
Is it safe to remove these - MBAM scan attached

Discussion in 'Malware and Virus Removal Archive' started by jazcan, 2008/09/07.

  1. 2008/09/07
    jazcan
    Hi there,

    I performed a full scan on my husband's work computer with MBAM.
    I've pasted the results of the scan below:

    Malwarebytes' Anti-Malware 1.26
    Database version: 1125
    Windows 5.1.2600 Service Pack 2

    9/7/2008 1:56:29 PM
    mbam-log-2008-09-07 (13-56-18).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 69969
    Time elapsed: 26 minute(s), 30 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 21
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 13

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\zordisa.dll (Trojan.Agent) -> No action taken.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\roytctm (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\roytctm (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\roytctm (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\noytcyr (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\noytcyr (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noytcyr (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\soxpeca (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\soxpeca (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soxpeca (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdydowkc (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdydowkc (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdydowkc (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wsldoekd (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wsldoekd (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wsldoekd (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mabidwe (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mabidwe (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mabidwe (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afisicx (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\afisicx (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (www.3929.cn?tn=102720) Good: (http://www.google.com/) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\dcbdcatys32_080906a.dll (Spyware.OnlineGames) -> No action taken.
    C:\WINDOWS\Temp\dwbins.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\inf\sppdcrs080906.scr (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system\sgcxcxxaspf080906.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\roytctm.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\noytcyr.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\soxpeca.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\tdydowkc.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\wsldoekd.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\zordisa.dll (Trojan.Agent) -> No action taken.


    Is it safe to remove everything that MBAM found? He is going on a business trip tomorrow, so I don't want to take the chance of crashing his computer.
    Please let me know.

    Thanks in advance,
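An added triage helper (my own example, not code from the thread or from Malwarebytes) for logs in the MBAM 1.x format shown above: it parses the `<item> (<Category>) -> <action>.` lines, checks that the summary counts agree with the listed detections, lists what was left at "No action taken", and pairs each flagged `Services\<name>` key with the flagged file of the same name, which shows that the ControlSet keys and the system32 .exe files belong to the same handful of services. The sample log is a constructed excerpt in the same format, with a placeholder hijack URL.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x scan logs (added example)."""
import re
from collections import defaultdict

# Constructed excerpt in the MBAM 1.26 log format; the hijack URL is a placeholder.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.26
Database version: 1125
Scan type: Full Scan (C:\|)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Data Items Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\zordisa.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\roytctm (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\roytctm (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\roytctm (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (www.badsite.invalid?tn=1) Good: (http://www.google.com/) -> No action taken.

Files Infected:
C:\WINDOWS\system32\roytctm.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\zordisa.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\dwbins.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# The three line shapes that carry information in an MBAM 1.x log.
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
DETECT_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<rest>.+)$")
SERVICE_RE = re.compile(r"\\Services\\(?P<name>[^\\]+)$", re.IGNORECASE)


def parse_mbam_log(text):
    """Return {'summary': {section: declared_count}, 'detections': [dict, ...]}.

    Each detection records section, item, category and the final action, i.e. the
    last '->' segment (Hijack.Homepage lines carry a 'Bad: (...) Good: (...)'
    segment before the action).
    """
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = DETECT_RE.match(line)
        if m and section:
            detections.append({"section": section, "item": m["item"],
                               "category": m["category"],
                               "action": m["rest"].split(" -> ")[-1]})
    return {"summary": summary, "detections": detections}


def summary_mismatches(parsed):
    """Sections whose declared count differs from the detections actually listed."""
    found = defaultdict(int)
    for d in parsed["detections"]:
        found[d["section"]] += 1
    return {s: (n, found[s]) for s, n in parsed["summary"].items() if n != found[s]}


def pending(parsed):
    """Items the scan reported but did not act on ('No action taken.')."""
    return [d["item"] for d in parsed["detections"] if d["action"] == "No action taken."]


def correlate_services(parsed):
    """Map each flagged Services\\<name> key to flagged files with the same stem.

    ControlSet001, ControlSet002 and CurrentControlSet entries for one service
    collapse to a single name, so three keys per service describe one persistence
    entry, not three separate problems.
    """
    files = defaultdict(list)
    for d in parsed["detections"]:
        if d["section"] == "Files Infected":
            stem = d["item"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            files[stem].append(d["item"])
    services = {}
    for d in parsed["detections"]:
        m = SERVICE_RE.search(d["item"])
        if d["section"] == "Registry Keys Infected" and m:
            name = m["name"].lower()
            services[name] = files.get(name, [])
    return services


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("summary mismatches:", summary_mismatches(parsed))
    print("still pending:", len(pending(parsed)), "item(s)")
    for svc, paths in correlate_services(parsed).items():
        print(f"service {svc!r} -> {paths}")
```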
     
  2. 2008/09/07
    Geri
    Hi
    Yes, all those are safe to remove.

    There may be other problems as well. Do you have HJT installed?

    I would post the logs requested in this link.


    Please download and install HijackThis (let it install to the default location) and Run a scan then close HJT, then run RSIT.exe and post the log.txt log here.
    Links and instructions here.

    Geri
     

  4. 2008/09/07
    jazcan
    I don't have HJT installed on this computer but will do and then will post the logs.
     
  5. 2008/09/07
    Geri
    Hi
    Run MBAM and let it clean those infections.

    Thanks
    Geri
     
  6. 2008/09/07
    jazcan
    O.K.
    I ran MBAM and let it clean... his computer would not shut down normally (it just sat on the shutting down screen), so I had to press the power button to reboot. It's a laptop.
    I then downloaded HJT after MBAM ran.
    I've pasted the HJT results below:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:34:22 PM, on 9/7/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\PROGRAM FILES\CA\SharedComponents\iTechnology\igateway.exe
    C:\Program Files\CA\eTrustITM\InoRpc.exe
    C:\Program Files\CA\eTrustITM\InoRT.exe
    C:\Program Files\CA\eTrustITM\InoTask.exe
    C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CA\eTrustITM\ppcl.exe
    C:\Program Files\CA\eTrustITM\ppcl.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\CA\eTrustITM\realmon.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\RunOnce: [GcBK] %systemroot%\system32\rundll32.exe %systemroot%\system32\8Tqj6I.dll,DllRegisterServer
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1216320355663
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = teleperformanceca.com
    O17 - HKLM\Software\..\Telephony: DomainName = teleperformanceca.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = teleperformanceca.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = teleperformanceca.com
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\PROGRAM FILES\CA\SharedComponents\iTechnology\igateway.exe
    O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
    O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 6722 bytes

    Sorry, what is RSIT.exe?
    O.K. I searched on this forum...I'll download RSIT and post the results :)
     
    Last edited: 2008/09/07
  7. 2008/09/07
    jazcan
    Here is the RSIT log.txt

    Logfile of random's system information tool (written by random/random)
    Run by jhamilton2 at 2008-09-07 14:48:49
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 22 GB (76%) free of 29 GB
    Total RAM: 503 MB (35% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:48:51 PM, on 9/7/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\PROGRAM FILES\CA\SharedComponents\iTechnology\igateway.exe
    C:\Program Files\CA\eTrustITM\InoRpc.exe
    C:\Program Files\CA\eTrustITM\InoRT.exe
    C:\Program Files\CA\eTrustITM\InoTask.exe
    C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\CA\eTrustITM\realmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\jhamilton2\My Documents\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\jhamilton2.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\RunOnce: [GcBK] %systemroot%\system32\rundll32.exe %systemroot%\system32\8Tqj6I.dll,DllRegisterServer
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1216320355663
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = teleperformanceca.com
    O17 - HKLM\Software\..\Telephony: DomainName = teleperformanceca.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = teleperformanceca.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = teleperformanceca.com
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\PROGRAM FILES\CA\SharedComponents\iTechnology\igateway.exe
    O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
    O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 6616 bytes

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
    DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2004-08-13 118842]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-07-24 2549368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-08-13 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-07-24 2549368]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "BluetoothAuthenticationAgent"=C:\WINDOWS\system32\bthprops.cpl [2004-08-04 110592]
    ""= []
    "IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2004-10-30 385024]
    "IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-11-02 155648]
    "HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-11-02 126976]
    "Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2005-02-03 606208]
    "dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2004-08-13 122939]
    "UpdateManager"=C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2004-01-07 110592]
    "PDVDDXSrv"=C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2006-10-20 118784]
    "Realtime Monitor"=C:\Program Files\CA\eTrustITM\realmon.exe [2007-01-16 407632]
    "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "GcBK"=C:\WINDOWS\system32\8Tqj6I.dll [2004-08-04 45056]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Aim6"= []
    "MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-07-24 68856]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    VPN Client.lnk - C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    C:\WINDOWS\system32\igfxsrvc.dll [2004-11-02 348160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless]
    C:\Program Files\Intel\Wireless\Bin\LgNotify.dll [2004-09-07 110592]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe"="C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe:*:Enabled:igateway"
    "C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
    "C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
     
  8. 2008/09/07
    jazcan
    File associations

    .reg - open - regedit.exe "%1" %*
    .scr - open - "%1" %*

    List of files/folders created in the last three months

    2008-09-07 14:48:49 ----D---- C:\rsit
    2008-09-07 14:33:25 ----D---- C:\Program Files\Trend Micro
    2008-09-07 12:47:48 ----D---- C:\WINDOWS\system32\inf
    2008-09-07 12:47:48 ----A---- C:\WINDOWS\tawisys.ini
    2008-08-16 21:58:42 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
    2008-08-16 21:58:28 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
    2008-08-16 21:57:32 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
    2008-08-16 21:56:39 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
    2008-08-16 21:56:05 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
    2008-08-16 21:54:27 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
    2008-08-16 21:53:30 ----HDC---- C:\WINDOWS\$NtUninstallKB944338-v2$
    2008-08-05 11:30:52 ----D---- C:\Documents and Settings\jhamilton2\Application Data\Malwarebytes
    2008-08-05 11:30:41 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-05 11:30:38 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-05 09:34:19 ----D---- C:\WINDOWS\Minidump
    2008-07-28 16:03:23 ----D---- C:\Program Files\MSECache
    2008-07-28 15:53:25 ----D---- C:\Program Files\Common Files\Adobe
    2008-07-28 15:53:25 ----D---- C:\Program Files\Adobe
    2008-07-28 15:43:07 ----D---- C:\Documents and Settings\jhamilton2\Application Data\Adobe
    2008-07-28 15:26:37 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
    2008-07-27 01:38:29 ----D---- C:\WINDOWS\system32\LogFiles
    2008-07-25 10:35:15 ----D---- C:\Program Files\Audacity
    2008-07-25 10:17:28 ----D---- C:\Program Files\CallCopy
    2008-07-24 10:44:58 ----D---- C:\Documents and Settings\jhamilton2\Application Data\Google
    2008-07-24 10:44:52 ----D---- C:\Documents and Settings\All Users\Application Data\Google
    2008-07-24 10:44:27 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-07-24 10:44:24 ----D---- C:\Program Files\Google
    2008-07-18 15:46:08 ----SHD---- C:\RECYCLER
    2008-07-17 22:48:34 ----HDC---- C:\WINDOWS\$NtUninstallKB925454$
    2008-07-17 22:48:08 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
    2008-07-17 22:47:04 ----A---- C:\WINDOWS\system32\MRT.exe
    2008-07-17 22:46:50 ----HDC---- C:\WINDOWS\$NtUninstallKB937894$
    2008-07-17 22:46:40 ----HDC---- C:\WINDOWS\$NtUninstallKB931784$
    2008-07-17 22:46:31 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
    2008-07-17 22:46:07 ----HDC---- C:\WINDOWS\$NtUninstallKB923689$
    2008-07-17 22:45:36 ----HDC---- C:\WINDOWS\$NtUninstallKB910437$
    2008-07-17 22:45:30 ----HDC---- C:\WINDOWS\$NtUninstallKB930178$
    2008-07-17 22:45:24 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
    2008-07-17 22:44:43 ----HDC---- C:\WINDOWS\$NtUninstallKB950759$
    2008-07-17 22:44:33 ----HDC---- C:\WINDOWS\$NtUninstallKB950760$
    2008-07-17 22:44:27 ----HDC---- C:\WINDOWS\$NtUninstallKB943485$
    2008-07-17 22:44:21 ----HDC---- C:\WINDOWS\$NtUninstallKB886185$
    2008-07-17 22:44:10 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
    2008-07-17 22:43:54 ----HDC---- C:\WINDOWS\$NtUninstallKB950749$
    2008-07-17 22:43:38 ----HDC---- C:\WINDOWS\$NtUninstallKB944653$
    2008-07-17 22:04:45 ----HDC---- C:\WINDOWS\$NtUninstallKB942763$
    2008-07-17 22:04:12 ----HDC---- C:\WINDOWS\$NtUninstallKB930916$
    2008-07-17 22:02:54 ----D---- C:\Documents and Settings\jhamilton2\Application Data\acccore
    2008-07-17 18:31:39 ----HDC---- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
    2008-07-17 16:51:47 ----N---- C:\WINDOWS\system32\tzchange.exe
    2008-07-17 16:36:39 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-17 16:36:37 ----D---- C:\Program Files\Viewpoint
    2008-07-17 16:36:37 ----D---- C:\Documents and Settings\All Users\Application Data\acccore
    2008-07-17 16:36:26 ----D---- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-07-17 16:36:26 ----D---- C:\Documents and Settings\All Users\Application Data\AOL
    2008-07-17 16:36:07 ----D---- C:\Program Files\Common Files\AOL
    2008-07-17 16:35:43 ----D---- C:\Program Files\AIM6
    2008-07-17 16:21:28 ----D---- C:\Documents and Settings\jhamilton2\Application Data\Sonic
    2008-07-17 16:21:04 ----D---- C:\Documents and Settings\jhamilton2\Application Data\Identities
    2008-07-17 16:20:50 ----D---- C:\Documents and Settings\jhamilton2\Application Data\Intel
    2008-07-17 16:20:45 ----ASH---- C:\Documents and Settings\jhamilton2\Application Data\desktop.ini
    2008-07-17 16:20:44 ----SD---- C:\Documents and Settings\jhamilton2\Application Data\Microsoft
    2008-07-17 16:16:50 ----D---- C:\WINDOWS\Internet Logs
    2008-07-17 16:15:58 ----A---- C:\WINDOWS\system32\dneinobj.dll
    2008-07-17 16:15:30 ----D---- C:\Program Files\Common Files\Deterministic Networks
    2008-07-17 16:15:27 ----D---- C:\Program Files\Cisco Systems
    2008-07-17 16:13:53 ----D---- C:\vpnclient-win-msi-5.0.03.0530-k9
    2008-07-17 16:02:46 ----A---- C:\WINDOWS\system32\Primomonnt.dll
    2008-07-17 16:02:39 ----D---- C:\WINDOWS\PrimoPDF4
    2008-07-17 16:02:39 ----D---- C:\Program Files\activePDF
    2008-07-17 15:55:28 ----RSD---- C:\WINDOWS\assembly
    2008-07-17 15:53:27 ----D---- C:\WINDOWS\Microsoft.NET
    2008-07-17 15:05:45 ----A---- C:\WINDOWS\PrimoPDF Setup Log.txt
    2008-07-17 15:05:04 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    2008-07-17 14:56:56 ----D---- C:\WINDOWS\system32\PreInstall
    2008-07-17 14:56:55 ----A---- C:\WINDOWS\system32\spupdsvc.exe
    2008-07-17 14:56:54 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
    2008-07-17 14:41:39 ----A---- C:\WINDOWS\ODBC.INI
    2008-07-17 14:41:15 ----A---- C:\WINDOWS\system32\mdimon.dll
    2008-07-17 14:38:15 ----D---- C:\Program Files\Microsoft.NET
    2008-07-17 14:37:48 ----D---- C:\Program Files\Microsoft ActiveSync
    2008-07-17 14:36:23 ----D---- C:\Program Files\Common Files\DESIGNER
    2008-07-17 14:35:43 ----D---- C:\WINDOWS\SHELLNEW
    2008-07-17 14:34:16 ----D---- C:\Program Files\Microsoft Office
    2008-07-17 14:32:23 ----RHD---- C:\MSOCache
    2008-07-17 14:30:10 ----D---- C:\Program Files\CA
    2008-07-17 14:30:04 ----A---- C:\install_itm.bat
    2008-07-17 14:26:29 ----D---- C:\WINDOWS\SchCache
    2008-07-17 14:25:52 ----A---- C:\WINDOWS\system32\wmpns.dll
    2008-07-17 14:25:00 ----D---- C:\Documents and Settings\All Users\Application Data\Dell
    2008-07-17 14:24:48 ----A---- C:\WINDOWS\system32\msxml4a.dll
    2008-07-17 14:24:31 ----A---- C:\WINDOWS\system32\msvcr71.dll
    2008-07-17 14:24:31 ----A---- C:\WINDOWS\system32\msvcp71.dll
    2008-07-17 14:24:31 ----A---- C:\WINDOWS\system32\MFC71u.dll
    2008-07-17 14:24:31 ----A---- C:\WINDOWS\system32\MFC71.dll
    2008-07-17 14:24:30 ----D---- C:\Program Files\CyberLink
    2008-07-17 14:24:30 ----A---- C:\WINDOWS\system32\atl71.dll
    2008-07-17 14:17:22 ----D---- C:\Program Files\Common Files\Sonic
    2008-07-17 14:16:37 ----D---- C:\Program Files\Common Files\SureThing Shared
    2008-07-17 14:16:01 ----D---- C:\WINDOWS\system32\dla
    2008-07-17 14:16:01 ----A---- C:\WINDOWS\wininit.ini
    2008-07-17 14:16:01 ----A---- C:\WINDOWS\system32\tfswapi.dll
    2008-07-17 14:16:01 ----A---- C:\WINDOWS\dla.exe
    2008-07-17 14:16:00 ----D---- C:\Program Files\Sonic
    2008-07-17 14:15:03 ----D---- C:\WINDOWS\Sun
    2008-07-17 14:14:01 ----D---- C:\WINDOWS\system32\SoftwareDistribution
    2008-07-17 14:11:58 ----SHD---- C:\WINDOWS\CSC
    2008-07-17 14:09:12 ----D---- C:\Program Files\Dell
    2008-07-17 14:08:45 ----D---- C:\WINDOWS\Downloaded Installations
    2008-07-17 13:16:24 ----D---- C:\Program Files\Modem Helper
    2008-07-17 13:16:17 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-17 13:16:17 ----A---- C:\WINDOWS\system32\java.exe
    2008-07-17 13:15:48 ----D---- C:\Program Files\Java
    2008-07-17 13:15:46 ----D---- C:\Program Files\Dell Computer Corporation
    2008-07-17 13:15:46 ----D---- C:\Program Files\Common Files\Java
    2008-07-17 13:12:52 ----A---- C:\WINDOWS\system32\ksuser.dll
    2008-07-17 13:12:44 ----A---- C:\WINDOWS\system32\stac97co.dll
    2008-07-17 13:12:43 ----D---- C:\Program Files\SigmaTel
    2008-07-17 13:08:04 ----A---- C:\WINDOWS\system32\igfxres.dll
    2008-07-17 13:03:24 ----D---- C:\WINDOWS\system32\ReinstallBackups
    2008-07-17 13:02:28 ----D---- C:\Program Files\CONEXANT
    2008-07-17 13:02:22 ----A---- C:\WINDOWS\system32\mdmxsdk.dll
    2008-07-17 13:02:22 ----A---- C:\WINDOWS\system32\HSFCI010.dll
    2008-07-17 12:57:08 ----A---- C:\WINDOWS\system32\results.txt
    2008-07-17 12:56:58 ----A---- C:\WINDOWS\system32\oemdspif.dll
    2008-07-17 12:56:58 ----A---- C:\WINDOWS\system32\igfxzoom.exe
    2008-07-17 12:56:58 ----A---- C:\WINDOWS\system32\igfxtray.exe
    2008-07-17 12:56:58 ----A---- C:\WINDOWS\system32\igfxsrvc.dll
    2008-07-17 12:56:58 ----A---- C:\WINDOWS\system32\igfxress.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxpph.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxhk.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxext.exe
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxexps.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxeud.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxdo.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxdiag.exe
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxdgps.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxdev.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxcfg.exe
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\ialmrnt5.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\ialmrem.dll
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\ialmgicd.dll
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\ialmgdev.dll
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\ialmdnt5.dll
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\ialmdev5.dll
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\ialmdd5.dll
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\iAlmCoIn_v3943.dll
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\hkcmd.exe
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\hccutils.dll
    2008-07-17 12:56:43 ----D---- C:\Documents and Settings\All Users\Application Data\Intel
    2008-07-17 12:55:46 ----A---- C:\WINDOWS\system32\W29MLRES.DLL
    2008-07-17 12:55:33 ----D---- C:\Program Files\Intel
    2008-07-17 12:54:29 ----D---- C:\Program Files\Broadcom
    2008-07-17 12:53:01 ----RA---- C:\WINDOWS\system32\hhactivex.dll
    2008-07-17 12:53:01 ----A---- C:\WINDOWS\system32\RcdScan.dll
    2008-07-17 12:52:58 ----A---- C:\WINDOWS\system32\VB5DB.DLL
    2008-07-17 12:52:56 ----HD---- C:\Program Files\InstallShield Installation Information
    2008-07-17 12:52:46 ----D---- C:\Program Files\Common Files\InstallShield
    2008-07-17 12:45:55 ----HD---- C:\Program Files\Uninstall Information
    2008-07-17 12:43:48 ----D---- C:\WINDOWS\SoftwareDistribution
    2008-07-17 12:43:47 ----D---- C:\WINDOWS\Prefetch
    2008-07-17 12:43:46 ----SD---- C:\WINDOWS\system32\Microsoft
    2008-07-17 12:43:46 ----A---- C:\WINDOWS\SchedLgU.Txt
    2008-07-17 11:11:43 ----D---- C:\WINDOWS\system32\xircom
    2008-07-17 11:11:43 ----D---- C:\Program Files\xerox
    2008-07-17 11:11:43 ----D---- C:\Program Files\microsoft frontpage
    2008-07-17 11:11:23 ----D---- C:\DELL
    2008-07-17 11:11:07 ----N---- C:\WINDOWS\system32\spmsg.dll
    2008-07-17 11:11:05 ----HD---- C:\WINDOWS\$hf_mig$
    2008-07-17 11:11:03 ----A---- C:\WINDOWS\system32\xpsp3res.dll
    2008-07-17 11:10:45 ----A---- C:\WINDOWS\control.ini
    2008-07-17 11:10:45 ----A---- C:\AUTOEXEC.BAT
    2008-07-17 11:10:24 ----A---- C:\WINDOWS\OEWABLog.txt
    2008-07-17 11:10:19 ----A---- C:\WINDOWS\system32\mapi32.dll
    2008-07-17 11:08:53 ----SD---- C:\WINDOWS\Downloaded Program Files
    2008-07-17 11:08:53 ----RD---- C:\WINDOWS\Offline Web Pages
    2008-07-17 11:08:53 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
    2008-07-17 11:08:44 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
    2008-07-17 11:08:37 ----HD---- C:\Program Files\WindowsUpdate
    2008-07-17 11:08:07 ----D---- C:\WINDOWS\system32\DirectX
    2008-07-17 11:07:41 ----A---- C:\WINDOWS\system32\atrace.dll
    2008-07-17 11:07:37 ----A---- C:\WINDOWS\system32\desktop.ini
    2008-07-17 11:07:37 ----A---- C:\WINDOWS\desktop.ini
    2008-07-17 11:07:29 ----A---- C:\WINDOWS\system32\nmevtmsg.dll
    2008-07-17 11:07:27 ----A---- C:\WINDOWS\system32\acctres.dll
    2008-07-17 11:07:26 ----D---- C:\Program Files\Common Files\Services
    2008-07-17 11:07:23 ----SD---- C:\WINDOWS\Tasks
    2008-07-17 11:07:23 ----A---- C:\WINDOWS\system32\icfgnt5.dll
    2008-07-17 11:07:22 ----D---- C:\Program Files\Common Files\MSSoap
    2008-07-17 11:07:17 ----D---- C:\WINDOWS\srchasst
    2008-07-17 11:07:16 ----D---- C:\WINDOWS\system32\Macromed
    2008-07-17 11:07:12 ----A---- C:\WINDOWS\system32\wuweb.dll
    2008-07-17 11:07:12 ----A---- C:\WINDOWS\system32\wucltui.dll
    2008-07-17 11:07:12 ----A---- C:\WINDOWS\system32\wuauserv.dll
    2008-07-17 11:07:11 ----A---- C:\WINDOWS\system32\wups.dll
    2008-07-17 11:07:11 ----A---- C:\WINDOWS\system32\wuaueng1.dll
    2008-07-17 11:07:11 ----A---- C:\WINDOWS\system32\wuaueng.dll
    2008-07-17 11:07:11 ----A---- C:\WINDOWS\system32\wuauclt1.exe
    2008-07-17 11:07:11 ----A---- C:\WINDOWS\system32\wuauclt.exe
    2008-07-17 11:07:10 ----A---- C:\WINDOWS\system32\wuapi.dll
    2008-07-17 11:07:10 ----A---- C:\WINDOWS\system32\qmgrprxy.dll
    2008-07-17 11:07:10 ----A---- C:\WINDOWS\system32\qmgr.dll
    2008-07-17 11:07:10 ----A---- C:\WINDOWS\system32\bitsprx3.dll
    2008-07-17 11:07:10 ----A---- C:\WINDOWS\system32\bitsprx2.dll
    2008-07-17 11:07:05 ----D---- C:\Program Files\Movie Maker
    2008-07-17 11:07:00 ----A---- C:\WINDOWS\system32\safrslv.dll
    2008-07-17 11:07:00 ----A---- C:\WINDOWS\system32\safrdm.dll
    2008-07-17 11:07:00 ----A---- C:\WINDOWS\system32\safrcdlg.dll
    2008-07-17 11:07:00 ----A---- C:\WINDOWS\system32\racpldlg.dll
    2008-07-17 11:06:56 ----A---- C:\WINDOWS\system32\fltMc.exe
    2008-07-17 11:06:56 ----A---- C:\WINDOWS\system32\fltlib.dll
    2008-07-17 11:06:55 ----D---- C:\WINDOWS\system32\Restore
    2008-07-17 11:06:55 ----A---- C:\WINDOWS\system32\srsvc.dll
    2008-07-17 11:06:55 ----A---- C:\WINDOWS\system32\srrstr.dll
    2008-07-17 11:06:55 ----A---- C:\WINDOWS\system32\srclient.dll
    2008-07-17 11:06:54 ----A---- C:\WINDOWS\system32\mnmdd.dll
    2008-07-17 11:06:54 ----A---- C:\WINDOWS\system32\isrdbg32.dll
    2008-07-17 11:06:54 ----A---- C:\WINDOWS\system32\ils.dll
    2008-07-17 11:06:53 ----A---- C:\WINDOWS\system32\nmmkcert.dll
    2008-07-17 11:06:53 ----A---- C:\WINDOWS\system32\msconf.dll
    2008-07-17 11:06:53 ----A---- C:\WINDOWS\system32\mnmsrvc.exe
    2008-07-17 11:06:50 ----D---- C:\Program Files\NetMeeting
    2008-07-17 11:06:50 ----A---- C:\WINDOWS\system32\msoert2.dll
    2008-07-17 11:06:49 ----A---- C:\WINDOWS\system32\msoeacct.dll
    2008-07-17 11:06:48 ----A---- C:\WINDOWS\system32\inetres.dll
    2008-07-17 11:06:48 ----A---- C:\WINDOWS\system32\inetcomm.dll
    2008-07-17 11:06:45 ----D---- C:\Program Files\Outlook Express
    2008-07-17 11:06:45 ----A---- C:\WINDOWS\system32\schedsvc.dll
    2008-07-17 11:06:45 ----A---- C:\WINDOWS\system32\mstinit.exe
    2008-07-17 11:06:45 ----A---- C:\WINDOWS\system32\mstask.dll
    2008-07-17 11:06:44 ----A---- C:\WINDOWS\system32\isign32.dll
    2008-07-17 11:06:44 ----A---- C:\WINDOWS\system32\inetcfg.dll
    2008-07-17 11:06:44 ----A---- C:\WINDOWS\system32\icwphbk.dll
    2008-07-17 11:06:44 ----A---- C:\WINDOWS\system32\icwdial.dll
    2008-07-17 11:06:37 ----D---- C:\Program Files\Common Files\System
    2008-07-17 11:06:33 ----D---- C:\Program Files\Internet Explorer
    2008-07-17 11:05:45 ----D---- C:\Program Files\ComPlus Applications
    2008-07-17 11:05:42 ----A---- C:\WINDOWS\vbaddin.ini
    2008-07-17 11:05:42 ----A---- C:\WINDOWS\vb.ini
    2008-07-17 11:05:35 ----D---- C:\WINDOWS\Registration
    2008-07-17 11:05:24 ----D---- C:\Program Files\Windows Media Player
    2008-07-17 11:05:24 ----D---- C:\Program Files\Online Services
    2008-07-17 11:05:15 ----D---- C:\Program Files\Messenger
    2008-07-17 11:05:10 ----D---- C:\Program Files\MSN Gaming Zone
    2008-07-17 11:05:10 ----A---- C:\WINDOWS\system32\write.exe
    2008-07-17 11:04:57 ----A---- C:\WINDOWS\system32\sndvol32.exe
    2008-07-17 11:04:57 ----A---- C:\WINDOWS\system32\hticons.dll
    2008-07-17 11:04:57 ----A---- C:\WINDOWS\system32\avwav.dll
    2008-07-17 11:04:57 ----A---- C:\WINDOWS\system32\avtapi.dll
    2008-07-17 11:04:57 ----A---- C:\WINDOWS\system32\avmeter.dll
    2008-07-17 11:04:56 ----A---- C:\WINDOWS\system32\winchat.exe
    2008-07-17 11:04:47 ----A---- C:\WINDOWS\system32\getuname.dll
    2008-07-17 11:04:47 ----A---- C:\WINDOWS\system32\charmap.exe
    2008-07-17 11:04:46 ----A---- C:\WINDOWS\system32\winmine.exe
    2008-07-17 11:04:46 ----A---- C:\WINDOWS\system32\sol.exe
    2008-07-17 11:04:46 ----A---- C:\WINDOWS\system32\calc.exe
    2008-07-17 11:04:45 ----A---- C:\WINDOWS\system32\usrlogon.cmd
    2008-07-17 11:04:45 ----A---- C:\WINDOWS\system32\tsshutdn.exe
    2008-07-17 11:04:45 ----A---- C:\WINDOWS\system32\tskill.exe
    2008-07-17 11:04:45 ----A---- C:\WINDOWS\system32\reset.exe
    2008-07-17 11:04:45 ----A---- C:\WINDOWS\system32\mshearts.exe
    2008-07-17 11:04:45 ----A---- C:\WINDOWS\system32\freecell.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\tslabels.ini
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\tsdiscon.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\tscon.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\shadow.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\rwinsta.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\regini.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\rdpcfgex.dll
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\qwinsta.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\qappsrv.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\msg.exe
    2008-07-17 11:04:43 ----A---- C:\WINDOWS\system32\msdtcprf.ini
    2008-07-17 11:04:43 ----A---- C:\WINDOWS\system32\logoff.exe
    2008-07-17 11:04:43 ----A---- C:\WINDOWS\system32\cdmodem.dll
    2008-07-17 11:04:42 ----A---- C:\WINDOWS\system32\mtxlegih.dll
    2008-07-17 11:04:42 ----A---- C:\WINDOWS\system32\mtxex.dll
    2008-07-17 11:04:42 ----A---- C:\WINDOWS\system32\mtxdm.dll
    2008-07-17 11:04:42 ----A---- C:\WINDOWS\system32\dcomcnfg.exe
    2008-07-17 11:04:42 ----A---- C:\WINDOWS\system32\comaddin.dll
    2008-07-17 11:04:41 ----A---- C:\WINDOWS\system32\stclient.dll
    2008-07-17 11:04:41 ----A---- C:\WINDOWS\system32\comsnap.dll
    2008-07-17 11:04:41 ----A---- C:\WINDOWS\system32\comrepl.dll
    2008-07-17 11:04:34 ----A---- C:\WINDOWS\system32\wmimgmt.msc
    2008-07-17 11:04:20 ----D---- C:\Program Files\MSN
    2008-07-17 11:04:19 ----A---- C:\WINDOWS\system32\accwiz.exe
    2008-07-17 11:04:18 ----A---- C:\WINDOWS\system32\sndrec32.exe
    2008-07-17 11:04:18 ----A---- C:\WINDOWS\system32\mplay32.exe
    2008-07-17 11:04:18 ----A---- C:\WINDOWS\system32\hypertrm.dll
    2008-07-17 11:04:17 ----D---- C:\Program Files\Windows NT
    2008-07-17 11:04:17 ----A---- C:\WINDOWS\system32\mspaint.exe
    2008-07-17 11:04:17 ----A---- C:\WINDOWS\system32\clipbrd.exe
    2008-07-17 11:04:16 ----A---- C:\WINDOWS\system32\tscfgwmi.dll
    2008-07-17 11:04:16 ----A---- C:\WINDOWS\system32\spider.exe
    2008-07-17 11:04:15 ----A---- C:\WINDOWS\system32\sessmgr.exe
    2008-07-17 11:04:15 ----A---- C:\WINDOWS\system32\remotepg.dll
    2008-07-17 11:04:15 ----A---- C:\WINDOWS\system32\rdshost.exe
    2008-07-17 11:04:15 ----A---- C:\WINDOWS\system32\rdsaddin.exe
    2008-07-17 11:04:15 ----A---- C:\WINDOWS\system32\rdchost.dll
    2008-07-17 11:04:15 ----A---- C:\WINDOWS\system32\mstscax.dll
    2008-07-17 11:04:15 ----A---- C:\WINDOWS\system32\mstsc.exe
    2008-07-17 11:04:14 ----A---- C:\WINDOWS\system32\tscupgrd.exe
    2008-07-17 11:04:14 ----A---- C:\WINDOWS\system32\termsrv.dll
    2008-07-17 11:04:14 ----A---- C:\WINDOWS\system32\rdpwsx.dll
    2008-07-17 11:04:14 ----A---- C:\WINDOWS\system32\rdpsnd.dll
    2008-07-17 11:04:14 ----A---- C:\WINDOWS\system32\rdpclip.exe
    2008-07-17 11:04:14 ----A---- C:\WINDOWS\system32\qprocess.exe
    2008-07-17 11:04:14 ----A---- C:\WINDOWS\system32\icaapi.dll
    2008-07-17 11:04:13 ----D---- C:\WINDOWS\system32\MsDtc
    2008-07-17 11:04:13 ----A---- C:\WINDOWS\system32\mtxoci.dll
    2008-07-17 11:04:13 ----A---- C:\WINDOWS\system32\msdtcuiu.dll
    2008-07-17 11:04:13 ----A---- C:\WINDOWS\system32\msdtcprx.dll
    2008-07-17 11:04:13 ----A---- C:\WINDOWS\system32\cfgbkend.dll
    2008-07-17 11:04:12 ----A---- C:\WINDOWS\system32\xolehlp.dll
    2008-07-17 11:04:12 ----A---- C:\WINDOWS\system32\msdtctm.dll
    2008-07-17 11:04:12 ----A---- C:\WINDOWS\system32\msdtclog.dll
    2008-07-17 11:04:12 ----A---- C:\WINDOWS\system32\msdtc.exe
    2008-07-17 11:04:11 ----D---- C:\WINDOWS\system32\Com
    2008-07-17 11:04:11 ----A---- C:\WINDOWS\system32\colbact.dll
    2008-07-17 11:04:11 ----A---- C:\WINDOWS\system32\clbcatex.dll
    2008-07-17 11:04:11 ----A---- C:\WINDOWS\system32\catsrvps.dll
    2008-07-17 11:04:10 ----A---- C:\WINDOWS\system32\catsrvut.dll
    2008-07-17 11:04:10 ----A---- C:\WINDOWS\system32\catsrv.dll
    2008-07-17 11:04:09 ----A---- C:\WINDOWS\system32\comuid.dll
    2008-07-17 11:04:09 ----A---- C:\WINDOWS\system32\comsvcs.dll
    2008-07-17 11:04:09 ----A---- C:\WINDOWS\system32\clbcatq.dll
    2008-07-17 11:04:01 ----A---- C:\WINDOWS\system32\servdeps.dll
    2008-07-17 11:04:01 ----A---- C:\WINDOWS\system32\mmfutil.dll
    2008-07-17 11:04:01 ----A---- C:\WINDOWS\system32\licwmi.dll
    2008-07-17 11:04:01 ----A---- C:\WINDOWS\system32\cmprops.dll
    2008-07-17 07:01:19 ----A---- C:\WINDOWS\system32\h323log.txt
    2008-07-16 13:52:40 ----A---- C:\WINDOWS\system32\irmon.dll
    2008-07-16 13:52:39 ----A---- C:\WINDOWS\system32\wshirda.dll
    2008-07-16 13:52:39 ----A---- C:\WINDOWS\system32\irftp.exe
    2008-07-16 13:50:41 ----A---- C:\WINDOWS\system32\usbui.dll
    2008-07-16 13:47:55 ----A---- C:\WINDOWS\imsins.BAK
    2008-07-16 13:47:50 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2008-07-16 13:47:49 ----SHD---- C:\WINDOWS\Installer
    2008-07-16 13:47:48 ----D---- C:\Program Files\Common Files\ODBC
    2008-07-16 13:47:48 ----A---- C:\WINDOWS\ODBCINST.INI
    2008-07-16 13:47:43 ----D---- C:\Program Files\Common Files\SpeechEngines
    2008-07-16 13:47:42 ----RD---- C:\Program Files
    2008-07-16 13:47:42 ----D---- C:\Program Files\Common Files\Microsoft Shared
    2008-07-16 13:47:42 ----D---- C:\Program Files\Common Files
    2008-07-16 13:47:36 ----RA---- C:\WINDOWS\system32\kbdtuq.dll
    2008-07-16 13:47:36 ----RA---- C:\WINDOWS\system32\kbdtuf.dll
    2008-07-16 13:47:36 ----RA---- C:\WINDOWS\system32\kbdazel.dll
    2008-07-16 13:47:33 ----RA---- C:\WINDOWS\system32\kbduzb.dll
    2008-07-16 13:47:33 ----RA---- C:\WINDOWS\system32\kbdtat.dll
    2008-07-16 13:47:33 ----RA---- C:\WINDOWS\system32\kbdmon.dll
    2008-07-16 13:47:33 ----RA---- C:\WINDOWS\system32\kbdkyr.dll
    2008-07-16 13:47:33 ----RA---- C:\WINDOWS\system32\kbdkaz.dll
    2008-07-16 13:47:33 ----RA---- C:\WINDOWS\system32\kbdaze.dll
    2008-07-16 13:47:32 ----RA---- C:\WINDOWS\system32\kbdycc.dll
    2008-07-16 13:47:32 ----RA---- C:\WINDOWS\system32\kbdur.dll
    2008-07-16 13:47:32 ----RA---- C:\WINDOWS\system32\kbdru1.dll
    2008-07-16 13:47:32 ----RA---- C:\WINDOWS\system32\kbdru.dll
    2008-07-16 13:47:32 ----RA---- C:\WINDOWS\system32\kbdbu.dll
    2008-07-16 13:47:32 ----RA---- C:\WINDOWS\system32\kbdblr.dll
    2008-07-16 13:47:29 ----RA---- C:\WINDOWS\system32\kbdhept.dll
    2008-07-16 13:47:29 ----RA---- C:\WINDOWS\system32\kbdhela3.dll
    2008-07-16 13:47:29 ----RA---- C:\WINDOWS\system32\kbdhela2.dll
    2008-07-16 13:47:29 ----RA---- C:\WINDOWS\system32\kbdhe319.dll
    2008-07-16 13:47:29 ----RA---- C:\WINDOWS\system32\kbdhe220.dll
    2008-07-16 13:47:29 ----RA---- C:\WINDOWS\system32\kbdhe.dll
    2008-07-16 13:47:29 ----RA---- C:\WINDOWS\system32\kbdgkl.dll
    2008-07-16 13:47:26 ----RA---- C:\WINDOWS\system32\kbdlv1.dll
    2008-07-16 13:47:26 ----RA---- C:\WINDOWS\system32\kbdlv.dll
    2008-07-16 13:47:26 ----RA---- C:\WINDOWS\system32\kbdlt1.dll
    2008-07-16 13:47:26 ----RA---- C:\WINDOWS\system32\kbdlt.dll
    2008-07-16 13:47:26 ----RA---- C:\WINDOWS\system32\kbdest.dll
    2008-07-16 13:47:23 ----RA---- C:\WINDOWS\system32\kbdsl1.dll
    2008-07-16 13:47:23 ----RA---- C:\WINDOWS\system32\kbdsl.dll
    2008-07-16 13:47:23 ----RA---- C:\WINDOWS\system32\kbdro.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdycl.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdpl1.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdpl.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdhu1.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdhu.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdcz2.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdcz1.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdcz.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdcr.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\KBDAL.DLL
    2008-07-16 13:47:17 ----A---- C:\WINDOWS\system32\irclass.dll
    2008-07-16 13:47:17 ----A---- C:\WINDOWS\system32\dgsetup.dll
    2008-07-16 13:47:17 ----A---- C:\WINDOWS\system32\dgrpsetu.dll
    2008-07-16 13:47:16 ----A---- C:\WINDOWS\system32\spxcoins.dll
    2008-07-16 13:47:16 ----A---- C:\WINDOWS\system32\EqnClass.Dll
    2008-07-16 13:47:13 ----A---- C:\WINDOWS\TASKMAN.EXE
    2008-07-16 13:47:12 ----N---- C:\WINDOWS\system32\CONFIG.TMP
    2008-07-16 13:47:12 ----A---- C:\WINDOWS\system32\batt.dll
    2008-07-16 13:47:11 ----A---- C:\WINDOWS\NOTEPAD.EXE
    2008-07-16 13:47:05 ----A---- C:\WINDOWS\system32\storprop.dll
    2008-07-16 13:46:48 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini
    2008-07-16 13:46:48 ----RA---- C:\WINDOWS\SET2A.tmp
    2008-07-16 13:46:47 ----RA---- C:\WINDOWS\SET29.tmp
    2008-07-16 13:46:39 ----RA---- C:\WINDOWS\SET8.tmp
    2008-07-16 13:46:35 ----RA---- C:\WINDOWS\SET4.tmp
    2008-07-16 13:46:32 ----RA---- C:\WINDOWS\SET3.tmp
    2008-07-16 13:46:21 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-07-16 13:46:21 ----D---- C:\WINDOWS\system32\CatRoot
    2008-07-16 13:46:15 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2008-07-16 13:45:46 ----A---- C:\WINDOWS\setuplog.txt
    2008-07-16 13:45:40 ----D---- C:\Documents and Settings
    2008-07-16 13:44:44 ----SH---- C:\boot.ini
    2008-07-16 13:38:23 ----SHD---- C:\System Volume Information
    2008-07-16 13:29:21 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2008-07-16 13:29:21 ----RSD---- C:\WINDOWS\Fonts
    2008-07-16 13:29:21 ----RD---- C:\WINDOWS\Web
    2008-07-16 13:29:21 ----HD---- C:\WINDOWS\inf
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\WinSxS
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\twain_32
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Temp
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\wins
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\wbem
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\usmt
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\spool
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\ShellExt
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\Setup
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\ras
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\oobe
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\npp
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\mui
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\inetsrv
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\IME
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\icsxml
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\ias
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\export
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\drivers
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\dhcp
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\config
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\3com_dmi
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\3076
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\2052
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1054
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1042
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1041
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1037
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1033
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1031
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1028
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1025
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\security
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Resources
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\repair
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Provisioning
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\PeerNet
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\pchealth
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\mui
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\msapps
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\msagent
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Media
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\java
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\ime
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Help
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\ehome
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Driver Cache
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\dell
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Debug
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Cursors
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Connection Wizard
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Config
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\AppPatch
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\addins
    2008-07-16 13:29:21 ----D---- C:\WINDOWS
     
  9. 2008/09/07
    jazcan
    List of drivers

    R1 APPDRV;APPDRV; C:\WINDOWS\system32\SYSTEM32\DRIVERS\APPDRV.SYS []
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
    R1 OMCI;OMCI; C:\WINDOWS\system32\SYSTEM32\DRIVERS\OMCI.SYS []
    R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2004-07-14 5627]
    R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2004-07-14 23545]
    R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.1.0.1; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-07-17 17056]
    R2 BASFND;BASFND; \??\C:\WINDOWS\system32\Drivers\BASFND.sys []
    R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver; \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys []
    R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2004-08-13 40544]
    R2 INO_FLTR;INO_FLTR; \??\C:\WINDOWS\system32\Drivers\ino_fltr.sys []
    R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
    R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2004-08-31 11354]
    R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2004-08-13 25723]
    R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2004-08-13 34843]
    R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2004-08-13 4123]
    R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2004-08-13 2239]
    R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2004-08-13 86202]
    R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2004-08-13 14715]
    R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2004-08-13 6363]
    R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2004-08-13 98714]
    R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2004-08-13 100603]
    R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
    R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-08-23 121472]
    R3 BthEnum;Bluetooth Request Block Driver; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2004-08-03 17024]
    R3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2004-08-03 18944]
    R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
    R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2008-03-29 125328]
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
    R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-06-17 1041536]
    R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-06-17 200064]
    R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-11-02 773565]
    R3 IWCA;Intel Wireless Connection Agent Miniport for Win XP; C:\WINDOWS\system32\DRIVERS\iwca.sys [2004-08-12 234496]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
    R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2004-08-03 59648]
    R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-04 67584]
    R3 STAC97;SigmaTel C-Major Audio; C:\WINDOWS\system32\drivers\STAC97.sys [2004-11-01 272568]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
    R3 w29n51;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2004-10-21 3210496]
    R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-06-17 685056]
    S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2004-08-03 100992]
    S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
    S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
    S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2007-01-18 5275]
    S3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 26496]
    S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
    S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\drivers\UIUSys.sys []
    S3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    S3 vsdatant;vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys []

    List of services

    R2 BAsfIpM;Broadcom ASF IP monitoring service v6.0.4; C:\WINDOWS\system32\basfipm.exe [2004-04-01 77824]
    R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
    R2 CVPND;Cisco Systems, Inc. VPN Service; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [2008-04-17 1528608]
    R2 EvtEng;EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2004-09-07 86016]
    R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-24 137200]
    R2 iGateway;iTechnology iGateway 4.2; C:\PROGRAM FILES\CA\SharedComponents\iTechnology\igateway.exe [2007-02-05 106496]
    R2 InoRPC;eTrust ITM RPC Service; C:\Program Files\CA\eTrustITM\InoRpc.exe [2007-01-16 198736]
    R2 InoRT;eTrust Antivirus Realtime Service; C:\Program Files\CA\eTrustITM\InoRT.exe [2007-01-16 215120]
    R2 InoTask;eTrust ITM Job Service; C:\Program Files\CA\eTrustITM\InoTask.exe [2008-07-17 386888]
    R2 ITMRTSVC;CA Pest Patrol Realtime Protection Service; C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe [2007-09-05 278528]
    R2 NICCONFIGSVC;NICCONFIGSVC; C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe [2005-01-30 356352]
    R2 RegSrvc;RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2004-09-07 139264]
    R2 S24EventMonitor;Spectrum24 Event Monitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2004-09-07 360521]
    R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R2 WLANKEEPER;WLANKEEPER; C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [2004-09-07 225353]
    S2 seiuctol;Security Control; zordisa.dll []
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

    -----------------EOF-----------------
     
  10. 2008/09/07
    Geri
    Hi
    OK, now ComboFix.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows.
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the ComboFix log.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.
     
    Geri,
  11. 2008/09/07
    jazcan (Lifetime Subscription, Thread Starter)
    My husband has to take his laptop to the office to print something.
    I will not have access to it until later today.
    I will check back later to see if there's anything else I need to do.
    I really appreciate your help Geri....you and Noahdfear have gotten me out of more than one problem and I will be signing up for a lifetime membership later today since I've been registered here and coming for help since 2002.
    Thanks again for all of your help :)
     
  12. 2008/09/07
    Geri (Lifetime Subscription, Inactive Alumni)
    OK
    There are still a couple of infected files and drivers on it that will need to be removed.

    Geri
     
  13. 2008/09/07
    jazcan (Lifetime Subscription, Thread Starter)
    I ran into a problem. My husband's antivirus and Pest Patrol cannot be disabled. The option is greyed out (probably by his IT guys).
    Will combofix NOT run properly without disabling? It's Etrust threat management agent for both antivirus and pestpatrol.
    He's leaving now but let me know if running combofix will cause a problem.
    I'll check back later.
    thanks.
     
  14. 2008/09/07
    Geri (Lifetime Subscription, Inactive Alumni)
    Hi
    It is best to disable them, but CF should run.

    It "may" be the infection that has them disabled also, we'll see what happens.

    Post back after you have run ComboFix; that way I will see that you posted, by not seeing my name as the last poster. :)

    Thanks
     
  15. 2008/09/07
    jazcan (Lifetime Subscription, Thread Starter)
    Hi Geri,
    O.K., I couldn't disable the anti-virus software and I did run into a few problems.
    I did run ComboFix, but when the computer went to restart, again it would not shut down, so I had to restart manually (which I know ComboFix states not to).
    Anyway, it did prepare a log report after rebooting, but while it was doing that the antivirus software detected 2 viruses (I'm not sure what it did with them).
    Also, it appears that the problems are back... the homepage has been hijacked again to some page that has Chinese characters????? (I thought we removed this with Malwarebytes.)
    Here is the combofix log:

    ComboFix 08-09-05.03 - jhamilton2 2008-09-07 17:29:49.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.149 [GMT -4:00]
    Running from: C:\Documents and Settings\jhamilton2\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\Install.txt
    C:\WINDOWS\system32\8Tqj6I.dll
    C:\WINDOWS\system32\drivers\fad.sys
    C:\WINDOWS\system32\inf\svchoct.exe
    C:\WINDOWS\system32\Install.txt
    C:\WINDOWS\system32\tpszxyd.sys
    C:\WINDOWS\tawisys.ini

    ----- BITS: Possible infected sites -----

    http://wsus.teleperformanceca.com
    Infected copy of C:\WINDOWS\system32\spoolsv.exe was found & disinfected
    Restored copy from - C:\WINDOWS\system32\dllcache\spoolsv.exe


    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AFISICX
    -------\Legacy_MABIDWE
    -------\Legacy_NOYTCYR
    -------\Legacy_ROYTCTM
    -------\Legacy_SOXPECA
    -------\Legacy_TDYDOWKC
    -------\Legacy_WSLDOEKD


    ((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
    .

    2008-09-07 14:48 . 2008-09-07 14:48 <DIR> d-------- C:\rsit
    2008-09-07 14:33 . 2008-09-07 14:33 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-07 12:47 . 2008-09-07 17:30 <DIR> d-------- C:\WINDOWS\system32\inf

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-07 17:05 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-06 12:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-09-02 04:16 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-02 04:16 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-05 15:30 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\Malwarebytes
    2008-08-05 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-28 20:03 --------- d-----w C:\Program Files\MSECache
    2008-07-28 19:53 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-07-25 14:35 --------- d-----w C:\Program Files\Audacity
    2008-07-25 14:17 --------- d-----w C:\Program Files\CallCopy
    2008-07-24 14:44 --------- d-----w C:\Program Files\Google
    2008-07-20 12:47 --------- d-----w C:\Program Files\Modem Helper
    2008-07-18 02:02 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\acccore
    2008-07-17 20:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-07-17 20:36 --------- d-----w C:\Program Files\Viewpoint
    2008-07-17 20:36 --------- d-----w C:\Program Files\Common Files\AOL
    2008-07-17 20:36 --------- d-----w C:\Program Files\AIM6
    2008-07-17 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-17 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-07-17 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\acccore
    2008-07-17 20:21 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\Sonic
    2008-07-17 20:20 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\Intel
    2008-07-17 20:15 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
    2008-07-17 20:15 --------- d-----w C:\Program Files\Cisco Systems
    2008-07-17 20:02 --------- d-----w C:\Program Files\activePDF
    2008-07-17 18:38 --------- d-----w C:\Program Files\Microsoft.NET
    2008-07-17 18:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-07-17 18:30 --------- d-----w C:\Program Files\CA
    2008-07-17 18:28 --------- d-----w C:\Documents and Settings\fferreira.TPCAN\Application Data\Sonic
    2008-07-17 18:28 --------- d-----w C:\Documents and Settings\fferreira.TPCAN\Application Data\Intel
    2008-07-17 18:26 --------- d-----w C:\Documents and Settings\fferreira\Application Data\Sonic
    2008-07-17 18:25 --------- d-----w C:\Documents and Settings\fferreira\Application Data\Intel
    2008-07-17 18:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
    2008-07-17 18:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-17 18:24 --------- d-----w C:\Program Files\CyberLink
    2008-07-17 18:21 --------- d-----w C:\Documents and Settings\tpadmin\Application Data\Sonic
    2008-07-17 18:17 --------- d-----w C:\Program Files\Common Files\Sonic
    2008-07-17 18:16 --------- d-----w C:\Program Files\Sonic
    2008-07-17 18:16 --------- d-----w C:\Program Files\Common Files\SureThing Shared
    2008-07-17 18:09 --------- d-----w C:\Program Files\Dell
    2008-07-17 17:16 --------- d-----w C:\Program Files\Java
    2008-07-17 17:15 --------- d-----w C:\Program Files\Dell Computer Corporation
    2008-07-17 17:15 --------- d-----w C:\Program Files\Common Files\Java
    2008-07-17 17:12 --------- d-----w C:\Program Files\SigmaTel
    2008-07-17 17:12 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-07-17 17:04 --------- d-----w C:\Program Files\Intel
    2008-07-17 17:02 --------- d-----w C:\Program Files\CONEXANT
    2008-07-17 16:57 17,056 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
    2008-07-17 16:57 --------- d-----w C:\Documents and Settings\tpadmin\Application Data\Intel
    2008-07-17 16:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
    2008-07-17 16:54 --------- d-----w C:\Program Files\Broadcom
    2008-07-17 15:11 --------- d-----w C:\Program Files\microsoft frontpage
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    .

    ------- Sigcheck -------

    2008-01-23 18:34 53592 1f83b758355a2d3ead3552218fb78506 C:\WINDOWS\system32\wuauclt.exe
    2008-01-23 18:34 53592 01d64a90525e6f8e2ab55497e87fb535 C:\WINDOWS\system32\dllcache\wuauclt.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-24 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelWireless "= "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 155648]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 126976]
    "Dell QuickSet "= "C:\Program Files\Dell\QuickSet\quickset.exe" [2005-02-03 606208]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 122939]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "PDVDDXSrv "= "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "Realtime Monitor "= "C:\Program Files\CA\eTrustITM\realmon.exe" [2007-01-16 407632]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "BluetoothAuthenticationAgent "= "bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2008-07-17 6144]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=

    R0 cbnjf;cbnjf;C:\WINDOWS\system32\drivers\cbnjf.sys [2004-08-04 28960]
    R2 afisicx;afisicx Service;C:\WINDOWS\system32\afisicx.exe [2004-08-04 44544]
    R2 mabidwe;mabidwe Service;C:\WINDOWS\system32\mabidwe.exe [2004-08-04 44544]
    R2 noytcyr;noytcyr Service;C:\WINDOWS\system32\noytcyr.exe [2004-08-04 44544]
    R2 roytctm;roytctm Service;C:\WINDOWS\system32\roytctm.exe [2004-08-04 44032]
    R2 soxpeca;soxpeca Service;C:\WINDOWS\system32\soxpeca.exe [2004-08-04 44544]
    R2 tdydowkc;tdydowkc Service;C:\WINDOWS\system32\tdydowkc.exe [2004-08-04 44544]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R2 wsldoekd;wsldoekd Service;C:\WINDOWS\system32\wsldoekd.exe [2004-08-04 44032]
    S2 seiuctol;Security Control;c:\windows\system32\rundll32.exe zordisa.dll,scan [ ]

    *Newly Created Service* - AFISICX
    *Newly Created Service* - MABIDWE
    *Newly Created Service* - NOYTCYR
    *Newly Created Service* - ROYTCTM
    *Newly Created Service* - SOXPECA
    *Newly Created Service* - TDYDOWKC
    *Newly Created Service* - WSLDOEKD
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Aim6 - (no file)
    HKLM-RunOnce-GcBK - %systemroot%\system32\8Tqj6I.dll


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Search Page = hxxp://www.google.com
    R0 -: HKCU-Main,Start Page = www.3929.cn?tn=102720
    R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
    R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
    R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
    R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
    R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-07 17:36:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\system32\tpszxyd.sys 268288 bytes executable
    C:\WINDOWS\system32\afisicx.exe 44544 bytes executable
    C:\WINDOWS\system32\zordisa.dll 14848 bytes executable

    scan completed successfully
    hidden files: 3

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> c:\windows\system32\zordisa.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
    C:\WINDOWS\system32\BAsfIpM.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
    C:\Program Files\CA\eTrustITM\InoRpc.exe
    C:\Program Files\CA\eTrustITM\InoRT.exe
    C:\Program Files\CA\eTrustITM\InoTask.exe
    C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
    C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CA\eTrustITM\Ppcl.exe
    C:\Program Files\CA\eTrustITM\Ppcl.exe
    C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Temp\mfrj.exe
    C:\WINDOWS\system32\inf\svchoct.exe
    C:\WINDOWS\Temp\dwbins.exe
    C:\WINDOWS\system32\tpszxyd.sys
    C:\WINDOWS\system32\udxfytw.sys
    .
    **************************************************************************
    .
    Completion time: 2008-09-07 17:41:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-07 21:41:11

    Pre-Run: 22,786,527,232 bytes free
    Post-Run: 22,924,091,392 bytes free

    210 --- E O F --- 2008-08-17 01:58:46

    On another note, my husband's printer drivers are no longer working??
    I also got an error when the computer restarted and combofix was preparing the log:

    Let me know if there's a way to fix this :)

    **Whenever I restart the computer my husband's antivirus software detects a virus, then says it's cured. But it seems to come back on reboot.
    I also now get the error:
    "Error loading 8tqj6I.dll, file cannot be found" whenever Windows is starting up?
     
    Last edited: 2008/09/07
  16. 2008/09/07
    jazcan (Lifetime Subscription, Thread Starter)
    Hi again,
    I spoke with my husband's IT guy on the phone. He told me to boot into safe mode and do an online scan with housecall (Trend Micro)...I'm doing that now.
    I'll let you know what it finds.
    Oh, and it's his company's policy to disable the option to disable the antivirus and Pest Patrol..... lol, guess it didn't do its job :)
     
    Last edited: 2008/09/07
  17. 2008/09/07
    Geri (Lifetime Subscription, Inactive Alumni)
    OK let me know
     
  18. 2008/09/07
    jazcan (Lifetime Subscription, Thread Starter)
    Hi Geri,
    Well, it did find a Trojan downloader file, but when I clicked O.K. to have it save a log file, it didn't. I ran it in safe mode and Windows did reboot without me having to power off manually.
    When I rebooted the problem was still there...
    Upon windows opening up the error:
    Error loading 8tqj6I.dll the specified module could not be found.
    I opened up IE and the homepage was hijacked again to a chinese language site.
    I then ran Malwarebytes again and it found the same 35 Trojan files.
    I let it remove them again and still could not shut down without turning off the power then restarting myself. Before opening up IE I made sure that the homepage was set back to what it was originally. I also just ran Malwarebytes again and this time it didn't find anything?
    I'm not sure if combofix ran properly because of the antivirus software.
    should I try running it again......can it be run in safe mode?
    Let me know.
    Thanks!!!!
     
  19. 2008/09/07
    Geri (Lifetime Subscription, Inactive Alumni)
    Hi
    Yes run combofix again in normal mode and post the log it creates.

    Thanks
    Geri
     
  20. 2008/09/07
    jazcan (Lifetime Subscription, Thread Starter)
    GRRRR,
    O.K. I ran combofix again
    When it started, that same error came up:
    error loading 8tqj6I.dll. Then it started and also performed an update on itself.
    When it finished it proceeded to shut down the computer and again the computer would not shut down....I had to power off and power on again.
    Once it was booted up...the same dll error appeared again and combofix continued to do its thing.
    During this, the antivirus came up with 2 messages stating that it found 2 viruses (it also did this the first time I ran combofix).
    The first virus was called win32/silldifbj, detected in windows\temp\as.ese;
    it "cured" the file. The second was win32/hitpop!generic.... it also stated this was cured.
    Here is the latest combofix log:

    ComboFix 08-09-05.04 - jhamilton2 2008-09-07 20:43:44.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.109 [GMT -4:00]
    Running from: C:\Documents and Settings\jhamilton2\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\Install.txt
    C:\WINDOWS\system32\inf\svchoct.exe
    C:\WINDOWS\system32\Install.txt
    C:\WINDOWS\system32\tpszxyd.sys
    C:\WINDOWS\tawisys.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AFISICX
    -------\Legacy_MABIDWE
    -------\Legacy_NOYTCYR
    -------\Legacy_ROYTCTM
    -------\Legacy_SOXPECA
    -------\Legacy_TDYDOWKC
    -------\Legacy_WSLDOEKD


    ((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
    .

    2008-09-07 18:52 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-09-07 18:27 . 2008-09-07 18:57 <DIR> d-------- C:\Documents and Settings\jhamilton2\.housecall6.6
    2008-09-07 14:48 . 2008-09-07 14:48 <DIR> d-------- C:\rsit
    2008-09-07 14:33 . 2008-09-07 14:33 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-07 12:47 . 2008-09-07 20:44 <DIR> d-------- C:\WINDOWS\system32\inf

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-07 17:05 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-06 12:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-09-02 04:16 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-02 04:16 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-05 15:30 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\Malwarebytes
    2008-08-05 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-28 20:03 --------- d-----w C:\Program Files\MSECache
    2008-07-28 19:53 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-07-25 14:35 --------- d-----w C:\Program Files\Audacity
    2008-07-25 14:17 --------- d-----w C:\Program Files\CallCopy
    2008-07-24 14:44 --------- d-----w C:\Program Files\Google
    2008-07-20 12:47 --------- d-----w C:\Program Files\Modem Helper
    2008-07-18 02:02 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\acccore
    2008-07-17 20:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-07-17 20:36 --------- d-----w C:\Program Files\Viewpoint
    2008-07-17 20:36 --------- d-----w C:\Program Files\Common Files\AOL
    2008-07-17 20:36 --------- d-----w C:\Program Files\AIM6
    2008-07-17 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-17 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-07-17 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\acccore
    2008-07-17 20:21 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\Sonic
    2008-07-17 20:20 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\Intel
    2008-07-17 20:15 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
    2008-07-17 20:15 --------- d-----w C:\Program Files\Cisco Systems
    2008-07-17 20:02 --------- d-----w C:\Program Files\activePDF
    2008-07-17 18:38 --------- d-----w C:\Program Files\Microsoft.NET
    2008-07-17 18:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-07-17 18:30 --------- d-----w C:\Program Files\CA
    2008-07-17 18:28 --------- d-----w C:\Documents and Settings\fferreira.TPCAN\Application Data\Sonic
    2008-07-17 18:28 --------- d-----w C:\Documents and Settings\fferreira.TPCAN\Application Data\Intel
    2008-07-17 18:26 --------- d-----w C:\Documents and Settings\fferreira\Application Data\Sonic
    2008-07-17 18:25 --------- d-----w C:\Documents and Settings\fferreira\Application Data\Intel
    2008-07-17 18:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
    2008-07-17 18:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-17 18:24 --------- d-----w C:\Program Files\CyberLink
    2008-07-17 18:21 --------- d-----w C:\Documents and Settings\tpadmin\Application Data\Sonic
    2008-07-17 18:17 --------- d-----w C:\Program Files\Common Files\Sonic
    2008-07-17 18:16 --------- d-----w C:\Program Files\Sonic
    2008-07-17 18:16 --------- d-----w C:\Program Files\Common Files\SureThing Shared
    2008-07-17 18:09 --------- d-----w C:\Program Files\Dell
    2008-07-17 17:16 --------- d-----w C:\Program Files\Java
    2008-07-17 17:15 --------- d-----w C:\Program Files\Dell Computer Corporation
    2008-07-17 17:15 --------- d-----w C:\Program Files\Common Files\Java
    2008-07-17 17:12 --------- d-----w C:\Program Files\SigmaTel
    2008-07-17 17:12 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-07-17 17:04 --------- d-----w C:\Program Files\Intel
    2008-07-17 17:02 --------- d-----w C:\Program Files\CONEXANT
    2008-07-17 16:57 17,056 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
    2008-07-17 16:57 --------- d-----w C:\Documents and Settings\tpadmin\Application Data\Intel
    2008-07-17 16:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
    2008-07-17 16:54 --------- d-----w C:\Program Files\Broadcom
    2008-07-17 15:11 --------- d-----w C:\Program Files\microsoft frontpage
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    .

    ------- Sigcheck -------

    2008-01-23 18:34 53592 1f83b758355a2d3ead3552218fb78506 C:\WINDOWS\system32\wuauclt.exe
    2008-01-23 18:34 53592 01d64a90525e6f8e2ab55497e87fb535 C:\WINDOWS\system32\dllcache\wuauclt.exe
    .
    ((((((((((((((((((((((((((((( snapshot@2008-09-07_17.39.54.18 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-05-02 18:22:56 385,536 ----a-w C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    + 2008-09-08 00:54:53 29,764 ----a-w C:\WINDOWS\Temp\mfrj.exe
    + 2008-09-08 00:54:54 42,564 ----a-w C:\WINDOWS\Temp\WowInitcode.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-24 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelWireless "= "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 155648]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 126976]
    "Dell QuickSet "= "C:\Program Files\Dell\QuickSet\quickset.exe" [2005-02-03 606208]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 122939]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "PDVDDXSrv "= "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "Realtime Monitor "= "C:\Program Files\CA\eTrustITM\realmon.exe" [2007-01-16 407632]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "BluetoothAuthenticationAgent "= "bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GcBK "= "%systemroot%\system32\8Tqj6I.dll" [BU]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2008-07-17 6144]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=

    R0 cbnjf;cbnjf;C:\WINDOWS\system32\drivers\cbnjf.sys [2004-08-04 28960]
    R2 afisicx;afisicx Service;C:\WINDOWS\system32\afisicx.exe [2004-08-04 44544]
    R2 mabidwe;mabidwe Service;C:\WINDOWS\system32\mabidwe.exe [2004-08-04 44544]
    R2 noytcyr;noytcyr Service;C:\WINDOWS\system32\noytcyr.exe [2004-08-04 44544]
    R2 roytctm;roytctm Service;C:\WINDOWS\system32\roytctm.exe [2004-08-04 44032]
    R2 soxpeca;soxpeca Service;C:\WINDOWS\system32\soxpeca.exe [2004-08-04 44544]
    R2 tdydowkc;tdydowkc Service;C:\WINDOWS\system32\tdydowkc.exe [2004-08-04 44544]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R2 wsldoekd;wsldoekd Service;C:\WINDOWS\system32\wsldoekd.exe [2004-08-04 44032]
    S2 seiuctol;Security Control;c:\windows\system32\rundll32.exe zordisa.dll,scan [ ]

    *Newly Created Service* - AFISICX
    *Newly Created Service* - MABIDWE
    *Newly Created Service* - NOYTCYR
    *Newly Created Service* - ROYTCTM
    *Newly Created Service* - SOXPECA
    *Newly Created Service* - TDYDOWKC
    *Newly Created Service* - WSLDOEKD
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Search Page = hxxp://www.google.com
    R0 -: HKCU-Main,Start Page = www.3929.cn?tn=102720
    R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
    R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
    R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
    R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
    R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-07 20:53:20
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\system32\comsa32.sys 10 bytes
    C:\WINDOWS\system32\Install.txt 275 bytes
    C:\WINDOWS\system32\tpszxyd.sys 266752 bytes executable
    C:\WINDOWS\system32\wsldoekd.exe 44032 bytes executable
    C:\WINDOWS\system32\afisicx.exe 44544 bytes executable
    C:\WINDOWS\system32\zordisa.dll 14848 bytes executable

    scan completed successfully
    hidden files: 6

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> c:\windows\system32\zordisa.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
    C:\WINDOWS\system32\BAsfIpM.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
    C:\Program Files\CA\eTrustITM\InoRpc.exe
    C:\Program Files\CA\eTrustITM\InoRT.exe
    C:\Program Files\CA\eTrustITM\InoTask.exe
    C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
    C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CA\eTrustITM\Ppcl.exe
    C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
    C:\Program Files\CA\eTrustITM\Ppcl.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Temp\mfrj.exe
    C:\WINDOWS\system32\inf\svchoct.exe
    C:\WINDOWS\Temp\dwbins.exe
    C:\WINDOWS\system32\tpszxyd.sys
    C:\WINDOWS\system32\udxfytw.sys
    .
    **************************************************************************
    .
    Completion time: 2008-09-07 20:58:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-08 00:58:05
    ComboFix2.txt 2008-09-07 21:41:23

    Pre-Run: 22,837,121,024 bytes free
    Post-Run: 22,837,698,560 bytes free

    213 --- E O F --- 2008-08-17 01:58:46


    Note that the homepage is again hijacked, and even when I tried to change it, it took me to the Chinese language page.
    The antivirus program also states I must restart the computer to complete the malware removal... this is a never ending process :-(.
     
    Last edited: 2008/09/07
  21. 2008/09/07
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi,
    OK, do this.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    KillAll::
    File::
    C:\WINDOWS\system32\drivers\cbnjf.sys
    C:\WINDOWS\system32\afisicx.exe
    C:\WINDOWS\system32\mabidwe.exe
    C:\WINDOWS\system32\noytcyr.exe
    C:\WINDOWS\system32\roytctm.exe
    C:\WINDOWS\system32\soxpeca.exe 
    C:\WINDOWS\system32\tdydowkc.exe
    C:\WINDOWS\system32\wsldoekd.exe
    c:\windows\system32\zordisa.dll
    C:\WINDOWS\system32\inf\svchoct.exe
    C:\WINDOWS\Temp\dwbins.exe
    C:\WINDOWS\system32\udxfytw.sys
    C:\WINDOWS\system32\comsa32.sys 
    C:\WINDOWS\system32\Install.txt
    C:\WINDOWS\Temp\mfrj.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     "GcBK "=-
    
    Driver::
    cbnjf
    afisicx
    mabidwe
    noytcyr
    roytctm
    soxpeca
    tdydowkc
    wsldoekd
    seiuctol 
    Please post the CF log.
     
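An added helper, not part of this thread and not ComboFix's own tooling: a small Python parser for the CFScript layout used above (sections headed `Name::`, a `Registry::` block in .reg syntax where `"name"=-` deletes a value) plus a coverage check that compares the `File::` list against the hidden-file entries of a ComboFix log. The embedded log excerpt and script are copied from this thread; the section names and the `.reg` delete convention are the only assumptions. Run against the thread's own data, it reports that `C:\WINDOWS\system32\tpszxyd.sys`, which the log lists under hidden files and running processes, is not in the `File::` section, which is exactly the kind of gap a second pair of eyes should catch before the script is run.

```python
"""Parse a ComboFix CFScript and cross-check its File:: list against log findings.

Added example for this thread; it does not ship with ComboFix. Assumes the
script format shown in the post: section headers of the form 'Name::', one
item per line, and a Registry:: block in regedit .reg syntax.
"""
import re

# Log excerpt copied from the ComboFix output posted earlier in the thread.
LOG_EXCERPT = r"""
    scanning hidden files ...

    C:\WINDOWS\system32\comsa32.sys 10 bytes
    C:\WINDOWS\system32\Install.txt 275 bytes
    C:\WINDOWS\system32\tpszxyd.sys 266752 bytes executable
    C:\WINDOWS\system32\wsldoekd.exe 44032 bytes executable
    C:\WINDOWS\system32\afisicx.exe 44544 bytes executable
    C:\WINDOWS\system32\zordisa.dll 14848 bytes executable

    scan completed successfully
    hidden files: 6
"""

# CFScript copied from the post above (trailing spaces preserved as posted).
CFSCRIPT = r"""
KillAll::
File::
C:\WINDOWS\system32\drivers\cbnjf.sys
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\soxpeca.exe 
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\wsldoekd.exe
c:\windows\system32\zordisa.dll
C:\WINDOWS\system32\inf\svchoct.exe
C:\WINDOWS\Temp\dwbins.exe
C:\WINDOWS\system32\udxfytw.sys
C:\WINDOWS\system32\comsa32.sys 
C:\WINDOWS\system32\Install.txt
C:\WINDOWS\Temp\mfrj.exe

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
 "GcBK "=-

Driver::
cbnjf
afisicx
mabidwe
noytcyr
roytctm
soxpeca
tdydowkc
wsldoekd
seiuctol 
"""

SECTION_RE = re.compile(r"(\w+)::")
# A hidden-file line: a drive path, a byte count, and an optional 'executable' tag.
HIDDEN_RE = re.compile(r"^\s*(?P<path>[A-Za-z]:\\\S+)\s+\d+ bytes(?: executable)?\s*$")
REG_VALUE_RE = re.compile(r'"(.*)"\s*=\s*(.*)')


def parse_cfscript(text):
    """Return {section_name: [non-empty lines]} ; an empty section maps to []."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.fullmatch(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_registry_section(lines):
    """Turn Registry:: lines into (key, value_name, action); '=-' means delete."""
    entries, key = [], None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = REG_VALUE_RE.fullmatch(line)
        if match and key:
            name, rhs = match.group(1), match.group(2)
            entries.append((key, name, "delete" if rhs == "-" else "set"))
    return entries


def hidden_files_from_log(log_text):
    """Collect the paths reported in the 'scanning hidden files' block."""
    return [m.group("path") for m in map(HIDDEN_RE.match, log_text.splitlines()) if m]


def uncovered_findings(log_text, script_text):
    """Hidden files the scan found that the script's File:: section does not name."""
    listed = {p.lower() for p in parse_cfscript(script_text).get("File", [])}
    return [p for p in hidden_files_from_log(log_text) if p.lower() not in listed]


if __name__ == "__main__":
    for path in uncovered_findings(LOG_EXCERPT, CFSCRIPT):
        print("hidden file not covered by File:: section:", path)
```

Paths are compared case-insensitively because the script mixes `C:\WINDOWS` and `c:\windows`, which Windows treats as the same path; a case-sensitive comparison would wrongly flag `zordisa.dll` as uncovered.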
