Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Please help remove spyware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Please help remove spyware

Unread postby cQuinc » June 9th, 2008, 11:11 pm

My computer opens unwanted browser windows and sometimes tells me I have spyware and wants me to click on links to remove it. Also last week it had bugs that would come out and eat my open windows! After a couple of scans with adaware this seems to have stopped but I still have windows that pop open and warnings that come up.

Log file is attached

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:05 PM, on 6/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Palm\Hotsync.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [runwinlogon] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [BM378aa275] Rundll32.exe "C:\WINDOWS\System32\cptmymyi.dll",s
O4 - HKLM\..\Run: [34b991e9] rundll32.exe "C:\WINDOWS\System32\cxxgilii.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [A00F7A13D.exe] C:\DOCUME~1\QC\LOCALS~1\Temp\_A00F7A13D.exe
O4 - HKCU\..\Run: [A00F1502B05.exe] C:\DOCUME~1\QC\LOCALS~1\Temp\_A00F1502B05.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O21 - SSODL: Gptog - {A471FF25-581D-0AF2-24CA-C603A247C60D} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Etowej - {A471FD36-582D-1FF2-25CA-C603A257A60A} - C:\WINDOWS\System32\jmesiuppo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TCP/IP NetBIOS Helper LmHostslanmanworkstation (LmHostslanmanworkstation) - Unknown owner - C:\WINDOWS\System32\adsmsextw.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Removable Storage NtmsSvcsrservice (NtmsSvcsrservice) - Unknown owner - C:\WINDOWS\System32\2052m.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 8052 bytes
cQuinc
Regular Member
 
Posts: 50
Joined: June 9th, 2008, 10:57 pm
Advertisement
Register to Remove

Re: Please help remove spyware

Unread postby dan12 » June 10th, 2008, 3:42 am

welcome to malwareremoval forums

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note! that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator priviledges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.


It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help remove spyware

Unread postby dan12 » June 10th, 2008, 3:44 am

I believe we have some files hiding from us, we need to flush them out.

Please go to the C:\Program Files\Trend Micro\HijackThis\HijackThis.exe. Right click on the HijackThis.exe file and select "Rename". Rename it cQuinc.exe,

Then run HijackThis again and post a new log please.

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help remove spyware

Unread postby cQuinc » June 10th, 2008, 9:15 pm

Here is the requested log with "hijack this" renamed.

The computer is pretty sick. Keeps trying to sell me a program called "antispywaremaster" I ignore that. Also running very slow.

Here is the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:57:34 PM, on 6/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\cQuinc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: {023b94f9-89a5-e3cb-98d4-10eac71f7221} - {1227f17c-ae01-4d89-bc3e-5a989f49b320} - C:\WINDOWS\System32\qveikdfh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9365A075-11C9-44F7-BEA4-3DA7588C45D2} - C:\WINDOWS\System32\jkkKcDUO.dll
O2 - BHO: (no name) - {CC7F9B71-38F2-4409-8037-2E61990F54A1} - C:\WINDOWS\System32\nnnkJCTJ.dll
O2 - BHO: (no name) - {D2499801-648F-4843-8BA7-61F890649D8D} - C:\WINDOWS\System32\ssqOFUOg.dll
O2 - BHO: (no name) - {EBA603E3-AD3F-4CDF-B12E-9D7603FAE4D2} - C:\WINDOWS\System32\byXPHaYS.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [runwinlogon] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [34b991e9] rundll32.exe "C:\WINDOWS\System32\cxxgilii.dll",b
O4 - HKLM\..\Run: [BM378aa275] Rundll32.exe "C:\WINDOWS\System32\cptmymyi.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [A00F7A13D.exe] C:\DOCUME~1\QC\LOCALS~1\Temp\_A00F7A13D.exe
O4 - HKCU\..\Run: [A00F1502B05.exe] C:\DOCUME~1\QC\LOCALS~1\Temp\_A00F1502B05.exe
O4 - HKCU\..\Run: [A00FFC1CE.exe] C:\DOCUME~1\QC\LOCALS~1\Temp\_A00FFC1CE.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O20 - Winlogon Notify: __c00CFBF7 - C:\WINDOWS\System32\__c00CFBF7.dat
O21 - SSODL: Gptog - {A471FF25-581D-0AF2-24CA-C603A247C60D} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Etowej - {A471FD36-582D-1FF2-25CA-C603A257A60A} - C:\WINDOWS\System32\jmesiuppo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TCP/IP NetBIOS Helper LmHostslanmanworkstation (LmHostslanmanworkstation) - Unknown owner - C:\WINDOWS\System32\adsmsextw.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Removable Storage NtmsSvcsrservice (NtmsSvcsrservice) - Unknown owner - C:\WINDOWS\System32\2052m.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 8828 bytes
cQuinc
Regular Member
 
Posts: 50
Joined: June 9th, 2008, 10:57 pm

Re: Please help remove spyware

Unread postby dan12 » June 11th, 2008, 4:44 am

Your system is compromised by running sp1 something we will need to address when cleaned up.

Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help remove spyware

Unread postby cQuinc » June 12th, 2008, 2:30 am

Recovery Console Installed...
Add Remove file created...
Combofix file created...
HJ report run again...

Acronis True Image
Ad-Aware
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
Apple Software Update
Brother MFL-Pro Suite
CheckIt Diagnostics
Classic Chess
Compatibility Pack for the 2007 Office system
Corel Paint Shop Pro X
Creative Software AutoUpdate
Creative System Information
FileZilla (remove only)
Google Earth
HijackThis 2.0.2
IrfanView (remove only)
Java(TM) 6 Update 3
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash MX 2004
McAfee SecurityCenter
Microsoft Office Professional Edition 2003
Mozilla Firefox (2.0.0.14)
NVIDIA Drivers
Palm
PaperPort
PokerStars
QuickTime
Sony Vegas Movie Studio 6.0
Sound Blaster Audigy
Sound Blaster Live! Value
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
XLCalendar 1.5

ComboFix 08-06-10.5 - QC 2008-06-11 23:08:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.184 [GMT -7:00]
Running from: H:\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\QC\My Documents\CROSOF~1
C:\Documents and Settings\QC\Start Menu\Programs\Internet Speed Monitor
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\pckr.dat
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dictys.gz
C:\Program Files\QdrPack\trgtys.gz
C:\WINDOWS\BM378aa275.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\file.bat
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\agdxafqt.ini
C:\WINDOWS\system32\andseslg.ini
C:\WINDOWS\system32\bhsogtec.dll
C:\WINDOWS\system32\byXPHaYS.dll
C:\WINDOWS\system32\dxjbpujj.ini
C:\WINDOWS\system32\gOUFOqss.ini
C:\WINDOWS\system32\gOUFOqss.ini2
C:\WINDOWS\system32\gqpxeyvm.ini
C:\WINDOWS\system32\hpofhyfa.dll
C:\WINDOWS\system32\hupaelyb.dll
C:\WINDOWS\system32\iiligxxc.ini
C:\WINDOWS\system32\jkkKcDUO.dll
C:\WINDOWS\system32\JTCJknnn.ini
C:\WINDOWS\system32\JTCJknnn.ini2
C:\WINDOWS\system32\jwodiouk.dll
C:\WINDOWS\system32\kjhdkhdf.ini
C:\WINDOWS\system32\ksqasldq.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mWwENqss.ini
C:\WINDOWS\system32\mWwENqss.ini2
C:\WINDOWS\system32\nnnkJCTJ.dll
C:\WINDOWS\system32\OUDcKkkj.ini
C:\WINDOWS\system32\OUDcKkkj.ini2
C:\WINDOWS\system32\qdlsaqsk.dll
C:\WINDOWS\system32\qveikdfh.dll
C:\WINDOWS\system32\ssqNEwWm.dll
C:\WINDOWS\system32\ssqOFUOg.dll
C:\WINDOWS\system32\ssqQkICV.dll
C:\WINDOWS\system32\swruvptp.ini
C:\WINDOWS\system32\SYaHPXyb.ini
C:\WINDOWS\system32\SYaHPXyb.ini2
C:\WINDOWS\system32\tmuicdxa.dll
C:\WINDOWS\system32\tuiliiau.dll
C:\WINDOWS\system32\uaiiliut.ini
C:\WINDOWS\system32\uufqngpf.dll
C:\WINDOWS\system32\VCIkQqss.ini
C:\WINDOWS\system32\wehxlkkj.dll
C:\WINDOWS\system32\xvosxhpr.dll
C:\WINDOWS\system32\yiyrlunx.ini
C:\xcrashdump.dat

----- BITS: Possible infected sites -----

hxxp://80.93.48.89
.
((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.

2008-06-11 22:42 . 2008-06-11 22:42 37,888 --a------ C:\WINDOWS\system32\loeikrlf.exe
2008-06-11 22:42 . 1980-08-16 17:00 24,576 --a------ C:\WINDOWS\system32\__c00816F9.dat
2008-06-10 17:58 . 2008-06-10 17:58 37,888 --a------ C:\WINDOWS\system32\pkpvlrxu.exe
2008-06-10 17:58 . 1980-08-16 17:00 24,576 --a------ C:\WINDOWS\system32\__c005E56A.dat
2008-06-10 17:52 . 2008-06-10 17:52 37,888 --a------ C:\WINDOWS\system32\cyfkffdq.exe
2008-06-10 17:52 . 1980-08-16 17:00 24,576 --a------ C:\WINDOWS\system32\__c0082AAF.dat
2008-06-09 17:21 . 2008-06-09 17:21 37,888 --a------ C:\WINDOWS\system32\dttqcldp.exe
2008-06-09 17:21 . 1980-08-16 17:00 24,576 --a------ C:\WINDOWS\system32\__c0095A04.dat
2008-06-09 17:19 . 2008-06-09 17:19 98,544 --a------ C:\WINDOWS\system32\ydgurexu.dll
2008-06-09 17:03 . 2008-06-09 17:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-09 11:06 . 2008-06-09 11:06 98,544 --a------ C:\WINDOWS\system32\eiguukgn.dll
2008-06-09 11:03 . 2008-06-09 11:03 37,888 --a------ C:\WINDOWS\system32\jxxeflsn.exe
2008-06-09 11:03 . 2008-06-11 22:52 24,576 --a------ C:\WINDOWS\system32\__c00CFBF7.dat
2008-06-09 11:02 . 2008-06-09 11:02 0 --a------ C:\WINDOWS\system32\yiyrlunx.tmp
2008-05-27 18:12 . 2008-05-27 18:12 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2008-05-27 12:28 . 2008-05-27 14:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-05-27 12:27 . 2008-05-27 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-26 19:56 . 2008-05-26 19:56 <DIR> d-------- C:\Documents and Settings\QC\Application Data\McAfee
2008-05-26 18:03 . 2008-05-26 18:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-26 18:00 . 2008-05-26 18:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 16:36 . 2008-05-26 16:36 <DIR> d-------- C:\Documents and Settings\Administrator.QC-DESKTOP
2008-05-25 20:51 . 2008-06-11 23:14 5,535 --a------ C:\WINDOWS\system32\Config.MPF
2008-05-25 20:02 . 2008-05-27 18:08 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-05-25 20:02 . 2008-05-27 06:07 <DIR> d-------- C:\Documents and Settings\QC\Application Data\SiteAdvisor
2008-05-25 20:01 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-25 20:01 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-05-25 20:01 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-25 20:01 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-05-25 20:01 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-25 20:01 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-05-25 20:00 . 2008-05-25 20:00 <DIR> d-------- C:\Program Files\McAfee.com
2008-05-25 20:00 . 2008-05-26 20:46 <DIR> d-------- C:\Program Files\McAfee
2008-05-25 20:00 . 2008-05-26 19:46 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-25 19:59 . 2008-05-26 19:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-25 17:24 . 2008-05-25 17:24 20,480 --ahs---- C:\WINDOWS\system32\adsntz.dll
2008-05-25 17:24 . 2008-05-25 17:24 14,848 --a-s---- C:\WINDOWS\crapwinlogoncrap.exe
2008-05-25 17:23 . 2008-05-25 17:22 41,984 -r-hs---- C:\WINDOWS\system32\2052m.exe
2008-05-25 17:21 . 2008-05-25 17:21 41,984 -r-hs---- C:\WINDOWS\system32\adsmsextw.exe
2008-05-25 17:21 . 2008-06-09 11:10 161 --a-s---- C:\WINDOWS\system32\3589786380.dat
2008-05-25 17:14 . 2008-05-25 17:13 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-25 17:13 . 2008-05-25 17:14 <DIR> d-------- C:\Documents and Settings\QC\.housecall6.6
2008-05-25 16:32 . 2008-05-25 16:32 <DIR> d-------- C:\Program Files\CheckIt
2008-05-25 16:16 . 2008-05-25 16:22 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-05-24 22:16 . 2008-05-26 16:44 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-05-24 22:16 . 2008-05-26 16:45 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-24 22:14 . 2008-05-24 22:14 14,848 --a------ C:\iic6to.exe
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 06:06 --------- d-----w C:\Documents and Settings\QC\Application Data\U3
2008-05-27 01:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QdrModule16"="C:\Program Files\QdrModule\QdrModule16.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speed racer"="C:\Program Files\Creative\PlayCenter\CTSRReg.exe" [1999-11-16 01:00 5632]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [1999-11-30 01:00 204800]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 10:51 57344]
"P17Helper"="P17.dll" [2005-05-03 04:38 64512 C:\WINDOWS\system32\P17.dll]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-22 12:22 86016]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 14:02 988701]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 14:02 118784]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 08:46 622592]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 13:18 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2006-07-24 13:28 35992]

C:\Documents and Settings\QC\Start Menu\Programs\Startup\
Palm Registration.lnk - C:\Program Files\Palm\register.exe [2007-09-02 11:09:46 2441216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Gptog"= {A471FF25-581D-0AF2-24CA-C603A247C60D} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]
"Etowej"= {A471FD36-582D-1FF2-25CA-C603A257A60A} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]
"Poqwup"= {C471AF71-547F-2DD3-35AD-F036D360A84A} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]
"Eaxnmcado"= {A825DC14-463A-0AF4-47DA-F741D827A60A} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00CFBF7]
C:\WINDOWS\System32\__c00CFBF7.dat 2008-06-11 22:52 24576 C:\WINDOWS\system32\__c00CFBF7.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 17:09]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 17:09]
R3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\System32\DRIVERS\bcm42xx5.sys [2001-08-17 05:11]
S2 LmHostslanmanworkstation;TCP/IP NetBIOS Helper LmHostslanmanworkstation;C:\WINDOWS\System32\adsmsextw.exe [2008-05-25 17:21]
S2 NtmsSvcsrservice;Removable Storage NtmsSvcsrservice;C:\WINDOWS\System32\2052m.exe [2008-05-25 17:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-26 03:01:06 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-05-26 03:01:05 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 23:14:52
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\__c00CFBF7.dat
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-06-11 23:17:00 - machine was rebooted [QC]
ComboFix-quarantined-files.txt 2008-06-12 06:16:52

Pre-Run: 152,224,747,520 bytes free
Post-Run: 152,181,329,920 bytes free

222


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:39 PM, on 6/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\CF20558.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\cQuinc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O20 - Winlogon Notify: __c00CFBF7 - C:\WINDOWS\System32\__c00CFBF7.dat
O21 - SSODL: Gptog - {A471FF25-581D-0AF2-24CA-C603A247C60D} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Etowej - {A471FD36-582D-1FF2-25CA-C603A257A60A} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Poqwup - {C471AF71-547F-2DD3-35AD-F036D360A84A} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Eaxnmcado - {A825DC14-463A-0AF4-47DA-F741D827A60A} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Bciasuco - {A406FC16-521F-8FC3-28CD-A173A147C60D} - C:\WINDOWS\System32\jmesiuppo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TCP/IP NetBIOS Helper LmHostslanmanworkstation (LmHostslanmanworkstation) - Unknown owner - C:\WINDOWS\System32\adsmsextw.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Removable Storage NtmsSvcsrservice (NtmsSvcsrservice) - Unknown owner - C:\WINDOWS\System32\2052m.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 8069 bytes
cQuinc
Regular Member
 
Posts: 50
Joined: June 9th, 2008, 10:57 pm

Re: Please help remove spyware

Unread postby dan12 » June 12th, 2008, 3:57 pm

Before you run this next script for me we have to change a couple of things, you need to read Instruction carefully!
Firstly combofix .exe has to be on the desktop to work correctly, you have it here Running from: "H:\ComboFix.exe"
Secondly your av is still active when you cariied out the scan which can present misreadings and other issues.
* Resident AV is active

ComboFix 08-06-10.5 - QC 2008-06-11 23:08:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.184 [GMT -7:00]
Running from: H:\ComboFix.exe
* Created a new restore point
* Resident AV is active

Your Instruction:
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop. An image showing this is below.

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

__________________


Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti

Please visit Jotti
Copy/paste the the following file path into the window
C:\WINDOWS\System32\jmesiuppo.dll
Click Submit/Send File
Please post back, to let me know the results.

If Jotti is too busy please try Virustotal

_____________

1. Close any open browsers.

2. Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
http://malwareremoval.com/forum/viewtopic.php?p=308803#p308803
Collect::[4]
C:\WINDOWS\system32\adsntz.dll
C:\WINDOWS\crapwinlogoncrap.exe
File::
C:\WINDOWS\system32\loeikrlf.exe
C:\WINDOWS\system32\__c00816F9.dat
C:\WINDOWS\system32\pkpvlrxu.exe
C:\WINDOWS\system32\__c005E56A.dat
C:\WINDOWS\system32\cyfkffdq.exe
C:\WINDOWS\system32\__c0082AAF.dat
C:\WINDOWS\system32\dttqcldp.exe
C:\WINDOWS\system32\__c0095A04.dat
C:\WINDOWS\system32\ydgurexu.dll
C:\WINDOWS\system32\eiguukgn.dll
C:\WINDOWS\system32\jxxeflsn.exe
C:\WINDOWS\system32\__c00CFBF7.dat
C:\WINDOWS\system32\yiyrlunx.tmp
C:\WINDOWS\system32\2052m.exe
C:\WINDOWS\system32\adsmsextw.exe
C:\WINDOWS\system32\3589786380.dat
C:\WINDOWS\system32\ctfmonb.bmp
C:\WINDOWS\system32\blackster.scr
C:\iic6to.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00CFBF7]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QdrModule16"=-


    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


When done, a log will be produced. Please post this log in your next reply.

In addition, it will prompt you to submit some files for analyzing.

Image

Click OK.

Copy and paste the file path into the text box next to the Browse button (boxed up in red).

Image

Click on Send File.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Post the combo report and the jotti's report.
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help remove spyware

Unread postby cQuinc » June 15th, 2008, 10:22 pm

I have run into a couple of minor problems that are slowing me down. I disabled the McAfee firewall but Combofix still reports AV active. I can't see how to really disable McAfee. Even can't find it in the help file, can't even find the version of McAfee. Looked under help and about but no version! Can't disable with a right click in the system tray like most programs to disable.

The other problem... Computer is running so slow it is difficult to get anything done. The scans seem to go ok but web browsers are slow. Could not submit the file for analysis yet. Will try again later. I did get combofix on the desktop now.

Quin
cQuinc
Regular Member
 
Posts: 50
Joined: June 9th, 2008, 10:57 pm

Re: Please help remove spyware

Unread postby dan12 » June 16th, 2008, 4:21 am

Do you not get an option when you right click the system tray icon? if so click exit\or disable depending on version.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help remove spyware

Unread postby cQuinc » June 19th, 2008, 12:28 am

I apparently got McAfee disabled. Here is the combofix report resulting from the script.

ComboFix 08-06-10.5 - QC 2008-06-18 21:12:57.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.214 [GMT -7:00]
Running from: C:\Documents and Settings\QC\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\QC\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\iic6to.exe
C:\WINDOWS\system32\__c005E56A.dat
C:\WINDOWS\system32\__c00816F9.dat
C:\WINDOWS\system32\__c0082AAF.dat
C:\WINDOWS\system32\__c0095A04.dat
C:\WINDOWS\system32\__c00CFBF7.dat
C:\WINDOWS\system32\2052m.exe
C:\WINDOWS\system32\3589786380.dat
C:\WINDOWS\system32\adsmsextw.exe
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\ctfmonb.bmp
C:\WINDOWS\system32\cyfkffdq.exe
C:\WINDOWS\system32\dttqcldp.exe
C:\WINDOWS\system32\eiguukgn.dll
C:\WINDOWS\system32\jxxeflsn.exe
C:\WINDOWS\system32\loeikrlf.exe
C:\WINDOWS\system32\pkpvlrxu.exe
C:\WINDOWS\system32\ydgurexu.dll
C:\WINDOWS\system32\yiyrlunx.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000018_.tmp.dll
C:\WINDOWS\system32\_000023_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
.

2008-06-13 17:30 . 2005-10-20 15:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-06-13 17:29 . 2005-07-08 09:09 238,592 --a------ C:\WINDOWS\system32\tapisrv.dll
2008-06-13 17:29 . 2005-08-31 18:49 16,384 --a------ C:\WINDOWS\system32\linkinfo.dll
2008-06-13 17:26 . 2004-12-07 12:34 79,872 --a--c--- C:\WINDOWS\system32\dllcache\srvsvc.dll
2008-06-13 17:16 . 2008-06-13 17:16 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-13 17:16 . 2008-06-18 21:12 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-13 17:16 . 2005-06-28 09:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-09 17:03 . 2008-06-09 17:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 18:12 . 2008-05-27 18:12 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2008-05-27 12:28 . 2008-05-27 14:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-05-27 12:27 . 2008-05-27 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-26 19:56 . 2008-05-26 19:56 <DIR> d-------- C:\Documents and Settings\QC\Application Data\McAfee
2008-05-26 18:03 . 2008-05-26 18:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-26 18:00 . 2008-05-26 18:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 16:36 . 2008-05-26 16:36 <DIR> d-------- C:\Documents and Settings\Administrator.QC-DESKTOP
2008-05-25 20:51 . 2008-06-18 21:18 5,823 --a------ C:\WINDOWS\system32\Config.MPF
2008-05-25 20:02 . 2008-05-27 18:08 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-05-25 20:02 . 2008-05-27 06:07 <DIR> d-------- C:\Documents and Settings\QC\Application Data\SiteAdvisor
2008-05-25 20:01 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-25 20:01 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-05-25 20:01 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-25 20:01 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-05-25 20:01 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-25 20:01 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-05-25 20:00 . 2008-05-25 20:00 <DIR> d-------- C:\Program Files\McAfee.com
2008-05-25 20:00 . 2008-05-26 20:46 <DIR> d-------- C:\Program Files\McAfee
2008-05-25 20:00 . 2008-05-26 19:46 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-25 19:59 . 2008-05-26 19:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-25 17:14 . 2008-05-25 17:13 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-25 17:13 . 2008-05-25 17:14 <DIR> d-------- C:\Documents and Settings\QC\.housecall6.6
2008-05-25 16:32 . 2008-05-25 16:32 <DIR> d-------- C:\Program Files\CheckIt
2008-05-25 16:16 . 2008-05-25 16:22 <DIR> d---s---- C:\Documents and Settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 06:06 --------- d-----w C:\Documents and Settings\QC\Application Data\U3
2008-05-27 01:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
.

((((((((((((((((((((((((((((( snapshot_2008-06-15_17.39.38.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-11-17 17:41:24 347,136 ----a-w C:\WINDOWS\$hf_mig$\KB873339\SP2GDR\hypertrm.dll
+ 2004-11-17 17:31:32 347,136 ----a-w C:\WINDOWS\$hf_mig$\KB873339\SP2QFE\hypertrm.dll
+ 2004-10-14 17:34:52 7,168 ----a-w C:\WINDOWS\$hf_mig$\KB873339\spmsg.dll
+ 2004-10-14 17:36:18 169,984 ----a-w C:\WINDOWS\$hf_mig$\KB873339\spuninst.exe
+ 2004-10-14 17:36:16 21,504 ----a-w C:\WINDOWS\$hf_mig$\KB873339\update\spcustom.dll
+ 2004-10-14 17:34:54 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB873339\update\update.exe
+ 2005-04-22 05:06:42 57,344 ----a-w C:\WINDOWS\$hf_mig$\KB890046\SP2GDR\agentdpv.dll
+ 2005-05-17 00:25:35 15,360 ----a-w C:\WINDOWS\$hf_mig$\KB890046\SP2GDR\xpsp3res.dll
+ 2005-04-22 05:18:52 57,344 ----a-w C:\WINDOWS\$hf_mig$\KB890046\SP2QFE\agentdpv.dll
+ 2005-05-17 00:26:30 17,920 ----a-w C:\WINDOWS\$hf_mig$\KB890046\SP2QFE\xpsp3res.dll
+ 2005-02-25 03:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB890046\spmsg.dll
+ 2005-02-25 03:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB890046\spuninst.exe
+ 2005-02-25 03:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB890046\update\spcustom.dll
+ 2005-02-25 03:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB890046\update\update.exe
+ 2005-02-25 03:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB890046\update\updspapi.dll
+ 2004-11-30 21:46:38 7,168 ----a-w C:\WINDOWS\$hf_mig$\KB891781\spmsg.dll
+ 2004-12-01 03:22:42 169,984 ----a-w C:\WINDOWS\$hf_mig$\KB891781\spuninst.exe
+ 2004-12-01 03:22:40 21,504 ----a-w C:\WINDOWS\$hf_mig$\KB891781\update\spcustom.dll
+ 2004-11-30 21:46:40 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB891781\update\update.exe
+ 2005-05-26 23:22:01 10,752 ----a-w C:\WINDOWS\$hf_mig$\KB896358\SP2GDR\hh.exe
+ 2005-05-27 02:04:27 41,472 ----a-w C:\WINDOWS\$hf_mig$\KB896358\SP2GDR\hhsetup.dll
+ 2005-05-27 02:04:27 155,136 ----a-w C:\WINDOWS\$hf_mig$\KB896358\SP2GDR\itircl.dll
+ 2005-05-27 02:04:27 137,216 ----a-w C:\WINDOWS\$hf_mig$\KB896358\SP2GDR\itss.dll
+ 2005-05-26 23:26:50 10,752 ----a-w C:\WINDOWS\$hf_mig$\KB896358\SP2QFE\hh.exe
+ 2005-05-27 02:08:59 41,472 ----a-w C:\WINDOWS\$hf_mig$\KB896358\SP2QFE\hhsetup.dll
+ 2005-05-27 02:08:59 155,136 ----a-w C:\WINDOWS\$hf_mig$\KB896358\SP2QFE\itircl.dll
+ 2005-05-27 02:08:59 137,216 ----a-w C:\WINDOWS\$hf_mig$\KB896358\SP2QFE\itss.dll
+ 2005-02-25 03:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB896358\spmsg.dll
+ 2005-02-25 03:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB896358\spuninst.exe
+ 2005-02-25 03:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB896358\update\spcustom.dll
+ 2005-02-25 03:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896358\update\update.exe
+ 2005-02-25 03:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB896358\update\updspapi.dll
+ 2005-06-10 23:53:32 57,856 ----a-w C:\WINDOWS\$hf_mig$\KB896423\SP2GDR\spoolsv.exe
+ 2005-06-11 00:17:13 57,856 ----a-w C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
+ 2005-02-25 03:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB896423\spmsg.dll
+ 2005-02-25 03:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB896423\spuninst.exe
+ 2005-06-29 23:54:32 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\arpidfix.exe
+ 2005-02-25 03:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\spcustom.dll
+ 2005-02-25 03:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\update.exe
+ 2005-02-25 03:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\updspapi.dll
+ 2005-10-06 03:09:36 280,064 ----a-w C:\WINDOWS\$hf_mig$\KB896424\SP2GDR\gdi32.dll
+ 2005-10-06 00:05:59 1,839,488 ----a-w C:\WINDOWS\$hf_mig$\KB896424\SP2GDR\win32k.sys
+ 2005-10-06 03:18:28 280,064 ----a-w C:\WINDOWS\$hf_mig$\KB896424\SP2QFE\gdi32.dll
+ 2005-10-06 00:10:04 1,839,360 ----a-w C:\WINDOWS\$hf_mig$\KB896424\SP2QFE\win32k.sys
+ 2005-02-25 03:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB896424\spmsg.dll
+ 2005-02-25 03:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB896424\spuninst.exe
+ 2005-10-05 23:39:46 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB896424\update\arpidfix.exe
+ 2005-02-25 03:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB896424\update\spcustom.dll
+ 2005-02-25 03:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896424\update\update.exe
+ 2005-02-25 03:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB896424\update\updspapi.dll
+ 2005-06-10 04:09:46 139,528 ----a-w C:\WINDOWS\$hf_mig$\KB899591\SP2GDR\rdpwd.sys
+ 2005-06-10 04:06:01 139,528 ----a-w C:\WINDOWS\$hf_mig$\KB899591\SP2QFE\rdpwd.sys
+ 2005-02-25 03:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB899591\spmsg.dll
+ 2005-02-25 03:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB899591\spuninst.exe
+ 2005-06-29 23:54:32 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB899591\update\arpidfix.exe
+ 2005-02-25 03:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB899591\update\spcustom.dll
+ 2005-02-25 03:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB899591\update\update.exe
+ 2005-02-25 03:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB899591\update\updspapi.dll
+ 2005-09-10 01:53:41 2,067,968 ----a-w C:\WINDOWS\$hf_mig$\KB901017\SP2GDR\cdosys.dll
+ 2005-09-10 01:48:47 2,068,480 ----a-w C:\WINDOWS\$hf_mig$\KB901017\SP2QFE\cdosys.dll
+ 2005-02-25 03:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB901017\spmsg.dll
+ 2005-02-25 03:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB901017\spuninst.exe
+ 2005-09-09 23:26:26 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB901017\update\arpidfix.exe
+ 2005-02-25 03:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB901017\update\spcustom.dll
+ 2005-02-25 03:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB901017\update\update.exe
+ 2005-02-25 03:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB901017\update\updspapi.dll
+ 2005-06-29 01:46:00 254,976 ----a-w C:\WINDOWS\$hf_mig$\KB901214\SP2GDR\icm32.dll
+ 2005-06-29 01:46:00 74,240 ----a-w C:\WINDOWS\$hf_mig$\KB901214\SP2GDR\mscms.dll
+ 2005-06-29 01:49:55 254,976 ----a-w C:\WINDOWS\$hf_mig$\KB901214\SP2QFE\icm32.dll
+ 2005-06-29 01:49:55 73,728 ----a-w C:\WINDOWS\$hf_mig$\KB901214\SP2QFE\mscms.dll
+ 2005-02-25 03:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB901214\spmsg.dll
+ 2005-02-25 03:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB901214\spuninst.exe
+ 2005-02-25 03:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB901214\update\spcustom.dll
+ 2005-02-25 03:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB901214\update\update.exe
+ 2005-02-25 03:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB901214\update\updspapi.dll
+ 2005-07-26 04:39:42 225,792 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\catsrv.dll
+ 2005-07-26 04:39:43 625,152 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\catsrvut.dll
+ 2005-07-26 04:39:43 110,080 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\clbcatex.dll
+ 2005-07-26 04:39:43 498,688 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\clbcatq.dll
+ 2005-07-26 04:39:43 60,416 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\colbact.dll
+ 2005-07-26 04:39:44 195,072 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\comadmin.dll
+ 2005-07-26 04:39:44 97,792 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\comrepl.dll
+ 2005-07-26 04:39:44 1,267,200 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\comsvcs.dll
+ 2005-07-26 04:39:45 540,160 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\comuid.dll
+ 2005-07-26 04:39:45 243,200 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\es.dll
+ 2005-07-25 23:46:57 7,680 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\migregdb.exe
+ 2005-07-26 04:39:46 425,472 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\msdtcprx.dll
+ 2005-07-26 04:39:47 945,152 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\msdtctm.dll
+ 2005-07-26 04:39:47 161,280 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\msdtcuiu.dll
+ 2005-07-26 04:39:47 66,560 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\mtxclu.dll
+ 2005-07-26 04:39:47 91,136 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\mtxoci.dll
+ 2005-07-26 04:39:48 1,285,120 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\ole32.dll
+ 2005-07-26 04:39:48 74,752 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\olecli32.dll
+ 2005-07-26 04:39:49 37,888 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\olecnv32.dll
+ 2005-07-26 04:39:49 397,824 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\rpcss.dll
+ 2005-07-26 04:39:49 101,376 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\txflog.dll
+ 2005-07-26 04:39:49 11,776 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\xolehlp.dll
+ 2005-07-26 04:20:23 225,792 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\catsrv.dll
+ 2005-07-26 04:20:23 625,152 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\catsrvut.dll
+ 2005-07-26 04:20:23 110,080 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
+ 2005-07-26 04:20:24 498,688 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
+ 2005-07-26 04:20:24 60,416 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\colbact.dll
+ 2005-07-26 04:20:24 195,072 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comadmin.dll
+ 2005-07-26 04:20:25 97,792 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comrepl.dll
+ 2005-07-26 04:20:27 1,267,200 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comsvcs.dll
+ 2005-07-26 04:20:28 540,160 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comuid.dll
+ 2005-07-26 04:20:28 243,200 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\es.dll
+ 2005-07-25 23:42:35 8,704 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\migregdb.exe
+ 2005-07-26 04:20:29 425,472 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\msdtcprx.dll
+ 2005-07-26 04:20:31 945,152 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\msdtctm.dll
+ 2005-07-26 04:20:31 161,280 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\msdtcuiu.dll
+ 2005-07-26 04:20:39 66,560 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\mtxclu.dll
+ 2005-07-26 04:20:40 91,136 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\mtxoci.dll
+ 2005-07-26 04:20:40 1,285,632 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\ole32.dll
+ 2005-07-26 04:20:40 74,752 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\olecli32.dll
+ 2005-07-26 04:20:40 37,376 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\olecnv32.dll
+ 2005-07-26 04:20:40 398,336 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\rpcss.dll
+ 2005-07-26 04:20:40 101,376 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\txflog.dll
+ 2005-07-26 04:20:40 11,776 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\xolehlp.dll
+ 2005-02-25 03:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB902400\spmsg.dll
+ 2005-02-25 03:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB902400\spuninst.exe
+ 2005-07-26 02:21:18 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB902400\update\arpidfix.exe
+ 2005-02-25 03:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB902400\update\spcustom.dll
+ 2005-02-25 03:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB902400\update\update.exe
+ 2005-02-25 03:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB902400\update\updspapi.dll
+ 2005-08-22 18:29:46 197,632 ----a-w C:\WINDOWS\$hf_mig$\KB905414\SP2GDR\netman.dll
+ 2005-08-22 18:24:55 197,632 ----a-w C:\WINDOWS\$hf_mig$\KB905414\SP2QFE\netman.dll
+ 2005-02-25 03:35:05 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB905414\spmsg.dll
+ 2005-02-25 03:35:05 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB905414\spuninst.exe
+ 2005-08-19 23:50:31 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB905414\update\arpidfix.exe
+ 2005-02-25 03:35:05 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB905414\update\spcustom.dll
+ 2005-02-25 03:35:05 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB905414\update\update.exe
+ 2005-02-25 03:35:06 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB905414\update\updspapi.dll
+ 2006-06-22 10:47:18 181,248 ----a-w C:\WINDOWS\$hf_mig$\KB911280\SP2GDR\rasmans.dll
+ 2006-06-22 10:36:52 180,736 ----a-w C:\WINDOWS\$hf_mig$\KB911280\SP2QFE\rasmans.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB911280\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB911280\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB911280\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB911280\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB911280\update\updspapi.dll
+ 2006-03-23 05:44:21 143,360 ----a-w C:\WINDOWS\$hf_mig$\KB911562\SP2GDR\msadco.dll
+ 2006-03-23 05:53:08 143,360 ----a-w C:\WINDOWS\$hf_mig$\KB911562\SP2QFE\msadco.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB911562\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB911562\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB911562\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB911562\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB911562\update\updspapi.dll
+ 2005-12-29 02:54:35 280,064 ----a-w C:\WINDOWS\$hf_mig$\KB912919\SP2GDR\gdi32.dll
+ 2005-12-29 03:04:05 280,064 ----a-w C:\WINDOWS\$hf_mig$\KB912919\SP2QFE\gdi32.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB912919\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB912919\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB912919\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB912919\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB912919\update\updspapi.dll
+ 2006-05-18 05:24:25 450,560 ----a-w C:\WINDOWS\$hf_mig$\KB917344\SP2GDR\jscript.dll
+ 2006-05-18 05:37:43 450,560 ----a-w C:\WINDOWS\$hf_mig$\KB917344\SP2QFE\jscript.dll
+ 2005-10-12 23:16:49 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB917344\spmsg.dll
+ 2005-10-12 23:16:49 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB917344\spuninst.exe
+ 2005-10-12 23:16:49 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB917344\update\spcustom.dll
+ 2005-10-12 23:16:51 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB917344\update\update.exe
+ 2005-10-12 23:16:56 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB917344\update\updspapi.dll
+ 2006-07-05 10:55:01 984,064 ----a-w C:\WINDOWS\$hf_mig$\KB917422\SP2GDR\kernel32.dll
+ 2006-07-05 10:57:10 985,088 ----a-w C:\WINDOWS\$hf_mig$\KB917422\SP2QFE\kernel32.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB917422\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB917422\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB917422\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB917422\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB917422\update\updspapi.dll
+ 2006-07-13 08:48:58 202,240 ----a-w C:\WINDOWS\$hf_mig$\KB919007\SP2GDR\rmcast.sys
+ 2006-07-13 11:43:08 202,496 ----a-w C:\WINDOWS\$hf_mig$\KB919007\SP2QFE\rmcast.sys
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB919007\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB919007\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB919007\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB919007\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB919007\update\updspapi.dll
+ 2006-07-21 08:24:43 72,704 ----a-w C:\WINDOWS\$hf_mig$\KB920670\SP2GDR\hlink.dll
+ 2006-07-21 08:26:49 72,704 ----a-w C:\WINDOWS\$hf_mig$\KB920670\SP2QFE\hlink.dll
+ 2005-10-12 23:16:49 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB920670\spmsg.dll
+ 2005-10-12 23:16:49 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB920670\spuninst.exe
+ 2005-10-12 23:16:49 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB920670\update\spcustom.dll
+ 2005-10-12 23:16:51 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920670\update\update.exe
+ 2005-10-12 23:16:56 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB920670\update\updspapi.dll
+ 2006-07-13 13:33:27 8,453,632 ----a-w C:\WINDOWS\$hf_mig$\KB921398\SP2GDR\shell32.dll
+ 2006-07-13 14:03:23 8,457,728 ----a-w C:\WINDOWS\$hf_mig$\KB921398\SP2QFE\shell32.dll
+ 2006-07-13 11:22:27 150,016 ----a-w C:\WINDOWS\$hf_mig$\KB921398\SP2QFE\xpsp3res.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB921398\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB921398\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB921398\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB921398\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB921398\update\updspapi.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB922616\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB922616\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB922616\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB922616\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB922616\update\updspapi.dll
+ 2006-08-25 15:45:58 617,472 ----a-w C:\WINDOWS\$hf_mig$\KB923191\SP2QFE\comctl32.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB923191\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB923191\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB923191\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB923191\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB923191\update\updspapi.dll
+ 2006-09-04 06:08:01 1,494,016 ----a-w C:\WINDOWS\$hf_mig$\KB924496\SP2GDR\shdocvw.dll
+ 2006-09-04 06:12:56 1,497,088 ----a-w C:\WINDOWS\$hf_mig$\KB924496\SP2QFE\shdocvw.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB924496\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB924496\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB924496\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB924496\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB924496\update\updspapi.dll
+ 2005-10-12 23:12:25 22,752 -c----w C:\WINDOWS\$NtUninstallKB908531$\spcustom.dll
+ 2005-10-12 23:12:25 14,048 -c----w C:\WINDOWS\$NtUninstallKB908531$\spmsg.dll
+ 2005-10-12 23:12:26 213,216 -c----w C:\WINDOWS\$NtUninstallKB908531$\spuninst.exe
+ 2005-10-12 23:12:29 716,000 -c----w C:\WINDOWS\$NtUninstallKB908531$\update.exe
+ 2005-10-12 23:12:34 371,424 -c----w C:\WINDOWS\$NtUninstallKB908531$\updspapi.dll
- 2008-06-16 00:35:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-19 04:17:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2006-05-19 08:44:15 11,776 ------w C:\WINDOWS\Driver Cache\i386\tunmp.sys
- 2003-03-31 12:00:00 10,752 ----a-w C:\WINDOWS\hh.exe
+ 2005-05-25 22:44:31 10,752 ----a-w C:\WINDOWS\hh.exe
- 2003-03-31 12:00:00 50,688 ----a-w C:\WINDOWS\msagent\agentdpv.dll
+ 2005-04-22 05:20:24 51,712 ----a-w C:\WINDOWS\msagent\agentdpv.dll
+ 2008-06-19 04:16:21 2,296 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{2B52C8AF-903A-4A9B-9331-1311F993393B}.bin
- 2003-03-31 12:00:00 59,392 ----a-w C:\WINDOWS\system32\6to4svc.dll
+ 2006-05-19 12:15:32 95,232 ----a-w C:\WINDOWS\system32\6to4svc.dll
- 2003-03-31 12:00:00 1,021,952 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2006-09-04 06:23:53 1,027,072 ----a-w C:\WINDOWS\system32\BROWSEUI.DLL
- 2003-03-31 12:00:00 215,040 ----a-w C:\WINDOWS\system32\catsrv.dll
+ 2005-07-26 04:30:34 220,672 ----a-w C:\WINDOWS\system32\catsrv.dll
- 2003-03-31 12:00:00 582,656 ----a-w C:\WINDOWS\system32\catsrvut.dll
+ 2005-07-26 04:30:38 581,632 ----a-w C:\WINDOWS\system32\catsrvut.dll
- 2003-03-31 12:00:00 142,336 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2004-12-08 01:43:02 143,360 ----a-w C:\WINDOWS\system32\CDFVIEW.DLL
- 2003-03-31 12:00:00 2,028,032 ----a-w C:\WINDOWS\system32\cdosys.dll
+ 2005-09-10 02:04:32 2,025,984 ----a-w C:\WINDOWS\system32\cdosys.dll
- 2003-03-31 12:00:00 64,512 ----a-w C:\WINDOWS\system32\ciodm.dll
+ 2006-06-22 05:19:48 64,512 ----a-w C:\WINDOWS\system32\ciodm.dll
- 2003-03-31 12:00:00 100,864 ----a-w C:\WINDOWS\system32\clbcatex.dll
+ 2005-07-26 04:30:38 110,080 ----a-w C:\WINDOWS\system32\clbcatex.dll
- 2003-03-31 12:00:00 468,480 ----a-w C:\WINDOWS\system32\clbcatq.dll
+ 2005-07-26 04:30:41 497,152 ----a-w C:\WINDOWS\system32\clbcatq.dll
- 2003-03-31 12:00:00 56,832 ----a-w C:\WINDOWS\system32\colbact.dll
+ 2005-07-26 04:30:41 62,464 ----a-w C:\WINDOWS\system32\colbact.dll
- 2003-03-31 12:00:00 186,880 ----a-w C:\WINDOWS\system32\Com\comadmin.dll
+ 2005-07-26 04:30:42 187,392 ----a-w C:\WINDOWS\system32\Com\comadmin.dll
- 2003-03-31 12:00:00 557,056 ----a-w C:\WINDOWS\system32\comctl32.dll
+ 2006-08-25 15:53:55 561,664 ----a-w C:\WINDOWS\system32\comctl32.dll
- 2003-03-31 12:00:00 82,432 ----a-w C:\WINDOWS\system32\comrepl.dll
+ 2005-07-26 04:30:42 89,600 ----a-w C:\WINDOWS\system32\comrepl.dll
- 2003-03-31 12:00:00 1,172,992 ----a-w C:\WINDOWS\system32\comsvcs.dll
+ 2005-07-26 04:30:49 1,179,136 ----a-w C:\WINDOWS\system32\comsvcs.dll
- 2003-03-31 12:00:00 495,616 ----a-w C:\WINDOWS\system32\comuid.dll
+ 2005-07-26 04:31:11 499,200 ----a-w C:\WINDOWS\system32\comuid.dll
- 2008-06-16 00:06:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-19 04:01:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-16 00:06:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-19 04:01:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-19 04:01:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2003-03-31 12:00:00 986,112 ----a-w C:\WINDOWS\system32\danim.dll
+ 2005-10-21 03:08:44 986,112 ----a-w C:\WINDOWS\system32\DANIM.DLL
- 2003-03-31 12:00:00 99,840 ----a-w C:\WINDOWS\system32\dhcpcsvc.dll
+ 2006-05-19 12:15:32 103,936 ----a-w C:\WINDOWS\system32\dhcpcsvc.dll
- 2003-03-31 12:00:00 59,392 -c--a-w C:\WINDOWS\system32\dllcache\6to4svc.dll
+ 2006-05-19 12:15:32 95,232 -c--a-w C:\WINDOWS\system32\dllcache\6to4svc.dll
- 2003-03-31 12:00:00 50,688 -c--a-w C:\WINDOWS\system32\dllcache\agentdpv.dll
+ 2005-04-22 05:20:24 51,712 -c--a-w C:\WINDOWS\system32\dllcache\agentdpv.dll
- 2003-03-31 12:00:00 1,021,952 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2006-09-04 06:23:53 1,027,072 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2003-03-31 12:00:00 215,040 -c--a-w C:\WINDOWS\system32\dllcache\catsrv.dll
+ 2005-07-26 04:30:34 220,672 -c--a-w C:\WINDOWS\system32\dllcache\catsrv.dll
- 2003-03-31 12:00:00 582,656 -c--a-w C:\WINDOWS\system32\dllcache\catsrvut.dll
+ 2005-07-26 04:30:38 581,632 -c--a-w C:\WINDOWS\system32\dllcache\catsrvut.dll
- 2003-03-31 12:00:00 142,336 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2004-12-08 01:43:02 143,360 -c--a-w C:\WINDOWS\system32\dllcache\CDFVIEW.DLL
- 2003-03-31 12:00:00 2,028,032 -c--a-w C:\WINDOWS\system32\dllcache\cdosys.dll
+ 2005-09-10 02:04:32 2,025,984 -c--a-w C:\WINDOWS\system32\dllcache\cdosys.dll
- 2003-03-31 12:00:00 64,512 -c--a-w C:\WINDOWS\system32\dllcache\ciodm.dll
+ 2006-06-22 05:19:48 64,512 -c--a-w C:\WINDOWS\system32\dllcache\ciodm.dll
- 2003-03-31 12:00:00 100,864 -c--a-w C:\WINDOWS\system32\dllcache\clbcatex.dll
+ 2005-07-26 04:30:38 110,080 -c--a-w C:\WINDOWS\system32\dllcache\clbcatex.dll
- 2003-03-31 12:00:00 468,480 -c--a-w C:\WINDOWS\system32\dllcache\clbcatq.dll
+ 2005-07-26 04:30:41 497,152 -c--a-w C:\WINDOWS\system32\dllcache\clbcatq.dll
- 2003-03-31 12:00:00 56,832 -c--a-w C:\WINDOWS\system32\dllcache\colbact.dll
+ 2005-07-26 04:30:41 62,464 -c--a-w C:\WINDOWS\system32\dllcache\colbact.dll
- 2003-03-31 12:00:00 186,880 -c--a-w C:\WINDOWS\system32\dllcache\comadmin.dll
+ 2005-07-26 04:30:42 187,392 -c--a-w C:\WINDOWS\system32\dllcache\comadmin.dll
- 2003-03-31 12:00:00 557,056 -c--a-w C:\WINDOWS\system32\dllcache\comctl32.dll
+ 2006-08-25 15:53:55 561,664 -c--a-w C:\WINDOWS\system32\dllcache\comctl32.dll
- 2003-03-31 12:00:00 82,432 -c--a-w C:\WINDOWS\system32\dllcache\comrepl.dll
+ 2005-07-26 04:30:42 89,600 -c--a-w C:\WINDOWS\system32\dllcache\comrepl.dll
- 2003-03-31 12:00:00 1,172,992 -c--a-w C:\WINDOWS\system32\dllcache\comsvcs.dll
+ 2005-07-26 04:30:49 1,179,136 -c--a-w C:\WINDOWS\system32\dllcache\comsvcs.dll
- 2003-03-31 12:00:00 495,616 -c--a-w C:\WINDOWS\system32\dllcache\comuid.dll
+ 2005-07-26 04:31:11 499,200 -c--a-w C:\WINDOWS\system32\dllcache\comuid.dll
- 2003-03-31 12:00:00 986,112 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2005-10-21 03:08:44 986,112 -c--a-w C:\WINDOWS\system32\dllcache\DANIM.DLL
- 2003-03-31 12:00:00 99,840 -c--a-w C:\WINDOWS\system32\dllcache\dhcpcsvc.dll
+ 2006-05-19 12:15:32 103,936 -c--a-w C:\WINDOWS\system32\dllcache\dhcpcsvc.dll
- 2003-03-31 12:00:00 76,288 -c--a-w C:\WINDOWS\system32\dllcache\directdb.dll
+ 2006-02-27 20:31:38 75,776 -c--a-w C:\WINDOWS\system32\dllcache\DIRECTDB.DLL
- 2003-03-31 12:00:00 337,920 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2006-06-09 21:35:50 351,744 -c--a-w C:\WINDOWS\system32\dllcache\DXTMSFT.DLL
- 2003-03-31 12:00:00 194,560 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2006-06-09 21:35:30 192,512 -c--a-w C:\WINDOWS\system32\dllcache\DXTRANS.DLL
- 2003-03-31 12:00:00 225,280 -c--a-w C:\WINDOWS\system32\dllcache\es.dll
+ 2005-07-26 04:31:12 227,328 -c--a-w C:\WINDOWS\system32\dllcache\es.dll
- 2003-03-31 12:00:00 1,018,368 -c--a-w C:\WINDOWS\system32\dllcache\esent.dll
+ 2005-10-20 22:33:08 991,232 -c--a-w C:\WINDOWS\system32\dllcache\esent.dll
- 2003-03-31 12:00:00 82,432 -c----w C:\WINDOWS\system32\dllcache\fldrclnr.dll
+ 2004-08-20 22:01:15 82,432 -c--a-w C:\WINDOWS\system32\dllcache\fldrclnr.dll
- 2003-03-31 12:00:00 250,368 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2006-01-02 22:38:03 260,608 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
- 2003-03-31 12:00:00 10,752 -c--a-w C:\WINDOWS\system32\dllcache\hh.exe
+ 2005-05-25 22:44:31 10,752 -c--a-w C:\WINDOWS\system32\dllcache\hh.exe
- 2003-03-31 12:00:00 37,888 -c--a-w C:\WINDOWS\system32\dllcache\hhsetup.dll
+ 2005-05-27 01:59:52 38,912 -c--a-w C:\WINDOWS\system32\dllcache\hhsetup.dll
- 2003-03-31 12:00:00 77,850 -c--a-w C:\WINDOWS\system32\dllcache\hlink.dll
+ 2006-07-21 08:30:50 72,704 -c--a-w C:\WINDOWS\system32\dllcache\hlink.dll
- 2003-03-31 12:00:00 236,032 -c--a-w C:\WINDOWS\system32\dllcache\icm32.dll
+ 2005-06-29 01:54:58 237,056 -c--a-w C:\WINDOWS\system32\dllcache\icm32.dll
- 2003-03-31 12:00:00 231,424 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2006-02-24 22:24:42 236,032 -c--a-w C:\WINDOWS\system32\dllcache\IEPEERS.DLL
- 2003-03-31 12:00:00 587,776 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
+ 2006-02-27 20:31:54 596,480 -c--a-w C:\WINDOWS\system32\dllcache\INETCOMM.DLL
- 2003-03-31 12:00:00 31,232 -c--a-w C:\WINDOWS\system32\dllcache\inetmib1.dll
+ 2006-05-19 12:15:33 31,232 -c--a-w C:\WINDOWS\system32\dllcache\inetmib1.dll
- 2003-03-31 12:00:00 47,616 -c--a-w C:\WINDOWS\system32\dllcache\inetres.dll
+ 2006-02-27 20:31:50 47,616 -c--a-w C:\WINDOWS\system32\dllcache\INETRES.DLL
- 2003-03-31 12:00:00 69,632 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2004-08-26 17:53:48 69,632 -c--a-w C:\WINDOWS\system32\dllcache\INSENG.DLL
- 2003-03-31 12:00:00 82,944 -c--a-w C:\WINDOWS\system32\dllcache\iphlpapi.dll
+ 2006-05-19 12:15:33 83,456 -c--a-w C:\WINDOWS\system32\dllcache\iphlpapi.dll
- 2003-03-31 12:00:00 57,984 -c--a-w C:\WINDOWS\system32\dllcache\ipsec.sys
+ 2006-05-13 10:13:31 74,368 -c--a-w C:\WINDOWS\system32\dllcache\ipsec.sys
- 2003-03-31 12:00:00 332,800 -c--a-w C:\WINDOWS\system32\dllcache\ipsecsnp.dll
+ 2006-05-14 09:13:41 334,848 -c--a-w C:\WINDOWS\system32\dllcache\ipsecsnp.dll
- 2003-03-31 12:00:00 155,648 -c--a-w C:\WINDOWS\system32\dllcache\ipsecsvc.dll
+ 2006-05-14 09:13:41 159,744 -c--a-w C:\WINDOWS\system32\dllcache\ipsecsvc.dll
- 2003-03-31 12:00:00 364,032 -c--a-w C:\WINDOWS\system32\dllcache\ipsmsnap.dll
+ 2006-05-14 09:13:41 364,544 -c--a-w C:\WINDOWS\system32\dllcache\ipsmsnap.dll
- 2003-03-31 12:00:00 60,928 -c--a-w C:\WINDOWS\system32\dllcache\ipv6.exe
+ 2006-05-19 08:46:02 48,640 -c--a-w C:\WINDOWS\system32\dllcache\ipv6.exe
- 2003-03-31 12:00:00 134,144 -c--a-w C:\WINDOWS\system32\dllcache\ipv6mon.dll
+ 2006-05-19 12:15:33 54,272 -c--a-w C:\WINDOWS\system32\dllcache\ipv6mon.dll
- 2003-03-31 12:00:00 143,872 -c--a-w C:\WINDOWS\system32\dllcache\itircl.dll
+ 2005-05-27 01:59:52 143,872 -c--a-w C:\WINDOWS\system32\dllcache\itircl.dll
- 2003-03-31 12:00:00 122,368 -c--a-w C:\WINDOWS\system32\dllcache\itss.dll
+ 2005-05-27 01:59:52 128,000 -c--a-w C:\WINDOWS\system32\dllcache\itss.dll
- 2003-03-31 12:00:00 144,896 -c--a-w C:\WINDOWS\system32\dllcache\jgdw400.dll
+ 2006-05-27 05:19:50 163,840 -c--a-w C:\WINDOWS\system32\dllcache\JGDW400.DLL
- 2003-03-31 12:00:00 42,496 -c--a-w C:\WINDOWS\system32\dllcache\jgpl400.dll
+ 2006-04-06 23:15:48 27,648 -c--a-w C:\WINDOWS\system32\dllcache\JGPL400.DLL
- 2003-03-31 12:00:00 593,948 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2006-05-18 05:58:56 458,752 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2003-03-31 12:00:00 12,288 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2006-04-28 17:58:48 12,288 -c--a-w C:\WINDOWS\system32\dllcache\JSPROXY.DLL
- 2003-03-31 12:00:00 930,304 -c--a-w C:\WINDOWS\system32\dllcache\kernel32.dll
+ 2006-07-05 10:46:36 928,768 -c--a-w C:\WINDOWS\system32\dllcache\kernel32.dll
- 2003-03-31 12:00:00 15,360 -c--a-w C:\WINDOWS\system32\dllcache\linkinfo.dll
+ 2005-09-01 01:49:29 16,384 -c--a-w C:\WINDOWS\system32\dllcache\linkinfo.dll
- 2003-03-31 12:00:00 35,328 -c--a-w C:\WINDOWS\system32\dllcache\mf3216.dll
+ 2004-03-30 01:48:36 36,864 -c--a-w C:\WINDOWS\system32\dllcache\mf3216.dll
- 2003-03-31 12:00:00 6,656 -c--a-w C:\WINDOWS\system32\dllcache\migregdb.exe
+ 2005-07-22 23:03:37 7,680 -c--a-w C:\WINDOWS\system32\dllcache\migregdb.exe
- 2003-03-31 12:00:00 131,072 -c--a-w C:\WINDOWS\system32\dllcache\msadco.dll
+ 2006-03-23 06:05:25 135,168 -c--a-w C:\WINDOWS\system32\dllcache\msadco.dll
- 2003-03-31 12:00:00 68,096 -c--a-w C:\WINDOWS\system32\dllcache\mscms.dll
+ 2005-06-29 01:54:58 68,608 -c--a-w C:\WINDOWS\system32\dllcache\mscms.dll
- 2003-03-31 12:00:00 2,833,920 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2006-06-30 17:28:26 2,703,872 -c--a-w C:\WINDOWS\system32\dllcache\MSHTML.DLL
- 2003-03-31 12:00:00 44,032 -c--a-w C:\WINDOWS\system32\dllcache\msident.dll
+ 2006-02-27 20:29:32 44,032 -c--a-w C:\WINDOWS\system32\dllcache\MSIDENT.DLL
- 2003-03-31 12:00:00 229,888 -c--a-w C:\WINDOWS\system32\dllcache\msieftp.dll
+ 2005-08-05 17:23:27 230,400 -c--a-w C:\WINDOWS\system32\dllcache\msieftp.dll
- 2003-03-31 12:00:00 57,344 -c--a-w C:\WINDOWS\system32\dllcache\msimn.exe
+ 2006-02-27 20:32:04 56,832 -c--a-w C:\WINDOWS\system32\dllcache\MSIMN.EXE
- 2003-03-31 12:00:00 1,174,016 -c--a-w C:\WINDOWS\system32\dllcache\msoe.dll
+ 2006-02-27 20:32:00 1,176,064 -c--a-w C:\WINDOWS\system32\dllcache\MSOE.DLL
- 2003-03-31 12:00:00 228,864 -c--a-w C:\WINDOWS\system32\dllcache\msoeacct.dll
+ 2006-02-27 20:31:40 229,376 -c--a-w C:\WINDOWS\system32\dllcache\MSOEACCT.DLL
- 2003-03-31 12:00:00 2,479,104 -c--a-w C:\WINDOWS\system32\dllcache\msoeres.dll
+ 2006-02-27 20:32:08 2,479,616 -c--a-w C:\WINDOWS\system32\dllcache\MSOERES.DLL
- 2003-03-31 12:00:00 81,408 -c--a-w C:\WINDOWS\system32\dllcache\msoert2.dll
+ 2006-02-27 20:31:36 91,136 -c--a-w C:\WINDOWS\system32\dllcache\MSOERT2.DLL
- 2003-03-31 12:00:00 132,096 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2005-02-24 19:54:42 132,096 -c--a-w C:\WINDOWS\system32\dllcache\MSRATING.DLL
- 2003-03-31 12:00:00 496,128 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2006-03-03 23:13:30 498,176 -c--a-w C:\WINDOWS\system32\dllcache\MSTIME.DLL
- 2003-03-31 12:00:00 154,112 -c--a-w C:\WINDOWS\system32\dllcache\netman.dll
+ 2005-08-22 18:36:34 154,624 -c--a-w C:\WINDOWS\system32\dllcache\netman.dll
- 2003-03-31 12:00:00 82,944 -c--a-w C:\WINDOWS\system32\dllcache\netsh.exe
+ 2006-05-19 08:44:56 83,456 -c--a-w C:\WINDOWS\system32\dllcache\netsh.exe
- 2003-03-31 12:00:00 364,544 -c--a-w C:\WINDOWS\system32\dllcache\npdsplay.dll
+ 2005-11-29 23:27:06 364,544 -c--a-w C:\WINDOWS\system32\dllcache\npdsplay.dll
- 2003-03-31 12:00:00 328,704 -c--a-w C:\WINDOWS\system32\dllcache\oakley.dll
+ 2006-05-14 09:13:41 257,536 -c--a-w C:\WINDOWS\system32\dllcache\oakley.dll
- 2003-03-31 12:00:00 92,672 -c--a-w C:\WINDOWS\system32\dllcache\oeimport.dll
+ 2006-02-27 20:31:58 93,184 -c--a-w C:\WINDOWS\system32\dllcache\OEIMPORT.DLL
- 2003-03-31 12:00:00 55,808 -c--a-w C:\WINDOWS\system32\dllcache\oemig50.exe
+ 2006-02-27 20:32:08 55,808 -c--a-w C:\WINDOWS\system32\dllcache\OEMIG50.EXE
- 2003-03-31 12:00:00 32,256 -c--a-w C:\WINDOWS\system32\dllcache\oemiglib.dll
+ 2006-02-27 20:32:10 31,744 -c--a-w C:\WINDOWS\system32\dllcache\OEMIGLIB.DLL
- 2003-03-31 12:00:00 1,169,920 -c--a-w C:\WINDOWS\system32\dllcache\ole32.dll
+ 2005-07-26 04:31:13 1,190,400 -c--a-w C:\WINDOWS\system32\dllcache\ole32.dll
- 2003-03-31 12:00:00 68,608 -c--a-w C:\WINDOWS\system32\dllcache\olecli32.dll
+ 2005-07-26 04:31:13 68,608 -c--a-w C:\WINDOWS\system32\dllcache\olecli32.dll
- 2003-03-31 12:00:00 34,304 -c--a-w C:\WINDOWS\system32\dllcache\olecnv32.dll
+ 2005-07-26 04:31:13 35,328 -c--a-w C:\WINDOWS\system32\dllcache\olecnv32.dll
- 2003-03-31 12:00:00 34,304 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2005-04-27 17:53:06 34,816 -c--a-w C:\WINDOWS\system32\dllcache\PNGFILT.DLL
- 2003-03-31 12:00:00 87,552 -c--a-w C:\WINDOWS\system32\dllcache\polstore.dll
+ 2006-05-14 09:13:41 98,304 -c--a-w C:\WINDOWS\system32\dllcache\polstore.dll
- 2003-05-30 16:00:02 1,962,496 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2005-08-30 16:14:00 1,227,776 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
- 2003-03-31 12:00:00 1,349,120 -c--a-w C:\WINDOWS\system32\dllcache\query.dll
+ 2006-06-22 05:19:49 1,350,144 -c--a-w C:\WINDOWS\system32\dllcache\query.dll
- 2003-03-31 12:00:00 158,720 -c--a-w C:\WINDOWS\system32\dllcache\rasmans.dll
+ 2006-06-22 10:59:17 169,984 -c--a-w C:\WINDOWS\system32\dllcache\rasmans.dll
- 2003-03-31 12:00:00 115,976 -c--a-w C:\WINDOWS\system32\dllcache\rdpwd.sys
+ 2005-06-10 04:30:15 116,104 -c--a-w C:\WINDOWS\system32\dllcache\rdpwd.sys
- 2003-03-31 12:00:00 200,064 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2006-07-13 08:41:42 199,936 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
- 2003-03-31 12:00:00 530,432 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll
+ 2004-03-06 02:16:11 535,552 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll
- 2003-03-31 12:00:00 260,608 -c--a-w C:\WINDOWS\system32\dllcache\rpcss.dll
+ 2005-07-26 04:31:13 276,992 -c--a-w C:\WINDOWS\system32\dllcache\rpcss.dll
- 2003-03-31 12:00:00 1,341,440 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2006-09-04 06:23:53 1,351,680 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2003-03-31 12:00:00 8,336,384 -c----w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2006-07-13 13:46:56 8,353,280 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2003-03-31 12:00:00 401,920 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2005-09-01 01:49:30 409,088 -c--a-w C:\WINDOWS\system32\dllcache\SHLWAPI.DLL
- 2003-03-31 12:00:00 51,200 -c--a-w C:\WINDOWS\system32\dllcache\spoolsv.exe
+ 2005-06-10 23:55:46 53,248 -c--a-w C:\WINDOWS\system32\dllcache\spoolsv.exe
- 2003-03-31 12:00:00 674,816 -c----w C:\WINDOWS\system32\dllcache\sxs.dll
+ 2004-08-20 22:01:15 700,928 -c--a-w C:\WINDOWS\system32\dllcache\sxs.dll
- 2003-03-31 12:00:00 233,984 -c--a-w C:\WINDOWS\system32\dllcache\tapisrv.dll
+ 2005-07-08 16:09:48 238,592 -c--a-w C:\WINDOWS\system32\dllcache\tapisrv.dll
- 2003-03-31 12:00:00 332,928 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2006-04-20 11:38:44 340,480 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2003-03-31 12:00:00 196,288 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2006-05-19 08:46:02 203,008 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2006-05-19 08:44:15 11,776 -c----w C:\WINDOWS\system32\dllcache\tunmp.sys
- 2003-03-31 12:00:00 90,624 -c--a-w C:\WINDOWS\system32\dllcache\txflog.dll
+ 2005-07-26 04:31:13 97,280 -c--a-w C:\WINDOWS\system32\dllcache\txflog.dll
- 2003-03-31 12:00:00 455,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2006-08-31 03:42:56 461,824 -c--a-w C:\WINDOWS\system32\dllcache\URLMON.DLL
- 2003-03-31 12:00:00 802,304 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2006-09-18 21:20:10 851,456 -c--a-w C:\WINDOWS\system32\dllcache\VGX.DLL
- 2003-03-31 12:00:00 43,008 -c--a-w C:\WINDOWS\system32\dllcache\wab.exe
+ 2006-02-27 20:31:46 42,496 -c--a-w C:\WINDOWS\system32\dllcache\WAB.EXE
- 2003-03-31 12:00:00 459,776 -c--a-w C:\WINDOWS\system32\dllcache\wab32.dll
+ 2006-03-16 23:08:34 465,408 -c--a-w C:\WINDOWS\system32\dllcache\WAB32.DLL
- 2003-03-31 12:00:00 30,720 -c--a-w C:\WINDOWS\system32\dllcache\wabfind.dll
+ 2006-02-27 20:31:48 30,208 -c--a-w C:\WINDOWS\system32\dllcache\WABFIND.DLL
- 2003-03-31 12:00:00 76,800 -c--a-w C:\WINDOWS\system32\dllcache\wabimp.dll
+ 2006-02-27 20:31:44 77,824 -c--a-w C:\WINDOWS\system32\dllcache\WABIMP.DLL
- 2003-03-31 12:00:00 27,648 -c--a-w C:\WINDOWS\system32\dllcache\wabmig.exe
+ 2006-02-27 20:31:42 27,648 -c--a-w C:\WINDOWS\system32\dllcache\WABMIG.EXE
- 2005-03-02 01:34:32 1,797,120 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2005-10-04 01:38:18 1,799,552 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
- 2003-03-31 12:00:00 99,328 -c--a-w C:\WINDOWS\system32\dllcache\win32spl.dll
+ 2005-06-11 02:41:12 102,400 -c--a-w C:\WINDOWS\system32\dllcache\win32spl.dll
- 2003-03-31 12:00:00 599,040 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2006-06-23 18:33:58 575,488 -c--a-w C:\WINDOWS\system32\dllcache\WININET.DLL
- 2003-03-31 12:00:00 25,600 -c--a-w C:\WINDOWS\system32\dllcache\winipsec.dll
+ 2006-05-14 09:13:41 29,184 -c--a-w C:\WINDOWS\system32\dllcache\winipsec.dll
- 2005-03-02 18:20:03 277,504 -c--a-w C:\WINDOWS\system32\dllcache\winsrv.dll
+ 2005-09-01 01:49:31 278,016 -c--a-w C:\WINDOWS\system32\dllcache\winsrv.dll
- 2003-03-31 12:00:00 75,264 -c--a-w C:\WINDOWS\system32\dllcache\ws2_32.dll
+ 2006-05-19 12:15:33 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ws2_32.dll
- 2003-03-31 12:00:00 13,312 -c--a-w C:\WINDOWS\system32\dllcache\wship6.dll
+ 2006-05-19 12:15:33 13,312 -c--a-w C:\WINDOWS\system32\dllcache\wship6.dll
- 2003-03-31 12:00:00 57,984 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
+ 2006-05-13 10:13:31 74,368 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
- 2003-03-31 12:00:00 115,976 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
+ 2005-06-10 04:30:15 116,104 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
- 2003-03-31 12:00:00 200,064 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
+ 2006-07-13 08:41:42 199,936 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
- 2003-03-31 12:00:00 332,928 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2006-04-20 11:38:44 340,480 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
- 2003-03-31 12:00:00 196,288 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
+ 2006-05-19 08:46:02 203,008 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
- 2003-03-31 12:00:00 9,856 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
+ 2006-05-19 08:44:15 11,776 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
- 2003-03-31 12:00:00 337,920 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2006-06-09 21:35:50 351,744 ----a-w C:\WINDOWS\system32\DXTMSFT.DLL
- 2003-03-31 12:00:00 194,560 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2006-06-09 21:35:30 192,512 ----a-w C:\WINDOWS\system32\DXTRANS.DLL
- 2003-03-31 12:00:00 225,280 ----a-w C:\WINDOWS\system32\es.dll
+ 2005-07-26 04:31:12 227,328 ----a-w C:\WINDOWS\system32\es.dll
- 2003-03-31 12:00:00 82,432 ------w C:\WINDOWS\system32\fldrclnr.dll
+ 2004-08-20 22:01:15 82,432 ----a-w C:\WINDOWS\system32\fldrclnr.dll
- 2008-06-16 00:35:27 130,888 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-06-19 04:17:45 130,888 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2003-03-31 12:00:00 250,368 ----a-w C:\WINDOWS\system32\gdi32.dll
+ 2006-01-02 22:38:03 260,608 ----a-w C:\WINDOWS\system32\gdi32.dll
- 2003-03-31 12:00:00 37,888 ----a-w C:\WINDOWS\system32\hhsetup.dll
+ 2005-05-27 01:59:52 38,912 ----a-w C:\WINDOWS\system32\hhsetup.dll
- 2003-03-31 12:00:00 77,850 ----a-w C:\WINDOWS\system32\hlink.dll
+ 2006-07-21 08:30:50 72,704 ----a-w C:\WINDOWS\system32\hlink.dll
- 2003-03-31 12:00:00 489,984 ----a-w C:\WINDOWS\system32\hypertrm.dll
+ 2004-11-17 17:57:01 493,056 ----a-w C:\WINDOWS\system32\hypertrm.dll
- 2003-03-31 12:00:00 236,032 ----a-w C:\WINDOWS\system32\icm32.dll
+ 2005-06-29 01:54:58 237,056 ----a-w C:\WINDOWS\system32\icm32.dll
- 2003-03-31 12:00:00 231,424 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2006-02-24 22:24:42 236,032 ----a-w C:\WINDOWS\system32\IEPEERS.DLL
- 2003-03-31 12:00:00 587,776 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2006-02-27 20:31:54 596,480 ----a-w C:\WINDOWS\system32\INETCOMM.DLL
- 2003-03-31 12:00:00 31,232 ----a-w C:\WINDOWS\system32\inetmib1.dll
+ 2006-05-19 12:15:33 31,232 ----a-w C:\WINDOWS\system32\inetmib1.dll
- 2003-03-31 12:00:00 47,616 ----a-w C:\WINDOWS\system32\inetres.dll
+ 2006-02-27 20:31:50 47,616 ----a-w C:\WINDOWS\system32\INETRES.DLL
- 2003-03-31 12:00:00 69,632 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2004-08-26 17:53:48 69,632 ----a-w C:\WINDOWS\system32\INSENG.DLL
- 2003-03-31 12:00:00 82,944 ----a-w C:\WINDOWS\system32\iphlpapi.dll
+ 2006-05-19 12:15:33 83,456 ----a-w C:\WINDOWS\system32\iphlpapi.dll
- 2003-03-31 12:00:00 332,800 ----a-w C:\WINDOWS\system32\ipsecsnp.dll
+ 2006-05-14 09:13:41 334,848 ----a-w C:\WINDOWS\system32\ipsecsnp.dll
- 2003-03-31 12:00:00 155,648 ----a-w C:\WINDOWS\system32\ipsecsvc.dll
+ 2006-05-14 09:13:41 159,744 ----a-w C:\WINDOWS\system32\ipsecsvc.dll
- 2003-03-31 12:00:00 364,032 ----a-w C:\WINDOWS\system32\ipsmsnap.dll
+ 2006-05-14 09:13:41 364,544 ----a-w C:\WINDOWS\system32\ipsmsnap.dll
- 2003-03-31 12:00:00 60,928 ----a-w C:\WINDOWS\system32\ipv6.exe
+ 2006-05-19 08:46:02 48,640 ----a-w C:\WINDOWS\system32\ipv6.exe
- 2003-03-31 12:00:00 134,144 ----a-w C:\WINDOWS\system32\ipv6mon.dll
+ 2006-05-19 12:15:33 54,272 ----a-w C:\WINDOWS\system32\ipv6mon.dll
- 2003-03-31 12:00:00 143,872 ----a-w C:\WINDOWS\system32\itircl.dll
+ 2005-05-27 01:59:52 143,872 ----a-w C:\WINDOWS\system32\itircl.dll
- 2003-03-31 12:00:00 122,368 ----a-w C:\WINDOWS\system32\itss.dll
+ 2005-05-27 01:59:52 128,000 ----a-w C:\WINDOWS\system32\itss.dll
- 2003-03-31 12:00:00 144,896 ----a-w C:\WINDOWS\system32\jgdw400.dll
+ 2006-05-27 05:19:50 163,840 ----a-w C:\WINDOWS\system32\JGDW400.DLL
- 2003-03-31 12:00:00 42,496 ----a-w C:\WINDOWS\system32\jgpl400.dll
+ 2006-04-06 23:15:48 27,648 ----a-w C:\WINDOWS\system32\JGPL400.DLL
- 2003-03-31 12:00:00 593,948 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2006-05-18 05:58:56 458,752 ----a-w C:\WINDOWS\system32\jscript.dll
- 2003-03-31 12:00:00 12,288 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2006-04-28 17:58:48 12,288 ----a-w C:\WINDOWS\system32\JSPROXY.DLL
- 2003-03-31 12:00:00 930,304 ----a-w C:\WINDOWS\system32\kernel32.dll
+ 2006-07-05 10:46:36 928,768 ----a-w C:\WINDOWS\system32\kernel32.dll
- 2003-03-31 12:00:00 35,328 ----a-w C:\WINDOWS\system32\mf3216.dll
+ 2004-03-30 01:48:36 36,864 ----a-w C:\WINDOWS\system32\mf3216.dll
- 2003-03-31 12:00:00 68,096 ----a-w C:\WINDOWS\system32\mscms.dll
+ 2005-06-29 01:54:58 68,608 ----a-w C:\WINDOWS\system32\mscms.dll
- 2003-03-31 12:00:00 2,833,920 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2006-06-30 17:28:26 2,703,872 ----a-w C:\WINDOWS\system32\MSHTML.DLL
- 2003-03-31 12:00:00 44,032 ----a-w C:\WINDOWS\system32\msident.dll
+ 2006-02-27 20:29:32 44,032 ----a-w C:\WINDOWS\system32\MSIDENT.DLL
- 2003-03-31 12:00:00 229,888 ----a-w C:\WINDOWS\system32\msieftp.dll
+ 2005-08-05 17:23:27 230,400 ----a-w C:\WINDOWS\system32\msieftp.dll
- 2003-03-31 12:00:00 228,864 ----a-w C:\WINDOWS\system32\msoeacct.dll
+ 2006-02-27 20:31:40 229,376 ----a-w C:\WINDOWS\system32\MSOEACCT.DLL
- 2003-03-31 12:00:00 81,408 ----a-w C:\WINDOWS\system32\msoert2.dll
+ 2006-02-27 20:31:36 91,136 ----a-w C:\WINDOWS\system32\MSOERT2.DLL
- 2003-03-31 12:00:00 132,096 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2005-02-24 19:54:42 132,096 ----a-w C:\WINDOWS\system32\MSRATING.DLL
- 2003-03-31 12:00:00 496,128 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2006-03-03 23:13:30 498,176 ----a-w C:\WINDOWS\system32\MSTIME.DLL
- 2003-03-31 12:00:00 154,112 ----a-w C:\WINDOWS\system32\netman.dll
+ 2005-08-22 18:36:34 154,624 ----a-w C:\WINDOWS\system32\netman.dll
- 2003-03-31 12:00:00 82,944 ----a-w C:\WINDOWS\system32\netsh.exe
+ 2006-05-19 08:44:56 83,456 ----a-w C:\WINDOWS\system32\netsh.exe
- 2003-03-31 12:00:00 328,704 ----a-w C:\WINDOWS\system32\oakley.dll
+ 2006-05-14 09:13:41 257,536 ----a-w C:\WINDOWS\system32\oakley.dll
- 2003-03-31 12:00:00 1,169,920 ----a-w C:\WINDOWS\system32\ole32.dll
+ 2005-07-26 04:31:13 1,190,400 ----a-w C:\WINDOWS\system32\ole32.dll
- 2003-03-31 12:00:00 68,608 ----a-w C:\WINDOWS\system32\olecli32.dll
+ 2005-07-26 04:31:13 68,608 ----a-w C:\WINDOWS\system32\olecli32.dll
- 2003-03-31 12:00:00 34,304 ----a-w C:\WINDOWS\system32\olecnv32.dll
+ 2005-07-26 04:31:13 35,328 ----a-w C:\WINDOWS\system32\olecnv32.dll
- 2003-03-31 12:00:00 34,304 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2005-04-27 17:53:06 34,816 ----a-w C:\WINDOWS\system32\PNGFILT.DLL
- 2003-03-31 12:00:00 87,552 ----a-w C:\WINDOWS\system32\polstore.dll
+ 2006-05-14 09:13:41 98,304 ----a-w C:\WINDOWS\system32\polstore.dll
- 2003-05-30 16:00:02 1,962,496 ----a-w C:\WINDOWS\system32\quartz.dll
+ 2005-08-30 16:14:00 1,227,776 ----a-w C:\WINDOWS\system32\quartz.dll
- 2003-03-31 12:00:00 1,349,120 ----a-w C:\WINDOWS\system32\query.dll
+ 2006-06-22 05:19:49 1,350,144 ----a-w C:\WINDOWS\system32\query.dll
- 2003-03-31 12:00:00 158,720 ----a-w C:\WINDOWS\system32\rasmans.dll
+ 2006-06-22 10:59:17 169,984 ----a-w C:\WINDOWS\system32\rasmans.dll
- 2003-03-31 12:00:00 530,432 ----a-w C:\WINDOWS\system32\rpcrt4.dll
+ 2004-03-06 02:16:11 535,552 ----a-w C:\WINDOWS\system32\rpcrt4.dll
- 2003-03-31 12:00:00 260,608 ----a-w C:\WINDOWS\system32\rpcss.dll
+ 2005-07-26 04:31:13 276,992 ----a-w C:\WINDOWS\system32\rpcss.dll
- 2003-03-31 12:00:00 1,341,440 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2006-09-04 06:23:53 1,351,680 ----a-w C:\WINDOWS\system32\SHDOCVW.DLL
- 2003-03-31 12:00:00 8,336,384 ------w C:\WINDOWS\system32\shell32.dll
+ 2006-07-13 13:46:56 8,353,280 ----a-w C:\WINDOWS\system32\shell32.dll
- 2003-03-31 12:00:00 401,920 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2005-09-01 01:49:30 409,088 ----a-w C:\WINDOWS\system32\SHLWAPI.DLL
- 2003-03-31 12:00:00 51,200 ----a-w C:\WINDOWS\system32\spoolsv.exe
+ 2005-06-10 23:55:46 53,248 ----a-w C:\WINDOWS\system32\spoolsv.exe
- 2003-03-31 12:00:00 87,040 ----a-w C:\WINDOWS\system32\srvsvc.dll
+ 2004-12-07 19:34:37 79,872 ----a-w C:\WINDOWS\system32\srvsvc.dll
- 2003-03-31 12:00:00 674,816 ------w C:\WINDOWS\system32\sxs.dll
+ 2004-08-20 22:01:15 700,928 ----a-w C:\WINDOWS\system32\sxs.dll
- 2003-03-31 12:00:00 90,624 ----a-w C:\WINDOWS\system32\txflog.dll
+ 2005-07-26 04:31:13 97,280 ----a-w C:\WINDOWS\system32\txflog.dll
- 2003-03-31 12:00:00 455,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2006-08-31 03:42:56 461,824 ----a-w C:\WINDOWS\system32\URLMON.DLL
- 2005-03-02 01:34:32 1,797,120 ----a-w C:\WINDOWS\system32\win32k.sys
+ 2005-10-04 01:38:18 1,799,552 ----a-w C:\WINDOWS\system32\win32k.sys
- 2003-03-31 12:00:00 99,328 ----a-w C:\WINDOWS\system32\win32spl.dll
+ 2005-06-11 02:41:12 102,400 ----a-w C:\WINDOWS\system32\win32spl.dll
- 2003-03-31 12:00:00 599,040 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2006-06-23 18:33:58 575,488 ----a-w C:\WINDOWS\system32\WININET.DLL
- 2003-03-31 12:00:00 25,600 ----a-w C:\WINDOWS\system32\winipsec.dll
+ 2006-05-14 09:13:41 29,184 ----a-w C:\WINDOWS\system32\winipsec.dll
- 2005-03-02 18:20:03 277,504 ----a-w C:\WINDOWS\system32\winsrv.dll
+ 2005-09-01 01:49:31 278,016 ----a-w C:\WINDOWS\system32\winsrv.dll
- 2003-03-31 12:00:00 75,264 ----a-w C:\WINDOWS\system32\ws2_32.dll
+ 2006-05-19 12:15:33 70,656 ----a-w C:\WINDOWS\system32\ws2_32.dll
- 2003-03-31 12:00:00 13,312 ----a-w C:\WINDOWS\system32\wship6.dll
+ 2006-05-19 12:15:33 13,312 ----a-w C:\WINDOWS\system32\wship6.dll
- 2004-06-30 23:59:25 158,720 ------w C:\WINDOWS\system32\xpob2res.dll
+ 2006-05-19 08:51:01 159,232 ----a-w C:\WINDOWS\system32\xpob2res.dll
- 2006-03-22 01:28:49 594,944 ------w C:\WINDOWS\system32\xpsp2res.dll
+ 2006-08-25 09:14:17 595,968 ----a-w C:\WINDOWS\system32\xpsp2res.dll
+ 2005-05-17 00:43:39 7,168 ------w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-06-19 04:18:56 616,448 ---ha-w C:\WINDOWS\Temp\StashIMAPI.bin
+ 2006-03-17 05:04:12 925,184 ----a-w C:\WINDOWS\WinSxS\InstallTemp\590419\comctl32.dll
+ 2005-09-01 01:49:28 925,184 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1740_x-ww_7cb8ab44\comctl32.dll
+ 2006-07-13 13:46:53 925,184 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1873_x-ww_7d39bb85\comctl32.dll
+ 2006-08-25 15:53:52 925,184 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1891_x-ww_7d3bbc01\comctl32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speed racer"="C:\Program Files\Creative\PlayCenter\CTSRReg.exe" [1999-11-16 01:00 5632]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [1999-11-30 01:00 204800]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 10:51 57344]
"P17Helper"="P17.dll" [2005-05-03 04:38 64512 C:\WINDOWS\system32\P17.dll]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-22 12:22 86016]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 14:02 988701]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 14:02 118784]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 08:46 622592]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 13:18 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2006-07-24 13:28 35992]

C:\Documents and Settings\QC\Start Menu\Programs\Startup\
Palm Registration.lnk - C:\Program Files\Palm\register.exe [2007-09-02 11:09:46 2441216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Gptog"= {A471FF25-581D-0AF2-24CA-C603A247C60D} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]
"Etowej"= {A471FD36-582D-1FF2-25CA-C603A257A60A} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]
"Poqwup"= {C471AF71-547F-2DD3-35AD-F036D360A84A} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]
"Eaxnmcado"= {A825DC14-463A-0AF4-47DA-F741D827A60A} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]
"Bciasuco"= {A406FC16-521F-8FC3-28CD-A173A147C60D} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]
"Upqapiup"= {A460DC60-825D-2DC3-58FC-D360D871D03F} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]
"Nmevjeev"= {D527CF27-730D-7DA1-06FC-F052A638A47C} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]
"Jlinepito"= {D368DC14-460A-8FC4-46DA-D870A825A47C} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]
"Eaxcopojm"= {A825CA60-251D-0AF2-03AF-A471F258F60C} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]
"Coebxeepi"= {D058FD14-360D-1DC3-35FF-D360D714D36D} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]
"Kuesipoca"= {F684DD54-763F-1CC0-22AF-F258F716A82A} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]
"Ciepipca"= {D748AD03-358C-1FD3-25AC-D624A600D38F} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]
"Gapicray"= {D146DA82-147C-6AF4-47CA-C032C147C60D} - C:\WINDOWS\System32\jmesiuppo.dll [2003-03-31 05:00 275968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 17:09]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 17:09]
R3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\System32\DRIVERS\bcm42xx5.sys [2001-08-17 05:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-26 03:01:06 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-05-26 03:01:05 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 21:19:05
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-06-18 21:22:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-19 04:22:52
ComboFix2.txt 2008-06-16 01:18:42
ComboFix3.txt 2008-06-16 00:40:39
ComboFix4.txt 2008-06-14 02:12:50
ComboFix5.txt 2008-06-14 01:58:00

Pre-Run: 147,965,865,984 bytes free
Post-Run: 147,454,443,520 bytes free

808 --- E O F --- 2008-06-14 00:17:08

I will post the next report soon.

Quin
cQuinc
Regular Member
 
Posts: 50
Joined: June 9th, 2008, 10:57 pm

Re: Please help remove spyware

Unread postby cQuinc » June 19th, 2008, 12:37 am

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan:
Service
Service load: 0% 100%

File: jmesiuppo.dll_
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 75dc5319d0f2f2dc3fd37154ddae03c9
Packers detected: -

Scanner results
Scan taken on 19 Jun 2008 04:34:24 (GMT)
A-Squared Found nothing
AntiVir Found TR/PSW.Agent.275968
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found PSW.Generic6.KYR
BitDefender Found BehavesLike:Trojan.ShellObject (probable variant)
ClamAV Found Trojan.Spy-38039
CPsecure Found Troj.PSW.W32.Delf.bjj
Dr.Web Found Trojan.Warx.origin
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-PSW.Win32.Delf.bjj
Fortinet Found W32/Generic.A!tr.pws
Ikarus Found BehavesLikeWin32.ExplorerHijack
Kaspersky Anti-Virus Found Trojan-PSW.Win32.Delf.bjj
NOD32 Found nothing
Norman Virus Control Found W32/Delf.BYFI
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/Generic-A
VirusBuster Found nothing
VBA32 Found Trojan-PSW.Win32.Delf.bjj

Powered by

Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.

Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 10Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.

Sponsored by HotelScraper.com.
--------------------------------------------------------------------------------


Statistics
Last file scanned at least one scanner reported something about: ShockwaveFlash.Swf.scr (MD5: dd6fe5cd88e39b3cb166d4424886df27, size: 17408 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir TR/VB.Downloader.Gen
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
CPsecure Troj.Dropper.W32.Agent.amm
Dr.Web modification of.DownLoader.38407
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Ikarus Trojan-Downloader.Win32.Banload.brf
Kaspersky Anti-Virus X
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X


You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this service.





Frequently asked questions - Feedback - Privacy policy



Page generated by JTPL

© 2004-2008 Jotti <jotti@jotti.org>
cQuinc
Regular Member
 
Posts: 50
Joined: June 9th, 2008, 10:57 pm

Re: Please help remove spyware

Unread postby dan12 » June 19th, 2008, 3:46 am

Thanks for the returned log I will be looking at it soon.
I can see you have run cf several times which is making it difficult for me to know if my script has been dealt with as I have a log from the sixth run of the tool.
This tool is very powerful and if you try to fix things on your own you can end up nuking your system.
I will be back with you later. :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help remove spyware

Unread postby dan12 » June 19th, 2008, 4:47 am

1. Close any open browsers.

2. Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
File::
C:\WINDOWS\System32\jmesiuppo.dll 
DirLook::
C:\WINDOWS\system32\bits
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Gptog"=-
"Etowej"=-
"Poqwup"=-
"Eaxnmcado"=-
"Bciasuco"=-
"Upqapiup"=-
"Nmevjeev"=-
"Jlinepito"=-
"Eaxcopojm"=-
"Coebxeepi"=-
"Kuesipoca"=-
"Ciepipca"=-
"Gapicray"=-

    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\\Documents and Settings\\Username\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\Logs\\mbam-log-date (time).txt

Post the above reports and a fresh HJT log
Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help remove spyware

Unread postby cQuinc » June 21st, 2008, 11:45 pm

Malwarebytes' Anti-Malware 1.18
Database version: 876

8:40:19 PM 6/21/2008
mbam-log-6-21-2008 (20-40-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 82288
Time elapsed: 18 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\OriginalWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\blackster.scr.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F83803A8-5BE4-476D-823E-0E6AF17A3A77}\RP324\A0022808.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:32 PM, on 6/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\System32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\cQuinc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O21 - SSODL: Gptog - {A471FF25-581D-0AF2-24CA-C603A247C60D} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Etowej - {A471FD36-582D-1FF2-25CA-C603A257A60A} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Poqwup - {C471AF71-547F-2DD3-35AD-F036D360A84A} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Eaxnmcado - {A825DC14-463A-0AF4-47DA-F741D827A60A} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Bciasuco - {A406FC16-521F-8FC3-28CD-A173A147C60D} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Hkuesij - {D582CA47-603A-5FD8-71FD-F258A713F25A} - (no file)
O21 - SSODL: Upqapiup - {A460DC60-825D-2DC3-58FC-D360D871D03F} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Nmevjeev - {D527CF27-730D-7DA1-06FC-F052A638A47C} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Jlinepito - {D368DC14-460A-8FC4-46DA-D870A825A47C} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Eaxcopojm - {A825CA60-251D-0AF2-03AF-A471F258F60C} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Coebxeepi - {D058FD14-360D-1DC3-35FF-D360D714D36D} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Kuesipoca - {F684DD54-763F-1CC0-22AF-F258F716A82A} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Ciepipca - {D748AD03-358C-1FD3-25AC-D624A600D38F} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Evabh - {D714CC60-825A-4DF2-58AD-D252F368D72D} - (no file)
O21 - SSODL: Gapicray - {D146DA82-147C-6AF4-47CA-C032C147C60D} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Ciweebx - {A606AC06-527C-5CD0-84DF-D740D741A74F} - C:\WINDOWS\System32\jmesiuppo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 8805 bytes
cQuinc
Regular Member
 
Posts: 50
Joined: June 9th, 2008, 10:57 pm

Re: Please help remove spyware

Unread postby dan12 » June 23rd, 2008, 4:32 am

We need to reveal system folders
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options
  • After the new window appears select the View tab.
  • Place a checkmark in the checkbox labeled Display the contents of system folders
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types
  • Remove the checkmark from the checkbox labeled Hide protected operating system files
  • Press the Apply and then the ok button and shut down my computer
  • Now your computer is configured to show all hidden files.
  • For you and the tools to be able to see appropriate files we need to Show Hidden Files


Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://*.mcafee.com
O21 - SSODL: Gptog - {A471FF25-581D-0AF2-24CA-C603A247C60D} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Etowej - {A471FD36-582D-1FF2-25CA-C603A257A60A} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Poqwup - {C471AF71-547F-2DD3-35AD-F036D360A84A} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Eaxnmcado - {A825DC14-463A-0AF4-47DA-F741D827A60A} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Bciasuco - {A406FC16-521F-8FC3-28CD-A173A147C60D} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Hkuesij - {D582CA47-603A-5FD8-71FD-F258A713F25A} - (no file)
O21 - SSODL: Upqapiup - {A460DC60-825D-2DC3-58FC-D360D871D03F} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Nmevjeev - {D527CF27-730D-7DA1-06FC-F052A638A47C} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Jlinepito - {D368DC14-460A-8FC4-46DA-D870A825A47C} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Eaxcopojm - {A825CA60-251D-0AF2-03AF-A471F258F60C} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Coebxeepi - {D058FD14-360D-1DC3-35FF-D360D714D36D} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Kuesipoca - {F684DD54-763F-1CC0-22AF-F258F716A82A} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Ciepipca - {D748AD03-358C-1FD3-25AC-D624A600D38F} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Evabh - {D714CC60-825A-4DF2-58AD-D252F368D72D} - (no file)
O21 - SSODL: Gapicray - {D146DA82-147C-6AF4-47CA-C032C147C60D} - C:\WINDOWS\System32\jmesiuppo.dll
O21 - SSODL: Ciweebx - {A606AC06-527C-5CD0-84DF-D740D741A74F} - C:\WINDOWS\System32\jmesiuppo.dll
WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit


Download OTMoveIt2 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
Code: Select all
C:\WINDOWS\System32\jmesiuppo.dll
C:\WINDOWS\web\related.htm

    

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2

Update Java Runtime Environment (JRE)

Your JRE is out of date. The current version is Java Runtime Environment (JRE) 6 Update 6.

  1. Click on Start > Control Panel and double click on Add/Remove Programs. Locate Java(TM) 6 Update 3 and click on Change/Remove to uninstall it.
  2. Repeat for these old versions of JRE:
      < older versions to remove > Just as shown above
  3. Click here to visit Java's website.
  4. Scroll down to Java Runtime Environment (JRE) 6 Update 6. Click on Download.
  5. Select Windows from the drop-down list for Platform.
  6. Select Multi-language from the drop-down list for Language.
  7. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  8. Click on jre-6u6-windows-i586-p.exe link to download it and save this to a convenient location.
  9. Run this installation to update your Java.


1 - Kaspersky Online Scan
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Please do an online scan with >Kaspersky Online Scanner<. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (If available otherwise Standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    Image

  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)

    Image

  • Copy and paste the report in your next post.
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.

Post otmoveit report
kaspersky report plus a new HJT log.
Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 86 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware