bhmliqmm.exe moved successfully.
C:\WINDOWS\system32\vdsaqoup.exe moved successfully.
C:\WINDOWS\system32\glgtuonj.exe moved successfully.
C:\WINDOWS\system32\hvrxpsji.exe moved successfully.
C:\WINDOWS\system32\xgvdejwy.exe moved successfully.
C:\WINDOWS\system32\esddpidi.exe moved successfully.
C:\WINDOWS\system32\wnlsgpau.exe moved successfully.
C:\WINDOWS\system32\fmtbvejq.exe moved successfully.
C:\WINDOWS\system32\mlsxxdke.exe moved successfully.
C:\WINDOWS\system32\nduovdgq.exe moved successfully.
C:\WINDOWS\system32\eeaajykf.exe moved successfully.
C:\WINDOWS\system32\ikblubpn.exe moved successfully.
C:\WINDOWS\system32\swqpgivr.exe moved successfully.
C:\WINDOWS\system32\bkywyqmx.exe moved successfully.
C:\WINDOWS\system32\demtjnyf.exe moved successfully.
C:\WINDOWS\system32\xlvgmgpy.exe moved successfully.
C:\WINDOWS\system32\egyoynhi.exe moved successfully.
C:\WINDOWS\system32\wdqtceuc.exe moved successfully.
C:\WINDOWS\system32\exynglrl.exe moved successfully.
C:\WINDOWS\system32\fqfkmfsy.exe moved successfully.
C:\WINDOWS\system32\hxicivwi.exe moved successfully.
C:\WINDOWS\system32\vnpi.dll unregistered successfully.
C:\WINDOWS\system32\vnpi.dll moved successfully.
C:\WINDOWS\system32\jjlrckdr.exe moved successfully.
C:\WINDOWS\system32\qmyduxht.exe moved successfully.
C:\WINDOWS\system32\aqntplgp.exe moved successfully.
C:\WINDOWS\system32\nsxklnba.exe moved successfully.
C:\WINDOWS\system32\cuidccyq.exe moved successfully.
C:\WINDOWS\system32\hyjybfiq.exe moved successfully.
C:\WINDOWS\system32\rtukbijn.exe moved successfully.
C:\WINDOWS\system32\osjjtvgl.exe moved successfully.
C:\WINDOWS\system32\xgxakkqf.exe moved successfully.
C:\WINDOWS\system32\rdvnytvq.exe moved successfully.
C:\WINDOWS\system32\eqhvxspu.exe moved successfully.
C:\WINDOWS\system32\knxkessq.exe moved successfully.
C:\WINDOWS\system32\tjfkemth.exe moved successfully.
C:\WINDOWS\system32\deucurqy.exe moved successfully.
C:\WINDOWS\system32\bvqwrwax.exe moved successfully.
C:\WINDOWS\system32\kqikshph.exe moved successfully.
C:\WINDOWS\system32\ijfhpjwi.exe moved successfully.
C:\WINDOWS\system32\ljukkuvt.exe moved successfully.
C:\WINDOWS\system32\udcmtxvc.exe moved successfully.
C:\WINDOWS\system32\yyhyknnf.exe moved successfully.
C:\WINDOWS\system32\wyrwjgyg.exe moved successfully.
C:\WINDOWS\system32\kljpiqwj.exe moved successfully.
C:\WINDOWS\system32\aeiigbko.exe moved successfully.
C:\WINDOWS\system32\ltcugkgl.exe moved successfully.
C:\WINDOWS\system32\qeqjkbtj.exe moved successfully.
C:\WINDOWS\system32\brsvfjrc.exe moved successfully.
C:\WINDOWS\system32\gsloyjpi.exe moved successfully.
C:\WINDOWS\system32\hhpvcjlb.exe moved successfully.
C:\WINDOWS\system32\hilsslvk.exe moved successfully.
C:\WINDOWS\system32\frcbuiww.exe moved successfully.
C:\WINDOWS\system32\uqqnfjkm.exe moved successfully.
C:\WINDOWS\system32\pcupbhsb.exe moved successfully.
C:\WINDOWS\system32\wnagbxux.exe moved successfully.
C:\WINDOWS\system32\lkfwncli.exe moved successfully.
C:\WINDOWS\system32\lnhkfilw.exe moved successfully.
C:\WINDOWS\system32\fydiqlow.exe moved successfully.
C:\WINDOWS\system32\ofquojhf.exe moved successfully.
C:\WINDOWS\system32\uvxeshue.exe moved successfully.
C:\WINDOWS\system32\nenntycx.exe moved successfully.
C:\WINDOWS\system32\smbmtecs.exe moved successfully.
C:\WINDOWS\system32\pgivific.exe moved successfully.
C:\WINDOWS\system32\kjhnufpp.exe moved successfully.
C:\WINDOWS\system32\srwyvbfq.exe moved successfully.
C:\WINDOWS\system32\ayclbjrl.exe moved successfully.
C:\WINDOWS\system32\ddfjkkbm.exe moved successfully.
C:\WINDOWS\system32\kqqajafs.exe moved successfully.
C:\WINDOWS\system32\bgvwyouu.exe moved successfully.
C:\WINDOWS\system32\ogtkbhsn.exe moved successfully.
C:\WINDOWS\system32\nhynwgfy.exe moved successfully.
C:\WINDOWS\system32\ptquuqtc.exe moved successfully.
C:\WINDOWS\system32\bbumxwam.exe moved successfully.
C:\WINDOWS\system32\lfivmyef.exe moved successfully.
C:\WINDOWS\system32\qdgbrduv.exe moved successfully.
C:\WINDOWS\system32\tmisolyy.exe moved successfully.
C:\WINDOWS\system32\sjbwqlca.exe moved successfully.
C:\WINDOWS\system32\tmkgjdfi.exe moved successfully.
C:\WINDOWS\system32\nwinqmdq.exe moved successfully.
C:\WINDOWS\system32\fhalsmhv.exe moved successfully.
C:\1C3.tmp moved successfully.
C:\1C5.tmp moved successfully.
File/Folder C:\1C5.tmp not found.
File/Folder C:\1C5.tmp not found.
File/Folder not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06112008_155523

Hijackthis ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:05 PM, on 6/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=21871
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 4890 bytes
diamond_diablo
Regular Member
 
Posts: 28
Joined: June 6th, 2008, 6:47 pm

Re: Malware Issue

Unread postby Shaba » June 12th, 2008, 9:11 am

Hi

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Malware Issue - UPDATED LOGS

Unread postby diamond_diablo » June 12th, 2008, 2:35 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:32 PM, on 6/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=21871
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 4799 bytes


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, June 12, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 1 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, June 12, 2008 14:57:30
Records in database: 856010
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 36759
Threat name: 15
Infected objects: 100
Suspicious objects: 0
Duration of the scan: 00:45:26


File name / Threat name / Threats count
C:\System Volume Information\_restore{E3D44FE0-7C21-4D75-9F81-8F2E3CBAC05F}\RP2\A0000007.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw 1
C:\System Volume Information\_restore{E3D44FE0-7C21-4D75-9F81-8F2E3CBAC05F}\RP2\A0000008.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o 1
C:\System Volume Information\_restore{E3D44FE0-7C21-4D75-9F81-8F2E3CBAC05F}\RP2\A0000018.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ymm 1
C:\System Volume Information\_restore{E3D44FE0-7C21-4D75-9F81-8F2E3CBAC05F}\RP58\A0005854.exe Infected: not-virus:Hoax.Win32.Renos.cei 1
C:\System Volume Information\_restore{E3D44FE0-7C21-4D75-9F81-8F2E3CBAC05F}\RP59\A0005920.exe Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\System Volume Information\_restore{E3D44FE0-7C21-4D75-9F81-8F2E3CBAC05F}\RP59\A0005924.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ymn 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\nwinqmdt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\lpdsrngr.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\wiveojar.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\bhmliqmm.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\vdsaqoup.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\glgtuonj.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\hvrxpsji.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\xgvdejwy.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\esddpidi.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\wnlsgpau.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\fmtbvejq.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\mlsxxdke.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\nduovdgq.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\eeaajykf.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\ikblubpn.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\swqpgivr.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\bkywyqmx.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\demtjnyf.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\xlvgmgpy.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\egyoynhi.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\wdqtceuc.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\exynglrl.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\fqfkmfsy.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\hxicivwi.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\vnpi.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\jjlrckdr.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\qmyduxht.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\aqntplgp.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\nsxklnba.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\cuidccyq.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\hyjybfiq.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\rtukbijn.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\osjjtvgl.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\xgxakkqf.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\rdvnytvq.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\eqhvxspu.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\knxkessq.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\tjfkemth.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\deucurqy.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\bvqwrwax.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\kqikshph.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\ijfhpjwi.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\ljukkuvt.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\udcmtxvc.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\yyhyknnf.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\wyrwjgyg.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\kljpiqwj.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\aeiigbko.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\ltcugkgl.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\qeqjkbtj.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\brsvfjrc.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\gsloyjpi.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\hhpvcjlb.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\hilsslvk.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\frcbuiww.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\uqqnfjkm.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\pcupbhsb.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\wnagbxux.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\lkfwncli.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\lnhkfilw.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\fydiqlow.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\ofquojhf.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\uvxeshue.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\nenntycx.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\smbmtecs.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\pgivific.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\kjhnufpp.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\srwyvbfq.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\ayclbjrl.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\ddfjkkbm.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\kqqajafs.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\bgvwyouu.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\ogtkbhsn.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\nhynwgfy.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\ptquuqtc.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\bbumxwam.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\lfivmyef.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\qdgbrduv.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\tmisolyy.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\sjbwqlca.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\tmkgjdfi.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\nwinqmdq.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\fhalsmhv.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\1C3.tmp Infected: Trojan-Downloader.Win32.PurityScan.eg 1
C:\_OTMoveIt\MovedFiles\06112008_155523\1C5.tmp Infected: not-a-virus:Downloader.Win32.Agent.q 1
C:\_OTMoveIt\MovedFiles\06112008_155523\1C5.tmp Infected: not-a-virus:AdWare.Win32.AdBand.c 1
C:\_OTMoveIt\MovedFiles\06112008_155523\1C5.tmp Infected: not-a-virus:AdWare.Win32.Agent.jn 1
C:\SDFix\backups\HOSTS Infected: Trojan.Win32.Qhost.my 1
C:\QooBox\Quarantine\C\WINDOWS\ICROSO~1.NET\аti2evxx.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gw 1
C:\QooBox\Quarantine\C\WINDOWS\system32\dwdsrngt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.o 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pgpfsutq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ymm 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rbtcgwnw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ymn 1
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe.vir Infected: not-virus:Hoax.Win32.Renos.cei 1
C:\QooBox\Quarantine\C\Documents and Settings\Courtenay\g22.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.byy 1

The selected area was scanned.
diamond_diablo
Regular Member
 
Posts: 28
Joined: June 6th, 2008, 6:47 pm
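As an added example (not code from this thread, from Kaspersky or from any tool mentioned here), a small Python triage script for the Kaspersky Online Scanner 7 report format posted above: it parses the "File name / Threat name / Threats count" lines and sorts each hit by location, so a helper can confirm that every detection sits in a quarantine, backup or System Restore copy (as all 100 do in this report) rather than in a live path. The location labels are the example's own; the sample excerpt reuses lines from the posted report plus one constructed line that is not in the thread.

```python
"""Triage a Kaspersky Online Scanner 7 report: is anything flagged still live?

Added example, not part of the forum thread or of any tool it mentions.
It parses the report's "File name / Threat name / Threats count" lines and
sorts each detection into a location class, so a helper can see at a glance
whether detections sit only in quarantine / backup / System Restore copies
(expected after a cleanup) or in a live location that still needs attention.
"""
import re
from collections import Counter

# Folders that hold inert copies made by the cleanup tools seen in this thread
# (OTMoveIt, ComboFix, SDFix) plus Windows System Restore. The labels are the
# example's own; matching is a case-insensitive path-prefix test.
INERT_PREFIXES = {
    r"C:\System Volume Information\_restore": "system-restore",
    r"C:\_OTMoveIt\MovedFiles": "otmoveit-quarantine",
    r"C:\QooBox\Quarantine": "combofix-quarantine",
    r"C:\SDFix\backups": "sdfix-backup",
}

# Detection line: "<path> Infected: <threat name> <count>". The path itself may
# contain spaces, so it is matched lazily up to the literal " Infected: ".
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def classify_path(path):
    """Return the inert-location label for path, or 'live' if it matches none."""
    lowered = path.lower()
    for prefix, label in INERT_PREFIXES.items():
        if lowered.startswith(prefix.lower()):
            return label
    return "live"


def parse_report(text):
    """Yield (path, threat, count, location) for every detection line in the report."""
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # header, settings, statistics and blank lines
        yield (m.group("path"), m.group("threat"), int(m.group("count")),
               classify_path(m.group("path")))


def triage(text):
    """Summarise a report: detections per location, threat families, live hits."""
    detections = list(parse_report(text))
    by_location = Counter(d[3] for d in detections)
    # Family = signature name without its variant suffix and without the
    # "not-a-virus:" / "not-virus:" riskware prefix, e.g. Trojan.Win32.Agent
    families = Counter(d[1].split(":")[-1].rsplit(".", 1)[0] for d in detections)
    live = [d for d in detections if d[3] == "live"]
    return {"total": len(detections), "by_location": dict(by_location),
            "families": dict(families), "live": live}


# Constructed excerpt: the first five detection lines are copied from the report
# posted in the thread; the last one is made up (not in the thread) and sits
# outside every quarantine folder, to show how a still-live hit is reported.
SAMPLE_REPORT = r"""
Scan statistics:
Files scanned: 36759
Infected objects: 100

File name / Threat name / Threats count
C:\System Volume Information\_restore{E3D44FE0-7C21-4D75-9F81-8F2E3CBAC05F}\RP2\A0000007.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw 1
C:\_OTMoveIt\MovedFiles\06112008_155523\WINDOWS\system32\wiveojar.exe Infected: Trojan.Win32.Agent.bck 1
C:\_OTMoveIt\MovedFiles\06112008_155523\1C5.tmp Infected: not-a-virus:Downloader.Win32.Agent.q 1
C:\SDFix\backups\HOSTS Infected: Trojan.Win32.Qhost.my 1
C:\QooBox\Quarantine\C\Documents and Settings\Courtenay\g22.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\WINDOWS\system32\constructed_example.exe Infected: Trojan.Win32.Agent.bck 1
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['total']} detections by location: {result['by_location']}")
    print("threat families:", result["families"])
    for path, threat, _, _ in result["live"]:
        print("STILL LIVE:", path, threat)
```

Run against the full report from the post, the script reports zero live detections, which is the condition a helper checks before closing the cleanup.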