Looks like I picked up some buggies... - 2 Topics Merged...


  • This topic is locked
31 replies to this topic

#1 vicvalis

vicvalis

    Member

  • Full Member
  • 22 posts

Posted 19 May 2007 - 11:52 PM

So at this point my Thinkpad T22 is behaving pretty normally after doubling the RAM, but I've gone to some sites that might have exposed the laptop to viruses and trojans and/or all sorts of cooties. I remember the last time this happened some years ago I didn't realize the bad stuff was happening until it was almost too late (though I pulled my home computer back from the edge with the help of the forum). I've got good virus protection thanks to my workplace wireless network, use Ad-Aware, etc., but figure it can't hurt to run my computer's innards past y'all to see if it looks clean or not. So here we go, my HijackThis log and the AVG Anti-Spyware report:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:33:44 AM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AusLogics BoostSpeed\BoostSpeed.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43DE05EB-4F4B-4ED9-BE0D-09F3EA6B3936} - C:\WINDOWS\system32\hgghgfe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5688D2CD-5CF1-4C93-845B-A480359ECD5A} - C:\WINDOWS\system32\xxwtt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BoostSpeed] "C:\Program Files\AusLogics BoostSpeed\BoostSpeed.exe" /Q
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177679059457
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O20 - Winlogon Notify: hgghgfe - C:\WINDOWS\SYSTEM32\hgghgfe.dll
O20 - Winlogon Notify: xxwtt - C:\WINDOWS\system32\xxwtt.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 9963 bytes


And:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:28:49 AM 5/20/2007

+ Scan result:



Nothing found.



::Report end


Which sounds better than it is, as I could not connect to the work server to update it. The only toolbars I want are Yahoo and Google; any other toolbars are uninvited guests (and not visible on my browsers). Lemme know what you think. Thanks!

vic

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,520 posts

Posted 22 May 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 vicvalis

vicvalis

    Member

  • Full Member
  • 22 posts

Posted 30 May 2007 - 06:29 PM

Either I got lazy or they got more clever (probably a little of both), but in the last few days I've noticed a few problems with my laptop. Part may be due to the installation of Office 2007 (which I'm planning on getting rid of, as 2003 is more useful to me). I managed to clean up a few problems; among some of the things Spybot and Ad-Aware helped me (I hope) get rid of were:

smitfraud-C toolbar
win32.agent.azt
adware.purityscan
statcounter

...and others. At some point in the next week or two I'm going to be swapping the old laptop hard drive for a bigger one. As the laptop is new to me and I have nothing really important on it, I always have the option of swapping the drive and reformatting it. But before I do this, I figured I'd post my latest logs and see if anyone can find any problems. One thing: I notice in my WinXP system tray a little shield-shaped icon, red with a white "X" in it, and when I hover the cursor over it I get a message that reads something like "problems detected." (I lost my note, and the laptop is at home while I am at work as I write this.) If I click on it, it attempts to download something called "RegisteryCleanerSetup.exe." I obviously don't like this, as I'm not sure which program the icon or the .exe is associated with. Any advice is greatly appreciated! Thanks,

jeff

Logfile of HijackThis v1.99.1
Scan saved at 8:56:00 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\spoolvq0.exe
C:\WINDOWS\system32\ipmon.exe
C:\WINDOWS\system32\ipmon.exe
C:\Program Files\AusLogics BoostSpeed\BoostSpeed.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.303\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SvcManager] spoolvq0.exe
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BoostSpeed] "C:\Program Files\AusLogics BoostSpeed\BoostSpeed.exe" /Q
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177679059457
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:41:29 PM 5/30/2007

+ Scan result:



C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Program Files\BigFix Enterprise\BES Client\__BESData\BES Support\KILL.EXE -> Trojan.KillApp.A : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D46C45C2-E6BE-497F-8627-18D90129F831}\RP100\A0016364.EXE -> Trojan.KillApp.A : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D46C45C2-E6BE-497F-8627-18D90129F831}\RP97\A0015967.EXE -> Trojan.KillApp.A : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D46C45C2-E6BE-497F-8627-18D90129F831}\RP98\A0016072.EXE -> Trojan.KillApp.A : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D46C45C2-E6BE-497F-8627-18D90129F831}\RP98\A0016203.EXE -> Trojan.KillApp.A : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D46C45C2-E6BE-497F-8627-18D90129F831}\RP99\A0016265.EXE -> Trojan.KillApp.A : Cleaned with backup (quarantined).


::Report end

#4 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 31 May 2007 - 10:00 AM

Hi,

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SvcManager] spoolvq0.exe
O4 - HKLM\..\Run: [ipmon] ipmon.exe


Click on Fix Checked when finished and exit HijackThis.

Delete these files in bold if found.
C:\WINDOWS\system32\spoolvq0.exe
C:\WINDOWS\system32\ipmon.exe

Restart the computer normally to reset the registry.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Let me know what problem remains.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
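The entries nasdaq picks out above are not random: two Run keys launch a bare filename (`spoolvq0.exe`, `ipmon.exe`) with no path, a toolbar CLSID is registered with `(no file)` behind it, and the first log shows unnamed BHOs in system32 (`hgghgfe.dll`, `xxwtt.dll`) that are also hooked as Winlogon Notify handlers. The script below is an added example, not code from this thread, from nasdaq or from HijackThis; it applies exactly those heuristics to HijackThis lines. The sample lines are copied from the logs posted in this thread, and the rules themselves (bare autorun name, orphaned entry, unnamed system32 BHO, BHO/Winlogon Notify pairing) are the assumptions the example encodes; they are triage hints, not verdicts.

```python
import ntpath
import re

# Sample HijackThis lines copied from the logs posted in this thread. They mix
# ordinary vendor entries with the ones nasdaq asked the poster to fix, plus a
# rundll32 entry from the ThinkPad utilities to show it is not a false positive.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43DE05EB-4F4B-4ED9-BE0D-09F3EA6B3936} - C:\WINDOWS\system32\hgghgfe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5688D2CD-5CF1-4C93-845B-A480359ECD5A} - C:\WINDOWS\system32\xxwtt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SvcManager] spoolvq0.exe
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O20 - Winlogon Notify: hgghgfe - C:\WINDOWS\SYSTEM32\hgghgfe.dll
O20 - Winlogon Notify: xxwtt - C:\WINDOWS\system32\xxwtt.dll
"""

# One regex per HijackThis section we triage. The name group is non-greedy so a
# " - " inside a path (e.g. "Spybot - Search & Destroy") does not split the line.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$"),
}


def launched_file(cmd: str) -> str:
    """Return the file an O4 command line really starts.

    rundll32 is only a host process, so for it the first argument (the DLL
    before the comma) is the thing worth looking at.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        first, rest = cmd[1:end], cmd[end + 1:]
    else:
        first, _, rest = cmd.partition(" ")
    if ntpath.basename(first).lower() in ("rundll32", "rundll32.exe"):
        return rest.strip().strip('"').split(",")[0]
    return first


def is_bare_name(path: str) -> bool:
    """True when the entry names a file only and relies on the PATH search order."""
    return not any(sep in path for sep in ("\\", "/", ":"))


def triage(log_text: str) -> list:
    """Scan HijackThis lines and return findings as dicts (section, target, reason, line)."""
    parsed = []
    for line in log_text.splitlines():
        line = line.strip()
        for section, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                parsed.append((section, m.groupdict(), line))
                break

    # First pass: which DLLs are registered as Browser Helper Objects.
    bho_dlls = {ntpath.basename(d["path"]).lower() for s, d, _ in parsed if s == "O2"}

    findings = []
    for section, d, line in parsed:
        if section == "O4":
            target = launched_file(d["cmd"])
            if is_bare_name(target):
                findings.append(dict(section=section, target=target, line=line,
                                     reason="autorun gives a bare filename, found by PATH search; check the system directories"))
        elif section in ("O2", "O3") and d["path"].strip() == "(no file)":
            findings.append(dict(section=section, target="(no file)", line=line,
                                 reason="orphaned entry: registered but the file is gone"))
        elif section == "O2" and d["name"] == "(no name)" and "\\system32\\" in d["path"].lower():
            findings.append(dict(section=section, target=d["path"], line=line,
                                 reason="unnamed BHO loaded straight from system32"))
        elif section == "O20" and ntpath.basename(d["path"]).lower() in bho_dlls:
            findings.append(dict(section=section, target=d["path"], line=line,
                                 reason="same DLL is both a BHO and a Winlogon Notify handler"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['target']}: {f['reason']}")
```

Run against the sample it reports seven lines: the two bare-name Run entries, the orphaned toolbar, the two unnamed system32 BHOs and their two Winlogon Notify twins, while the Symantec, Adobe, Spybot and ThinkPad rundll32 entries pass. The bare-name rule is deliberately loose: the `nlsf` RunOnce entries in the first log start `cmd.exe /C move ...` and would trip it too, which is why each hit still needs a human to look at the file before anything is deleted.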

#5 vicvalis

vicvalis

    Member

  • Full Member
  • 22 posts

Posted 01 June 2007 - 12:11 PM

Okay, went through with the process. One note: ipmon was hard to get rid of, and I didn't get it deleted until after the first run through the instructions. I was able to delete it while in safe mode, then went through the instructions a second time. So here are TWO logs for the price of one! First log before I got rid of ipmon, second one after.


SDFix: Version 1.85

Run by Administrator - Fri 06/01/2007 - 4:02:15.16

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\-99520~1 - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win59.tmp.exe - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win51.tmp.exe - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win55.tmp.exe - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win5B.tmp.exe - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win5D.tmp.exe - Deleted
C:\Program Files\Setup.exe - Deleted
C:\WINDOWS\Temp\win*.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win*.tmp - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"c:\\windows\\system32\\spoolvq0.exe"="c:\\windows\\system32\\spoolvq0.exe:*:Enabled:spoolvq0"
"C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\win4F.tmp.exe"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\win4F.tmp.exe:*:Enabled:win4F.tmp"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\WINDOWS\system32\xxwtt.dll
C:\WINDOWS\system32\ttwxx.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\hurricanes\~WRL2974.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\hurricanes\~WRL2314.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\hurricanes\~WRL1751.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\hurricanes\~WRL3156.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\hurricanes\~WRL3467.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Carthay Circle\~WRL3264.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Carthay Circle\~WRL0003.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Carthay Circle\~WRL2468.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Carthay Circle\~WRL0005.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Drugs in hollywood, drink, et al\~WRL1981.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL1342.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL1093.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL2734.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL2636.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL0797.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL2065.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL1071.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL0004.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL2280.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL0716.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL3772.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL3112.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL2923.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL0855.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL0254.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL0262.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL3915.tmp

Finished



SDFix: Version 1.85

Run by Administrator - Fri 06/01/2007 - 6:42:27.66

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found

C:\WINDOWS\Temp\win*.tmp - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"c:\\windows\\system32\\spoolvq0.exe"="c:\\windows\\system32\\spoolvq0.exe:*:Enabled:spoolvq0"
"C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\win4F.tmp.exe"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\win4F.tmp.exe:*:Enabled:win4F.tmp"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Checking For Files with Hidden Attributes:

C:\WINDOWS\system32\xxwtt.dll
C:\WINDOWS\system32\ttwxx.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\hurricanes\~WRL2974.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\hurricanes\~WRL2314.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\hurricanes\~WRL1751.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\hurricanes\~WRL3156.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\hurricanes\~WRL3467.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Carthay Circle\~WRL3264.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Carthay Circle\~WRL0003.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Carthay Circle\~WRL2468.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Carthay Circle\~WRL0005.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Drugs in hollywood, drink, et al\~WRL1981.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL1342.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL1093.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL2734.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL2636.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL0797.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL2065.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL1071.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL0004.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL2280.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL0716.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL3772.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL3112.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL2923.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL0855.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL0254.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL0262.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL3915.tmp

Finished
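Two things in the SDFix report above deserve a closer look before anything gets deleted. The firewall "Authorized Application Key Export" carries two exceptions that no installer in this thread accounts for: spoolvq0.exe in system32 (with a display name that is just its own file name) and win4F.tmp.exe in the Administrator's Temp folder. And in the hidden-file list, xxwtt.dll sits in system32 next to ttwxx.tmp, the same base name reversed. The script below is an added example, not part of SDFix or of this thread; it parses those two sections from a constructed excerpt of the report and flags entries by the heuristics named in its comments (exception in a Temp directory, double .tmp.exe extension, self-named binary under the Windows directory, hidden DLL with a reversed-name companion). The ~WRL####.tmp files are Word's autosave temporaries; the hidden attribute is why SDFix lists them, so they are reported separately rather than as findings.

```python
"""Triage two sections of an SDFix report: the Windows Firewall 'Authorized
Application Key Export' and the 'Files with Hidden Attributes' list.
Added example, not part of SDFix or of this thread. SAMPLE_REPORT is a
constructed excerpt of the report posted above."""
import re
from collections import defaultdict

SAMPLE_REPORT = r'''
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"c:\\windows\\system32\\spoolvq0.exe"="c:\\windows\\system32\\spoolvq0.exe:*:Enabled:spoolvq0"
"C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\win4F.tmp.exe"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\win4F.tmp.exe:*:Enabled:win4F.tmp"

Remaining Files:
---------------

Checking For Files with Hidden Attributes:

C:\WINDOWS\system32\xxwtt.dll
C:\WINDOWS\system32\ttwxx.tmp
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\~WRL1342.tmp

Finished
'''

# A .reg-style export line: "<path>"="<path>:<scope>:<state>:<display name>"
FIREWALL_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]*)"$')
# Word autosave temporaries look like ~WRL1342.tmp
WORD_AUTOSAVE = re.compile(r"\\~WRL\d{4}\.tmp$", re.IGNORECASE)


def parse_sections(report):
    """Return (firewall_lines, hidden_paths) from the two sections of interest."""
    firewall, hidden, section = [], [], None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Authorized Application Key Export"):
            section = "firewall"
        elif line.startswith("Checking For Files with Hidden Attributes"):
            section = "hidden"
        elif line.startswith(("Remaining Files", "Finished")):
            section = None
        elif not line or line.startswith("["):   # blank line or registry key header
            continue
        elif section == "firewall":
            firewall.append(line)
        elif section == "hidden":
            hidden.append(line)
    return firewall, hidden


def parse_firewall_entry(line):
    """Decode one exception. The value's path contains a ':' (drive letter),
    so the three trailing fields are split off from the right."""
    m = FIREWALL_LINE.match(line)
    if not m:
        return None
    path = m.group("key").replace("\\\\", "\\")
    _, scope, state, name = m.group("value").replace("\\\\", "\\").rsplit(":", 3)
    return {"path": path, "scope": scope,
            "enabled": state.lower() == "enabled", "name": name}


def stem(name):
    """File name without directory and without its last extension."""
    base = name.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]


def flag_firewall(entries):
    """Map path -> reasons for enabled exceptions that deserve a look (heuristics)."""
    flagged = {}
    for e in entries:
        low, reasons = e["path"].lower(), []
        if "\\temp\\" in low:                       # covers LOCALS~1\Temp as well
            reasons.append("executable lives in a Temp directory")
        if low.endswith(".tmp.exe"):
            reasons.append("double extension .tmp.exe")
        # Installers register a product name; a binary under the Windows directory
        # whose display name is just its own file name most likely registered itself.
        if "\\windows\\" in low and e["name"].lower() == stem(low):
            reasons.append("display name is just the file name")
        if reasons and e["enabled"]:
            flagged[e["path"]] = reasons
    return flagged


def reversed_name_pairs(paths):
    """Hidden DLLs with same-directory companions whose base name is the DLL's
    base name reversed (xxwtt.dll next to ttwxx.tmp in the report above)."""
    by_dir = defaultdict(lambda: defaultdict(list))
    for p in paths:
        directory, base = p.rsplit("\\", 1)
        by_dir[directory.lower()][stem(base).lower()].append(p)
    pairs = []
    for files in by_dir.values():
        for s, plist in files.items():
            mirror = s[::-1]
            if mirror != s and mirror in files:
                pairs.extend((p, files[mirror]) for p in plist if p.lower().endswith(".dll"))
    return pairs


def triage(report):
    firewall_lines, hidden = parse_sections(report)
    entries = [e for e in map(parse_firewall_entry, firewall_lines) if e]
    return {
        "firewall": flag_firewall(entries),
        "reversed_pairs": reversed_name_pairs(hidden),
        "word_autosave": [p for p in hidden if WORD_AUTOSAVE.search(p)],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for path, reasons in result["firewall"].items():
        print("firewall exception:", path, "->", "; ".join(reasons))
    for dll, companions in result["reversed_pairs"]:
        print("reversed-name pair:", dll, "<->", ", ".join(companions))
    for path in result["word_autosave"]:
        print("Word autosave temp, not a finding by itself:", path)
```

Run it on the full SDFix text rather than the excerpt and the same two exceptions and the same DLL pair come out; the heuristics are deliberately narrow (a Temp path, a .tmp.exe name, a self-named binary under C:\WINDOWS) so that the legitimate entries for Internet Explorer, VLC, iTunes and Outlook stay quiet.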

#6 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 01 June 2007 - 01:07 PM

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Then delete the files in bold.

C:\WINDOWS\system32\xxwtt.dll
C:\WINDOWS\system32\ttwxx.tmp

Delete the files from these folders not the folders unless you do not need them anymore.

C:\Documents and Settings\Administrator\My Documents\colleen moore 2\hurricanes\
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Carthay Circle\
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Drugs in hollywood, drink, et al\
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\

Submit a fresh HijackThis log and let me know what problem remains.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#7 vicvalis

    Member

  • Full Member
  • 22 posts

Posted 01 June 2007 - 01:38 PM

I'll give it a shot tonight and let you know what happens. I need:

C:\Documents and Settings\Administrator\My Documents\colleen moore 2\hurricanes\
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Carthay Circle\
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Drugs in hollywood, drink, et al\
C:\Documents and Settings\Administrator\My Documents\colleen moore 2\Scrapbooks\

At least until I back them up to CD. Once they're backed up I'll delete them. Thanks for the help so far, much appreciated!

jeff

#8 vicvalis

    Member

  • Full Member
  • 22 posts

Posted 01 June 2007 - 08:06 PM

Well I haven't been able to delete xxwtt.dll... every time I try I get a message that it's in use even when I turn everything off. And it's not visible in c:\windows\system32 when I try to delete it while in safe mode (I don't know how to make it visible). However I don't see it on the hijackthis log, which follows:

Logfile of HijackThis v1.99.1
Scan saved at 2:00:49 AM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BoostSpeed] "C:\Program Files\AusLogics BoostSpeed\BoostSpeed.exe" /Q
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177679059457
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

#9 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 02 June 2007 - 07:11 AM

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text in bold contained in the code box below (including the first line, "Files to Delete:", which is a command to the tool) to your Clipboard by highlighting it and pressing Ctrl+C:

Files to Delete:

C:\WINDOWS\system32\xxwtt.dll
C:\WINDOWS\system32\ttwxx.tmp


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log by using Add/Reply.

Let me know what problem remains.
nasdaq


#10 vicvalis

    Member

  • Full Member
  • 22 posts

Posted 02 June 2007 - 12:52 PM

Okay, here we go:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bnvvkhfi

*******************

Script file located at: cqjoglrf

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!


And:

Logfile of HijackThis v1.99.1
Scan saved at 6:49:10 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AusLogics BoostSpeed\BoostSpeed.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BoostSpeed] "C:\Program Files\AusLogics BoostSpeed\BoostSpeed.exe" /Q
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177679059457
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

Jeff
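The HijackThis logs in #8 and #10 have identical R/O entries; what changed is the process list, and one change matters: the later log no longer shows Rtvscan.exe (the Symantec AntiVirus real-time scanner) among the running processes, although its O23 service entry is still present. The script below is an added example, not from HijackThis or from this thread. It parses the HijackThis log layout (a "Running processes:" block followed by coded entries such as O4 and O23), diffs two logs section by section, and cross-checks each O23 service binary against the process list. The two logs embedded in it are constructed excerpts trimmed from #8 and #10. A service that is not running is not a finding on its own, since many are demand-start, but for a real-time AV scanner on a machine with an undeletable DLL it is worth asking why.

```python
"""Diff two HijackThis logs and cross-check O23 services against the running
process list. Added example: not code from HijackThis or from the thread; the
two excerpts below are constructed from posts #8 and #10 above, trimmed to a
handful of lines each."""
import re

# One HijackThis finding: a code such as O4 or O23, " - ", then the body.
ENTRY = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")

LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 2:00:49 AM, on 6/2/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BoostSpeed] "C:\Program Files\AusLogics BoostSpeed\BoostSpeed.exe" /Q
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 6:49:10 PM, on 6/2/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AusLogics BoostSpeed\BoostSpeed.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BoostSpeed] "C:\Program Files\AusLogics BoostSpeed\BoostSpeed.exe" /Q
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
"""


def parse_hjt(text):
    """Return {'processes': set of lower-cased paths, 'entries': {code: set of bodies}}."""
    processes, entries, in_processes = set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False            # the process block ends at the first blank line
        elif in_processes:
            processes.add(line.lower())
        else:
            m = ENTRY.match(line)
            if m:
                entries.setdefault(m.group("code"), set()).add(m.group("body"))
    return {"processes": processes, "entries": entries}


def diff_hjt(before, after):
    """What started, what stopped, and which coded entries appeared or vanished."""
    b, a = parse_hjt(before), parse_hjt(after)
    report = {"processes_started": sorted(a["processes"] - b["processes"]),
              "processes_gone": sorted(b["processes"] - a["processes"]),
              "entries_added": {}, "entries_removed": {}}
    for code in sorted(set(b["entries"]) | set(a["entries"])):
        added = a["entries"].get(code, set()) - b["entries"].get(code, set())
        removed = b["entries"].get(code, set()) - a["entries"].get(code, set())
        if added:
            report["entries_added"][code] = sorted(added)
        if removed:
            report["entries_removed"][code] = sorted(removed)
    return report


def services_not_running(text):
    """O23 service binaries that do not appear in the same log's process list.
    Demand-start services show up here legitimately; a real-time AV scanner should not."""
    parsed = parse_hjt(text)
    running = {p.rsplit("\\", 1)[-1] for p in parsed["processes"]}
    missing = []
    for body in parsed["entries"].get("O23", ()):
        exe = body.rsplit(" - ", 1)[-1].strip().lower()   # last field is the image path
        if exe.rsplit("\\", 1)[-1] not in running:
            missing.append(exe)
    return sorted(missing)


if __name__ == "__main__":
    d = diff_hjt(LOG_BEFORE, LOG_AFTER)
    print("started:", *d["processes_started"], sep="\n  ")
    print("gone:", *d["processes_gone"], sep="\n  ")
    print("entries added:", d["entries_added"], "entries removed:", d["entries_removed"])
    print("O23 services with no running process:", services_not_running(LOG_AFTER))
```

The diff confirms what reading the two logs by eye suggests: nothing changed in the R/O entries, several user-level programs (QuickTime, GhostTray, the AVG tray, BoostSpeed, Notepad) started between the two scans, and Rtvscan.exe stopped. The cross-check reports that stoppage against the O23 entry that still claims the service exists.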

#11 vicvalis

    Member

  • Full Member
  • 22 posts

Posted 02 June 2007 - 02:06 PM

And a followup: AVG antispyware has popped up with a warning that malware C:\WINDOWS\System32\hgghgfe.dll has been detected, and while AVG recommends I ignore it, the AVG screen keeps popping up until I clean it... and even then pops up again after a few minutes. This is the first time I've had the laptop connected to a wireless network for a while, so that might have something to do with it.

jeff

#12 vicvalis

    Member

  • Full Member
  • 22 posts

Posted 02 June 2007 - 02:28 PM

And now in addition: C:\WINDOWS\System32\winkzr.dll. It recommends I clean it, which I do, and AVG pops right back up with the same warning... although as I write this it hasn't popped up in a while... the previous warning continues though. Symantec has a removal tool I will try.

jeff

#13 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 02 June 2007 - 03:33 PM

Download this file - combofix.exe

and save it to your desktop (Important). Also save the below command in Notepad as a text file so that you can copy/paste in safe mode.

"%userprofile%\desktop\combofix.exe"

Boot into safe mode by tapping the F8 key just before Windows starts to load.

go to start --> run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe"

When finished, it shall produce a log for you. Save it and post that log in your next reply.

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next post, please include
  • new hijackthis log
  • combofix log


*use separate posts to ensure the logs don't get cut off!



Submit a fresh HijackThis log.


nasdaq


#14 vicvalis

    Member

  • Full Member
  • 22 posts

Posted 02 June 2007 - 04:15 PM

I'll do that this evening. The Symantec fix did not detect it, was going to post that info and then I saw your reply.

jeff

#15 vicvalis

    Member

  • Full Member
  • 22 posts

Posted 02 June 2007 - 07:38 PM

Okay, here's one report:

"Administrator" - 2007-06-03 1:02:37 Service Pack 2 [SAFE MODE]
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Administrator\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pmnkkhi.dll
C:\WINDOWS\system32\iifedda.dll
C:\WINDOWS\system32\opnnklk.dll
C:\WINDOWS\system32\gebxyvu.dll
C:\WINDOWS\system32\pmnnnmn.dll
C:\WINDOWS\system32\ssqqpqo.dll
C:\WINDOWS\system32\efcaxvv.dll
C:\WINDOWS\system32\fcccbbx.dll
C:\WINDOWS\system32\awtrqqq.dll
C:\WINDOWS\system32\ttwxx.ini
C:\WINDOWS\system32\ttwxx.tmp
C:\WINDOWS\system32\ttwxx.bak1
C:\WINDOWS\system32\ttwxx.bak2
C:\WINDOWS\system32\ttwxx.ini2
C:\WINDOWS\system32\ttwxx.ini
C:\WINDOWS\system32\ttwxx.tmp
C:\WINDOWS\system32\ttwxx.bak1
C:\WINDOWS\system32\ttwxx.bak2
C:\WINDOWS\system32\ttwxx.ini2
C:\WINDOWS\system32\ttwxx.ini
C:\WINDOWS\system32\ttwxx.tmp
C:\WINDOWS\system32\ttwxx.bak1
C:\WINDOWS\system32\ttwxx.bak2
C:\WINDOWS\system32\ttwxx.ini2
C:\WINDOWS\system32\xxwtt.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2007-05-03 to 2007-06-03 ))))))))))))))))))))))))))))))))))


2007-06-02 19:04 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-06-02 18:39 <DIR> d-------- C:\avenger
2007-06-01 04:16 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-06-01 04:16 <DIR> d-------- C:\WINDOWS\srchasst
2007-06-01 04:16 <DIR> d-------- C:\WINDOWS\msagent
2007-06-01 04:16 <DIR> d-------- C:\Program Files\msn gaming zone
2007-06-01 04:16 <DIR> d-------- C:\Program Files\movie maker
2007-06-01 04:16 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-06-01 04:16 <DIR> d-------- C:\Program Files\Common Files\speechengines
2007-05-30 20:22 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-30 17:40 <DIR> d-------- C:\Program Files\BitTornado
2007-05-28 21:52 43,473 --a------ C:\ecri.exe
2007-05-28 21:47 61,088 C:\WINDOWS\system32\xpdx.sys
2007-05-28 21:47 48,128 --a------ C:\tcjlicw.exe
2007-05-28 21:46 1,536 --a------ C:\cwainda.exe
2007-05-28 21:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BigFix
2007-05-28 08:12 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-05-28 08:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-05-25 05:36 1,835,008 --a------ C:\Documents and Settings\Administrator\ntuser.dat
2007-05-25 05:36 1,835,008 --a------ C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-05-15 08:36 <DIR> d-------- C:\Program Files\Microsoft Works
2007-05-15 08:31 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-05-15 08:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-05-15 02:41 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-05-15 02:40 <DIR> d-------- C:\Program Files\Norton Ghost
2007-05-15 02:38 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-05-15 02:37 <DIR> d-------- C:\Program Files\Support
2007-05-15 02:37 <DIR> d-------- C:\Program Files\Driver Validation
2007-05-11 19:22 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-05 20:01 <DIR> d-------- C:\Program Files\AusLogics BoostSpeed
2007-05-05 18:54 <DIR> d-------- C:\Program Files\iTunes
2007-05-05 18:54 <DIR> d-------- C:\Program Files\iPod
2007-05-05 18:51 <DIR> d-------- C:\Program Files\QuickTime
2007-05-05 18:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2012-12-21 11:00:00 994,304 ----a-w C:\WINDOWS\system32\msgina.dll
2012-12-21 11:00:00 99,840 ----a-w C:\WINDOWS\system32\mprmsg.dll
2012-12-21 11:00:00 99,328 ----a-w C:\WINDOWS\system32\winscard.dll
2012-12-21 11:00:00 984,576 ----a-w C:\WINDOWS\system32\syssetup.dll
2012-12-21 11:00:00 984,576 ----a-w C:\WINDOWS\system32\syssetub.dll
2012-12-21 11:00:00 983,552 ----a-w C:\WINDOWS\system32\setupapi.dll
2012-12-21 11:00:00 98,304 ----a-w C:\WINDOWS\system32\verifier.exe
2012-12-21 11:00:00 98,304 ----a-w C:\WINDOWS\system32\slbiop.dll
2012-12-21 11:00:00 98,304 ----a-w C:\WINDOWS\system32\rtm.dll
2012-12-21 11:00:00 98,304 ----a-w C:\WINDOWS\system32\cscript.exe
2012-12-21 11:00:00 98,304 ----a-w C:\WINDOWS\system32\ahui.exe
2012-12-21 11:00:00 97,965 ----a-w C:\WINDOWS\system32\eventquery.vbs
2012-12-21 11:00:00 97,792 ----a-w C:\WINDOWS\system32\comrepl.dll
2012-12-21 11:00:00 97,280 ----a-w C:\WINDOWS\system32\loadperf.dll
2012-12-21 11:00:00 96,768 ----a-w C:\WINDOWS\system32\srvsvc.dll
2012-12-21 11:00:00 96,768 ----a-w C:\WINDOWS\system32\psbase.dll
2012-12-21 11:00:00 96,768 ----a-w C:\WINDOWS\system32\dpcdll.dll
2012-12-21 11:00:00 96,256 ----a-w C:\WINDOWS\system32\drivers\scsiport.sys
2012-12-21 11:00:00 95,744 ----a-w C:\WINDOWS\system32\scardsvr.exe
2012-12-21 11:00:00 95,360 ----a-w C:\WINDOWS\system32\drivers\atapi.sys
2012-12-21 11:00:00 94,784 ----a-w C:\WINDOWS\twain.dll
2012-12-21 11:00:00 94,208 ----a-w C:\WINDOWS\system32\pskill.exe
2012-12-21 11:00:00 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2012-12-21 11:00:00 937,984 ----a-w C:\WINDOWS\system32\winbrand.dll
2012-12-21 11:00:00 93,696 ----a-w C:\WINDOWS\system32\tscfgwmi.dll
2012-12-21 11:00:00 924,432 ----a-w C:\WINDOWS\system32\mfc40.dll
2012-12-21 11:00:00 92,672 ----a-w C:\WINDOWS\system32\wlnotify.dll
2012-12-21 11:00:00 92,224 ----a-w C:\WINDOWS\system32\krnl386.exe
2012-12-21 11:00:00 92,168 ----a-w C:\WINDOWS\system32\rdpdd.dll
2012-12-21 11:00:00 92,032 ----a-w C:\WINDOWS\system32\drivers\ksecdd.sys
2012-12-21 11:00:00 91,776 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2012-12-21 11:00:00 91,648 ----a-w C:\WINDOWS\system32\xactsrv.dll
2012-12-21 11:00:00 91,136 ----a-w C:\WINDOWS\system32\ntprint.dll
2012-12-21 11:00:00 90,624 ----a-w C:\WINDOWS\system32\mydocs.dll
2012-12-21 11:00:00 90,112 ----a-w C:\WINDOWS\system32\rsvpsp.dll
2012-12-21 11:00:00 90,112 ----a-w C:\WINDOWS\system32\mycomput.dll
2012-12-21 11:00:00 9,936 ----a-w C:\WINDOWS\system32\lzexpand.dll
2012-12-21 11:00:00 9,728 ----a-w C:\WINDOWS\system32\sprestrt.exe
2012-12-21 11:00:00 9,728 ----a-w C:\WINDOWS\system32\sfc.exe
2012-12-21 11:00:00 9,728 ----a-w C:\WINDOWS\system32\reset.exe
2012-12-21 11:00:00 9,728 ----a-w C:\WINDOWS\system32\label.exe
2012-12-21 11:00:00 9,728 ----a-w C:\WINDOWS\system32\gpkrsrc.dll
2012-12-21 11:00:00 9,600 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2012-12-21 11:00:00 9,344 ----a-w C:\WINDOWS\system32\vga.dll
2012-12-21 11:00:00 9,344 ----a-w C:\WINDOWS\system32\framebuf.dll
2012-12-21 11:00:00 9,216 ----a-w C:\WINDOWS\system32\wshatm.dll
2012-12-21 11:00:00 9,216 ----a-w C:\WINDOWS\system32\winfax.dll
2012-12-21 11:00:00 9,216 ----a-w C:\WINDOWS\system32\wifeman.dll
2012-12-21 11:00:00 9,216 ----a-w C:\WINDOWS\system32\subst.exe
2012-12-21 11:00:00 9,216 ----a-w C:\WINDOWS\system32\scrnsave.scr
2012-12-21 11:00:00 9,216 ----a-w C:\WINDOWS\system32\print.exe
2012-12-21 11:00:00 9,216 ----a-w C:\WINDOWS\system32\lprmonui.dll
2012-12-21 11:00:00 9,216 ----a-w C:\WINDOWS\system32\iissuba.dll
2012-12-21 11:00:00 9,216 ----a-w C:\WINDOWS\system32\find.exe
2012-12-21 11:00:00 9,216 ----a-w C:\WINDOWS\system32\diskcomp.com
2012-12-21 11:00:00 9,029 ----a-w C:\WINDOWS\system32\ansi.sys
2012-12-21 11:00:00 9,008 ----a-w C:\WINDOWS\system32\ver.dll
2012-12-21 11:00:00 89,600 ----a-w C:\WINDOWS\system32\smlogsvc.exe
2012-12-21 11:00:00 89,088 ----a-w C:\WINDOWS\system32\rasauto.dll
2012-12-21 11:00:00 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
2012-12-21 11:00:00 882 ----a-w C:\WINDOWS\system32\share.exe
2012-12-21 11:00:00 882 ----a-w C:\WINDOWS\system32\fastopen.exe
2012-12-21 11:00:00 88,064 ----a-w C:\WINDOWS\system32\p2pnetsh.dll
2012-12-21 11:00:00 875,008 ----a-w C:\WINDOWS\system32\netplwiz.dll
2012-12-21 11:00:00 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2012-12-21 11:00:00 87,040 ----a-w C:\WINDOWS\system32\mprapi.dll
2012-12-21 11:00:00 86,528 ----a-w C:\WINDOWS\system32\iassam.dll
2012-12-21 11:00:00 86,016 ----a-w C:\WINDOWS\system32\p2pgasvc.dll
2012-12-21 11:00:00 86,016 ----a-w C:\WINDOWS\system32\msapsspc.dll
2012-12-21 11:00:00 858,624 ----a-w C:\WINDOWS\system32\tapi3.dll
2012-12-21 11:00:00 85,504 ----a-w C:\WINDOWS\system32\makecab.exe
2012-12-21 11:00:00 85,504 ----a-w C:\WINDOWS\system32\diantz.exe
2012-12-21 11:00:00 85,504 ----a-w C:\WINDOWS\system32\catsrvps.dll
2012-12-21 11:00:00 84,992 ----a-w C:\WINDOWS\system32\avifil32.dll
2012-12-21 11:00:00 84,480 ----a-w C:\WINDOWS\system32\mciavi32.dll
2012-12-21 11:00:00 84,480 ----a-w C:\WINDOWS\system32\cabview.dll
2012-12-21 11:00:00 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll
2012-12-21 11:00:00 83,456 ----a-w C:\WINDOWS\system32\olepro32.dll
2012-12-21 11:00:00 83,456 ----a-w C:\WINDOWS\system32\dpvsetup.exe
2012-12-21 11:00:00 825,344 ----a-w C:\WINDOWS\system32\d3dim700.dll
2012-12-21 11:00:00 82,944 ----a-w C:\WINDOWS\system32\ws2_32.dll
2012-12-21 11:00:00 82,944 ----a-w C:\WINDOWS\system32\olecli.dll
2012-12-21 11:00:00 82,432 ----a-w C:\WINDOWS\system32\ufat.dll
2012-12-21 11:00:00 82,432 ----a-w C:\WINDOWS\system32\dmscript.dll
2012-12-21 11:00:00 817 ----a-w C:\WINDOWS\system32\mscdexnt.exe
2012-12-21 11:00:00 815,104 ----a-w C:\WINDOWS\system32\mmc.exe
2012-12-21 11:00:00 81,408 ----a-w C:\WINDOWS\system32\fsusd.dll
2012-12-21 11:00:00 80,896 ----a-w C:\WINDOWS\system32\netui0.dll
2012-12-21 11:00:00 80,384 ----a-w C:\WINDOWS\system32\iccvid.dll
2012-12-21 11:00:00 80,384 ----a-w C:\WINDOWS\system32\faultrep.dll
2012-12-21 11:00:00 80,384 ----a-w C:\WINDOWS\system32\autodisc.dll
2012-12-21 11:00:00 80,128 ----a-w C:\WINDOWS\system32\drivers\parport.sys
2012-12-21 11:00:00 8,832 ----a-w C:\WINDOWS\system32\drivers\rasacd.sys
2012-12-21 11:00:00 8,704 ----a-w C:\WINDOWS\system32\eventvwr.exe
2012-12-21 11:00:00 8,704 ----a-w C:\WINDOWS\system32\dciman32.dll
2012-12-21 11:00:00 8,704 ----a-w C:\WINDOWS\system32\batt.dll
2012-12-21 11:00:00 8,424 ----a-w C:\WINDOWS\system32\exe2bin.exe
2012-12-21 11:00:00 8,192 ----a-w C:\WINDOWS\system32\winhlp32.exe
2012-12-21 11:00:00 8,192 ----a-w C:\WINDOWS\system32\tsbyuv.dll
2012-12-21 11:00:00 8,192 ----a-w C:\WINDOWS\system32\streamci.dll
2012-12-21 11:00:00 8,192 ----a-w C:\WINDOWS\system32\smbinst.exe
2012-12-21 11:00:00 8,192 ----a-w C:\WINDOWS\system32\ntlsapi.dll
2012-12-21 11:00:00 8,192 ----a-w C:\WINDOWS\system32\mountvol.exe
2012-12-21 11:00:00 8,192 ----a-w C:\WINDOWS\system32\mciole16.dll
2012-12-21 11:00:00 8,192 ----a-w C:\WINDOWS\system32\igmpagnt.dll
2012-12-21 11:00:00 8,192 ----a-w C:\WINDOWS\system32\d3d8thk.dll
2012-12-21 11:00:00 8,192 ----a-w C:\WINDOWS\system32\control.exe
2012-12-21 11:00:00 8,192 ----a-r C:\WINDOWS\system32\kbdhept.dll
2012-12-21 11:00:00 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2012-12-21 11:00:00 792,064 ----a-w C:\WINDOWS\system32\comres.dll
2012-12-21 11:00:00 79,744 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2012-12-21 11:00:00 78,848 ----a-w C:\WINDOWS\system32\tapiui.dll
2012-12-21 11:00:00 78,848 ----a-w C:\WINDOWS\system32\msiexec.exe
2012-12-21 11:00:00 78,336 ----a-w C:\WINDOWS\system32\browsewm.dll
2012-12-21 11:00:00 77,824 ----a-w C:\WINDOWS\system32\shrpubw.exe
2012-12-21 11:00:00 77,824 ----a-w C:\WINDOWS\system32\eventtriggers.exe
2012-12-21 11:00:00 77,824 ----a-w C:\WINDOWS\system32\cliconfg.dll
2012-12-21 11:00:00 77,312 ----a-w C:\WINDOWS\system32\sdbinst.exe
2012-12-21 11:00:00 77,312 ----a-w C:\WINDOWS\system32\browser.dll
2012-12-21 11:00:00 76,800 ----a-w C:\WINDOWS\system32\gcdef.dll
2012-12-21 11:00:00 75,776 ----a-w C:\WINDOWS\system32\wiascr.dll
2012-12-21 11:00:00 75,776 ----a-w C:\WINDOWS\system32\strmfilt.dll
2012-12-21 11:00:00 75,264 ----a-w C:\WINDOWS\system32\locator.exe
2012-12-21 11:00:00 75,264 ----a-w C:\WINDOWS\system32\inetpp.dll
2012-12-21 11:00:00 74,752 ----a-w C:\WINDOWS\system32\spoolss.dll
2012-12-21 11:00:00 74,752 ----a-w C:\WINDOWS\system32\olecli32.dll
2012-12-21 11:00:00 74,752 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2012-12-21 11:00:00 74,752 ----a-w C:\WINDOWS\system32\cryptdlg.dll
2012-12-21 11:00:00 74,240 ----a-w C:\WINDOWS\system32\unimdmat.dll
2012-12-21 11:00:00 74,240 ----a-w C:\WINDOWS\system32\dhcpsapi.dll
2012-12-21 11:00:00 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2012-12-21 11:00:00 73,802 ----a-w C:\WINDOWS\system32\msrclr40.dll
2012-12-21 11:00:00 73,728 ----a-w C:\WINDOWS\system32\mscms.dll
2012-12-21 11:00:00 73,728 ----a-w C:\WINDOWS\system32\fdeploy.dll
2012-12-21 11:00:00 73,728 ----a-w C:\WINDOWS\system32\csseqchk.dll
2012-12-21 11:00:00 73,472 ----a-w C:\WINDOWS\system32\drivers\sr.sys
2012-12-21 11:00:00 723,456 ----a-w C:\WINDOWS\system32\userenv.dll
2012-12-21 11:00:00 72,704 ----a-w C:\WINDOWS\system32\msw3prt.dll
2012-12-21 11:00:00 72,192 ----a-w C:\WINDOWS\system32\tasklist.exe
2012-12-21 11:00:00 72,192 ----a-w C:\WINDOWS\system32\taskkill.exe
2012-12-21 11:00:00 713,728 ----a-w C:\WINDOWS\system32\opengl32.dll
2012-12-21 11:00:00 71,680 ----a-w C:\WINDOWS\system32\ssdpsrv.dll
2012-12-21 11:00:00 71,680 ----a-w C:\WINDOWS\system32\msacm32.dll
2012-12-21 11:00:00 71,680 ----a-w C:\WINDOWS\system32\dsdmoprp.dll
2012-12-21 11:00:00 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2012-12-21 11:00:00 71,040 ----a-w C:\WINDOWS\system32\drivers\dxg.sys
2012-12-21 11:00:00 708,096 ----a-w C:\WINDOWS\system32\ntdll.dll
2012-12-21 11:00:00 707 ----a-w C:\WINDOWS\_default.pif
2012-12-21 11:00:00 701,440 ----a-w C:\WINDOWS\system32\msxml2.dll
2012-12-21 11:00:00 70,656 ----a-w C:\WINDOWS\system32\mmcbase.dll
2012-12-21 11:00:00 70,656 ----a-w C:\WINDOWS\system32\ifsutil.dll
2012-12-21 11:00:00 70,656 ----a-w C:\WINDOWS\system32\amstream.dll
2012-12-21 11:00:00 70,144 ----a-w C:\WINDOWS\system32\sigverif.exe
2012-12-21 11:00:00 7,936 ----a-w C:\WINDOWS\system32\drivers\fs_rec.sys
2012-12-21 11:00:00 7,680 ----a-w C:\WINDOWS\system32\vcdex.dll
2012-12-21 11:00:00 7,680 ----a-w C:\WINDOWS\system32\ncxpnt.dll
2012-12-21 11:00:00 7,680 ----a-w C:\WINDOWS\system32\mciole32.dll
2012-12-21 11:00:00 7,680 ----a-w C:\WINDOWS\system32\kbdsmsno.dll
2012-12-21 11:00:00 7,680 ----a-w C:\WINDOWS\system32\kbdsmsfi.dll
2012-12-21 11:00:00 7,680 ----a-w C:\WINDOWS\system32\kbdcan.dll
2012-12-21 11:00:00 7,680 ----a-w C:\WINDOWS\system32\hostname.exe
2012-12-21 11:00:00 7,680 ----a-w C:\WINDOWS\system32\drivers\mcd.sys
2012-12-21 11:00:00 7,680 ----a-w C:\WINDOWS\system32\chcp.com
2012-12-21 11:00:00 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2012-12-21 11:00:00 7,168 ----a-w C:\WINDOWS\system32\wshnetbs.dll
2012-12-21 11:00:00 7,168 ----a-w C:\WINDOWS\system32\recover.exe
2012-12-21 11:00:00 7,168 ----a-w C:\WINDOWS\system32\mscat32.dll
2012-12-21 11:00:00 7,168 ----a-w C:\WINDOWS\system32\kbdukx.dll
2012-12-21 11:00:00 7,168 ----a-w C:\WINDOWS\system32\kbdno1.dll
2012-12-21 11:00:00 7,168 ----a-w C:\WINDOWS\system32\kbdfi1.dll
2012-12-21 11:00:00 7,168 ----a-w C:\WINDOWS\system32\forcedos.exe
2012-12-21 11:00:00 7,168 ----a-w C:\WINDOWS\system32\diskcopy.com
2012-12-21 11:00:00 7,168 ----a-r C:\WINDOWS\system32\kbdcz.dll
2012-12-21 11:00:00 7,052 ----a-w C:\WINDOWS\system32\nlsfunc.exe
2012-12-21 11:00:00 7,040 ----a-w C:\WINDOWS\system32\kdcom.dll
2012-12-21 11:00:00 69,632 ----a-w C:\WINDOWS\system32\scarddlg.dll
2012-12-21 11:00:00 69,632 ----a-w C:\WINDOWS\system32\raschap.dll
2012-12-21 11:00:00 69,632 ----a-w C:\WINDOWS\system32\odbcconf.exe
2012-12-21 11:00:00 69,584 ----a-w C:\WINDOWS\system32\avicap.dll
2012-12-21 11:00:00 69,120 ----a-w C:\WINDOWS\system32\olethk32.dll
2012-12-21 11:00:00 69,120 ----a-w C:\WINDOWS\system32\notepad.exe
2012-12-21 11:00:00 69,120 ----a-w C:\WINDOWS\system32\mprddm.dll
2012-12-21 11:00:00 69,120 ----a-w C:\WINDOWS\NOTEPAD.EXE
2012-12-21 11:00:00 68,768 ----a-w C:\WINDOWS\system32\mmsystem.dll
2012-12-21 11:00:00 68,608 ----a-w C:\WINDOWS\system32\digest.dll
2012-12-21 11:00:00 68,224 ----a-w C:\WINDOWS\system32\drivers\pci.sys
2012-12-21 11:00:00 68,096 ----a-w C:\WINDOWS\system32\systeminfo.exe
2012-12-21 11:00:00 68,096 ----a-w C:\WINDOWS\system32\shgina.dll
2012-12-21 11:00:00 68,096 ----a-w C:\WINDOWS\system32\adsmsext.dll
2012-12-21 11:00:00 673,088 ----a-w C:\WINDOWS\system32\mlang.dat
2012-12-21 11:00:00 67,584 ----a-w C:\WINDOWS\system32\sti.dll
2012-12-21 11:00:00 67,584 ----a-w C:\WINDOWS\system32\srclient.dll
2012-12-21 11:00:00 67,584 ----a-w C:\WINDOWS\system32\osuninst.dll
2012-12-21 11:00:00 67,584 ----a-w C:\WINDOWS\system32\openfiles.exe
2012-12-21 11:00:00 67,584 ----a-w C:\WINDOWS\system32\drivers\sdbus.sys
2012-12-21 11:00:00 67,584 ------w C:\WINDOWS\system32\webclnt.dll
2012-12-21 11:00:00 67,072 ----a-w C:\WINDOWS\system32\rdshost.exe
2012-12-21 11:00:00 67,072 ----a-w C:\WINDOWS\system32\ntdsapi.dll
2012-12-21 11:00:00 66,560 ----a-w C:\WINDOWS\system32\console.dll
2012-12-21 11:00:00 66,560 ------w C:\WINDOWS\system32\mtxclu.dll
2012-12-21 11:00:00 66,176 ----a-w C:\WINDOWS\system32\drivers\udfs.sys
2012-12-21 11:00:00 657,920 ----a-w C:\WINDOWS\system32\rasdlg.dll
2012-12-21 11:00:00 655,360 ----a-w C:\WINDOWS\system32\mstscax.dll
2012-12-21 11:00:00 65,536 ----a-w C:\WINDOWS\system32\wshext.dll
2012-12-21 11:00:00 65,536 ----a-w C:\WINDOWS\system32\wextract.exe
2012-12-21 11:00:00 65,536 ----a-w C:\WINDOWS\system32\shimeng.dll
2012-12-21 11:00:00 65,536 ----a-w C:\WINDOWS\system32\odbccu32.dll
2012-12-21 11:00:00 65,536 ----a-w C:\WINDOWS\system32\odbccr32.dll
2012-12-21 11:00:00 65,024 ----a-w C:\WINDOWS\system32\msaudite.dll
2012-12-21 11:00:00 65,024 ----a-w C:\WINDOWS\system32\asycfilt.dll
2012-12-21 11:00:00 640,000 ----a-w C:\WINDOWS\system32\dbghelp.dll
2012-12-21 11:00:00 64,896 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2012-12-21 11:00:00 64,512 ----a-w C:\WINDOWS\system32\acctres.dll
2012-12-21 11:00:00 64,000 ----a-w C:\WINDOWS\system32\samlib.dll
2012-12-21 11:00:00 64,000 ----a-w C:\WINDOWS\system32\avicap32.dll
2012-12-21 11:00:00 63,744 ----a-w C:\WINDOWS\system32\drivers\mf.sys
2012-12-21 11:00:00 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2012-12-21 11:00:00 63,488 ----a-w C:\WINDOWS\system32\cryptnet.dll
2012-12-21 11:00:00 63,488 ----a-w C:\WINDOWS\system32\cmstp.exe
2012-12-21 11:00:00 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2012-12-21 11:00:00 625,152 ----a-w C:\WINDOWS\system32\catsrvut.dll
2012-12-21 11:00:00 622,080 ----a-w C:\WINDOWS\system32\netcfgx.dll
2012-12-21 11:00:00 62,976 ----a-w C:\WINDOWS\system32\rsopprov.exe
2012-12-21 11:00:00 62,976 ----a-w C:\WINDOWS\system32\pautoenr.dll
2012-12-21 11:00:00 62,976 ----a-w C:\WINDOWS\system32\dsauth.dll
2012-12-21 11:00:00 62,464 ----a-w C:\WINDOWS\system32\rdpclip.exe
2012-12-21 11:00:00 62,464 ----a-w C:\WINDOWS\system32\iasnap.dll
2012-12-21 11:00:00 62,464 ----a-w C:\WINDOWS\system32\dpnmodem.dll
2012-12-21 11:00:00 62,464 ----a-w C:\WINDOWS\system32\authz.dll
2012-12-21 11:00:00 619,008 ----a-w C:\WINDOWS\system32\dx7vb.dll
2012-12-21 11:00:00 616,960 ----a-w C:\WINDOWS\system32\advapi32.dll
2012-12-21 11:00:00 614,912 ----a-w C:\WINDOWS\system32\h323msp.dll
2012-12-21 11:00:00 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll
2012-12-21 11:00:00 61,952 ----a-w C:\WINDOWS\system32\dpnwsock.dll
2012-12-21 11:00:00 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2012-12-21 11:00:00 61,440 ----a-w C:\WINDOWS\system32\rasman.dll
2012-12-21 11:00:00 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2012-12-21 11:00:00 61,440 ----a-w C:\WINDOWS\system32\dmcompos.dll
2012-12-21 11:00:00 61,168 ----a-w C:\WINDOWS\system32\msacm.dll
2012-12-21 11:00:00 602,624 ----a-w C:\WINDOWS\system32\autoconv.exe
2012-12-21 11:00:00 60,928 ----a-w C:\WINDOWS\system32\ocmanage.dll
2012-12-21 11:00:00 60,928 ----a-w C:\WINDOWS\system32\dpnhupnp.dll
2012-12-21 11:00:00 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2012-12-21 11:00:00 60,416 ----a-w C:\WINDOWS\system32\remotepg.dll
2012-12-21 11:00:00 60,416 ----a-w C:\WINDOWS\system32\cryptsvc.dll
2012-12-21 11:00:00 60,416 ----a-w C:\WINDOWS\system32\colbact.dll
2012-12-21 11:00:00 6,784 ----a-w C:\WINDOWS\system32\drivers\parvdm.sys
2012-12-21 11:00:00 6,656 ----a-w C:\WINDOWS\system32\sensapi.dll
2012-12-21 11:00:00 6,656 ----a-w C:\WINDOWS\system32\routetab.dll
2012-12-21 11:00:00 6,656 ----a-w C:\WINDOWS\system32\msidle.dll
2012-12-21 11:00:00 6,656 ----a-w C:\WINDOWS\system32\kbdsg.dll
2012-12-21 11:00:00 6,656 ----a-w C:\WINDOWS\system32\kbdla.dll
2012-12-21 11:00:00 6,656 ----a-w C:\WINDOWS\system32\kbdinmal.dll
2012-12-21 11:00:00 6,656 ----a-w C:\WINDOWS\system32\kbdinben.dll
2012-12-21 11:00:00 6,656 ----a-r C:\WINDOWS\system32\kbdycl.dll
2012-12-21 11:00:00 6,656 ----a-r C:\WINDOWS\system32\kbdsl1.dll
2012-12-21 11:00:00 6,656 ----a-r C:\WINDOWS\system32\kbdsl.dll
2012-12-21 11:00:00 6,656 ----a-r C:\WINDOWS\system32\kbdpl.dll
2012-12-21 11:00:00 6,656 ----a-r C:\WINDOWS\system32\kbdhu.dll
2012-12-21 11:00:00 6,656 ----a-r C:\WINDOWS\system32\kbdhela3.dll
2012-12-21 11:00:00 6,656 ----a-r C:\WINDOWS\system32\kbdcz2.dll
2012-12-21 11:00:00 6,656 ----a-r C:\WINDOWS\system32\kbdcz1.dll
2012-12-21 11:00:00 6,656 ----a-r C:\WINDOWS\system32\kbdcr.dll
2012-12-21 11:00:00 6,656 ----a-r C:\WINDOWS\system32\KBDAL.DLL
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\svcpack.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\msdtc.exe
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdusx.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdusr.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdusl.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdsw.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdsp.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdsf.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdpo.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdno.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdne.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdmlt48.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdmlt47.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdmac.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdinbe1.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdic.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdgr1.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdgr.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdfr.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdfo.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdfi.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdfc.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdes.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdda.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdca.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdbr.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdbene.dll
2012-12-21 11:00:00 6,144 ----a-w C:\WINDOWS\system32\kbdbe.dll
2012-12-21 11:00:00 6,144 ----a-r C:\WINDOWS\system32\kbdtuq.dll
2012-12-21 11:00:00 6,144 ----a-r C:\WINDOWS\system32\kbdtuf.dll
2012-12-21 11:00:00 6,144 ----a-r C:\WINDOWS\system32\kbdlv1.dll
2012-12-21 11:00:00 6,144 ----a-r C:\WINDOWS\system32\kbdlv.dll
2012-12-21 11:00:00 6,144 ----a-r C:\WINDOWS\system32\kbdhela2.dll
2012-12-21 11:00:00 6,144 ----a-r C:\WINDOWS\system32\kbdgkl.dll
2012-12-21 11:00:00 6,144 ----a-r C:\WINDOWS\system32\kbdest.dll
2012-12-21 11:00:00 597,504 ----a-w C:\WINDOWS\system32\crypt32.dll
2012-12-21 11:00:00 596,992 ----a-w C:\WINDOWS\system32\wsecedit.dll
2012-12-21 11:00:00 590,336 ----a-w C:\WINDOWS\system32\d3dramp.dll
2012-12-21 11:00:00 59,904 ----a-w C:\WINDOWS\system32\mpr.dll
2012-12-21 11:00:00 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2012-12-21 11:00:00 59,904 ----a-w C:\WINDOWS\system32\devenum.dll
2012-12-21 11:00:00 59,904 ----a-w C:\WINDOWS\system32\cabinet.dll
2012-12-21 11:00:00 59,392 ----a-w C:\WINDOWS\system32\logman.exe
2012-12-21 11:00:00 59,392 ----a-w C:\WINDOWS\system32\iassvcs.dll
2012-12-21 11:00:00 589,312 ----a-w C:\WINDOWS\system32\wiashext.dll
2012-12-21 11:00:00 588,800 ----a-w C:\WINDOWS\system32\autochk.exe
2012-12-21 11:00:00 586,240 ----a-w C:\WINDOWS\system32\mlang.dll
2012-12-21 11:00:00 581,120 ----a-w C:\WINDOWS\system32\rpcrt4.dll
2012-12-21 11:00:00 580,608 ----a-w C:\WINDOWS\system32\autofmt.exe
2012-12-21 11:00:00 58,880 ----a-w C:\WINDOWS\system32\resutils.dll
2012-12-21 11:00:00 58,880 ----a-w C:\WINDOWS\system32\rastapi.dll
2012-12-21 11:00:00 58,880 ----a-w C:\WINDOWS\system32\msdtclog.dll
2012-12-21 11:00:00 58,880 ----a-w C:\WINDOWS\system32\licwmi.dll
2012-12-21 11:00:00 58,880 ----a-w C:\WINDOWS\system32\atl.dll
2012-12-21 11:00:00 58,368 ----a-w C:\WINDOWS\system32\driverquery.exe
2012-12-21 11:00:00 574,592 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2012-12-21 11:00:00 57,856 ----a-w C:\WINDOWS\system32\ntlanui.dll
2012-12-21 11:00:00 57,856 ----a-w C:\WINDOWS\system32\clusapi.dll
2012-12-21 11:00:00 57,600 ----a-w C:\WINDOWS\system32\drivers\usbhub.sys
2012-12-21 11:00:00 57,344 ----a-w C:\WINDOWS\system32\msasn1.dll
2012-12-21 11:00:00 57,344 ----a-w C:\WINDOWS\system32\gpupdate.exe
2012-12-21 11:00:00 57,344 ----a-w C:\WINDOWS\system32\dpwsockx.dll
2012-12-21 11:00:00 566,784 ----a-w C:\WINDOWS\system32\gpedit.dll
2012-12-21 11:00:00 565,760 ----a-w C:\WINDOWS\system32\msvcp50.dll
2012-12-21 11:00:00 562,176 ----a-w C:\WINDOWS\system32\qedit.dll
2012-12-21 11:00:00 560,640 ----a-w C:\WINDOWS\system32\printui.dll
2012-12-21 11:00:00 56,832 ----a-w C:\WINDOWS\system32\sol.exe
2012-12-21 11:00:00 56,832 ----a-w C:\WINDOWS\system32\rasphone.exe
2012-12-21 11:00:00 56,320 ----a-w C:\WINDOWS\system32\servdeps.dll
2012-12-21 11:00:00 56,320 ----a-w C:\WINDOWS\system32\fsutil.exe
2012-12-21 11:00:00 56,320 ----a-w C:\WINDOWS\system32\cipher.exe
2012-12-21 11:00:00 553,472 ----a-w C:\WINDOWS\system32\oleaut32.dll
2012-12-21 11:00:00 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
2012-12-21 11:00:00 55,936 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2012-12-21 11:00:00 55,808 ----a-w C:\WINDOWS\system32\wmiscmgr.dll
2012-12-21 11:00:00 55,808 ----a-w C:\WINDOWS\system32\secur32.dll
2012-12-21 11:00:00 55,808 ----a-w C:\WINDOWS\system32\eventlog.dll
2012-12-21 11:00:00 55,296 ----a-w C:\WINDOWS\system32\sendmail.dll
2012-12-21 11:00:00 55,296 ----a-w C:\WINDOWS\system32\getmac.exe
2012-12-21 11:00:00 55,296 ----a-w C:\WINDOWS\system32\freecell.exe
2012-12-21 11:00:00 55,296 ----a-w C:\WINDOWS\system32\dvdplay.exe
2012-12-21 11:00:00 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2012-12-21 11:00:00 540,160 ----a-w C:\WINDOWS\system32\comuid.dll
2012-12-21 11:00:00 54,784 ----a-w C:\WINDOWS\system32\msvcirt.dll
2012-12-21 11:00:00 54,784 ----a-w C:\WINDOWS\system32\icmui.dll
2012-12-21 11:00:00 54,272 ----a-w C:\WINDOWS\system32\stclient.dll
2012-12-21 11:00:00 538,624 ----a-w C:\WINDOWS\system32\spider.exe
2012-12-21 11:00:00 53,840 ----a-w C:\WINDOWS\system32\dosx.exe
2012-12-21 11:00:00 53,760 ----a-w C:\WINDOWS\system32\winsta.dll
2012-12-21 11:00:00 53,760 ----a-w C:\WINDOWS\system32\cryptext.dll
2012-12-21 11:00:00 53,520 ----a-w C:\WINDOWS\system32\dpserial.dll
2012-12-21 11:00:00 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2012-12-21 11:00:00 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
2012-12-21 11:00:00 53,248 ----a-w C:\WINDOWS\system32\ipv6.exe
2012-12-21 11:00:00 526,848 ----a-w C:\WINDOWS\system32\p2psvc.dll
2012-12-21 11:00:00 52,736 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2012-12-21 11:00:00 52,736 ----a-w C:\WINDOWS\system32\basesrv.dll
2012-12-21 11:00:00 52,224 ----a-w C:\WINDOWS\system32\tsappcmp.dll
2012-12-21 11:00:00 52,224 ----a-w C:\WINDOWS\system32\dmutil.dll
2012-12-21 11:00:00 514,560 ----a-w C:\WINDOWS\system32\logonui.exe
2012-12-21 11:00:00 512,512 ----a-w C:\WINDOWS\system32\cryptui.dll
2012-12-21 11:00:00 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
2012-12-21 11:00:00 51,712 ----a-w C:\WINDOWS\system32\wzcsapi.dll
2012-12-21 11:00:00 51,712 ----a-w C:\WINDOWS\system32\vdmredir.dll
2012-12-21 11:00:00 51,712 ----a-w C:\WINDOWS\system32\msident.dll
2012-12-21 11:00:00 51,456 ----a-w C:\WINDOWS\system32\vga256.dll
2012-12-21 11:00:00 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2012-12-21 11:00:00 51,200 ----a-w C:\WINDOWS\system32\dssec.dll
2012-12-21 11:00:00 506,368 ----a-w C:\WINDOWS\system32\msxml.dll
2012-12-21 11:00:00 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2012-12-21 11:00:00 50,688 ----a-w C:\WINDOWS\twain_32.dll
2012-12-21 11:00:00 50,688 ----a-w C:\WINDOWS\system32\wstdecod.dll
2012-12-21 11:00:00 50,688 ----a-w C:\WINDOWS\system32\smss.exe
2012-12-21 11:00:00 50,688 ----a-w C:\WINDOWS\system32\mmcshext.dll
2012-12-21 11:00:00 50,688 ----a-w C:\WINDOWS\system32\camocx.dll
2012-12-21 11:00:00 50,688 ----a-w C:\WINDOWS\system32\btpanui.dll
2012-12-21 11:00:00 50,620 ----a-w C:\WINDOWS\system32\command.com
2012-12-21 11:00:00 50,176 ----a-w C:\WINDOWS\system32\xmlprovi.dll
2012-12-21 11:00:00 50,176 ----a-w C:\WINDOWS\system32\reg.exe
2012-12-21 11:00:00 50,176 ----a-w C:\WINDOWS\system32\mdhcp.dll
2012-12-21 11:00:00 50,176 ----a-w C:\WINDOWS\system32\loghours.dll
2012-12-21 11:00:00 50,176 ----a-w C:\WINDOWS\system32\eventcreate.exe
2012-12-21 11:00:00 5,888 ----a-w C:\WINDOWS\system32\drivers\rootmdm.sys
2012-12-21 11:00:00 5,888 ----a-w C:\WINDOWS\system32\drivers\dmload.sys
2012-12-21 11:00:00 5,632 ----a-w C:\WINDOWS\system32\write.exe
2012-12-21 11:00:00 5,632 ----a-w C:\WINDOWS\system32\wmi.dll
2012-12-21 11:00:00 5,632 ----a-w C:\WINDOWS\system32\winver.exe
2012-12-21 11:00:00 5,632 ----a-w C:\WINDOWS\system32\tapiperf.dll
2012-12-21 11:00:00 5,632 ----a-w C:\WINDOWS\system32\softpub.dll
2012-12-21 11:00:00 5,632 ----a-w C:\WINDOWS\system32\security.dll
2012-12-21 11:00:00 5,632 ----a-w C:\WINDOWS\system32\kbdus.dll
2012-12-21 11:00:00 5,632 ----a-w C:\WINDOWS\system32\kbduk.dll
2012-12-21 11:00:00 5,632 ----a-w C:\WINDOWS\system32\kbdmaori.dll
2012-12-21 11:00:00 5,632 ----a-w C:\WINDOWS\system32\kbdit142.dll
2012-12-21 11:00:00 5,632 ----a-w C:\WINDOWS\system32\kbdit.dll
2012-12-21 11:00:00 5,632 ----a-w C:\WINDOWS\system32\kbdir.dll
2012-12-21 11:00:00 5,632 ----a-w C:\WINDOWS\system32\kbdgae.dll
2012-12-21 11:00:00 5,632 ----a-r C:\WINDOWS\system32\kbdro.dll
2012-12-21 11:00:00 5,632 ----a-r C:\WINDOWS\system32\kbdpl1.dll
2012-12-21 11:00:00 5,632 ----a-r C:\WINDOWS\system32\kbdmon.dll
2012-12-21 11:00:00 5,632 ----a-r C:\WINDOWS\system32\kbdlt1.dll
2012-12-21 11:00:00 5,632 ----a-r C:\WINDOWS\system32\kbdlt.dll
2012-12-21 11:00:00 5,632 ----a-r C:\WINDOWS\system32\kbdkyr.dll
2012-12-21 11:00:00 5,632 ----a-r C:\WINDOWS\system32\kbdhu1.dll
2012-12-21 11:00:00 5,632 ----a-r C:\WINDOWS\system32\kbdhe319.dll
2012-12-21 11:00:00 5,632 ----a-r C:\WINDOWS\system32\kbdhe220.dll
2012-12-21 11:00:00 5,632 ----a-r C:\WINDOWS\system32\kbdhe.dll
2012-12-21 11:00:00 5,632 ----a-r C:\WINDOWS\system32\kbdazel.dll
2012-12-21 11:00:00 5,504 ----a-w C:\WINDOWS\system32\drivers\intelide.sys
2012-12-21 11:00:00 5,120 ----a-w C:\WINDOWS\system32\winnls.dll
2012-12-21 11:00:00 5,120 ----a-w C:\WINDOWS\system32\shell.dll
2012-12-21 11:00:00 5,120 ----a-w C:\WINDOWS\system32\sfc.dll
2012-12-21 11:00:00 5,120 ----a-w C:\WINDOWS\system32\lodctr.exe
2012-12-21 11:00:00 5,120 ----a-w C:\WINDOWS\system32\kbddv.dll
2012-12-21 11:00:00 5,120 ----a-w C:\WINDOWS\system32\dcomcnfg.exe
2012-12-21 11:00:00 5,120 ----a-w C:\WINDOWS\system32\bootvrfy.exe
2012-12-21 11:00:00 498,688 ----a-w C:\WINDOWS\system32\clbcatq.dll
2012-12-21 11:00:00 498,205 ----a-w C:\WINDOWS\system32\dxmasf.dll
2012-12-21 11:00:00 49,680 ----a-w C:\WINDOWS\twunk_16.exe
2012-12-21 11:00:00 49,664 ----a-w C:\WINDOWS\system32\w32tm.exe
2012-12-21 11:00:00 49,664 ----a-w C:\WINDOWS\system32\regapi.dll
2012-12-21 11:00:00 49,664 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2012-12-21 11:00:00 49,536 ----a-w C:\WINDOWS\system32\drivers\cdrom.sys
2012-12-21 11:00:00 49,179 ----a-w C:\WINDOWS\system32\sqlwoa.dll
2012-12-21 11:00:00 49,152 ----a-w C:\WINDOWS\system32\wdigest.dll
2012-12-21 11:00:00 49,152 ----a-w C:\WINDOWS\system32\powercfg.exe
2012-12-21 11:00:00 49,152 ----a-w C:\WINDOWS\system32\mprdim.dll
2012-12-21 11:00:00 48,640 ----a-w C:\WINDOWS\system32\pnrpnsp.dll
2012-12-21 11:00:00 48,640 ----a-w C:\WINDOWS\system32\drivers\stream.sys
2012-12-21 11:00:00 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2012-12-21 11:00:00 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2012-12-21 11:00:00 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2012-12-21 11:00:00 48,128 ----a-w C:\WINDOWS\system32\docprop2.dll
2012-12-21 11:00:00 47,872 ----a-w C:\WINDOWS\system32\user.exe
2012-12-21 11:00:00 47,616 ----a-w C:\WINDOWS\system32\iyuv_32.dll
2012-12-21 11:00:00 47,616 ----a-w C:\WINDOWS\system32\d3dxof.dll
2012-12-21 11:00:00 47,104 ----a-w C:\WINDOWS\system32\ssmypics.scr
2012-12-21 11:00:00 47,104 ----a-w C:\WINDOWS\system32\mprui.dll
2012-12-21 11:00:00 47,104 ----a-w C:\WINDOWS\system32\cmdl32.exe
2012-12-21 11:00:00 463,360 ----a-w C:\WINDOWS\system32\wiadefui.dll
2012-12-21 11:00:00 46,592 ----a-w C:\WINDOWS\system32\pmspl.dll
2012-12-21 11:00:00 46,258 ----a-w C:\WINDOWS\system32\mib.bin
2012-12-21 11:00:00 46,080 ----a-w C:\WINDOWS\system32\docprop.dll
2012-12-21 11:00:00 457,728 ----a-w C:\WINDOWS\system32\certmgr.dll
2012-12-21 11:00:00 45,568 ----a-w C:\WINDOWS\system32\tcpmonui.dll
2012-12-21 11:00:00 45,568 ----a-w C:\WINDOWS\system32\tcpmon.dll
2012-12-21 11:00:00 45,568 ----a-w C:\WINDOWS\system32\extrac32.exe
2012-12-21 11:00:00 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2012-12-21 11:00:00 45,083 ----a-w C:\WINDOWS\system32\dispex.dll
2012-12-21 11:00:00 442,368 ----a-w C:\WINDOWS\system32\sqlsrv32.dll
2012-12-21 11:00:00 44,544 ----a-w C:\WINDOWS\system32\tscupgrd.exe
2012-12-21 11:00:00 44,032 ----a-w C:\WINDOWS\system32\twext.dll
2012-12-21 11:00:00 44,032 ----a-w C:\WINDOWS\system32\rtutils.dll
2012-12-21 11:00:00 44,032 ----a-w C:\WINDOWS\system32\ipsec6.exe
2012-12-21 11:00:00 44,032 ----a-w C:\WINDOWS\system32\dimap.dll
2012-12-21 11:00:00 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll

#16 vicvalis

vicvalis

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 02 June 2007 - 07:39 PM

Wow, that last one was a doozy! Here's the second:

Logfile of HijackThis v1.99.1
Scan saved at 1:34:16 AM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AusLogics BoostSpeed\BoostSpeed.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BoostSpeed] "C:\Program Files\AusLogics BoostSpeed\BoostSpeed.exe" /Q
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177679059457
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: hgghgfe - hgghgfe.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winkzr32 - winkzr32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe


Jeff

#17 vicvalis

vicvalis

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 02 June 2007 - 08:16 PM

And one more observation: while in the system configuration utility (trying to cut down on the number of items running at startup, since it was taking forever for the laptop to start up) I noticed that "ipmon.exe" was one of the items listed in startup, though unchecked. I have no plans to check it, so can it stay there or are we hoping to get rid of it?

jeff

#18 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 03 June 2007 - 07:33 AM

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.


The log was long because you installed a program (probably Windows) when your time clock was set to 2012.
All items are showing in the 3M report from the tools.
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2012-12-21 11:00:00 994,304 ----a-w C:\WINDOWS\system32\msgina.dll
....



Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O20 - Winlogon Notify: hgghgfe - hgghgfe.dll (file missing)
O20 - Winlogon Notify: winkzr32 - winkzr32.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.

Restart the computer to reset the registry.

Download the Registry Search Tool from here:
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)


In the dialog that opens enter the following:
ipmon.exe


Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.

This ipmon.exe is known to come from a TROJAN. Run this scan.

TrendMicro HouseCall Java Scan
  • Please go HERE to run the Trend Micro HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
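As an added example (not code from this thread, from nasdaq, or from the HijackThis tool), here is a small Python triage pass over constructed log lines in the HijackThis v1.99.1 layout used above: it flags O20 Winlogon Notify entries whose DLL is marked "(file missing)", which is exactly the pair nasdaq asks to have fixed, and marks O23 services with a missing binary or no recorded publisher for manual review. The regexes and the Finding class are my own assumptions about the line format, not a published HijackThis grammar, and SAMPLE_LOG is a constructed excerpt.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 layout, modelled on entries seen in
# this thread (a handful of lines, not the full log). Not real tool output.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: hgghgfe - hgghgfe.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winkzr32 - winkzr32.dll (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Assumed line layouts (my reading of the log format, not an official grammar).
ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
WINLOGON = re.compile(
    r"^Winlogon Notify: (?P<name>.+?) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
# The owner field may be empty ("... - - c:\path"), hence the optional space
# before the second dash.
SERVICE = re.compile(
    r"^Service: (?P<display>.+?) - (?P<owner>.*?) ?- (?P<path>.+?)(?P<missing> \(file missing\))?$")


@dataclass
class Finding:
    line: str        # the log line exactly as HijackThis prints it
    severity: str    # "high" = candidate for Fix Checked, "review" = verify by hand
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and flag the O20/O23 entries a helper looks at first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list, blank lines
        section, body = m.group("section"), m.group("body")
        if section == "O20":
            w = WINLOGON.match(body)
            if w and w.group("missing"):
                # A Winlogon Notify key whose DLL is gone is a leftover, usually of
                # malware that was already removed; nothing legitimate depends on it.
                findings.append(Finding(line, "high",
                    "Winlogon Notify entry points at a DLL that no longer exists"))
        elif section == "O23":
            s = SERVICE.match(body)
            if not s:
                continue
            reasons = []
            if s.group("missing"):
                reasons.append("service binary is missing on disk")
            if s.group("owner").strip() in ("", "Unknown owner"):
                reasons.append("no publisher recorded for the service")
            if reasons:
                findings.append(Finding(line, "review", "; ".join(reasons)))
    return findings


def lines_to_fix(findings: list[Finding]) -> list[str]:
    """The entries you would tick in HijackThis before pressing Fix Checked."""
    return [f.line for f in findings if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}\n    {f.reason}")
```

Entries marked "review" (a service with no publisher or a missing binary, like the stale CiSvc entry) are not removed automatically; they are the ones to confirm by hand before touching anything.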

#19 vicvalis

vicvalis

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 04 June 2007 - 12:18 AM

Okay, here's the latest:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "ipmon.exe" 6/4/2007 2:31:23 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ipmon]
"command"="ipmon.exe"

jeff

#20 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 04 June 2007 - 07:46 AM

; Purpose: Remove traces in the registry.
;
; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.
;
; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ipmon]



; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

If you need help on "How to Make a .Reg File"
See:
http://www.nellie2.co.uk/file.htm

Submit a fresh HijackThis log.

Let me know what problem remains.
nasdaq

#21 vicvalis

vicvalis

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 04 June 2007 - 04:52 PM

Here's the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 10:49:11 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\GEARSec.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177679059457
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

I've noticed no problems so far, though I haven't used the computer much while clearing it out of nasties.

jeff

#22 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 05 June 2007 - 06:35 AM

Nice work, your log is clean.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html


nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#23 vicvalis

    Member

  • Full Member
  • 22 posts

Posted 05 June 2007 - 12:25 PM

Okay, thanks; next time I'll be more careful.

jeff

#24 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 05 June 2007 - 01:17 PM

Glad we could help.
nasdaq

#25 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 16 June 2007 - 07:39 AM

Glad we could help. :)

[Reopened]

Everyone else please begin a New Topic.
nasdaq

#26 cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 25 June 2007 - 06:08 PM

Reopened at request of topic owner.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare (1564-1616)
The various helper groups here
UNITE


#27 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 26 June 2007 - 07:07 AM

vicvalis

The topic is open.

If any problems please explain and submit a fresh HijackThis log.
nasdaq

#28 vicvalis

    Member

  • Full Member
  • 22 posts

Posted 26 June 2007 - 02:27 PM

Had to reinstall Office 2003 from a file of dubious origin, and knew I'd better start taking care of any problems now. Norton antivirus spotted some stuff and quarantined it. AVG did too. Did some housecleaning myself. Here's the latest hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:19:12 PM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177679059457
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

Thanks,

jeff
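The log above is in the HijackThis line format (section tag, " - ", body), and the helper's review of it comes down to reading the O2, O4, O20 and O23 lines and deciding which ones deserve a second look. As an added example, not code from the thread or from HijackThis, here is a small parser for that format together with the review heuristics a helper typically applies: services whose binary is reported "(file missing)" or that carry no vendor string, Winlogon Notify DLLs, BHOs with no name, and autoruns launched from a user-writable Temp directory. The sample lines are constructed in the thread's format; the O4 "updater" entry under a Temp folder is invented to exercise the path check, and the "Unknown owner" and "(file missing)" services mirror entries that the moderator nonetheless judged clean, so the flags are review prompts for a human, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the HijackThis line format used in this thread
# (a handful of entries, not the poster's full log). The HKCU "updater"
# O4 line is invented to exercise the user-writable-path check.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKCU\\..\\Run: [updater] C:\\Documents and Settings\\jeff\\Local Settings\\Temp\\updater.exe
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\system32\\NavLogon.dll
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\\WINDOWS\\system32\\cisvc.exe (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\\WINDOWS\\system32\\PsaSrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
O23 - Service: System Update (SUService) - - c:\\program files\\lenovo\\system update\\suservice.exe
"""

# Every HijackThis entry starts with a section tag such as O2, O4, O20, O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<rest>.*)$")

# O23 body: "Service: <display name> - <owner> - <path>". An empty owner is
# printed as " - - ", and a path may itself contain " - ", so the owner group
# is optional and the name is matched lazily up to the first separator.
# Known limitation: a service display name containing " - " would misparse.
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?:(?P<owner>.+?) )?- (?P<path>.+)$")

# Autoruns started from a Temp directory are worth a look: that is a
# user-writable location rather than an installed program directory.
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    rest: str
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Split a HijackThis log into (section, body) entries; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["rest"]))
    return entries


def review(entries: List[Entry]) -> List[Entry]:
    """Attach review flags to entries and return only the flagged ones."""
    for e in entries:
        if e.section == "O23":
            m = SERVICE_RE.match(e.rest)
            if not m:
                e.flags.append("unparsed O23 line")
                continue
            owner = m["owner"] or ""
            if "(file missing)" in m["path"]:
                e.flags.append("service binary missing on disk")
            if not owner or owner.lower() == "unknown owner":
                e.flags.append("no vendor recorded for service")
        elif e.section == "O20":
            e.flags.append("Winlogon Notify DLL loads at logon: verify publisher")
        elif e.section == "O2" and e.rest.startswith("BHO: (no name)"):
            e.flags.append("BHO without a name: identify it by CLSID and path")
        elif e.section == "O4" and TEMP_PATH_RE.search(e.rest):
            e.flags.append("autorun launched from a user-writable Temp directory")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in review(parse_log(SAMPLE_LOG)):
        print(f"{e.section}: {e.rest}")
        for f in e.flags:
            print(f"    -> {f}")
```

Run against the sample, six of the eight entries come back flagged (the Symantec service and the ccApp autorun do not), and the CiSvc service carries two flags. Whether a flagged line is a problem still depends on knowing the machine: the Indexing Service and the IBM PSA driver entries in the poster's log are exactly the kind that look odd in isolation but were accepted as normal for this ThinkPad.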

#29 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 27 June 2007 - 06:18 AM

The last HijackThis log is clean.
nasdaq

#30 vicvalis

    Member

  • Full Member
  • 22 posts

Posted 27 June 2007 - 12:10 PM

Wow, that was easy! Thanks for the peace of mind.

jeff

#31 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 28 June 2007 - 06:37 AM

Glad we could help. :wave:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
http://users.telenet...prevention.html
nasdaq

#32 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 09 July 2007 - 08:07 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq
