Kimmie

Aaflec...HELPPPPPP lol


I am LOADED with WIN32 trojans. I just had you help me get rid of this crap a few weeks ago and more is back. I think I have most of my system cleaned up, but there are a few things lingering that I can't seem to get rid of.

 

In my WINNT folder, there are APP files that Avast and SUPERAntiSpyware both keep finding. They go through the motions of deleting them, but in actuality they don't get deleted. The file names are simply numbers, except for one. They are calling them Win32:Small-EPJ. The file names are:

 

104750.exe

99046.exe

99093.exe

1078590.exe

startdrv.exe

 

The minute I try to manually delete any of these, Avast pops up saying ANOTHER one has been found.

 

There are also entries in my System32 folder that are causing issues (BHOs). I already ran VundoFix; it found these exact files and claimed to delete them, but they are still there..lol. Tried to have HJT fix them, no go. They keep showing back up.

 

Here is my HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 11:22:46 AM, on 5/13/2007

Platform: Windows 2000 SP3 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\LEXBCES.EXE

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\LEXPPS.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\System32\NMSSvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Browser MOUSE\mouse32a.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Alwil Software\Avast4\ashLogV.exe

C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE

C:\Documents and Settings\new user\Desktop\House Cleaning\HijackThis\HijackThis.exe

 

O2 - BHO: (no name) - {6D125317-C54E-45EF-B816-B1F248E6FF33} - C:\WINNT\System32\vtutr.dll (file missing)

O2 - BHO: (no name) - {76D3BB21-CB03-4CEB-A9E9-4E0BF7D69C45} - (no file)

O2 - BHO: (no name) - {8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1} - C:\WINNT\System32\pmnnnol.dll

O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINNT\System32\cyvvxguh.dll

O2 - BHO: (no name) - {E666AA1E-2E93-466B-B4B7-EEABD025F778} - C:\WINNT\System32\vtsqq.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\System32\whwgtvhr.dll",realset

O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/30acbc57336159...ip/RdxIE601.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176325425234

O20 - Winlogon Notify: pmnnnol - C:\WINNT\SYSTEM32\pmnnnol.dll

O20 - Winlogon Notify: vtutr - C:\WINNT\System32\vtutr.dll (file missing)

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe


SUPERAntispyware log:

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 05/13/2007 at 08:40 PM

 

Application Version : 3.7.1018

 

Core Rules Database Version : 3223

Trace Rules Database Version: 1234

 

Scan type : Complete Scan

Total Scan Time : 01:31:32

 

Memory items scanned : 313

Memory threats detected : 5

Registry items scanned : 4059

Registry threats detected : 42

File items scanned : 21322

File threats detected : 80

 

Trojan.Net-Partnership/WL-Resident

C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\SETTINGS\PARTNERSHIP.DLL

C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\SETTINGS\PARTNERSHIP.DLL

C:\WINNT\TEMP\PAR1A75.TMP

C:\WINNT\TEMP\PAR1A75.TMP

 

Adware.Vundo Variant

C:\WINNT\SYSTEM32\VTUTR.DLL

C:\WINNT\SYSTEM32\VTUTR.DLL

HKLM\Software\Classes\CLSID\{35473C24-2956-4E9C-82BB-FDDB45AE21C0}

HKCR\CLSID\{35473C24-2956-4E9C-82BB-FDDB45AE21C0}

HKCR\CLSID\{35473C24-2956-4E9C-82BB-FDDB45AE21C0}\InprocServer32

HKCR\CLSID\{35473C24-2956-4E9C-82BB-FDDB45AE21C0}\InprocServer32#ThreadingModel

HKLM\Software\Classes\CLSID\{E666AA1E-2E93-466B-B4B7-EEABD025F778}

HKCR\CLSID\{E666AA1E-2E93-466B-B4B7-EEABD025F778}

HKCR\CLSID\{E666AA1E-2E93-466B-B4B7-EEABD025F778}\InprocServer32

HKCR\CLSID\{E666AA1E-2E93-466B-B4B7-EEABD025F778}\InprocServer32#ThreadingModel

C:\WINNT\SYSTEM32\VTSQQ.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35473C24-2956-4E9C-82BB-FDDB45AE21C0}

Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\vtutr

C:\WINNT\SYSTEM32\VTURS.DLL

 

Trojan.Downloader-SVCHOTS

C:\WINNT\TEMP\SVCHOTS.EXE

C:\WINNT\TEMP\SVCHOTS.EXE

[Restore Operation] C:\WINNT\TEMP\SVCHOTS.EXE

 

Trojan.IP6FW/Rootkit-Installer

C:\WINNT\SYSTEM32\UPDATE92774612.EXE

C:\WINNT\SYSTEM32\UPDATE92774612.EXE

C:\WINNT\SYSTEM32\UPDATE01809019.EXE

C:\WINNT\SYSTEM32\UPDATE02580498.EXE

C:\WINNT\SYSTEM32\UPDATE06281259.EXE

C:\WINNT\SYSTEM32\UPDATE08619119.EXE

C:\WINNT\SYSTEM32\UPDATE11441057.EXE

C:\WINNT\SYSTEM32\UPDATE19301856.EXE

C:\WINNT\SYSTEM32\UPDATE23224742.EXE

C:\WINNT\SYSTEM32\UPDATE23870810.EXE

C:\WINNT\SYSTEM32\UPDATE27541234.EXE

C:\WINNT\SYSTEM32\UPDATE28354053.EXE

C:\WINNT\SYSTEM32\UPDATE28678585.EXE

C:\WINNT\SYSTEM32\UPDATE30555214.EXE

C:\WINNT\SYSTEM32\UPDATE32407496.EXE

C:\WINNT\SYSTEM32\UPDATE36285409.EXE

C:\WINNT\SYSTEM32\UPDATE38418056.EXE

C:\WINNT\SYSTEM32\UPDATE40879481.EXE

C:\WINNT\SYSTEM32\UPDATE42068334.EXE

C:\WINNT\SYSTEM32\UPDATE46784346.EXE

C:\WINNT\SYSTEM32\UPDATE47406131.EXE

C:\WINNT\SYSTEM32\UPDATE60488296.EXE

C:\WINNT\SYSTEM32\UPDATE62074855.EXE

C:\WINNT\SYSTEM32\UPDATE64837560.EXE

C:\WINNT\SYSTEM32\UPDATE64977311.EXE

C:\WINNT\SYSTEM32\UPDATE65020841.EXE

C:\WINNT\SYSTEM32\UPDATE70289231.EXE

C:\WINNT\SYSTEM32\UPDATE74025176.EXE

C:\WINNT\SYSTEM32\UPDATE77431841.EXE

C:\WINNT\SYSTEM32\UPDATE86153193.EXE

C:\WINNT\SYSTEM32\UPDATE88028614.EXE

C:\WINNT\SYSTEM32\UPDATE89892398.EXE

C:\WINNT\SYSTEM32\UPDATE93084374.EXE

C:\WINNT\SYSTEM32\UPDATE97003829.EXE

C:\WINNT\TEMP\STARTDRV.EXE

 

Trojan.Downloader-Gen/Rootkit-M7

HKLM\System\ControlSet001\Services\EXAMPLE

C:\WINNT\SYSTEM32\MAIN.SYS

HKLM\System\CurrentControlSet\Services\EXAMPLE

 

Adware.Tracking Cookie

C:\Documents and Settings\new user\Cookies\[email protected][1].txt

C:\Documents and Settings\new user\Cookies\[email protected][2].txt

C:\Documents and Settings\new user\Cookies\[email protected][1].txt

C:\Documents and Settings\new user\Cookies\[email protected][1].txt

 

Trojan.Net-Partnership/WL

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\partnershipreg

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\partnershipreg#DllName

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\partnershipreg#Startup

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\partnershipreg#Impersonate

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\partnershipreg#Asynchronous

 

Trojan.Downloader-Gen/SVCHost-Fake

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_IEUPDATER2

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_IEUPDATER2#NextInstance

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_IEUPDATER2\0000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_IEUPDATER2\0000#Service

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_IEUPDATER2\0000#Legacy

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_IEUPDATER2\0000#ConfigFlags

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_IEUPDATER2\0000#Class

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_IEUPDATER2\0000#ClassGUID

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_IEUPDATER2\0000#DeviceDesc

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_IEUPDATER2\0000\Control

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_IEUPDATER2\0000\Control#ActiveService

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft IEUpdater2

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft IEUpdater2#Type

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft IEUpdater2#Start

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft IEUpdater2#ErrorControl

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft IEUpdater2#ImagePath

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft IEUpdater2#DisplayName

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft IEUpdater2#ObjectName

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft IEUpdater2\Security

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft IEUpdater2\Security#Security

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft IEUpdater2\Enum

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft IEUpdater2\Enum#0

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft IEUpdater2\Enum#Count

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft IEUpdater2\Enum#NextInstance

 

Malware.DriveCleaner

C:\DOCUMENTS AND SETTINGS\NEW USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\WDY7KTYF\INSTALLDRIVECLEANERSTART[1].EXE

 

Trojan.Downloader-Gen/Upd-NoEM

C:\WINNT\SYSTEM32\UPDATE03284046.EXE

C:\WINNT\SYSTEM32\UPDATE04080293.EXE

C:\WINNT\SYSTEM32\UPDATE05401733.EXE

C:\WINNT\SYSTEM32\UPDATE05724457.EXE

C:\WINNT\SYSTEM32\UPDATE10358547.EXE

C:\WINNT\SYSTEM32\UPDATE15952796.EXE

C:\WINNT\SYSTEM32\UPDATE19684843.EXE

C:\WINNT\SYSTEM32\UPDATE23297389.EXE

C:\WINNT\SYSTEM32\UPDATE26583367.EXE

C:\WINNT\SYSTEM32\UPDATE28749101.EXE

C:\WINNT\SYSTEM32\UPDATE30381083.EXE

C:\WINNT\SYSTEM32\UPDATE34881247.EXE

C:\WINNT\SYSTEM32\UPDATE35771947.EXE

C:\WINNT\SYSTEM32\UPDATE37068039.EXE

C:\WINNT\SYSTEM32\UPDATE37736545.EXE

C:\WINNT\SYSTEM32\UPDATE45701855.EXE

C:\WINNT\SYSTEM32\UPDATE48014295.EXE

C:\WINNT\SYSTEM32\UPDATE51570396.EXE

C:\WINNT\SYSTEM32\UPDATE51898474.EXE

C:\WINNT\SYSTEM32\UPDATE57724978.EXE

C:\WINNT\SYSTEM32\UPDATE58614410.EXE

C:\WINNT\SYSTEM32\UPDATE61903845.EXE

C:\WINNT\SYSTEM32\UPDATE63659190.EXE

C:\WINNT\SYSTEM32\UPDATE64165389.EXE

C:\WINNT\SYSTEM32\UPDATE68731342.EXE

C:\WINNT\SYSTEM32\UPDATE68791722.EXE

C:\WINNT\SYSTEM32\UPDATE71687270.EXE

C:\WINNT\SYSTEM32\UPDATE73006745.EXE

C:\WINNT\SYSTEM32\UPDATE75287561.EXE

C:\WINNT\SYSTEM32\UPDATE91754238.EXE

C:\WINNT\SYSTEM32\UPDATE93443189.EXE

C:\WINNT\SYSTEM32\UPDATE93503116.EXE

C:\WINNT\SYSTEM32\UPDATE97103777.EXE

 

Trojan.WinFixer

C:\WINNT\SYSTEM32\VTSQN.DLL


Please download SDFix and save it to the Desktop.

 

Right click the SDFix.zip folder

Select: Extract All to extract it to its own folder on the Desktop.

Close the program for now.

 

~~~~

Next, download AVG Anti-Spyware:

http://www.ewido.net/en/download/

Locate the icon on the Desktop and double-click it to launch the program.

 

Now, update the definition files:

On the main screen select Update, and then select the Update Now link.

Next, select the Start Update button

(The update starts and a progress bar shows the updates installed.)

 

Once the update completes select: Scanner (the top of the screen)

Select the Settings tab

Once in the Settings screen click on: Recommended actions

Select: Quarantine

Under: Reports, select: Automatically generate report after every scan

Un-Select: Only if threats were found

Close AVG AS for now.

 

~~~~

Also download ATF Cleaner:

http://www.atribune.org/ccount/click.php?id=1

We will use this later.

 

~~~~

Next, run HijackThis, Scan

Check box for:

 

O2 - BHO: (no name) - {6D125317-C54E-45EF-B816-B1F248E6FF33} - C:\WINNT\System32\vtutr.dll (file missing)

O2 - BHO: (no name) - {76D3BB21-CB03-4CEB-A9E9-4E0BF7D69C45} - (no file)

O2 - BHO: (no name) - {8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1} - C:\WINNT\System32\pmnnnol.dll

O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINNT\System32\cyvvxguh.dll

O2 - BHO: (no name) - {E666AA1E-2E93-466B-B4B7-EEABD025F778} - C:\WINNT\System32\vtsqq.dll (file missing)

 

O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\System32\whwgtvhr.dll",realset

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/30acbc57336159...ip/RdxIE601.cab

 

O20 - Winlogon Notify: pmnnnol - C:\WINNT\SYSTEM32\pmnnnol.dll

O20 - Winlogon Notify: vtutr - C:\WINNT\System32\vtutr.dll (file missing)

 

Select: Fix checked

 

~~~~

Reboot to Safe Mode:

-Restart your computer.

-When the machine first starts again, tap the F8 key before Windows starts

-You are presented with a Windows XP Advanced Options menu.

-Select the option for Safe Mode using the arrow keys.

-Press Enter to boot into Safe Mode.

 

~~~~

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

 

When done a prompt appears informing of such.

 

~~~~

Open the SDFix folder on the Desktop, and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.

The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.

 

Press any key to restart the PC.

When the PC restarts the SDFix will run again and complete the removal process

It then displays Finished

Press any key to end the script and load the Desktop icons.

 

Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.

 

~~~~

Still in Safe Mode, launch AVG AS once again

Select: Scanner (at the top)

Select the Scan tab

Click on: Complete System Scan

AVG AS begins the scanning process, and it may take a while.

Please do not open any other windows or programs while AVG AS is scanning, it may interfere with the scanning process!!

 

Once the scan is complete, AVG AS lists any infections found.

It also automatically sets the recommended action.

Click: Apply all actions

AVG AS will then display: All actions have been applied

 

Next select: Reports (at the top)

Select: Save report as (lower left of the screen)

Save the report to a text file in a location where you can find it!

Close AVG AS.

 

~~~~

Restart the computer.

 

~~~~

Please download

ComboFix.exe

Save it to the Desktop.

 

Double-click combofix.exe to run the program.

Follow the prompts.

(Please don't click on the window while the program is running.)

 

A log, combofix.txt is produced.

 

~~~~

Please provide the following in your reply:

The SDFix Report.txt

The AVG AS report

The ComboFix.txt

A new HijackThis log

Edited by Aaflac

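The two posts above describe the same pattern from two sides: Kimmie sees files that come back as soon as they are deleted, and Aaflac's fix list picks out exactly the HijackThis lines where a BHO or Winlogon Notify registration points at a randomly named DLL in System32, or at a file that is already gone. The script below is an added example, not code from this thread or from HijackThis, SDFix, ComboFix or any other tool named on the page. It parses the O2/O4/O20 lines of a HijackThis 1.99.1 log and flags the same things a helper would look for; the flag names and heuristics (gibberish-looking DLL names, rundll32 in a Run key, the same DLL registered both as a BHO and as a Winlogon Notify package, "(file missing)"/"(no file)" orphans) are this example's own assumptions, not HijackThis's logic, and SAMPLE_LOG is a constructed subset of the log posted above.

```python
# Added example (not HijackThis/SDFix/ComboFix code): triage of HJT O2/O4/O20
# lines. Flag names and heuristics are this example's own assumptions;
# SAMPLE_LOG is a constructed subset of the log posted in the thread.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6D125317-C54E-45EF-B816-B1F248E6FF33} - C:\WINNT\System32\vtutr.dll (file missing)
O2 - BHO: (no name) - {76D3BB21-CB03-4CEB-A9E9-4E0BF7D69C45} - (no file)
O2 - BHO: (no name) - {8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1} - C:\WINNT\System32\pmnnnol.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINNT\System32\cyvvxguh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\System32\whwgtvhr.dll",realset
O20 - Winlogon Notify: pmnnnol - C:\WINNT\SYSTEM32\pmnnnol.dll
O20 - Winlogon Notify: vtutr - C:\WINNT\System32\vtutr.dll (file missing)
"""

_SECTION = re.compile(r"^(O\d+) - ")
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")
_O4 = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
_RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,', re.IGNORECASE)
_RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$")  # Vundo-style gibberish stems, e.g. pmnnnol.dll

@dataclass
class Entry:
    section: str
    raw: str
    name: str = ""
    path: Optional[str] = None
    missing: bool = False
    via_rundll32: bool = False
    flags: List[str] = field(default_factory=list)

def split_target(target: str) -> Tuple[Optional[str], bool]:
    # HJT prints "(no file)" or appends "(file missing)" when the path is dead
    target = target.strip()
    if target == "(no file)":
        return None, True
    if target.endswith("(file missing)"):
        return target[: -len("(file missing)")].strip(), True
    return target, False

def first_path(cmd: str) -> str:
    # executable part of an O4 command line: quoted path or first token
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]

def basename(path: Optional[str]) -> str:
    return path.rsplit("\\", 1)[-1].lower() if path else ""

def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = _SECTION.match(line)
    if not m:
        return None
    e = Entry(section=m.group(1), raw=line)
    m2, m4, m20 = _O2.match(line), _O4.match(line), _O20.match(line)
    if m2:
        e.name = m2.group("name")
        e.path, e.missing = split_target(m2.group("target"))
    elif m4:
        e.name = m4.group("name")
        r = _RUNDLL.match(m4.group("cmd").strip())
        e.via_rundll32 = r is not None
        e.path = r.group("dll") if r else first_path(m4.group("cmd"))
    elif m20:
        e.name = m20.group("name")
        e.path, e.missing = split_target(m20.group("target"))
    return e

def triage(log_text: str) -> List[Entry]:
    entries = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    # Vundo registers one DLL both as a BHO (loaded by IE/Explorer) and as a
    # Winlogon Notify package (loaded by winlogon.exe); cross-reference the two.
    notify = {basename(e.path) for e in entries if e.section == "O20" and e.path}
    bhos = {basename(e.path) for e in entries if e.section == "O2" and e.path}
    for e in entries:
        base = basename(e.path)
        if e.missing:
            e.flags.append("orphaned-registration")  # file gone, key remains
        if e.section == "O2" and e.name == "(no name)":
            e.flags.append("unnamed-bho")  # weak signal on its own
        if e.path and "system32" in e.path.lower() and _RANDOM_DLL.match(base):
            e.flags.append("random-name-system32-dll")
        if e.via_rundll32:
            e.flags.append("rundll32-run-key")
        if e.section == "O2" and base in notify:
            e.flags.append("bho-also-winlogon-notify")
        if e.section == "O20" and base in bhos:
            e.flags.append("winlogon-notify-also-bho")
    return entries

def findings(log_text: str) -> Dict[str, List[str]]:
    # raw HJT line -> flags, for every entry that tripped at least one
    return {e.raw: e.flags for e in triage(log_text) if e.flags}
```

Calling `findings(SAMPLE_LOG)` flags seven of the nine sample lines and leaves the avast! Run entry and the Radio toolbar alone. The "bho-also-winlogon-notify" pairing is the one worth acting on first: a DLL loaded by winlogon.exe stays mapped for the whole session, which is why deleting it in normal mode fails and why the helper's instructions move the cleanup into Safe Mode. The gibberish-name rule is deliberately narrow (5 to 8 lowercase letters, .dll, under System32) and will miss or misfire on real software; treat it as a prompt to look, not a verdict.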

the link you gave me for SDFix was broken and sent me to a page that said this:

 

Multiple Choices

The document name you requested (/RemovalTools/SDFix.zip) could not be found on this server. However, we found documents with names similar to the one you requested.

 

Available documents:

/RemovalTools/SDFix.exe (common basename)

Please consider informing the owner of the referring page about the broken link.

 

 

Is it ok to click on the above link? lol. I'm afraid to click on anything at this point..haha.

 

[edit: was able to get the program downloaded]

Edited by Kimmie


Unfortunately, I am having to reply to you via Safe Mode with Networking. Once I finished the AVG scan and rebooted, my normal desktop no longer loads properly. What is happening is: my background image loads, the taskbar loads up, after a minute or so my Avast icons appear by the clock, then my screen starts flashing really fast between that screen and the big white "Active Recovery Desktop" screen. It won't let me click on the button to reactivate it. I have tried rebooting 3 times and it happens every time.

 

So...on that note..lol, here is what I am actually able to give you at the moment:

 

~~~~~~~~~~~~~~~~~~~

 

SDFix Report.txt:

 

 

SDFix: Version 1.83

 

Run by kimmie - Sun 05/13/2007 - 23:19:30.32

 

Microsoft Windows 2000 [Version 5.00.2195]

 

Running From: C:\DOCUME~1\NEWUSE~1\Desktop\HOUSEC~1\SDFix

 

Safe Mode:

Checking Services:

 

Name:

kprof

NDnet1

poof

Runtime

 

ImagePath:

\??\C:\WINNT\System32\kprof

\??\C:\WINNT\System32\ksys.sys

\??\C:\WINNT\System32\poof

\??\C:\WINNT\System32\drivers\runtime.sys

 

kprof - Deleted

NDnet1 - Deleted

poof - Deleted

 

Killing PID 144 'smss.exe'

Killing PID 196 'winlogon.exe'

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

Normal Mode:

Checking Files:

 

Below files will be copied to Backups folder then removed:

 

C:\Documents and Settings\All Users\Documents\Settings\partnership.dll~ - Deleted

C:\WINNT\bot.exe - Deleted

C:\WINNT\system32\6_exception.nls - Deleted

C:\WINNT\system32\form.txt - Deleted

C:\WINNT\system32\info.txt - Deleted

C:\WINNT\system32\koos.exe - Deleted

C:\WINNT\system32\kprof - Deleted

C:\WINNT\system32\ksys.sys - Deleted

C:\WINNT\system32\poof - Deleted

C:\WINNT\system32\RunOnce2.t__ - Deleted

C:\WINNT\system32\RunOnce2.tm_ - Deleted

C:\WINNT\Temp\removalfile.bat - Deleted

 

 

Folder C:\Program Files\InetGet2 - Removed

 

Removing Temp Files

 

ADS Check:

 

Checking if ADS is attached to system32 Folder

C:\WINNT\system32

No streams found.

 

Checking if ADS is attached to svchost.exe

C:\WINNT\system32\svchost.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Remaining Files:

---------------

 

Backups Folder: - C:\DOCUME~1\NEWUSE~1\Desktop\HOUSEC~1\SDFix\backups\backups.zip

 

Checking For Files with Hidden Attributes:

 

C:\WINNT\system32\awvtt.dll

C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe

C:\Program Files\Nero\data\Nero PhotoShow Express.exe

C:\WINNT\uccspecc.sys

C:\WINNT\system32\nqtwa.tmp

C:\WINNT\system32\rtutv.tmp

 

Finished

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

AVG AS report:

 

Unavailable - I selected the option to create a report after each scan, but when I went to the reports section it said there were "No Reports Available". I can tell you what it found and deleted though:

 

Adware.Virtumundo - c:\WINNT\System32\pmnnnol.dll = 10 entries

Logger.BZup.ip - adv007.exe - 1 entry

Proxy.Wopla.ag - found in SDFix backup.zip - 1 entry

Downloader.Murlo.fd - 2 entries (1 in SDFIX backup.zip, 1 in a prior HJT backup file)

Proxy.small - 1 entry found in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

ComboFix.exe Report:

 

Unavailable - 404 Error on the link you provided. I tried doing a Google search for that file, but I got the same error when I tried downloading it from the TechGuy forums and Bleeping Computer. (edit: I was able to actually get this program downloaded. See next post for log. Warning: it's HUGE..lol)

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

HJT Log:

 

Unavailable - I can run the "scan only", but when I tell it to run the "scan and save log file", it runs the scan, then my computer reboots all by itself..lol. (Tried this twice before replying here.) I CAN however tell you that the instances you had me fix are no longer appearing in the log. (I know you don't like screenshots, but I can do one if you need me to :P )

 

(Edit #1: I also can't use IE in Safe Mode anymore. It won't stay open..lol. Good thing I have FF and Opera here huh? :P

 

Edit #2 - I now have my desktop back after completing the ComboFix.exe scan, however, now, whenever I run IE, or open a folder that uses IE, AVG pops up saying it has found Adware.Virtumonde - C:\WINNT\system32\pmnnnol.dll)

Edited by Kimmie


"kimmie" - 05/14/2007 0:59:13 Service Pack 3 [SAFE MODE]

ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\new user\Desktop\"

 

 

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINNT\system32\cyvvxguh.dll

C:\WINNT\system32\dvpvlwpd.dll

C:\WINNT\system32\edhsxsrl.dll

C:\WINNT\system32\ifusmucs.dll

C:\WINNT\system32\objkoxjg.dll

C:\WINNT\system32\twwcnemw.dll

C:\WINNT\system32\whwgtvhr.dll

C:\WINNT\system32\awtrrrq.dll

C:\WINNT\system32\iifcyxu.dll

C:\WINNT\system32\iifdbxv.dll

C:\WINNT\system32\khfddbb.dll

C:\WINNT\system32\ljjghih.dll

C:\WINNT\system32\ljjkljg.dll

C:\WINNT\system32\nnnligg.dll

C:\WINNT\system32\nnnmnol.dll

C:\WINNT\system32\opnollk.dll

C:\WINNT\system32\pmnmjki.dll

C:\WINNT\system32\pmnmnom.dll

C:\WINNT\system32\pmnnnlj.dll

C:\WINNT\system32\qomlkij.dll

C:\WINNT\system32\rqrommj.dll

C:\WINNT\system32\rqrrsro.dll

C:\WINNT\system32\ssqnmjh.dll

C:\WINNT\system32\ssqpqpp.dll

C:\WINNT\system32\tuvutqo.dll

C:\WINNT\system32\tuvutqq.dll

C:\WINNT\system32\vtutust.dll

C:\WINNT\system32\wvuspqo.dll

C:\WINNT\system32\wvuttqr.dll

C:\WINNT\system32\yayabby.dll

C:\WINNT\system32\yaywxuu.dll

C:\WINNT\system32\yayywxv.dll

C:\WINNT\system32\ttvwa.bak1

C:\WINNT\system32\ttvwa.ini

C:\WINNT\system32\dpwlvpvd.ini

C:\WINNT\system32\rhvtgwhw.ini

C:\WINNT\system32\awvtt.dll

C:\WINNT\system32\pmnnnol.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

C:\WINNT\system32\awvtt.dll

C:\WINNT\system32\pmnnnol.dll

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINNT\system32\pfxzmtaim.dll

C:\WINNT\system32\pfxzmtgtal.dll

C:\WINNT\system32\pfxzmticq.dll

C:\WINNT\system32\pfxzmtymsg.dll

C:\WINNT\system32\sfxzmtforum.dll

C:\WINNT\system32\sfxzmtsmt.dll

C:\WINNT\system32\sfxzmtsmtspm.dll

C:\WINNT\system32\sfxzmtwbmail.dll

C:\Documents and Settings\All Users.\documents\settings\desktop.ini

C:\Documents and Settings\All Users.\documents\settings

C:\WINNT\system32\rpcc1.dll . . . . failed to delete

 

Infected copy of C:\WINNT\system32\winlogon.exe was found & disinfected

Restored copy from - "c:\WINNT\ServicePackFiles\i386\winlogon.exe"

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-14 ))))))))))))))))))))))))))))))))))

 

 

2007-05-14 01:03 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_260.dat

2007-05-13 22:50 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys

2007-05-13 21:17 262,708 --------- C:\WINNT\system32\awvtt.dll

2007-05-13 20:51 1,012 --a------ C:\WINNT\system32\tmp.reg

2007-05-13 20:25 1,474,706 ---hs---- C:\WINNT\system32\rtutv.ini2

2007-05-13 18:38 30,720 --------- C:\WINNT\system32\rpcc1.dll

2007-05-13 18:38 10,000 --a------ C:\WINNT\system32\fs6ehnf8jd.dll

2007-05-13 17:18 <DIR> d-------- C:\Program Files\XoftSpySE

2007-05-13 11:00 1,465,752 ---hs---- C:\WINNT\system32\rtutv.bak1

2007-05-13 10:10 1,468,444 ---hs---- C:\WINNT\system32\nqtwa.ini2

2007-05-13 09:22 1,465,712 ---hs---- C:\WINNT\system32\nqtwa.bak1

2007-05-13 09:01 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Real

2007-05-13 09:00 29,206 --------- C:\WINNT\system32\pmnnnol.dll

2007-05-13 08:27 <DIR> d-------- C:\DOCUME~1\Jeanne\APPLIC~1\SUPERAntiSpyware.com

2007-05-13 08:24 <DIR> d-------- C:\DOCUME~1\Jeanne\APPLIC~1\AdobeUM

2007-05-13 07:19 201,360 --a------ C:\WINNT\system32\update30728908.exe

2007-05-13 07:06 1,466,609 ---hs---- C:\WINNT\system32\klkkj.bak1

2007-05-13 00:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MumboJumbo

2007-05-12 18:28 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\DiVision Studios - Escaping Atlantis

2007-05-12 00:00 <DIR> d-------- C:\Program Files\bfgclient

2007-05-12 00:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BigFishGamesCache

2007-05-09 02:01 31 --ah----- C:\WINNT\uccspecc.sys

2007-05-09 02:01 <DIR> d-------- C:\WINNT\Cache

2007-05-09 02:01 <DIR> d-------- C:\Program Files\Coupons

2007-05-08 02:51 <DIR> d-------- C:\Program Files\Ghost Hunter Demo

2007-05-07 17:42 <DIR> d-------- C:\Program Files\Big City Adventure SF

2007-05-07 03:51 <DIR> d-------- C:\Program Files\Private Eye - Greatest Unsolved Mysteries

2007-05-05 23:43 3,840 --a------ C:\WINNT\system32\drivers\BANTExt.sys

2007-05-05 23:43 <DIR> d-------- C:\Program Files\Belarc

2007-05-05 22:39 <DIR> d-------- C:\Program Files\CCleaner

2007-05-05 18:36 <DIR> d--h----- C:\WINNT\PIF

2007-05-05 03:25 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\FloodLightGames

2007-05-05 03:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FloodLightGames

2007-05-03 21:26 278,528 --a------ C:\WINNT\system32\livesnth.dll

2007-04-30 05:28 <DIR> d-------- C:\DOCUME~1\Jeanne\APPLIC~1\Real

2007-04-30 03:36 <DIR> d-------- C:\Program Files\Fishing Trip

2007-04-30 00:28 <DIR> d-------- C:\Program Files\Common Files\xing shared

2007-04-30 00:28 <DIR> d-------- C:\My Music

2007-04-30 00:26 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\Real

2007-04-30 00:23 <DIR> d-------- C:\My Downloads

2007-04-28 20:01 <DIR> d-------- C:\Program Files\Alawar

2007-04-28 18:45 0 --a------ C:\temp\svcipa.exe

2007-04-28 18:45 0 --a------ C:\svcipa.exe

2007-04-26 00:43 4,096 --a------ C:\WINNT\d3dx.dat

2007-04-25 16:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\JollyBear

2007-04-25 16:41 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\Magic Academy

2007-04-24 01:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2007-04-24 01:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-04-24 01:45 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\SUPERAntiSpyware.com

2007-04-24 01:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2007-04-23 23:37 <DIR> d-------- C:\VundoFix Backups

2007-04-23 16:22 <DIR> d-------- C:\Program Files\Brave Dwarves BFT Expansion Pack #4

2007-04-21 02:08 <DIR> d-------- C:\Program Files\SpeedFan

2007-04-19 23:54 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\Alien Skin

2007-04-18 19:16 <DIR> d-------- C:\Program Files\Web Publish

2007-04-18 19:15 53,760 --a------ C:\WINNT\system32\LTFIL70N.DLL

2007-04-18 19:15 349,696 --a------ C:\WINNT\system32\LTKRN70N.DLL

2007-04-18 19:15 32,768 --a------ C:\WINNT\system32\LFGIF70N.DLL

2007-04-18 19:15 24,576 --a------ C:\WINNT\system32\LFBMP70N.DLL

2007-04-18 19:15 21,504 --a------ C:\WINNT\system32\LFWMF70N.DLL

2007-04-18 19:15 20,992 --a------ C:\WINNT\system32\LFTGA70N.DLL

2007-04-18 19:15 19,456 --a------ C:\WINNT\system32\LFPCD70N.DLL

2007-04-18 19:15 186,880 --a------ C:\WINNT\system32\LFCMP70N.DLL

2007-04-18 19:15 156,160 --a------ C:\WINNT\system32\fplayer.dll

2007-04-18 19:14 212,480 --a------ C:\WINNT\PCDLIB32.DLL

2007-04-18 19:14 <DIR> d-------- C:\WINNT\Bbstore

2007-04-18 19:13 96,768 --a------ C:\WINNT\system32\Ptsacx40.dll

2007-04-18 19:13 50,048 --a------ C:\WINNT\system32\PTSAABDB.DLL

2007-04-18 19:13 5,632 --a------ C:\WINNT\system32\MFCUIA32.DLL

2007-04-18 19:13 4,280 --a------ C:\WINNT\system32\WBT32RES.DLL

2007-04-18 19:13 4,128 --a------ C:\WINNT\system32\WBTRVRES.DLL

2007-04-18 19:13 317,116 --a------ C:\WINNT\system32\WBTR32.EXE

2007-04-18 19:13 30,080 --a------ C:\WINNT\system32\Ptabimp3.exe

2007-04-18 19:13 21,840 --a------ C:\WINNT\system32\PTSAAB30.DLL

2007-04-18 19:13 17,704 --a------ C:\WINNT\system32\WBTRLOCL.DLL

2007-04-18 19:13 16,496 --a------ C:\WINNT\system32\WBTRCALL.DLL

2007-04-18 19:13 133,904 --a------ C:\WINNT\system32\MFCANS32.DLL

2007-04-18 19:13 116,640 --a------ C:\WINNT\system32\Ptsaci40.dll

2007-04-18 19:13 101,376 --a------ C:\WINNT\system32\Ptsaab32.dll

2007-04-17 12:42 24,901 --a------ C:\WINNT\zzz.exe

2007-04-16 14:33 82,432 --a------ C:\WINNT\system32\msxml4r.dll

2007-04-16 14:33 44,544 --a------ C:\WINNT\system32\msxml4a.dll

2007-04-16 14:33 421,888 --a------ C:\WINNT\Nero PhotoShow.scr

2007-04-16 14:33 1,233,920 --a------ C:\WINNT\system32\msxml4.dll

2007-04-16 14:33 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\Simple Star

2007-04-16 14:33 <DIR> d-------- C:\Demo Album

2007-04-16 14:31 2,670,592 --------- C:\WINNT\UNNMP.exe

2007-04-16 14:31 <DIR> d-------- C:\Program Files\Nero

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1}=C:\WINNT\system32\pmnnnol.dll [07-05-13 09:00 ]

{CEC128C2-095E-4AFA-8B3D-1CD8BCCEE5DC}=C:\WINNT\System32\awvtt.dll [07-05-13 21:17 ]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

"FLMOFFICE4DMOUSE"="C:\\Program Files\\Browser MOUSE\\mouse32a.exe"

"Synchronization Manager"="mobsync.exe /logon"

"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"

"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-04-30 08:42 ]

"FLMOFFICE4DMOUSE"="C:\Program Files\Browser MOUSE\mouse32a.exe" [07-04-11 23:11 ]

"Synchronization Manager"="mobsync.exe" [01-05-08 05:00 C:\WINNT\system32\mobsync.exe])

"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 11:50 ]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07-04-30 00:27 ]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06-10-07 05:20 ]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Uniblue Registry Booster2"="C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe" []

"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [05-02-25 17:28 ]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"Uniblue Registry Booster2"="C:\\Program Files\\Uniblue\\RegistryBooster2\\RegistryBooster.exe /S"

"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Nero\\data\\Xtras\\mssysmgr.exe"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [06-12-20 12:55 ]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [06-09-28 07:13 ]

"{8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1}"="C:\WINNT\system32\pmnnnol.dll" [07-05-13 09:00 ]

 

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvtt

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnnol

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc1

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages msv1_0\0\0

Security Packages kerberos\0msv1_0\0schannel\0\0

Notification Packages scecli\0\0

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\runtime2.sys

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk

C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^winzip quick pick.lnk

C:\PROGRA~1\WinZip\WZQKPICK.EXE

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bjcfd

C:\Program Files\BroadJump\Client Foundation\CFD.exe

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hotkeyscmds

C:\WINNT\System32\hkcmd.exe

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray

C:\WINNT\System32\igfxtray.exe

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lexmark 1200 series

"C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\loadqm

loadqm.exe

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\promon.exe

PROMon.exe

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched

"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\synchronization manager

mobsync.exe /logon

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Messenger"=dword:00000002

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]

rpcss RpcSs\0\0

wugroup wuauserv\0\0

BITSgroup BITS\0\0

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

WmdmPmSN

 

 

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

backup-20070513-230951-491

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/30acbc57336159...ip/RdxIE601.cab

backup-20070513-230951-915

O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\System32\dvpvlwpd.dll",realset

backup-20070513-210030-977

O20 - Winlogon Notify: rpcc1 - C:\WINNT\System32\rpcc1.dll

backup-20070513-210030-246

O20 - Winlogon Notify: pmnnnol - C:\WINNT\SYSTEM32\pmnnnol.dll

backup-20070513-210030-454

O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)

backup-20070513-205826-115

O2 - BHO: (no name) - {8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1} - C:\WINNT\system32\pmnnnol.dll

backup-20070513-205815-232

O20 - Winlogon Notify: vtutr - C:\WINNT\System32\vtutr.dll (file missing)

backup-20070513-205815-355

O20 - Winlogon Notify: rpcc1 - C:\WINNT\System32\rpcc1.dll

backup-20070513-205815-366

O20 - Winlogon Notify: pmnnnol - C:\WINNT\SYSTEM32\pmnnnol.dll

backup-20070513-205815-587

O2 - BHO: C:\WINNT\System32\fs6ehnf8jd.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINNT\System32\fs6ehnf8jd.dll

backup-20070513-205815-201

O2 - BHO: (no name) - {8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1} - C:\WINNT\System32\pmnnnol.dll

backup-20070513-102529-725

O20 - Winlogon Notify: pmnnnol - C:\WINNT\SYSTEM32\pmnnnol.dll

backup-20070513-102512-141

O20 - Winlogon Notify: rqrommj - C:\WINNT\SYSTEM32\rqrommj.dll

backup-20070513-102512-579

O20 - Winlogon Notify: pmnnnol - C:\WINNT\SYSTEM32\pmnnnol.dll

backup-20070513-102512-747

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

backup-20070513-102512-905

O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - (no file)

backup-20070513-102512-864

O2 - BHO: (no name) - {8D5849A2-93F3-429D-FF34-260A2068897C} - (no file)

backup-20070513-095221-867

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

backup-20070513-095152-298

O4 - HKLM\..\Run: [startdrv] C:\WINNT\Temp\startdrv.exe

backup-20070513-090719-761

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

backup-20070513-090435-770

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

backup-20070513-090434-428

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab

backup-20070513-090434-998

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab

backup-20070513-085716-527

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

backup-20070513-085716-382

O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-8.0.1.23/worl...class-en_US.cab

backup-20070513-085716-566

O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Jeanne\Start Menu\Programs\Startup\MSWin--1213653088.exe

backup-20070513-085716-640

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

backup-20070513-085716-691

O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-8.0.2.32/whac...kdown-en_US.cab

backup-20070513-085716-497

O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-8.0.2.32/word...homp2-en_US.cab

backup-20070513-085716-915

O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.com/applet-8.0.1.32/memo...ories-en_US.cab

backup-20070513-085716-830

O16 - DPF: Vaults of Atlantis Slots by pogo - http://game1.
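Added example, not part of Kimmie's post and not output of HijackThis or any tool named in this thread: a small Python triage script that parses HijackThis-style O2/O4/O20/O23 lines like the backup entries above and flags the patterns a removal helper looks at first. The sample log is constructed from the entries posted above; the heuristics (target file missing, binary run from a Temp or Startup folder, a Run entry loading a DLL through rundll32, one module registered under more than one persistence mechanism, as pmnnnol.dll is as both a BHO and a Winlogon Notify package) and the function names `parse`, `module_of` and `triage` are the example's own.

```python
"""Triage HijackThis-style log lines for common persistence patterns (added example)."""
import re
from collections import defaultdict

# Constructed sample assembled from the HijackThis backup entries posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\System32\dvpvlwpd.dll",realset
O20 - Winlogon Notify: rpcc1 - C:\WINNT\System32\rpcc1.dll
O20 - Winlogon Notify: pmnnnol - C:\WINNT\SYSTEM32\pmnnnol.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O2 - BHO: (no name) - {8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1} - C:\WINNT\system32\pmnnnol.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Jeanne\Start Menu\Programs\Startup\MSWin--1213653088.exe
O4 - HKLM\..\Run: [startdrv] C:\WINNT\Temp\startdrv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# One pattern per HijackThis section we care about; each yields a name and a target.
# (O23 assumes the display name itself contains no " - ", which holds for this log.)
LINE_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)$"),
}
# First drive-letter path ending in .dll/.exe inside a target string.
MODULE_RE = re.compile(r'[A-Za-z]:\\[^"\n,]+?\.(?:dll|exe)', re.IGNORECASE)


def parse(text):
    """Yield (section, name, target) for each line in a section we understand."""
    for raw in text.splitlines():
        line = raw.strip()
        for section, pattern in LINE_PATTERNS.items():
            match = pattern.match(line)
            if match:
                yield section, match.group("name"), match.group("target")
                break


def module_of(target):
    """Lower-cased path of the file an entry loads, or None if no path is present."""
    match = MODULE_RE.search(target)
    return match.group(0).lower() if match else None


def triage(text):
    """Map each module (or the raw target when no path is present) to the reasons it was flagged."""
    findings = defaultdict(list)
    sections_by_module = defaultdict(set)
    for section, name, target in parse(text):
        module = module_of(target) or target.lower()
        sections_by_module[module].add(section)
        low = target.lower()
        if "(file missing)" in low or "(no file)" in low:
            findings[module].append(f"{section} '{name}': referenced file is missing")
        if "\\temp\\" in module or "\\start menu\\programs\\startup\\" in module:
            findings[module].append(f"{section} '{name}': runs from a Temp or Startup folder")
        if section == "O4" and low.startswith("rundll32"):
            findings[module].append(f"{section} '{name}': DLL loaded through rundll32")
    # The same DLL registered as a BHO and as a Winlogon Notify package is the
    # layered persistence seen with pmnnnol.dll in this thread.
    for module, sections in sections_by_module.items():
        if len(sections) > 1:
            findings[module].append(
                "same module hooks %d mechanisms: %s" % (len(sections), ", ".join(sorted(sections))))
    return dict(findings)


if __name__ == "__main__":
    for module, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(module)
        for reason in reasons:
            print("   ", reason)
```

The script deliberately stays at the level of the log: it does not touch the registry or the files it names, so it can be run on a log posted from another machine, and entries that are merely unusual (rpcc1.dll, the SUPERAntiSpyware and avast! entries) are left unflagged for a human to judge.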


Please download RootChk:

http://www.uploads.ejvindh.net/rootchk.exe

Save it to the Desktop

Run the program

After a short time a log-file appears.

Please provide the contents of the log in your reply.

 

~~~~

Next, launch Notepad, (Start > Run, type in: notepad)

Copy/paste all the blue REGEDIT below to it

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CEC128C2-095E-4AFA-8B3D-1CD8BCCEE5DC}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1}"=-

 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvtt]

 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnnol]

 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc1]

 

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\runtime2.sys]

 

In Notepad, go to File (upper menu bar), and select: Save as

In the Save as prompt:

Save in: Desktop

File Name: delete.reg

Save as Type: All files

Click: Save

Exit out of Notepad.

 

Back on the Desktop, double-click on the delete.reg file just saved and click on Yes when asked to merge the information into the Registry.

 

~~~~

Next, download Avenger:

http://swandog46.geekstogo.com/avenger.zip

Save the program to the Desktop

Click on Avenger.zip to open the file

Then, extract avenger.exe to the Desktop

 

Copy all the blue text below by highlighting it and pressing Ctrl+C:

 

Drivers to unload:

runtime2.sys

 

Files to delete:

C:\WINNT\system32\pmnnnol.dll

C:\WINNT\System32\awvtt.dll

C:\WINNT\system32\rpcc1.dll

C:\WINNT\system32\drivers\runtime2.sys

C:\WINNT\system32\nqtwa.tmp

C:\WINNT\system32\rtutv.tmp

C:\WINNT\system32\rtutv.ini2

C:\WINNT\system32\fs6ehnf8jd.dll

C:\WINNT\system32\rtutv.bak1

C:\WINNT\system32\nqtwa.ini2

C:\WINNT\system32\nqtwa.bak1

C:\WINNT\system32\update30728908.exe

C:\WINNT\system32\klkkj.bak1

C:\WINNT\system32\rpcrt3.dll

 

Start The Avenger program by clicking on its icon on the Desktop.

Under: Script file to execute, select: Input Script Manually

Now click on the Magnifying Glass icon

It opens a new window titled: View/edit script

Paste the text copied to clipboard into this window by pressing (Ctrl+V).

Click Done

 

Now click on the Green Light to begin the execution of the script

Answer Yes twice when prompted.

 

The Avenger will automatically do the following:

Restart the computer.

On reboot, it will briefly open a black command window on the Desktop, and this is normal.

 

After the restart, it creates a log file that opens with the results of Avenger’s actions.

This log file will be located at C:\avenger.txt

 

~~~~

Please post the contents of:

The RootChk log

The C:\avenger.txt

A new HijackThis log

Edited by Aaflac


RootChk Log:

 

********************************* ROOTCHK-(02-05-07)-LOG, by ejvindh

Mon 05/14/2007 15:17:22.54

 

The rootkits that are detected by this tool were not found.

 

********************************* ROOTCHK-LOG-end

 

 

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-14 15:17:23

Windows 5.0.2195 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\ACPI80n5

HKLM\SYSTEM\CurrentControlSet\Services\ACPIECn5

HKLM\SYSTEM\CurrentControlSet\Services\AFDu160m

HKLM\SYSTEM\CurrentControlSet\Services\Aha154xm

HKLM\SYSTEM\CurrentControlSet\Services\aic116xm

HKLM\SYSTEM\CurrentControlSet\Services\aic78u2m

HKLM\SYSTEM\CurrentControlSet\Services\aic78xxm

HKLM\SYSTEM\CurrentControlSet\Services\Alerterm

HKLM\SYSTEM\CurrentControlSet\Services\ami0ntrm

HKLM\SYSTEM\CurrentControlSet\Services\amsintrm

HKLM\SYSTEM\CurrentControlSet\Services\AppMgmtm

HKLM\SYSTEM\CurrentControlSet\Services\ascsChatServer

HKLM\SYSTEM\CurrentControlSet\Services\asc3350pServer

HKLM\SYSTEM\CurrentControlSet\Services\asc3550pServer

HKLM\SYSTEM\CurrentControlSet\Services\aswMon0pServer

HKLM\SYSTEM\CurrentControlSet\Services\aswRdr0pServer

HKLM\SYSTEM\CurrentControlSet\Services\aswTdi0pServer

HKLM\SYSTEM\CurrentControlSet\Services\aswUpdSvServer

HKLM\SYSTEM\CurrentControlSet\Services\AsyncMacServer

HKLM\SYSTEM\CurrentControlSet\Services\atapiMacServer

HKLM\SYSTEM\CurrentControlSet\Services\AtdiskacServer

HKLM\SYSTEM\CurrentControlSet\Services\AtmarpccServer

HKLM\SYSTEM\CurrentControlSet\Services\audstubcServer

HKLM\SYSTEM\CurrentControlSet\Services\AVG Anti-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\AvgAsCln-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\BANTExtn-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\BeepExtn-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\BITSExtn-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Browsern-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\BusLogic-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\CCDECODE-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\cd20xrnt-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Cdaudiot-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Cdfsdiot-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Cdr4_2Kt-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Cdralw2k-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Cdromw2k-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Changerk-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\cisvcerk-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\ClipSrvk-Spyware Guardr

HKLM\SYSTEM\CurrentControlSet\Services\ContentFilterare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\ContentIndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Cpqarrayndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\cpqarry2ndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\cpqfcalmndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\cpqfws2endexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\cs429x2endexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\dac960ntndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\deckzpsxndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Dhcpzpsxndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Diskzpsxndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Diskperfndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\dmadminfndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\dmbootnfndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\dmiootnfndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\dmloadnfndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\dmserverndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\DMusicerndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Dnscachendexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\E100Bchendexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\EFS0Bchendexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Eventlogndexrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\EventSystemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Fastfatstemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Faxtfatstemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Fd16_700temxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Fdc6_700temxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Fips_700temxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\fireporttemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\flashpnttemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Flpydisktemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Fs_Recsktemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Ftdisksktemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\gameenumtemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\giveioumtemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Gpceioumtemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\HidServmtemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\HidUsbvmtemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\i8042prttemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\i81x2prttemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\IASx2prttemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\inetaccstemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\ini910ustemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Inportustemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\IntelIdetemxrare Guardr

HKLM\SYSTEM\CurrentControlSet\Services\IpFilterDriverre Guardr

HKLM\SYSTEM\CurrentControlSet\Services\IpInIperDriverre Guardr

HKLM\SYSTEM\CurrentControlSet\Services\IpNatperDriverre Guardr

HKLM\SYSTEM\CurrentControlSet\Services\IPSECperDriverre Guardr

HKLM\SYSTEM\CurrentControlSet\Services\ipsraidnDriverre Guardr

HKLM\SYSTEM\CurrentControlSet\Services\IRENUMdnDriverre Guardr

HKLM\SYSTEM\CurrentControlSet\Services\ISAPISearchverre Guardr

HKLM\SYSTEM\CurrentControlSet\Services\isapnpearchverre Guardr

HKLM\SYSTEM\CurrentControlSet\Services\Kbdclassrchverre Guardr

HKLM\SYSTEM\CurrentControlSet\Services\kbdhidssrchverre Guardr

HKLM\SYSTEM\CurrentControlSet\Services\kmixerssrchverre Guardr

HKLM\SYSTEM\CurrentControlSet\Services\KSecDDssrchverre Guardr

HKLM\SYSTEM\CurrentControlSet\Services\lanmanservererre Guardr

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\lbrtfdcorkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\LexBceSorkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\LmHostsorkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\lp6nds35rkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\MessengerkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\mnmddngerkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\mnmsrvcerkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\ModemvcerkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\MouclassrkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\MountMgrrkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\MPEntMgrrkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\mraid35xrkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\MRxSmb5xrkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\MSDTCb5xrkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\MsfsCb5xrkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\MSIServerkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\MSKSSRVerkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\MSPCLOCKrkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\MSPQMOCKrkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\MSTEEOCKrkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\MupEEOCKrkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NABTSFECrkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\Ncrc710CrkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NDIS710CrkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NdisTapirkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NdisWanirkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NDProxyirkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NetBIOSirkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NetBTOSirkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NetDDESirkstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NetDDEdsdmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NetDetectmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NetlogontmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NetmanontmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NMSCFGontmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NMSSvcontmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NpfsvcontmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NtfsvcontmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NtLmSspntmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NtmsSvcntmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NullSvcntmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NwlnkFlttmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\NwlnkFwdtmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\ParalleltmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\ParportltmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\PartMgrltmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\ParVdmrltmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\PCIVdmrltmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\PCIDumpltmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\PCIIdepltmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\PcmciapltmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\PerfDisktmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\PerfNetktmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\PerfOStktmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\PerfProctmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\PfModNTctmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\PlugPlaytmstationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgenttationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\PptpMiniportationGuardr

HKLM\SYSTEM\CurrentControlSet\Services\ProtectedStoragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\PtilinkedStoragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\PxHelp20dStoragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\ql108020dStoragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\Ql10wnt0dStoragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\ql1240t0dStoragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\ql2100t0dStoragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\RasAcdt0dStoragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\RasAuto0dStoragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\Rasl2tp0dStoragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\RasManp0dStoragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\Rasptip0dStoragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\RCAptip0dStoragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\Rdbssip0dStoragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\redbook0dStoragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccessragenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistrygenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\RpcLocatorstrygenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\RpcSscatorstrygenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\RSVPscatorstrygenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SamSsme2orstrygenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SASDIFSVorstrygenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SASENUMVorstrygenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SASKUTILorstrygenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\sbpciTILorstrygenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SCardDrvorstrygenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SCardSvrorstrygenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\ScheduleorstrygenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SchedulingAgentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\seclogonngAgentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SENSogonngAgentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\serenumnngAgentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SerialmnngAgentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SfloppynngAgentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\sglfbpynngAgentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SimbadAccessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SLIPadAccessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\smwdmdAccessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SparrowccessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\speedfancessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SpoolerncessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\srescanncessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SrvscanncessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\StiSvcnncessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\streamipcessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\swenumipcessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\swmidiipcessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\symc810pcessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\symc8xxpcessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\sym_hixpcessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\sysaudiocessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\SysmonLogessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\TapiSrvogessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\TcpiprvogessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\tgaiprvogessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvrogessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\TrkWksrogessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\UdfsksrogessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\uhcdksrogessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\ultra66ogessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\Update6ogessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\UPSate6ogessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\usbhub6ogessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\usbprintgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\usbscantgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\USBSTORtgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\UtilMantgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\VgaSavetgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\vsdatantgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\vsmonantgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\VxDonantgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\W32TimetgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\W3SVCmetgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\WanarpetgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\wdmaudetgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\WebPosttgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\WinMgmttgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\WinsocktgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2gessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\WinTrustgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSNgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\WmimPmSNgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\WS2IFSLNgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\WSTCODECgessentenGuardr

HKLM\SYSTEM\CurrentControlSet\Services\wuauservgessentenGuardr

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\drivers\runtime2.sys

scan completed successfully

hidden processes: 0

hidden services: 244

hidden files: 1

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Avenger.txt Log:

 

Is empty (??). Scan completed, my system rebooted. Scan finished - in the "black DOS looking window" it said it could not find Avenger.txt, did I want to create a new one. I said no. Went to C:\Avenger.txt. The file is there but it's empty.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

****NOTE****

 

After installing that Avenger script, my system rebooted - right before Windows loaded it rebooted itself, then kept looking for a disc in Drive A:. Now I have a constant box on my screen wanting me to insert a disk in Drive A:. Three options on the box: CANCEL, TRY AGAIN, CONTINUE. Canceling out doesn't work - I had to reboot again to fix it.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

HJT Log:

 

Still cannot do "scan and save log file". In regular Windows my PC reboots itself. Tried it in safe mode: Error: HJT has caused an error and will now close (this happens when it tries to create the log file). Screenshot attached.

 


From what is seen of the HijackThis log, it does not appear to contain malware entries.

 

~~~~

My apology, I made an error in the previous Registry merge. I did not place a minus sign next to the first two entries, and did not add a couple of others. Senior moment!!!

 

Please launch Notepad, (Start > Run, type in: notepad)

Copy/paste all the blue REGEDIT below to it

 

REGEDIT4

 

[-HKEY_CLASSES_ROOT\CLSID\{8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1}]

 

[-HKEY_CLASSES_ROOT\CLSID\{CEC128C2-095E-4AFA-8B3D-1CD8BCCEE5DC}]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1}]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CEC128C2-095E-4AFA-8B3D-1CD8BCCEE5DC}]

 

In Notepad, go to File (upper menu bar), and select: Save as

In the Save as prompt:

Save in: Desktop

File Name: delete2.reg

Save as Type: All files

Click: Save

Exit out of Notepad.

 

Back on the Desktop, double-click on the delete2.reg file just saved and click on Yes when asked to merge the information into the Registry.

 

~~~~

Please run Avenger once again using the following text:

 

Drivers to unload:

runtime2.sys

 

Files to delete:

C:\WINNT\system32\drivers\runtime2.sys

 

~~~~

Now, please remove the current version of ComboFix you have, and download the following:

 

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

It is important to save ComboFix directly to the Desktop

 

Next, close any open browsers.

 

Double click on combofix.exe and follow the prompts.

When it's finished it produces C:\ComboFix.txt

 

~~~~

Please post the new C:\ComboFix.txt in your reply.
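The two REGEDIT4 scripts in this thread (the first one a few posts up and the corrected one in this post) differ only in whether the key lines carry the leading minus sign, and that is exactly the mistake being corrected here: in regedit's .reg syntax `[key]` creates the key if it is absent and otherwise changes nothing, `[-key]` deletes the key, and `"name"=-` deletes a single value under the current key. Added example, not part of the original post and not part of regedit: a Python dry-run checker that parses such a script and reports what merging it would do, with both scripts embedded as constructed samples. The names `plan` and `no_op_keys` are hypothetical, and only the single-line forms used in this thread are understood.

```python
"""Dry-run checker for REGEDIT4 scripts (added example, not part of regedit)."""
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

# Constructed samples: the first script posted in this thread and the corrected one.
FIRST_SCRIPT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CEC128C2-095E-4AFA-8B3D-1CD8BCCEE5DC}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvtt]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnnol]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc1]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\runtime2.sys]
"""

CORRECTED_SCRIPT = r"""
REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1}]
[-HKEY_CLASSES_ROOT\CLSID\{CEC128C2-095E-4AFA-8B3D-1CD8BCCEE5DC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8BE3050F-AD0F-4AB2-BB9A-83AF2E0E70F1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CEC128C2-095E-4AFA-8B3D-1CD8BCCEE5DC}]
"""


def plan(reg_text):
    """Return [(action, key, value_name)] describing what merging the script would do.

    Only single-line key and value forms are understood; a multi-line hex
    continuation raises, so a script this checker cannot read is never approved.
    """
    lines = [line.strip() for line in reg_text.splitlines() if line.strip()]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 / Version 5.00 header; regedit rejects the file")
    actions, current = [], None
    for line in lines[1:]:
        if line.startswith(";"):          # comment line
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            actions.append(("delete_key" if km.group("minus") else "ensure_key", current, None))
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = "@" if vm.group("default") else vm.group("name")
            action = "delete_value" if vm.group("data").strip() == "-" else "set_value"
            actions.append((action, current, name))
            continue
        raise ValueError("unrecognised line: %r" % line)
    return actions


def no_op_keys(reg_text):
    """Keys written as [key] with no value lines beneath them.

    Merging such a line creates the key if it is absent and otherwise changes
    nothing, which is never what a removal script intends.
    """
    actions = plan(reg_text)
    touched = {key for action, key, _ in actions if action in ("set_value", "delete_value")}
    return [key for action, key, _ in actions if action == "ensure_key" and key not in touched]


if __name__ == "__main__":
    for label, script in (("first script", FIRST_SCRIPT), ("corrected script", CORRECTED_SCRIPT)):
        print(label)
        for action, key, name in plan(script):
            print("   %-12s %s%s" % (action, key, "" if name is None else "  -> " + name))
        print("    keys that would NOT be deleted:", no_op_keys(script) or "none")
```

Run against the first script the checker reports the two Browser Helper Objects keys as `ensure_key` with nothing under them, the ShellExecuteHooks value and the three Winlogon Notify keys and the SafeBoot\Minimal\runtime2.sys key as deletions; against the corrected script every line is a `delete_key`. Reading the plan before double-clicking a .reg file is cheap, and regedit itself gives no such preview.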


Getting ready to do the ComboFix part but thought you should see this. I reran Avenger with the other script and after my system rebooted twice, this appeared in Notepad:

 

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\krdbxcrc

 

*******************

 

 

Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

 

Could not open script file! Status: 0xc0000034 Abort!


The notice means there was some error/corruption in the data Avenger writes to the Registry when it registers itself to run on boot.

 

Try running Avenger once again.


Hi, my name is Sandy and I am a friend of Kimmie's. She has asked me to send this to you due to the fact that she can no longer log into Windows. I am currently on the phone with her now and she is telling me exactly what to put down concerning her issues with her computer.

 

 

She uninstalled ComboFix and reinstalled the second one you gave her. When the scan first started it stated it could not access the file due to it being used by another process. She let the scan continue and it came back and said the same thing again. She continued to let the scan finish, the system rebooted, the scan finished and came back with the error, but it went so fast and rebooted the system she didn't catch the error. When the system rebooted again she got the BSOD.

 

 

STOP: C00002c UNABLE TO LOAD DEVICE DRIVER

error status:0xc000012f

\SystemRoot\System32\drivers\runtime.sys

device driver could not be loaded

 

 

She rebooted her system and got the same STOP message. Rebooted system again, attempted to access safe mode with networking: same STOP message. Rebooted system again, attempted regular safe mode: same STOP message. Rebooted again, attempted THE LAST KNOWN GOOD CONFIGURATION: same STOP message. Also attempted safe mode with command prompt to attempt to run System Restore: same STOP message.

 

 

She needs to know what to do to fix this problem. She wants to know if there's a number where she can call you. If so, could you please send it to me, or I can send you her number in a private message. My email address is (deleted).

 

 

Kimmie said that from working at Dell she's familiar with STOP messages in general and nine times out of ten they require the re-installation of the operating system; however, she bought the computer refurbished and did not have time to make a recovery CD.

Edited by Aaflac


In essence, you are saying there is no Windows 2000 CD?

 

Let me do some consulting with colleagues, and will get back with you here, since we do not do this by phone.

 

However, it may not be this evening.

 

PS: I edited your email address. It is not a good idea to post it.

Edited by Aaflac


Hi, this is Kimmie's friend again. I am still talking to Kimmie and this is what she says:

 

She has another hard drive running Windows Millennium on a computer she used to use. She has installed that hard drive in place of the one you two have been working on. With this hard drive she now has access to the internet and wants to know, since she has no Windows 2000 CD, can she correct the driver error via the internet, and if so, how can she do it?


In essence, you are saying there is no Windows 2000 CD?

 

Let me do some consulting with colleagues, and will get back with you here, since we do not do this by phone.

 

However, it may not be this evening.

 

PS: I edited your email address. It is not a good idea to post it.

 

Hi, it's actually Kimmie this time :adios:

 

Sorry to be so much trouble hehe. Please don't scorn me for not having a recovery CD..lol. I bought this computer really REALLY cheap. I just hadn't had time to make one yet. I installed another HD that I used on an old computer (the MOBO is shot on it), but it's running Windows ME. I have found on Microsoft's website where I can download/put on floppies or burn to CD "Setup Disks for Floppy Boot Install" that includes Recovery Console and will work with Win 2K. http://www.microsoft.com/downloads/details...55-BD5AFEE126D8

 

From experience, running chkdsk /r, in most cases, fixes these types of issues. It will take me a few days to get the above files downloaded so if you have another "easier" suggestion PLEASE---by all means let me know..lol.


Kimmie,

 

I regret you are experiencing an unfortunate circumstance. However, the actions and consequences of a heavily infected system are unpredictable, since that is the nature of malware.

 

Using the Recovery Console (RC) is the way to go.

 

There is malware loaded into memory as a device driver (runtime.sys, runtime2.sys), and it is a nasty one.

 

One of our colleagues, Jintan, is going to work with you here, and provide you some info on what you are looking at, as well as the options. I do not have a W2000 machine.

 

Please proceed with your plans to install the RC.
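For reference, this is roughly what a Recovery Console session to stop a malicious driver from loading looks like. It is an added example, not steps that Aaflac or Jintan posted in this thread. The service names `runtime` and `runtime2` are assumed from the file names in the STOP message; the real names are whatever `listsvc` prints, and that output must be checked before typing `disable`. The `REM` lines are annotations for the reader; the Recovery Console has no comment command, so only the bare command lines are typed at its prompt.

```cmd
REM Windows 2000 Recovery Console, reached by booting from the four setup
REM floppies (or a Windows 2000 CD) and pressing R for Repair, then C for
REM Recovery Console. It asks which installation to log on to and for the
REM local Administrator password before giving a C:\WINNT> prompt.

REM 1. List every service and kernel driver with its start type. Find the
REM    entries that load runtime.sys and runtime2.sys; the left-hand column
REM    is the name that disable/enable expect.
listsvc

REM 2. Set those entries to SERVICE_DISABLED so they are not loaded at boot.
REM    disable prints the previous start type; note it in case you need
REM    "enable <name> <start_type>" later. Names below are ASSUMED.
disable runtime
disable runtime2

REM 3. Rename the driver images so the loader cannot find them even if the
REM    registry entries are recreated. Keep them for later analysis rather
REM    than deleting.
cd \WINNT\system32\drivers
ren runtime.sys runtime.sys.bad
ren runtime2.sys runtime2.sys.bad

REM 4. Check the volume for file-system damage from the crash/reboot loop.
chkdsk /r

REM 5. Leave the console and let the machine reboot normally.
exit
```

Two caveats a practitioner would want. First, `disable` only works when the driver is registered as a service under HKLM\SYSTEM\CurrentControlSet\Services; if `listsvc` shows nothing matching, the driver is being loaded some other way and the console cannot switch it off, which is the point at which a wipe and reinstall (what Kimmie eventually did) becomes the sensible choice. Second, a rename or disable only stops the loader; it does not tell you what else the infection installed, so the booted system still needs a full scan before it goes back on the network.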



Thanks for all your help Aaflac!!

 

As I stated, it will take me some time to get the Recovery Console downloaded (probably a few days). I will post back here as soon as I have it. In the meantime, Jintan, if you have any other suggestions, feel free to throw 'em at me! :)

 

I may end up just going out and purchasing XP, if anything, just to have it as a backup OS..lol. I hate to though. I don't like the NTFS file system. FAT32 is easier to control/maintain, at least for me. I ran Windows ME on my other system for 8+ years and NEVER had this much trouble with trojans, etc..lol. I get a PC with Win2K on it, put the same protection on it as I had on the other system, and within the first month I have already had MASSIVE problems. :pullhair: (I just ran a SUPERAntiSpyware scan AND an Avast scan on this ME HD and it found "nada..nothing...zilch" (not even a tracking cookie) :) ). Poor Microsoft...some things they should have just left alone..lol. Yeah I know, FAT32 doesn't support most of the new technology out today..hehe. I just hate the fact that I can't even go into my local PC store and buy anything but VISTA now :(. They have even taken XP off most store shelves here, not sure why... VISTA has MAJOR issues..lol.

 

Ok I am done ranting..lol. Thanks again for all your help Aaflac. Keep up the great work! :clap:


Howdy Kimmie. I am one of the folks who has been reviewing your situation with our teammate Aaflac, and would like to follow up with you on some steps to return your 2K system to operations there. Your computer's security processes have been severely compromised, but as it hadn't yet been updated with the last Service Pack (SP4 rollup) and those security upgrades it was very vulnerable to what eventually has occurred.

 

I admit if this were my system I would be doing what you mention doing - making a decision on a newer OS and reformatting while upgrading. You can opt for FAT32 with XP still, but NTFS is just a more vibrant, faster and leaner file management system. I think you will find fewer reasons to keep a FAT based system than you think.

 

 

But for our efforts with your 2K drive, we will need to go through with using the disks and the Recovery Console to access that damaged system, so continue with creating those, then post back when you have them available.


Thanks for all your help (both of you)! :) I tried using the Recovery Console but it was unsuccessful. I went and purchased XP last night and tried to do a parallel install to retrieve my data. That too was unsuccessful, so I went ahead and just wiped everything out and did a clean install.

 

Thanks again for the help :)

 

-Kimmie


Thank you for keeping us informed.

 

Sometimes the best solution is to format and reinstall Windows. You will have the reassurance that the system is clean after you do.

 

After the OS is on board, make sure you install an Antivirus program and a Firewall (if you have a CD for them), reboot, then connect to the Internet, and install Service Pack 2.

 

~~~~

If you do not have a CD, and need to download an AntiVirus program and a Firewall from the Internet, let that be the first step so that the system is protected right after the Operating System is installed.

 

There are free AntiVirus programs you can download:

 

Grisoft’s AVG Anti-virus Free Edition: http://free.grisoft.com/freeweb.php

 

avast! 4 Home: http://www.avast.com/eng/avast_4_home.html

 

AntiVir Personal Edition: http://www.free-av.com/

 

 

Some free Firewall choices are:

 

ZoneAlarm:

http://www.zonelabs.com/store/content/cata...lid=dbtopnav_za

 

Sunbelt Kerio:

http://www.sunbelt-software.com/Kerio.cfm

 

OutPost:

http://www.agnitum.com/products/outpostfree/download.php

 

Then, make sure that the AntiVirus program installed in your system is always kept up to date!

 

~~~~

Every so often, also perform an online virus scan.

AntiVirus scanners use databases which are not identical, and one may find malware that another does not.

 

Some online scanners:

TrendMicro HouseCall:

http://uk.trendmicro-europe.com/consumer/h...call_launch.php

 

Panda ActiveScan:

http://www.pandasoftware.com/products/activescan.htm

 

Kaspersky Online Scanner (using Internet Explorer):

http://www.kaspersky.com/virusscanner

 

BitDefender:

http://www.bitdefender.com/scan8/

 

~~~~

Finally, some of the best suggestions and programs to remain malware free are contained in the following:

Tony Klein’s article 'How Did I Get Infected In The First Place'

http://forums.spywareinfo.com/index.php?showtopic=60955

 

 

Good luck, Kimmie!!
