
Annoying popups

Discussion in 'Malware and Virus Removal Archive' started by Petag21, 2008/01/22.

  1. 2008/01/22
    Petag21 (Thread Starter)
    Can someone please help me with my computer at my job? I keep on getting popups. Can someone please look at my HJT log and help me out?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 05:52:37 PM, on 01/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\mrofinu1000106.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Dot1XCfg\Dot1XCfg.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlsstratus.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe "
    O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dartcapital.local
    O17 - HKLM\Software\..\Telephony: DomainName = dartcapital.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dartcapital.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dartcapital.local
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 6995 bytes
     
  2. 2008/01/22
    Blender
    Hey there :)

    Got your PM OK.

    Please do the following:

    Start Hijackthis
    Run system scan and check:

    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
    O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe


    Click "fix checked" and OK.

    Exit Hijackthis and reboot.

    Locate and delete:

    C:\WINDOWS\mrofinu1000106.exe
    C:\Program Files\Dot1XCfg

    Next:

    Download Deckard's System Scanner to your Desktop from one of these links:

    http://www.techsupportforum.com/sectools/Deckard/dss.exe
    http://deckard.geekstogo.com/dss.exe

    Close all applications and windows.
    Double-click on dss.exe to run it, and follow the prompts.
    When the scan is complete, a text file will open - Main.txt
    Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt here.
    A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
    Please attach Extra.txt to your post.

    Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

    To attach a file to a new post, simply
    Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
    copy and paste the following into the "Upload File from your Computer" box:

    C:\Deckard\System Scanner\Extra.txt

    Click Upload.

    What DSS will do:
    --create a new System Restore point in Windows XP and Vista.
    --clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    --check some important areas of your system and produce a report for your analyst to review.
    --System Scanner automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

    There will be more work to do.

    Thanks :)
     


  4. 2008/01/22
    Petag21 (Thread Starter)
    Deckard's System Scanner v20071014.68
    Run by Reception on 2008-01-22 16:34:41
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 510 MiB (512 MiB recommended).


    -- HijackThis (run as Reception.exe) -------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 04:34:43 PM, on 01/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Common Files\AOL\ACS\acsd.exe
    C:\Documents and Settings\reception\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\RECEPT~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.mlsstratus.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2CEEA86F-2BF7-4958-96A3-2C67476735B4} - C:\WINDOWS\system32\ddccb.dll
    O2 - BHO: {3b14d819-14d8-56d9-d5e4-fed574eed7f3} - {3f7dee47-5def-4e5d-9d65-8d41918d41b3} - C:\WINDOWS\system32\efujlhyf.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\system32\iiihfef.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [306c5d9b] rundll32.exe "C:\WINDOWS\system32\lxladaas.dll ",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe "
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dartcapital.local
    O17 - HKLM\Software\..\Telephony: DomainName = dartcapital.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dartcapital.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dartcapital.local
    O20 - Winlogon Notify: iiihfef - C:\WINDOWS\SYSTEM32\iiihfef.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rrnwgrhf.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 7912 bytes

    -- Files created between 2007-12-22 and 2008-01-22 -----------------------------

    2008-01-22 15:58:34 0 d-------- H:\Deckard
    2008-01-22 09:20:42 89664 --a------ C:\WINDOWS\system32\lxladaas.dll
    2008-01-22 09:18:11 77376 --a------ C:\WINDOWS\system32\efujlhyf.dll
    2008-01-22 09:15:36 183315 ---hs---- C:\WINDOWS\system32\bccdd.bak2
    2008-01-21 16:47:35 6523 ---hs---- C:\WINDOWS\system32\bccdd.bak1
    2008-01-21 16:47:02 328288 --a------ C:\WINDOWS\system32\ddccb.dll
    2008-01-21 16:34:40 0 d-------- C:\Program Files\Temporary
    2008-01-21 16:31:01 0 d-------- C:\Program Files\Outerinfo
    2008-01-21 16:30:56 0 d-------- C:\Program Files\?ymbols
    2008-01-21 16:30:19 0 d--hs---- C:\WINDOWS\YWRtaW4
    2008-01-21 16:30:11 86016 --a------ C:\WINDOWS\system32\drivers\tapee.sys
    2008-01-21 16:30:08 36864 --a------ C:\WINDOWS\mrofinu572.exe
    2008-01-21 16:30:05 41723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    2008-01-21 16:30:03 0 d-------- C:\Program Files\Web Buying
    2008-01-21 16:30:01 0 d-------- C:\WINDOWS\system32\winzs6
    2008-01-21 16:30:01 0 d-------- C:\WINDOWS\system32\nui4
    2008-01-21 16:30:01 0 d-------- C:\WINDOWS\system32\extz1
    2008-01-21 16:30:01 0 d-------- C:\WINDOWS\system32\comz7
    2008-01-21 16:30:01 0 d-------- C:\Program Files\M?crosoft.NET
    2008-01-21 16:29:43 0 d-------- C:\WINDOWS\system32\nGpxx01
    2008-01-21 16:29:39 38400 --a------ C:\WINDOWS\system32\iiihfef.dll
    2008-01-21 12:44:38 53760 --a------ C:\WINDOWS\b122.exe
    2008-01-16 18:03:05 0 d--hs---- C:\Documents and Settings\Default User\Cookies
    2008-01-15 16:52:24 140800 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
    2008-01-15 14:37:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-01-15 14:01:36 0 d-------- C:\WINDOWS\WindowsMobile
    2008-01-15 14:01:27 0 d-------- C:\Documents and Settings\reception\Application Data\InstallShield
    2008-01-15 13:50:02 0 d-------- C:\Program Files\Windows Mobile Device Handbook


    -- Find3M Report ---------------------------------------------------------------

    2008-01-21 16:35:04 0 d-------- C:\Program Files\M?crosoft.NET
    2008-01-21 16:34:58 0 d-------- C:\Program Files\?ymbols
    2008-01-21 16:30:05 0 d-------- C:\Program Files\Common Files
    2008-01-15 14:40:18 0 d-------- C:\Program Files\Microsoft Works
    2008-01-15 14:01:35 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-01-15 13:53:58 2528 --a------ C:\Documents and Settings\reception\Application Data\$_hpcst$.hpc
    2008-01-15 13:51:30 0 d-------- C:\Program Files\Microsoft ActiveSync
    2008-01-03 18:02:10 0 d-------- C:\Program Files\America Online 9.0
    2007-12-18 11:56:34 0 d-------- C:\Documents and Settings\reception\Application Data\AdobeUM


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CEEA86F-2BF7-4958-96A3-2C67476735B4}]
    01/21/2008 04:47 PM 328288 --a------ C:\WINDOWS\system32\ddccb.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3f7dee47-5def-4e5d-9d65-8d41918d41b3}]
    01/22/2008 09:18 AM 77376 --a------ C:\WINDOWS\system32\efujlhyf.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}]
    01/21/2008 04:29 PM 38400 --a------ C:\WINDOWS\system32\iiihfef.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [05/21/2003 01:21 AM]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/13/2007 02:28 PM]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 06:20 PM]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [08/29/2007 11:58 AM]
    "306c5d9b "= "C:\WINDOWS\system32\lxladaas.dll" [01/22/2008 09:20 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/27/2007 02:44 PM]
    "H/PC Connection Agent "= "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "swg "=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    C:\Documents and Settings\reception\Start Menu\Programs\Startup\
    DESKTOP.INI [09/03/2002 02:36:04 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [09/03/2002 02:36:04 PM]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{A051B1FF-8D7E-418B-AABE-4FF82F4280A2} "= C:\WINDOWS\system32\iiihfef.dll [01/21/2008 04:29 PM 38400]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiihfef]
    iiihfef.dll 01/21/2008 04:29 PM 38400 C:\WINDOWS\SYSTEM32\iiihfef.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\\WINDOWS\\system32\\ddccb

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    "C:\Program Files\Dell Support\DSAgnt.exe" /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1137784261\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    "C:\Program Files\HP\HP Software Update\HPWuSchd.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot




    -- End of Deckard's System Scanner: finished at 2008-01-22 16:35:26 ------------



    Blender, for some reason the other text thingy isn't coming up. I mean it did before, but I clicked out of it by mistake.
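The entries Blender singled out in the first log, and the new ones that surface in the DSS log above (BHOs with no readable name, a Winlogon Notify DLL, a rundll32 Run value with a hex name, a service whose binary is missing), follow a few structural patterns that can be checked mechanically. The script below is an added example, not code from this thread, HijackThis or DSS: it parses HijackThis O2/O4/O20/O23 lines and flags those patterns. The sample lines are copied from the logs above; the allowlists of stock XP Winlogon Notify packages and of executables that legitimately sit directly in %WINDIR% are assumptions, trimmed for illustration.

```python
import ntpath
import re
from collections import namedtuple

# Constructed sample: HijackThis lines of the kinds seen in the logs above
# (the entries the helper flagged, plus three clean ones for contrast).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CEEA86F-2BF7-4958-96A3-2C67476735B4} - C:\WINDOWS\system32\ddccb.dll
O2 - BHO: {3b14d819-14d8-56d9-d5e4-fed574eed7f3} - {3f7dee47-5def-4e5d-9d65-8d41918d41b3} - C:\WINDOWS\system32\efujlhyf.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [306c5d9b] rundll32.exe "C:\WINDOWS\system32\lxladaas.dll ",b
O20 - Winlogon Notify: iiihfef - C:\WINDOWS\SYSTEM32\iiihfef.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rrnwgrhf.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

LINE = re.compile(r"^(O\d+|R\d) - (.*)$")          # "<section> - <rest>"
RUN_VALUE = re.compile(r"^.*?: \[(.*?)\] (.*)$")   # "HKLM\..\Run: [<value>] <command>"
WINDIR_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)  # exe directly in %WINDIR%
GUID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)
LONG_HEX_ARG = re.compile(r"\b[0-9A-Fa-f]{32,}\b")

# Assumed allowlists (trimmed for illustration): stock XP Winlogon Notify packages,
# and the few Microsoft executables that legitimately live directly in %WINDIR%.
NOTIFY_ALLOW = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
WINDIR_EXE_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}

Finding = namedtuple("Finding", "section path reasons")


def _clean_path(field):
    # Drop HJT's "(file missing)" marker and any surrounding quotes/blanks.
    return field.replace("(file missing)", "").strip().strip('"').strip()


def _split_command(cmd):
    # Split a Run command line into (program, arguments), honouring a quoted program path.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end].strip(), cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def _check_o2(rest):
    parts = rest[len("BHO: "):].split(" - ")        # <name> - {CLSID} - <path>
    if len(parts) < 3: return None, []
    name, path = parts[0].strip(), _clean_path(parts[-1])
    reasons = ["BHO registered without a readable name"] if name == "(no name)" or GUID.match(name) else []
    return path, reasons


def _check_o4(rest):
    m = RUN_VALUE.match(rest)
    if not m: return None, []
    value, cmd = m.groups()
    prog, args = _split_command(cmd)
    path, reasons = prog, []
    if HEX_VALUE_NAME.match(value):
        reasons.append("Run value named with random-looking hex")
    if WINDIR_EXE.match(prog) and ntpath.basename(prog).lower() not in WINDIR_EXE_ALLOW:
        reasons.append("executable placed directly in %WINDIR%")
    if LONG_HEX_ARG.search(args):
        reasons.append("long opaque hex argument on the command line")
    if ntpath.basename(prog).lower() == "rundll32.exe":
        path, _ = _split_command(args)          # report the DLL, not rundll32 itself
        if "\\system32\\" in path.lower():
            reasons.append("rundll32 loading a DLL from system32 at logon")
    return path, reasons


def _check_o20(rest):
    if not rest.startswith("Winlogon Notify: "): return None, []
    name, _, path = rest[len("Winlogon Notify: "):].partition(" - ")
    reasons = [] if name.strip().lower() in NOTIFY_ALLOW else ["Winlogon Notify package outside the stock XP set"]
    return _clean_path(path), reasons


def _check_o23(rest):
    parts = rest[len("Service: "):].split(" - ")    # <display> - <company> - <path>
    if len(parts) < 3: return None, []
    reasons = []
    if parts[-2].strip() == "Unknown owner":
        reasons.append("service with no publisher")
    if "(file missing)" in parts[-1]:
        reasons.append("service binary missing on disk")
    return _clean_path(parts[-1]), reasons


CHECKS = {"O2": _check_o2, "O4": _check_o4, "O20": _check_o20, "O23": _check_o23}


def triage(log_text):
    """Return one Finding per HJT line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) not in CHECKS: continue
        path, reasons = CHECKS[m.group(1)](m.group(2))
        if reasons:
            findings.append(Finding(m.group(1), path, reasons))
    return findings
```

Running `triage(SAMPLE_LOG)` yields six findings: the two unnamed BHOs, the runner1 and 306c5d9b Run entries (reported by their payload paths), the iiihfef Winlogon Notify DLL and the missing DomainService binary, while the Defender, Acrobat and VNC lines pass. These are triage hints for a human to confirm against file dates and publishers, not a verdict.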
     
  5. 2008/01/22
    Blender
    Hi,

    The other file should be located here:

    C:\Deckard\System Scanner\extra.txt
     
  6. 2008/01/22
    Blender
    If it is not in C:\ check here:

    H:\Deckard\System Scanner\extra.txt

    :)
     
  7. 2008/01/22
    Petag21 (Thread Starter)
    Blender, when I check H: I do see Deckard, but it is the same Main.txt that I see there.
     
  8. 2008/01/22
    Blender
    hmmm

    I think it is because we ran dss.exe a while back; "extra.txt" is created only one time.

    Please run Deckard's System Scanner again, this time using these instructions:

    Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
    "%userprofile%\desktop\dss.exe" /config
    Click on "Check All"

    Click Scan!

    When finished, it shall produce two logs for you (main.txt & extra.txt)

    Please post main.txt, extra.txt in your next reply.

    Thanks :)
     
  9. 2008/01/23
    Petag21 (Thread Starter)
    Main.txt


    Deckard's System Scanner v20071014.68
    Run by Reception on 2008-01-23 09:58:15
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    60: 2008-01-23 14:58:26 UTC - RP1107 - Deckard's System Scanner Restore Point
    59: 2008-01-23 14:16:04 UTC - RP1106 - Software Distribution Service 3.0
    58: 2008-01-22 23:07:13 UTC - RP1105 - Software Distribution Service 3.0
    57: 2008-01-22 20:48:02 UTC - RP1104 - Deckard's System Scanner Restore Point
    56: 2008-01-22 19:52:09 UTC - RP1103 - Software Distribution Service 3.0


    -- First Restore Point --
    1: 2007-12-06 23:25:58 UTC - RP1048 - Software Distribution Service 3.0


    Performed disk cleanup.

    Total Physical Memory: 510 MiB (512 MiB recommended).


    -- HijackThis (run as Reception.exe) -------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:58:42 AM, on 01/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Common Files\AOL\ACS\acsd.exe
    C:\Documents and Settings\reception\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\RECEPT~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.mlsstratus.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: {e829661f-91c8-7789-7fd4-bb7b4c5fc5e0} - {0e5cf5c4-b7bb-4df7-9877-8c19f166928e} - C:\WINDOWS\system32\nmllraij.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\system32\iiihfef.dll
    O2 - BHO: (no name) - {A204EEA2-2BC6-49EB-B029-9A112B40B136} - C:\WINDOWS\system32\ddccb.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [306c5d9b] rundll32.exe "C:\WINDOWS\system32\vajwixky.dll ",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe "
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dartcapital.local
    O17 - HKLM\Software\..\Telephony: DomainName = dartcapital.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dartcapital.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dartcapital.local
    O20 - Winlogon Notify: iiihfef - C:\WINDOWS\SYSTEM32\iiihfef.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rrnwgrhf.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 7912 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

    backup-20070727-144324-157 O2 - BHO: (no name) - {e5c3f224-94b7-41d7-99df-dff10d451232} - C:\WINDOWS\system32\rfpydgo.dll (file missing)
    backup-20070727-144324-167 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    backup-20070727-144324-342 O2 - BHO: (no name) - {91C48C25-395F-48FF-A257-626727DA5482} - C:\Program Files\NetMeeting\vixy83122.dll (file missing)
    backup-20070727-144324-947 O2 - BHO: (no name) - {11978EAF-7B5F-4A3F-A59B-C37C13478D74} - (no file)
    backup-20070727-144324-979 O20 - Winlogon Notify: mljge - C:\WINDOWS\system32\mljge.dll (file missing)
    backup-20070827-104707-115 O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUzed004MFUS_ZZzer000
    backup-20070827-104707-336 O4 - HKLM\..\Run: [{C5-5D-D3-34-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
    backup-20070827-104707-356 O2 - BHO: (no name) - {2D82C9B6-A244-4E3C-8F25-BF89AC5924A2} - C:\WINDOWS\system32\pmnnk.dll (file missing)
    backup-20070827-104707-511 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
    backup-20071029-093041-185 O15 - Trusted Zone: *.imageservr.com (HKLM)
    backup-20071029-093041-216 O15 - Trusted Zone: *.imagesrvr.com
    backup-20071029-093041-425 O15 - Trusted Zone: *.amaena.com (HKLM)
    backup-20071029-093041-436 O15 - Trusted Zone: *.amaena.com
    backup-20071029-093041-452 O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    backup-20071029-093041-611 O15 - Trusted Zone: *.trustedantivirus.com
    backup-20071029-093041-651 O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    backup-20080122-144615-256 O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
    backup-20080122-144615-401 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
    R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
    R1 tapee - c:\windows\system32\drivers\tapee.sys

    S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
    S3 catchme - c:\docume~1\recept~1\locals~1\temp\catchme.sys (file missing)
    S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 DCSLoader (DCS Loader) - c:\windows\system32\spool\drivers\w32x86\3\ophaldcs.exe <Not Verified; Oki Data Corporation; OKI DCS Loader>

    S2 DomainService - c:\windows\system32\rrnwgrhf.exe /service (file missing)


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Process Modules -------------------------------------------------------------

    C:\WINDOWS\SYSTEM32\winlogon.exe (pid 540)
    2008-01-21 16:29:39 38400 --a------ C:\WINDOWS\SYSTEM32\iiihfef.dll
    2003-05-21 01:19:00 45056 --a------ C:\WINDOWS\SYSTEM32\NavLogon.dll

    C:\WINDOWS\explorer.exe (pid 2188)
    2008-01-21 16:47:06 328288 --a------ C:\WINDOWS\SYSTEM32\ddccb.dll
    2008-01-21 16:29:39 38400 --a------ C:\WINDOWS\SYSTEM32\iiihfef.dll
    2006-12-22 12:28:14 271360 --a------ C:\WINDOWS\SYSTEM32\mscoree.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
    2005-09-23 07:28:56 36864 --a------ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorie.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
    2008-01-23 09:47:53 87616 --a------ C:\WINDOWS\SYSTEM32\vajwixky.dll


    -- Scheduled Tasks -------------------------------------------------------------

    2008-01-23 09:59:05 408 --ah----- C:\WINDOWS\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_dartcapital_reception.job
    2008-01-23 09:44:03 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


    -- Files created between 2007-12-23 and 2008-01-23 -----------------------------

    2008-01-23 09:47:52 87616 --a------ C:\WINDOWS\system32\vajwixky.dll
    2008-01-23 09:44:52 74304 --a------ C:\WINDOWS\system32\giilglea.exe <Not Verified; ; DDC>
    2008-01-23 09:42:31 80960 --a------ C:\WINDOWS\system32\nmllraij.dll
    2008-01-22 15:58:34 0 d-------- H:\Deckard
    2008-01-22 09:20:42 89664 -----n--- C:\WINDOWS\system32\lxladaas.dll
    2008-01-22 09:18:11 77376 --a------ C:\WINDOWS\system32\efujlhyf.dll
    2008-01-22 09:15:36 183892 ---hs---- C:\WINDOWS\system32\bccdd.bak2
    2008-01-21 16:47:35 6523 ---hs---- C:\WINDOWS\system32\bccdd.bak1
    2008-01-21 16:47:02 328288 --a------ C:\WINDOWS\system32\ddccb.dll
    2008-01-21 16:34:40 0 d-------- C:\Program Files\Temporary
    2008-01-21 16:31:01 0 d-------- C:\Program Files\Outerinfo
    2008-01-21 16:30:56 0 d-------- C:\Program Files\?ymbols
    2008-01-21 16:30:19 0 d--hs---- C:\WINDOWS\YWRtaW4
    2008-01-21 16:30:11 86016 --a------ C:\WINDOWS\system32\drivers\tapee.sys
    2008-01-21 16:30:08 36864 --a------ C:\WINDOWS\mrofinu572.exe
    2008-01-21 16:30:05 41723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    2008-01-21 16:30:03 0 d-------- C:\Program Files\Web Buying
    2008-01-21 16:30:01 0 d-------- C:\WINDOWS\system32\winzs6
    2008-01-21 16:30:01 0 d-------- C:\WINDOWS\system32\nui4
    2008-01-21 16:30:01 0 d-------- C:\WINDOWS\system32\extz1
    2008-01-21 16:30:01 0 d-------- C:\WINDOWS\system32\comz7
    2008-01-21 16:30:01 0 d-------- C:\Program Files\M?crosoft.NET
    2008-01-21 16:29:43 0 d-------- C:\WINDOWS\system32\nGpxx01
    2008-01-21 16:29:39 38400 --a------ C:\WINDOWS\system32\iiihfef.dll
    2008-01-21 12:44:38 53760 --a------ C:\WINDOWS\b122.exe
    2008-01-16 18:03:05 0 d--hs---- C:\Documents and Settings\Default User\Cookies
    2008-01-15 16:52:24 140800 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
    2008-01-15 14:37:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-01-15 14:01:36 0 d-------- C:\WINDOWS\WindowsMobile
    2008-01-15 14:01:27 0 d-------- C:\Documents and Settings\reception\Application Data\InstallShield
    2008-01-15 13:50:02 0 d-------- C:\Program Files\Windows Mobile Device Handbook


    -- Find3M Report ---------------------------------------------------------------

    2008-01-21 16:35:04 0 d-------- C:\Program Files\M?crosoft.NET
    2008-01-21 16:34:58 0 d-------- C:\Program Files\?ymbols
    2008-01-21 16:30:05 0 d-------- C:\Program Files\Common Files
    2008-01-15 14:40:18 0 d-------- C:\Program Files\Microsoft Works
    2008-01-15 14:01:35 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-01-15 13:53:58 2528 --a------ C:\Documents and Settings\reception\Application Data\$_hpcst$.hpc
    2008-01-15 13:51:30 0 d-------- C:\Program Files\Microsoft ActiveSync
    2008-01-03 18:02:10 0 d-------- C:\Program Files\America Online 9.0
    2007-12-18 11:56:34 0 d-------- C:\Documents and Settings\reception\Application Data\AdobeUM


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0e5cf5c4-b7bb-4df7-9877-8c19f166928e}]
    01/23/2008 09:42 AM 80960 --a------ C:\WINDOWS\system32\nmllraij.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}]
    01/21/2008 04:29 PM 38400 --a------ C:\WINDOWS\system32\iiihfef.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A204EEA2-2BC6-49EB-B029-9A112B40B136}]
    01/21/2008 04:47 PM 328288 --a------ C:\WINDOWS\system32\ddccb.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [05/21/2003 01:21 AM]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/13/2007 02:28 PM]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 06:20 PM]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [08/29/2007 11:58 AM]
    "306c5d9b "= "C:\WINDOWS\system32\vajwixky.dll" [01/23/2008 09:47 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/27/2007 02:44 PM]
    "H/PC Connection Agent "= "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "swg "=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    C:\Documents and Settings\reception\Start Menu\Programs\Startup\
    DESKTOP.INI [09/03/2002 02:36:04 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [09/03/2002 02:36:04 PM]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{A051B1FF-8D7E-418B-AABE-4FF82F4280A2} "= C:\WINDOWS\system32\iiihfef.dll [01/21/2008 04:29 PM 38400]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiihfef]
    iiihfef.dll 01/21/2008 04:29 PM 38400 C:\WINDOWS\SYSTEM32\iiihfef.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\\WINDOWS\\system32\\ddccb

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    "C:\Program Files\Dell Support\DSAgnt.exe" /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1137784261\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    "C:\Program Files\HP\HP Software Update\HPWuSchd.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot




    -- End of Deckard's System Scanner: finished at 2008-01-23 10:00:06 ------------
     
  10. 2008/01/23
    Petag21

    Extra.txt


    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Pentium(R) 4 CPU 2.66GHz
    Percentage of Memory in Use: 63%
    Physical Memory (total/avail): 509.98 MiB / 184.86 MiB
    Pagefile Memory (total/avail): 1247.23 MiB / 963.71 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1894.04 MiB

    A: is Removable (No Media)
    C: is Fixed (NTFS) - 37.21 GiB total, 24.27 GiB free.
    D: is CDROM (No Media)
    H: is Network (NTFS)
    Y: is Network (NTFS)

    \\.\PHYSICALDRIVE0 - WDC WD400BB-75FRA0 - 37.25 GiB - 2 partitions
    \PARTITION0 - Unknown - 31.35 MiB
    \PARTITION1 (bootable) - Installable File System - 37.21 GiB - C:



    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.


    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe "= "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "
    "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe "= "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "
    "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe "= "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe "= "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "
    "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe "= "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "
    "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe "= "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "
    "C:\\WINDOWS\\system32\\rrnwgrhf.exe "= "C:\\WINDOWS\\system32\\rrn "


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\reception\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=DARTPROC
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=H:
    HOMEPATH=\
    HOMESHARE=\\server2k3\c21users\reception
    LOGONSERVER=\\SERVER2K3
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager\IM;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0209
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\RECEPT~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\RECEPT~1\LOCALS~1\Temp
    USERDNSDOMAIN=DARTCAPITAL.LOCAL
    USERDOMAIN=DARTCAPITAL
    USERNAME=Reception
    USERPROFILE=C:\Documents and Settings\reception
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    admin (new local, admin)
    Administrator (admin)
    alivingstone (admin)
    afrancis (admin)
    pable (admin)
    mlabby (new local, admin, net ready)
    reception (admin)
    jgreenidge (admin)
    awhite (admin)
    dmaiorino (admin)
    gnicholson (new local, net ready)
    lcirillo (admin)
    dcascone (admin)
    ccapolino (new local, admin, net ready)
    swolman (admin)
    fdumoney (admin)
    mwalton (admin)
    mrahimi (admin)
    dadams (new local, admin, net ready)
    netadmin (new local, admin, net ready)
    lparades (admin)
    rbostonhill (admin)
    administrator.dartcapital (admin)
    reception (admin)
    netadmin.DARTCAPITAL (admin)
    itammari
    cbrooks (new local, net ready)
    LoanOfficer (new local, net ready)
    Administrator.DARTCAPITAL.000 (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware 2007 --> MsiExec.exe /X{E31C348B-63A9-4CBF-8D7F-D932ABB63244}
    Adobe Acrobat 6.0 Standard --> MsiExec.exe /I{AC76BA86-1033-0000-BA7E-000000000001}
    AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
    Business Contact Manager for Outlook 2003 --> MsiExec.exe /I{66563AD8-637B-407F-BCA7-0233A16891AB}
    CalyxLoanBridge11 --> MsiExec.exe /X{192A3445-56FC-47B3-B706-17D599E3B630}
    CardRecovery --> C:\PROGRA~1\CARDRE~1\UNWISE.EXE C:\PROGRA~1\CARDRE~1\INSTALL.LOG
    Conexant SmartHSFi V.9x 56K DF PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2702\HXFSETUP.EXE -U -IDel8d8xk.INF
    Crown Print Monitor+ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8FD0AC90-1268-4A53-977E-E8E90D10EF6A}\setup.exe" AnyText
    Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
    Dot1XCfg --> "C:\Program Files\Dot1XCfg\Dot1XCfg.exe" -uninstall
    Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll "
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe "
    Intel(R) Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
    Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
    Intel(R) PROSet --> MsiExec.exe /I{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}
    Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
    Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
    Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
    LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
    Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
    Microsoft Office Outlook 2007 --> MsiExec.exe /X{91120000-001A-0000-0000-0000000FF1CE}
    Microsoft Office Outlook 2007 Trial --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall OUTLOOKR /dll OSETUP.DLL
    Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
    Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
    Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
    Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
    Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
    Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
    Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
    Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
    Microsoft WSE 2.0 SP3 Runtime --> MsiExec.exe /X{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}
    Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
    Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\reception\Application Data\Move Networks\ie_bin\Uninst.exe
    NotePadSync --> C:\Program Files\InstallShield Installation Information\{14A19F58-528A-4ACC-8723-F6854B39CACC}\setup.exe -runfromtemp -l0x0009 -removeonly
    Point --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85BC5C08-E73D-11D2-964D-444553540000}\SETUP.EXE" -l0x9 -uninst
    Point --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F05E2B98-DA04-4FFA-8D08-DA218E6A2B47}\SETUP.EXE" -l0x9 -uninst
    QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
    RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe "
    Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe "
    Symantec AntiVirus Client --> MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
    Update for Outlook 2007 Junk Email Filter (kb943597) --> msiexec /package {91120000-001A-0000-0000-0000000FF1CE} /uninstall {A751F0DB-8476-4207-956E-20AEBBA4B1DA}
    Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
    VNC Enterprise Edition E4.2.5 --> "C:\Program Files\RealVNC\VNC4\unins000.exe "
    Web Buying --> C:\Program Files\Web Buying\v1.8.6\wbuninst.exe
    Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
    Windows Mobile® Device Handbook --> C:\Program Files\Windows Mobile Device Handbook\Windows Mobile Device Handbook\Bin\DHUninstall.exe
    Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S


    -- Application Event Log -------------------------------------------------------

    Event Record #/Type2943 / Error
    Event Submitted/Written: 01/23/2008 09:42:26 AM / 01/23/2008 09:42:27 AM
    Event ID/Source: 15 / AutoEnrollment
    Event Description:
    Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
    Enrollment will not be performed.

    Event Record #/Type2941 / Error
    Event Submitted/Written: 01/23/2008 09:24:48 AM
    Event ID/Source: 1030 / Userenv
    Event Description:
    Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

    Event Record #/Type2940 / Error
    Event Submitted/Written: 01/23/2008 09:24:48 AM
    Event ID/Source: 1097 / Userenv
    Event Description:
    Windows cannot find the machine account, The clocks on the client and server machines are skewed. .

    Event Record #/Type2935 / Warning
    Event Submitted/Written: 01/23/2008 09:23:22 AM
    Event ID/Source: 1524 / Userenv
    Event Description:
    Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

    Event Record #/Type2934 / Error
    Event Submitted/Written: 01/23/2008 09:16:26 AM
    Event ID/Source: 1054 / Userenv
    Event Description:
    Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type28858 / Warning
    Event Submitted/Written: 01/23/2008 09:58:59 AM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %DARTCAPITAL27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DARTCAPITAL27 can't undo changes that you allow.

    For more information please see the following:
    %DARTCAPITAL275

    Scan ID: {60CC2DE9-03C3-4972-A022-B87240AF255F}

    User: DARTCAPITAL\reception

    Name: %DARTCAPITAL271

    ID: %DARTCAPITAL272

    Severity: 1.1.1593.05

    Category: 1.1.1593.06

    Path Found: %DARTCAPITAL276

    Alert Type: %DARTCAPITAL278

    Detection Type: 1.1.1593.02

    Event Record #/Type28857 / Warning
    Event Submitted/Written: 01/23/2008 09:58:59 AM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %DARTCAPITAL27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DARTCAPITAL27 can't undo changes that you allow.

    For more information please see the following:
    %DARTCAPITAL275

    Scan ID: {80ECFC9E-F687-466F-BBE7-B38B06A32222}

    User: DARTCAPITAL\reception

    Name: %DARTCAPITAL271

    ID: %DARTCAPITAL272

    Severity: 1.1.1593.05

    Category: 1.1.1593.06

    Path Found: %DARTCAPITAL276

    Alert Type: %DARTCAPITAL278

    Detection Type: 1.1.1593.02

    Event Record #/Type28856 / Warning
    Event Submitted/Written: 01/23/2008 09:58:59 AM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %DARTCAPITAL27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DARTCAPITAL27 can't undo changes that you allow.

    For more information please see the following:
    %DARTCAPITAL275

    Scan ID: {EA0AA8AE-8690-4FCD-AD2D-4C1CD3B70859}

    User: DARTCAPITAL\reception

    Name: %DARTCAPITAL271

    ID: %DARTCAPITAL272

    Severity: 1.1.1593.05

    Category: 1.1.1593.06

    Path Found: %DARTCAPITAL276

    Alert Type: %DARTCAPITAL278

    Detection Type: 1.1.1593.02

    Event Record #/Type28855 / Warning
    Event Submitted/Written: 01/23/2008 09:58:56 AM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %DARTCAPITAL27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DARTCAPITAL27 can't undo changes that you allow.

    For more information please see the following:
    %DARTCAPITAL275

    Scan ID: {6E7063B9-0452-404E-A4F7-45C9DE2242CE}

    User: DARTCAPITAL\reception

    Name: %DARTCAPITAL271

    ID: %DARTCAPITAL272

    Severity: 1.1.1593.05

    Category: 1.1.1593.06

    Path Found: %DARTCAPITAL276

    Alert Type: %DARTCAPITAL278

    Detection Type: 1.1.1593.02

    Event Record #/Type28854 / Warning
    Event Submitted/Written: 01/23/2008 09:58:56 AM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %DARTCAPITAL27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DARTCAPITAL27 can't undo changes that you allow.

    For more information please see the following:
    %DARTCAPITAL275

    Scan ID: {30FF81FB-B5DA-42D6-B2C0-1028A45607A9}

    User: DARTCAPITAL\reception

    Name: %DARTCAPITAL271

    ID: %DARTCAPITAL272

    Severity: 1.1.1593.05

    Category: 1.1.1593.06

    Path Found: %DARTCAPITAL276

    Alert Type: %DARTCAPITAL278

    Detection Type: 1.1.1593.02



    -- End of Deckard's System Scanner: finished at 2008-01-23 10:00:06 ------------
     
  11. 2008/01/23
    Blender

    Hi,

    Thanks :)

    I notice in Extra.txt there are a lot of user profiles. Most of those are "roaming profiles", I gather?
    I ask because we will have to check those other accounts, but we can't unless they are logged on, if they are not local accounts.

    I use another tool to check those though.

    Let's see what we can get this round.
    Make sure other users are logged off totally.

    Then....

    Download Combofix from one of the following links and save it to the desktop:

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://www.forospyware.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    Follow instructions here for the use of ComboFix including installing Recovery console if you don't have it installed:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Post me the log from C:\Combofix.txt.

    Also let me know which users are normally logged on so we can check/clean them up first.
    We'll get to others as we can.

    Any chance you can hit the network drive with a virus scan where everyone's profiles are stored?
    That should nail most baddies from their desktops, documents folders and application data folders as well as temp folders.
    Preferably when they are not logged in -- so nothing from their profile is active.

    Thanks :)
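Once the ComboFix log comes back (the thread starter posts it in the next two replies), the "Files Created" section is the part to read first. The script below is an added example, not ComboFix code and not the helper's own procedure: it parses those lines, clusters them by creation minute to find the drop burst, and flags hidden+system folders, any driver written during that burst, letters-plus-digits folders under system32, executables dropped straight into the Windows root, and folder names that are base64 of a plain word. The sample lines are copied from the log in this thread; the five-per-minute burst threshold and the name patterns are my own assumptions.

```python
"""Triage the "Files Created" section of a ComboFix log for infection indicators.

Added example for this thread: not ComboFix code and not the helper's own
procedure.  The sample lines are copied from the ComboFix log posted in this
thread; the burst threshold and the name patterns are my own assumptions.
"""
import base64
import re
from collections import defaultdict

# One "Files Created" line: created stamp, modified stamp, size or <DIR>,
# attribute flags (d/r/a/h/s), path.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]+) (?P<path>.+)$"
)
# Assumed patterns: an executable dropped straight into the Windows root,
# and a new system32 folder named <letters><digits>.
WIN_ROOT_EXE_RE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.(exe|dll|tmp|sys)$", re.I)
SYS32_JUNK_DIR_RE = re.compile(r"^C:\\WINDOWS\\SYSTEM32\\[A-Za-z]+\d+$", re.I)
BURST_MIN = 5  # assumed: this many new objects in one minute is a dropper run

# Copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2008-01-23 14:10 . 2008-01-23 14:10 <DIR> d-------- C:\Temp\tn3
2008-01-23 13:51 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-23 13:51 . 2006-04-27 21:42 212 --a------ C:\Boot.bak
2008-01-23 11:17 . 2008-01-23 11:17 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-21 16:30 . 2008-01-21 16:51 <DIR> d--hs---- C:\WINDOWS\YWRtaW4
2008-01-21 16:30 . 2008-01-21 17:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\winzs6
2008-01-21 16:30 . 2008-01-21 16:36 <DIR> d-------- C:\WINDOWS\SYSTEM32\nui4
2008-01-21 16:30 . 2008-01-21 16:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\extz1
2008-01-21 16:30 . 2008-01-21 16:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\comz7
2008-01-21 16:30 . 2008-01-21 16:30 <DIR> d-------- C:\Temp\gTiis19
2008-01-21 16:30 . 2008-01-21 16:30 86,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tapee.sys
2008-01-21 16:30 . 2008-01-23 14:07 58,883 --------- C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-01-21 16:30 . 2008-01-21 16:30 36,864 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-01-21 16:29 . 2008-01-21 16:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\nGpxx01
2008-01-21 16:29 . 2008-01-21 16:29 <DIR> d-------- C:\Temp\cXzz9
2008-01-15 14:35 . 2008-01-15 14:35 <DIR> dr-h----- C:\MSOCache
2008-01-15 14:01 . 2008-01-15 14:01 <DIR> d-------- C:\WINDOWS\WindowsMobile
2008-01-15 13:50 . 2008-01-15 13:50 <DIR> d-------- C:\Program Files\Windows Mobile Device Handbook
"""


def parse_files_created(log_text):
    """Return one dict per well-formed line, in log order."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["is_dir"] = e["size"] == "<DIR>"
            entries.append(e)
    return entries


def base64_word(path):
    """Decode the last path component if it is base64 of printable ASCII.

    Droppers sometimes name folders with an encoded word so they look like
    random junk; the YWRtaW4 folder in this log decodes to 'admin'.
    """
    stem = path.rsplit("\\", 1)[-1].split(".")[0]
    if len(stem) < 4 or len(stem) % 4 == 1 or not re.fullmatch(r"[A-Za-z0-9+/]+", stem):
        return None
    try:
        raw = base64.b64decode(stem + "=" * (-len(stem) % 4))
    except ValueError:
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def triage(log_text):
    """Group creations by minute and pull out the indicators worth a closer look."""
    entries = parse_files_created(log_text)
    by_minute = defaultdict(list)
    for e in entries:
        by_minute[e["created"]].append(e)
    bursts = [minute for minute, es in by_minute.items() if len(es) >= BURST_MIN]
    return {
        "burst_windows": bursts,
        "hidden_system_dirs": [e["path"] for e in entries
                               if e["is_dir"] and "h" in e["attrs"] and "s" in e["attrs"]],
        "windows_root_executables": [e["path"] for e in entries
                                     if WIN_ROOT_EXE_RE.match(e["path"])],
        "digit_suffixed_system32_dirs": [e["path"] for e in entries
                                         if e["is_dir"] and SYS32_JUNK_DIR_RE.match(e["path"])],
        # A driver written during the drop burst is the piece to worry about most;
        # ComboFix reported core.cache.dsk as "failed to delete" in this very log.
        "drivers_in_burst": [e["path"] for e in entries
                             if e["created"] in bursts and "\\DRIVERS\\" in e["path"].upper()],
        "base64_names": [(e["path"], base64_word(e["path"])) for e in entries
                         if base64_word(e["path"])],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key)
        for item in value:
            print("   ", item)
```

Run as-is to print the report. On the log from this thread it isolates 2008-01-21 16:30 as the drop window and ties both files under DRIVERS (tapee.sys and core.cache.dsk, the one ComboFix said it failed to delete) to that minute, which is the evidence that something below the user-mode adware is still in place and that ComboFix alone did not finish the job.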
     
  12. 2008/01/23
    Petag21

    Petag21 Inactive Thread Starter

    ComboFix 08-01-23.2 - Reception 2008-01-23 13:57:07.6 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.193 [GMT -5:00]
    Running from: C:\Documents and Settings\reception\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\check_LSA7.txt
    C:\Documents and Settings\reception\Application Data\YSTEM3~1
    C:\Documents and Settings\reception\Start Menu\Programs\Internet Speed Monitor
    C:\Documents and Settings\reception\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
    C:\Documents and Settings\reception\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
    C:\Documents and Settings\reception\Start Menu\Programs\Outerinfo
    C:\Documents and Settings\reception\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\reception\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\Program Files\mcroso~1.net
    C:\Program Files\mcroso~1.net\M?crosoft.NET\
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\FF\chrome.manifest
    C:\Program Files\outerinfo\FF\components\FF.dll
    C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
    C:\Program Files\outerinfo\FF\install.rdf
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\Temporary
    C:\Program Files\web buying
    C:\Program Files\web buying\v1.8.6\wbuninst.exe
    C:\Program Files\ymbols~1
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\temp\tn3
    C:\WINDOWS\b122.exe
    C:\WINDOWS\mrofinu572.exe
    C:\WINDOWS\SYSTEM32\bccdd.bak1
    C:\WINDOWS\SYSTEM32\bccdd.bak2
    C:\WINDOWS\SYSTEM32\bccdd.ini
    C:\WINDOWS\system32\ddccb.dll
    C:\WINDOWS\system32\efujlhyf.dll
    C:\WINDOWS\system32\giilglea.exe
    C:\WINDOWS\system32\iiihfef.dll
    C:\WINDOWS\system32\lxladaas.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\nmllraij.dll
    C:\WINDOWS\system32\opnlmmk.dll
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\SYSTEM32\saadalxl.ini
    C:\WINDOWS\system32\vajwixky.dll
    C:\WINDOWS\SYSTEM32\ykxiwjav.ini
    C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_NETWORK_MONITOR
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
    .

    2008-01-23 14:10 . 2008-01-23 14:10 <DIR> d-------- C:\Temp\tn3
    2008-01-23 13:51 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
    2008-01-23 13:51 . 2006-04-27 21:42 212 --a------ C:\Boot.bak
    2008-01-23 11:17 . 2008-01-23 11:17 <DIR> d-------- C:\Program Files\Dot1XCfg
    2008-01-21 16:30 . 2008-01-21 16:51 <DIR> d--hs---- C:\WINDOWS\YWRtaW4
    2008-01-21 16:30 . 2008-01-21 17:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\winzs6
    2008-01-21 16:30 . 2008-01-21 16:36 <DIR> d-------- C:\WINDOWS\SYSTEM32\nui4
    2008-01-21 16:30 . 2008-01-21 16:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\extz1
    2008-01-21 16:30 . 2008-01-21 16:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\comz7
    2008-01-21 16:30 . 2008-01-21 16:30 <DIR> d-------- C:\Temp\gTiis19
    2008-01-21 16:30 . 2008-01-21 16:30 86,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tapee.sys
    2008-01-21 16:30 . 2008-01-23 14:07 58,883 --------- C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
    2008-01-21 16:30 . 2008-01-21 16:30 36,864 --a------ C:\WINDOWS\mrofinu572.exe.tmp
    2008-01-21 16:29 . 2008-01-21 16:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\nGpxx01
    2008-01-21 16:29 . 2008-01-21 16:29 <DIR> d-------- C:\Temp\cXzz9
    2008-01-15 14:35 . 2008-01-15 14:35 <DIR> dr-h----- C:\MSOCache
    2008-01-15 14:01 . 2008-01-15 14:01 <DIR> d-------- C:\WINDOWS\WindowsMobile
    2008-01-15 13:50 . 2008-01-15 13:50 <DIR> d-------- C:\Program Files\Windows Mobile Device Handbook

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-15 19:40 --------- d-----w C:\Program Files\Microsoft Works
    2008-01-15 19:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-15 18:51 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-01-03 23:02 --------- d-----w C:\Program Files\America Online 9.0
    2005-07-29 21:24 472 --sha-r C:\WINDOWS\YWRtaW4\sqlQuqb.vbs
    .

    ((((((((((((((((((((((((((((( snapshot@2007-10-24_13.14.35.68 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-07-06 09:52:38 72,960 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqac.sys
    + 2007-07-06 13:08:11 138,240 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqad.dll
    + 2007-07-06 13:08:11 47,104 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqdscli.dll
    + 2007-07-06 13:08:11 16,896 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqise.dll
    + 2007-07-06 13:08:11 660,992 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqqm.dll
    + 2007-07-06 13:08:11 177,152 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqrt.dll
    + 2007-07-06 13:08:11 95,744 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqsec.dll
    + 2007-07-06 13:08:11 48,640 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqupgrd.dll
    + 2007-07-06 13:08:11 471,552 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqutil.dll
    + 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB937894\spmsg.dll
    + 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB937894\spuninst.exe
    + 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB937894\update\spcustom.dll
    + 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB937894\update\update.exe
    + 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB937894\update\updspapi.dll
    + 2007-10-29 22:35:13 1,287,680 ----a-w C:\WINDOWS\$hf_mig$\KB941568\SP2QFE\quartz.dll
    + 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spmsg.dll
    + 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spuninst.exe
    + 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\spcustom.dll
    + 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\update.exe
    + 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\updspapi.dll
    + 2007-10-10 23:47:27 124,928 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\advpack.dll
    + 2007-10-10 23:47:27 214,528 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\dxtrans.dll
    + 2007-10-10 23:47:27 132,608 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\extmgr.dll
    + 2007-10-10 23:47:27 63,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\icardie.dll
    + 2007-10-10 08:16:47 70,656 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ie4uinit.exe
    + 2007-10-10 23:47:27 153,088 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieakeng.dll
    + 2007-10-10 23:47:27 230,400 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieaksie.dll
    + 2007-10-10 05:47:20 161,792 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieakui.dll
    + 2007-04-17 09:28:12 2,455,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieapfltr.dat
    + 2007-10-10 23:47:27 383,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieapfltr.dll
    + 2007-10-10 23:47:27 388,096 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iedkcs32.dll
    + 2007-10-10 23:47:27 6,067,200 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieframe.dll
    + 2007-10-10 23:47:27 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iernonce.dll
    + 2007-10-10 23:47:27 267,776 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iertutil.dll
    + 2007-10-10 08:16:47 13,824 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieudinit.exe
    + 2007-10-10 08:16:56 625,664 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
    + 2007-10-10 23:47:28 27,648 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\jsproxy.dll
    + 2007-10-10 23:47:28 459,264 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msfeeds.dll
    + 2007-10-10 23:47:28 52,224 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msfeedsbs.dll
    + 2007-10-30 23:48:49 3,593,216 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mshtml.dll
    + 2007-10-10 23:47:28 478,208 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mshtmled.dll
    + 2007-10-10 23:47:28 193,024 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msrating.dll
    + 2007-10-10 23:47:28 671,232 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mstime.dll
    + 2007-10-10 23:47:28 102,912 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\occache.dll
    + 2007-10-10 23:47:28 105,984 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\url.dll
    + 2007-10-10 23:47:29 1,162,240 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\urlmon.dll
    + 2007-10-10 23:47:29 233,472 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\webcheck.dll
    + 2007-10-10 23:47:29 825,344 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
    + 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\spmsg.dll
    + 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\spuninst.exe
    + 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\spcustom.dll
    + 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\update.exe
    + 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\updspapi.dll
    + 2007-11-13 11:02:46 60,416 ----a-w C:\WINDOWS\$hf_mig$\KB942763\SP2QFE\tzchange.exe
    + 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB942763\spmsg.dll
    + 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB942763\spuninst.exe
    + 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\spcustom.dll
    + 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\update.exe
    + 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\updspapi.dll
    + 2007-11-13 08:47:45 20,480 ----a-w C:\WINDOWS\$hf_mig$\KB944653\SP2QFE\secdrv.sys
    + 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spmsg.dll
    + 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spuninst.exe
    + 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\spcustom.dll
    + 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\update.exe
    + 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\updspapi.dll
    + 2004-08-04 03:58:22 72,960 -c----w C:\WINDOWS\$NtUninstallKB937894$\mqac.sys
    + 2004-08-04 05:56:44 138,240 -c----w C:\WINDOWS\$NtUninstallKB937894$\mqad.dll
    + 2004-08-04 05:56:44 47,104 -c----w C:\WINDOWS\$NtUninstallKB937894$\mqdscli.dll
    + 2004-08-04 05:56:44 16,896 -c----w C:\WINDOWS\$NtUninstallKB937894$\mqise.dll
    + 2004-08-04 05:56:44 660,992 -c----w C:\WINDOWS\$NtUninstallKB937894$\mqqm.dll
    + 2004-08-04 05:56:44 177,152 -c----w C:\WINDOWS\$NtUninstallKB937894$\mqrt.dll
    + 2004-08-04 05:56:44 95,744 -c----w C:\WINDOWS\$NtUninstallKB937894$\mqsec.dll
    + 2004-08-04 05:56:44 48,640 -c----w C:\WINDOWS\$NtUninstallKB937894$\mqupgrd.dll
    + 2004-08-04 05:56:44 471,552 -c----w C:\WINDOWS\$NtUninstallKB937894$\mqutil.dll
    + 2005-10-12 23:12:26 213,216 -c----w C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe
    + 2005-10-12 23:12:34 371,424 -c----w C:\WINDOWS\$NtUninstallKB937894$\spuninst\updspapi.dll
    + 2005-08-30 03:54:26 1,287,168 -c----w C:\WINDOWS\$NtUninstallKB941568$\quartz.dll
    + 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe
    + 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB941568$\spuninst\updspapi.dll
    + 2007-10-27 21:39:36 213,216 -c----w C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe
    + 2007-10-27 21:39:46 371,424 -c----w C:\WINDOWS\$NtUninstallKB941569$\spuninst\updspapi.dll
    + 2005-01-28 18:44:28 224,768 -c----w C:\WINDOWS\$NtUninstallKB941569$\wmasf.dll
    + 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe
    + 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB942763$\spuninst\updspapi.dll
    + 2007-07-18 12:42:22 60,416 -c----w C:\WINDOWS\$NtUninstallKB942763$\tzchange.exe
    + 2006-12-19 21:52:18 8,453,632 -c----w C:\WINDOWS\$NtUninstallKB943460$\shell32.dll
    + 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe
    + 2007-03-06 01:23:47 371,424 -c----w C:\WINDOWS\$NtUninstallKB943460$\spuninst\updspapi.dll
    + 2007-06-19 07:24:36 350,720 -c----w C:\WINDOWS\$NtUninstallKB943460$\xpsp3res.dll
    + 2002-08-29 11:00:00 27,440 -c----w C:\WINDOWS\$NtUninstallKB944653$\secdrv.sys
    + 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe
    + 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB944653$\spuninst\updspapi.dll
    + 2008-01-15 19:40:10 8,007,680 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll
    + 2008-01-15 19:39:35 80,696 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Access.Dao\12.0.0.0__71e9bce111e9429c\Microsoft.Office.interop.access.dao.dll
    + 2008-01-15 19:40:09 13,312 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll
    - 2004-02-12 12:41:31 371,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop.Forms\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.Forms.dll
    + 2008-01-15 19:39:52 371,496 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop.Forms\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.Forms.dll
    + 2008-01-15 19:39:53 64,288 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
    + 2008-01-15 19:39:52 416,544 ----a-w C:\WINDOWS\assembly\GAC\office\12.0.0.0__71e9bce111e9429c\OFFICE.DLL
    + 2008-01-15 19:39:57 12,080 ----a-w C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.dll
    + 2008-01-15 19:39:56 11,544 ----a-w C:\WINDOWS\assembly\GAC\Policy.11.0.office\12.0.0.0__71e9bce111e9429c\Policy.11.0.Office.dll
    + 2005-10-21 01:47:04 30,592 ------w C:\WINDOWS\Driver Cache\I386\rndismpx.sys
    + 2005-10-21 01:47:05 12,800 ------w C:\WINDOWS\Driver Cache\I386\usb8023x.sys
    + 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
    + 2008-01-23 18:36:58 249,856 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-23 18:36:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-23 18:36:58 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-23 18:36:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-23 18:36:58 4,218,880 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    + 2008-01-23 18:36:59 163,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    - 2007-03-13 14:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    + 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    + 2007-08-20 10:04:34 124,928 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\advpack.dll
    + 2007-08-20 10:04:34 214,528 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\dxtrans.dll
    + 2007-08-20 10:04:34 132,608 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\extmgr.dll
    + 2007-08-20 10:04:34 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\icardie.dll
    + 2007-08-17 10:20:54 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ie4uinit.exe
    + 2007-08-20 10:04:34 153,088 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakeng.dll
    + 2007-08-20 10:04:35 230,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieaksie.dll
    + 2007-08-17 07:34:25 161,792 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakui.dll
    + 2007-08-20 10:04:35 383,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieapfltr.dll
    + 2007-08-20 10:04:35 384,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iedkcs32.dll
    + 2007-08-20 10:04:37 6,058,496 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieframe.dll
    + 2007-08-20 10:04:38 44,544 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iernonce.dll
    + 2007-08-20 10:04:38 267,776 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iertutil.dll
    + 2007-08-17 10:20:54 13,824 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieudinit.exe
    + 2007-08-17 10:21:21 625,152 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe
    + 2007-08-20 10:04:39 27,648 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\jsproxy.dll
    + 2007-08-20 10:04:39 459,264 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeeds.dll
    + 2007-08-20 10:04:39 52,224 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeedsbs.dll
    + 2007-08-20 10:04:41 3,584,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtml.dll
    + 2007-08-20 10:04:41 477,696 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtmled.dll
    + 2007-08-20 10:04:41 193,024 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msrating.dll
    + 2007-08-20 10:04:42 671,232 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mstime.dll
    + 2007-08-20 10:04:42 102,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\occache.dll
    + 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe
    + 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\updspapi.dll
    + 2007-08-20 10:04:42 105,984 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\url.dll
    + 2007-08-20 10:04:42 1,152,000 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\urlmon.dll
    + 2007-08-20 10:04:42 232,960 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\webcheck.dll
    + 2007-08-20 10:04:43 824,832 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
    + 2006-09-15 21:25:18 3,611,416 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119A10000000000000000F01FEC\12.0.4518\OUTLFLTR.DAT
    + 2008-01-15 19:37:50 217,864 ----a-r C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
    - 2007-10-10 07:01:37 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
    + 2007-12-12 23:20:16 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
    - 2007-10-10 07:01:37 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2007-12-12 23:20:16 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2007-10-10 07:01:36 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2007-12-12 23:20:16 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2007-10-10 07:01:37 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2007-12-12 23:20:17 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2007-10-10 07:01:38 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2007-12-12 23:20:17 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2007-10-10 07:01:38 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2007-12-12 23:20:17 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2007-10-10 07:01:38 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2007-12-12 23:20:17 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2007-10-10 07:01:37 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2007-12-12 23:20:16 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2007-10-10 07:01:36 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    + 2007-12-12 23:20:16 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    - 2007-10-10 07:01:38 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2007-12-12 23:20:17 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2007-10-10 07:01:36 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2007-12-12 23:20:16 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
     
  13. 2008/01/23
    Petag21

    Petag21 Inactive Thread Starter

    - 2007-10-10 07:01:36 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2007-12-12 23:20:16 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2008-01-16 23:03:18 20,240 ----a-r C:\WINDOWS\Installer\{91120000-001A-0000-0000-0000000FF1CE}\cagicon.exe
    + 2008-01-16 23:03:19 217,864 ----a-r C:\WINDOWS\Installer\{91120000-001A-0000-0000-0000000FF1CE}\misc.exe
    + 2008-01-16 23:03:18 18,704 ----a-r C:\WINDOWS\Installer\{91120000-001A-0000-0000-0000000FF1CE}\mspicons.exe
    + 2008-01-16 23:03:19 35,088 ----a-r C:\WINDOWS\Installer\{91120000-001A-0000-0000-0000000FF1CE}\oisicon.exe
    + 2008-01-16 23:03:18 845,584 ----a-r C:\WINDOWS\Installer\{91120000-001A-0000-0000-0000000FF1CE}\outicon.exe
    + 2008-01-15 18:51:46 22,486 ----a-r C:\WINDOWS\Installer\{99052DB7-9592-4522-A558-5417BBAD48EE}\ARPPRODUCTICON.exe
    + 2008-01-15 18:51:46 22,486 ----a-r C:\WINDOWS\Installer\{99052DB7-9592-4522-A558-5417BBAD48EE}\WCESMgrIcon.exe
    - 2007-06-17 04:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
    + 2000-08-31 13:00:00 51,200 ----a-w C:\WINDOWS\nircmd.exe
    - 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\SYSTEM32\advpack.dll
    + 2007-10-10 23:55:51 124,928 ----a-w C:\WINDOWS\SYSTEM32\advpack.dll
    + 2006-11-13 18:38:40 22,824 ----a-w C:\WINDOWS\SYSTEM32\ceutil.dll
    - 2007-08-20 10:04:34 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
    + 2007-10-10 23:55:51 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
    - 2007-08-20 10:04:34 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
    + 2007-10-10 23:55:51 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
    - 2007-08-20 10:04:34 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
    + 2007-10-10 23:55:51 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
    - 2007-08-20 10:04:34 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
    + 2007-10-10 23:55:51 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
    - 2007-08-17 10:20:54 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
    + 2007-10-10 10:59:40 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
    - 2007-08-20 10:04:34 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
    + 2007-10-10 23:55:51 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
    - 2007-08-20 10:04:35 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
    + 2007-10-10 23:55:51 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
    - 2007-08-17 07:34:25 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
    + 2007-10-10 05:46:55 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
    - 2007-08-20 10:04:35 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
    + 2007-10-10 23:55:52 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
    - 2007-08-20 10:04:35 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
    + 2007-10-10 23:55:52 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
    - 2007-08-20 10:04:37 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
    + 2007-10-10 23:55:54 6,065,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
    - 2007-08-20 10:04:38 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
    + 2007-10-10 23:55:55 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
    - 2007-08-20 10:04:38 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
    + 2007-10-10 23:55:55 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
    - 2007-08-17 10:20:54 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
    + 2007-10-10 10:59:40 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
    - 2007-08-17 10:21:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
    + 2007-10-10 10:59:52 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
    - 2007-08-20 10:04:39 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
    + 2007-10-10 23:55:56 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
    - 2006-08-17 12:28:27 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
    + 2007-11-07 09:26:56 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
    + 2007-07-06 10:05:47 72,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqac.sys
    + 2007-07-06 12:46:59 138,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqad.dll
    + 2007-07-06 12:46:59 47,104 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqdscli.dll
    + 2007-07-06 12:46:59 16,896 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqise.dll
    + 2007-07-06 12:46:59 660,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqqm.dll
    + 2007-07-06 12:46:59 177,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqrt.dll
    + 2007-07-06 12:46:59 95,744 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqsec.dll
    + 2007-07-06 12:46:59 48,640 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqupgrd.dll
    + 2007-07-06 12:46:59 471,552 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqutil.dll
    - 2007-08-20 10:04:39 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
    + 2007-10-10 23:55:56 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
    - 2007-08-20 10:04:39 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
    + 2007-10-10 23:55:56 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
    - 2007-08-20 10:04:41 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    + 2007-10-30 23:42:28 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    - 2007-08-20 10:04:41 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
    + 2007-10-10 23:55:58 478,208 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
    - 2007-08-20 10:04:41 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
    + 2007-10-10 23:55:58 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
    - 2007-08-20 10:04:42 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
    + 2007-10-10 23:55:59 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
    - 2007-08-20 10:04:42 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
    + 2007-10-10 23:55:59 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
    + 2007-10-29 22:43:03 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
    - 2006-12-19 21:52:18 8,453,632 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
    + 2007-10-26 03:34:01 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
    - 2006-04-20 11:51:50 359,808 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
    + 2007-10-30 17:20:55 360,064 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
    - 2007-08-20 10:04:42 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
    + 2007-10-10 23:55:59 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
    - 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
    + 2007-10-10 23:56:00 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
    - 2007-08-20 10:04:42 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
    + 2007-10-10 23:56:00 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
    - 2007-08-20 10:04:43 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
    + 2007-10-10 23:56:00 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
    - 2005-01-28 18:44:28 224,768 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
    + 2007-10-27 22:40:06 227,328 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
    - 2004-08-04 03:58:22 72,960 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\mqac.sys
    + 2007-07-06 10:05:47 72,960 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\mqac.sys
    - 2004-08-04 04:04:32 30,080 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\rndismp.sys
    + 2005-10-21 01:47:04 30,592 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\rndismp.sys
    - 2004-08-04 04:04:32 30,080 ------w C:\WINDOWS\SYSTEM32\DRIVERS\rndismpx.sys
    + 2005-10-21 01:47:04 30,592 ------w C:\WINDOWS\SYSTEM32\DRIVERS\rndismpx.sys
    - 2002-08-29 11:00:00 27,440 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\SECDRV.SYS
    + 2007-11-13 10:25:53 20,480 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\secdrv.sys
    - 2006-04-20 11:51:50 359,808 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
    + 2007-10-30 17:20:55 360,064 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
    - 2004-08-04 04:04:34 12,672 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\usb8023.sys
    + 2005-10-21 01:47:05 12,800 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\usb8023.sys
    - 2004-08-04 04:04:34 12,672 ------w C:\WINDOWS\SYSTEM32\DRIVERS\usb8023x.sys
    + 2005-10-21 01:47:05 12,800 ------w C:\WINDOWS\SYSTEM32\DRIVERS\usb8023x.sys
    - 2007-08-20 10:04:34 214,528 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
    + 2007-10-10 23:55:51 214,528 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
    - 2007-08-20 10:04:34 132,608 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
    + 2007-10-10 23:55:51 132,608 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
    + 2008-01-05 21:48:12 126,976 ----a-w C:\WINDOWS\SYSTEM32\extz1\lovstadcom2.exe
    - 2005-03-17 19:39:58 1,146,320 ----a-w C:\WINDOWS\SYSTEM32\FM20.DLL
    + 2006-10-26 19:10:08 1,190,688 ----a-w C:\WINDOWS\SYSTEM32\FM20.DLL
    - 2003-07-15 04:57:04 32,584 ----a-w C:\WINDOWS\SYSTEM32\FM20ENU.DLL
    + 2006-10-26 19:10:06 33,088 ----a-w C:\WINDOWS\SYSTEM32\FM20ENU.DLL
    - 2007-04-19 08:08:17 242,328 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
    + 2008-01-15 19:44:25 264,616 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
    - 2007-08-20 10:04:34 63,488 ----a-w C:\WINDOWS\SYSTEM32\icardie.dll
    + 2007-10-10 23:55:51 63,488 ----a-w C:\WINDOWS\SYSTEM32\icardie.dll
    - 2007-08-17 10:20:54 63,488 ----a-w C:\WINDOWS\SYSTEM32\ie4uinit.exe
    + 2007-10-10 10:59:40 70,656 ----a-w C:\WINDOWS\SYSTEM32\ie4uinit.exe
    - 2007-08-20 10:04:34 153,088 ----a-w C:\WINDOWS\SYSTEM32\ieakeng.dll
    + 2007-10-10 23:55:51 153,088 ----a-w C:\WINDOWS\SYSTEM32\ieakeng.dll
    - 2007-08-20 10:04:35 230,400 ----a-w C:\WINDOWS\SYSTEM32\ieaksie.dll
    + 2007-10-10 23:55:51 230,400 ----a-w C:\WINDOWS\SYSTEM32\ieaksie.dll
    - 2007-08-17 07:34:25 161,792 ----a-w C:\WINDOWS\SYSTEM32\ieakui.dll
    + 2007-10-10 05:46:55 161,792 ----a-w C:\WINDOWS\SYSTEM32\ieakui.dll
    - 2007-08-20 10:04:35 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
    + 2007-10-10 23:55:52 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
    - 2007-08-20 10:04:35 384,512 ----a-w C:\WINDOWS\SYSTEM32\iedkcs32.dll
    + 2007-10-10 23:55:52 384,512 ----a-w C:\WINDOWS\SYSTEM32\iedkcs32.dll
    - 2007-08-20 10:04:37 6,058,496 ----a-w C:\WINDOWS\SYSTEM32\ieframe.dll
    + 2007-10-10 23:55:54 6,065,664 ----a-w C:\WINDOWS\SYSTEM32\ieframe.dll
    - 2007-08-20 10:04:38 44,544 ----a-w C:\WINDOWS\SYSTEM32\iernonce.dll
    + 2007-10-10 23:55:55 44,544 ----a-w C:\WINDOWS\SYSTEM32\iernonce.dll
    - 2007-08-20 10:04:38 267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil.dll
    + 2007-10-10 23:55:55 267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil.dll
    - 2007-08-17 10:20:54 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
    + 2007-10-10 10:59:40 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
    - 2002-08-21 11:10:16 204,800 ----a-w C:\WINDOWS\SYSTEM32\INKED.DLL
    + 2006-10-26 18:45:04 207,360 ----a-w C:\WINDOWS\SYSTEM32\INKED.DLL
    - 2007-08-20 10:04:39 27,648 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
    + 2007-10-10 23:55:56 27,648 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
    - 2006-08-17 12:28:27 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
    + 2007-11-07 09:26:56 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
    - 2007-04-13 20:19:52 7,680 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
    + 2008-01-22 14:26:37 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
    - 2004-08-04 05:56:44 138,240 ----a-w C:\WINDOWS\SYSTEM32\mqad.dll
    + 2007-07-06 12:46:59 138,240 ----a-w C:\WINDOWS\SYSTEM32\mqad.dll
    - 2004-08-04 05:56:44 47,104 ----a-w C:\WINDOWS\SYSTEM32\mqdscli.dll
    + 2007-07-06 12:46:59 47,104 ----a-w C:\WINDOWS\SYSTEM32\mqdscli.dll
    - 2004-08-04 05:56:44 16,896 ----a-w C:\WINDOWS\SYSTEM32\mqise.dll
    + 2007-07-06 12:46:59 16,896 ----a-w C:\WINDOWS\SYSTEM32\mqise.dll
    - 2004-08-04 05:56:44 660,992 ----a-w C:\WINDOWS\SYSTEM32\mqqm.dll
    + 2007-07-06 12:46:59 660,992 ----a-w C:\WINDOWS\SYSTEM32\mqqm.dll
    - 2004-08-04 05:56:44 177,152 ----a-w C:\WINDOWS\SYSTEM32\mqrt.dll
    + 2007-07-06 12:46:59 177,152 ----a-w C:\WINDOWS\SYSTEM32\mqrt.dll
    - 2004-08-04 05:56:44 95,744 ----a-w C:\WINDOWS\SYSTEM32\mqsec.dll
    + 2007-07-06 12:46:59 95,744 ----a-w C:\WINDOWS\SYSTEM32\mqsec.dll
    - 2004-08-04 05:56:44 48,640 ----a-w C:\WINDOWS\SYSTEM32\mqupgrd.dll
    + 2007-07-06 12:46:59 48,640 ----a-w C:\WINDOWS\SYSTEM32\mqupgrd.dll
    - 2004-08-04 05:56:44 471,552 ----a-w C:\WINDOWS\SYSTEM32\mqutil.dll
    + 2007-07-06 12:46:59 471,552 ----a-w C:\WINDOWS\SYSTEM32\mqutil.dll
    - 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
    + 2008-01-02 18:21:36 17,642,616 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
    - 2007-08-20 10:04:39 459,264 ----a-w C:\WINDOWS\SYSTEM32\msfeeds.dll
    + 2007-10-10 23:55:56 459,264 ----a-w C:\WINDOWS\SYSTEM32\msfeeds.dll
    - 2007-08-20 10:04:39 52,224 ----a-w C:\WINDOWS\SYSTEM32\msfeedsbs.dll
    + 2007-10-10 23:55:56 52,224 ----a-w C:\WINDOWS\SYSTEM32\msfeedsbs.dll
    - 2007-08-20 10:04:41 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
    + 2007-10-30 23:42:28 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
    - 2007-08-20 10:04:41 477,696 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
    + 2007-10-10 23:55:58 478,208 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
    - 2007-08-20 10:04:41 193,024 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
    + 2007-10-10 23:55:58 193,024 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
    - 2007-08-20 10:04:42 671,232 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
    + 2007-10-10 23:55:59 671,232 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
    + 2008-01-19 13:13:12 32,768 ----a-w C:\WINDOWS\SYSTEM32\nGpxx01\nGpxx011065.exe
    - 2007-08-20 10:04:42 102,400 ----a-w C:\WINDOWS\SYSTEM32\occache.dll
    + 2007-10-10 23:55:59 102,400 ----a-w C:\WINDOWS\SYSTEM32\occache.dll
    - 2007-08-15 14:50:19 61,930 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
    + 2008-01-15 19:49:05 61,930 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
    - 2007-08-15 14:50:19 402,426 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
    + 2008-01-15 19:49:05 402,426 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
    - 2005-08-30 03:54:26 1,287,168 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
    + 2007-10-29 22:43:03 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
    + 2006-11-13 18:39:28 138,024 ----a-w C:\WINDOWS\SYSTEM32\rapi.dll
    - 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\SYSTEM32\shell32.dll
    + 2007-10-26 03:34:01 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\shell32.dll
    - 2007-04-02 18:21:27 139,776 ----a-w C:\WINDOWS\SYSTEM32\swreg.exe
    + 2000-08-31 13:00:00 156,160 ----a-w C:\WINDOWS\SYSTEM32\swreg.exe
    - 2007-07-18 12:42:22 60,416 ----a-w C:\WINDOWS\SYSTEM32\tzchange.exe
    + 2007-11-13 11:31:11 60,416 ----a-w C:\WINDOWS\SYSTEM32\tzchange.exe
    - 2007-08-20 10:04:42 105,984 ----a-w C:\WINDOWS\SYSTEM32\url.dll
    + 2007-10-10 23:55:59 105,984 ----a-w C:\WINDOWS\SYSTEM32\url.dll
    - 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
    + 2007-10-10 23:56:00 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
    - 2007-08-20 10:04:42 232,960 ----a-w C:\WINDOWS\SYSTEM32\webcheck.dll
    + 2007-10-10 23:56:00 232,960 ----a-w C:\WINDOWS\SYSTEM32\webcheck.dll
    - 2007-08-20 10:04:43 824,832 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
    + 2007-10-10 23:56:00 824,832 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
    - 2002-08-21 11:13:12 189,952 ----a-w C:\WINDOWS\SYSTEM32\WISPTIS.EXE
    + 2006-10-26 18:45:04 293,376 ----a-w C:\WINDOWS\SYSTEM32\WISPTIS.EXE
    - 2005-01-28 18:44:28 224,768 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
    + 2007-10-27 22:40:06 227,328 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
    - 2007-06-19 07:24:36 350,720 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
    + 2007-10-29 10:04:03 350,720 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
    + 2008-01-23 19:07:57 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_564.dat
    + 2007-09-19 22:47:58 106,496 ----a-w C:\WINDOWS\WindowsMobile\NotePadSync.dll
    + 2006-10-26 18:40:34 95,744 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841\ATL80.dll
    + 2005-09-23 06:16:02 1,093,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80.dll
    + 2005-09-23 06:16:06 1,079,808 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80u.dll
    + 2005-09-23 06:16:08 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80.dll
    + 2005-09-23 06:16:10 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80u.dll
    + 2006-10-26 18:40:36 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHS.dll
    + 2006-10-26 18:40:36 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHT.dll
    + 2006-10-26 18:40:36 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80DEU.dll
    + 2006-10-26 18:40:36 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ENU.dll
    + 2006-10-26 18:40:36 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ESP.dll
    + 2006-10-26 18:40:36 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80FRA.dll
    + 2006-10-26 18:40:36 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ITA.dll
    + 2006-10-26 18:40:36 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80JPN.dll
    + 2006-10-26 18:40:36 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80KOR.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 14:44 68856]
    "H/PC Connection Agent "= "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
    "Dot1XCfg "= "C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [2008-01-23 11:17 61440]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-13 14:28 185632]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2007-08-29 11:58 77824]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 14:44 68856]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    C:\Program Files\Dell Support\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1137784261\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    --a------ 2003-12-22 07:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    --a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    --a------ 2005-09-20 08:36 114688 C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-08-29 11:58 77824 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-08-13 14:28 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    R1 tapee;tapee;C:\WINDOWS\system32\drivers\tapee.sys [2008-01-21 16:30]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-23 19:27:29 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    "2008-01-23 19:30:21 C:\WINDOWS\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_dartcapital_reception.job "
    - C:\WINDOWS\system32\MOBSYNC.EXEJ /Schedule=
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-23 14:27:28
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\System32\NavLogon.dll
    .
    ----------------------------------------------------------------------



    ---------------------------------------------------------------


    ***Okay, well, there is only one sign-on that is used for this computer, and that is the receptionist; all of the other ones are no longer in use. And I'm a little slow, so can you let me know how I can do that virus scan on the network drive?
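The helper's next reply names several folders (extz1, nGpxx01 and others) that were picked out of the ComboFix listing above by hand. The filter below is an added example, not part of the thread and not ComboFix's own code, showing how that triage can be done mechanically: it parses the "+"/"-" snapshot lines, keeps executables that have a "+" line but no matching "-" line (created since the previous snapshot, rather than updated by a patch), and separates those that landed outside the directories where Windows servicing normally writes binaries. The sample lines are copied from the listing above; the directory allow-list and extension list are my assumptions, tuned for an XP machine.

```python
import re
from dataclasses import dataclass

# Excerpt copied from the ComboFix snapshot listing posted above; the
# real log has many more lines in exactly this shape.
SAMPLE_SNAPSHOT = r"""
- 2006-04-20 11:51:50 359,808 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
+ 2007-10-30 17:20:55 360,064 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
+ 2007-07-06 10:05:47 72,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqac.sys
+ 2008-01-05 21:48:12 126,976 ----a-w C:\WINDOWS\SYSTEM32\extz1\lovstadcom2.exe
- 2007-04-19 08:08:17 242,328 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
+ 2008-01-15 19:44:25 264,616 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
+ 2008-01-19 13:13:12 32,768 ----a-w C:\WINDOWS\SYSTEM32\nGpxx01\nGpxx011065.exe
+ 2006-11-13 18:39:28 138,024 ----a-w C:\WINDOWS\SYSTEM32\rapi.dll
+ 2008-01-23 19:07:57 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_564.dat
+ 2007-09-19 22:47:58 106,496 ----a-w C:\WINDOWS\WindowsMobile\NotePadSync.dll
"""

# "<+|-> date time size attributes path"; the path may contain spaces.
LINE_RE = re.compile(
    r"^\s*([+-])\s+(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+?)\s*$"
)


@dataclass(frozen=True)
class Entry:
    change: str      # "+" = present in the new snapshot, "-" = present in the old one
    timestamp: str
    size: int
    attrs: str
    path: str


def parse_snapshot(text):
    """Parse the +/- file listing into Entry objects, skipping anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sign, date, time, size, attrs, path = m.groups()
            entries.append(Entry(sign, f"{date} {time}", int(size.replace(",", "")), attrs, path))
    return entries


EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")

# Assumed allow-list: places where Windows servicing legitimately adds binaries
# on an XP box (lower-case so the comparison is case-insensitive).
EXPECTED_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\system32\\dllcache",
    "c:\\windows\\system32\\drivers",
)
EXPECTED_PREFIXES = ("c:\\windows\\winsxs\\",)


def new_executables(entries):
    """Executables that appear only with "+": created since the old snapshot,
    as opposed to files that were merely updated (those also carry a "-" line)."""
    old = {e.path.lower() for e in entries if e.change == "-"}
    return [e for e in entries
            if e.change == "+"
            and e.path.lower() not in old
            and e.path.lower().endswith(EXECUTABLE_EXT)]


def triage(text):
    """Split newly created executables by whether their directory is expected."""
    findings = {"unexpected_location": [], "expected_location": []}
    for e in new_executables(parse_snapshot(text)):
        low = e.path.lower()
        parent = low.rsplit("\\", 1)[0]
        bucket = ("expected_location"
                  if parent in EXPECTED_DIRS or low.startswith(EXPECTED_PREFIXES)
                  else "unexpected_location")
        findings[bucket].append(e.path)
    return findings


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_SNAPSHOT).items():
        print(bucket)
        for p in paths:
            print("   ", p)
```

On the excerpt, the two executables in the odd SYSTEM32 subfolders end up in `unexpected_location`, as does the ActiveSync component in WindowsMobile, while the patched tcpip.sys (which has both a "-" and a "+" line) is not reported at all. The allow-list is deliberately narrow: the output is a short list of candidates to look up by hash or signature, not a verdict.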
     
  14. 2008/01/23
    Blender
    Hi,

    Go to http://www.virustotal.com/en/indexf.html
    Copy the following line into the white textbox:
    C:\WINDOWS\SYSTEM32\DRIVERS\tapee.sys
    Click Send.
    Please post the results of this scan to this thread.

    Let me know if it gives you an error.

    Next:

    Download "Autoruns" from here:

    http://download.sysinternals.com/Files/Autoruns.zip

    Save it and unzip it to its own folder.
    Open the folder and double-click autoruns.exe.
    Wait for the scan to finish.
    Click the "Options" menu and check "Include empty sections", "Verify code signatures" and "Hide Microsoft entries".
    Click the "Users" menu and checkmark "Receptionist".
    If it does not scan again automatically, click the "File" menu and click "Refresh".

    Wait for scan to finish.

    Click the floppy icon> save log> post log.

    It may take more than one post to get it all in.

    ---------

    Not to worry about those other accounts if they are no longer in use just yet.
    Let's just deal with what is in use for now & we can tackle the other stuff later.

    Thanks :)
     
  15. 2008/01/23
    Petag21
    Hey Blender

    Virustotal

    0 bytes size received / Se ha recibido un archivo vacio


    HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
    HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
    HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
    HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    + QuickTime Task (Not verified) Apple Computer, Inc. c:\program files\quicktime\qttask.exe
    + TkBellExe RealNetworks Scheduler (Verified) RealNetworks, Inc. c:\program files\common files\real\update_ob\realsched.exe
    + vptray Symantec AntiVirus (Not verified) Symantec Corporation c:\program files\symantec_client_security\symantec antivirus\vptray.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    C:\Documents and Settings\reception\Start Menu\Programs\Startup
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    + Dot1XCfg c:\program files\dot1xcfg\dot1xcfg.exe
    + swg GoogleToolbarNotifier (Verified) Google Inc c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\SOFTWARE\Classes\Protocols\Filter
    + application/octet-stream Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
    + application/x-complus Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
    + application/x-msdownload Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
    HKLM\SOFTWARE\Classes\Protocols\Handler
    + cetihpz HPCETIUI Protocol Handler Module (Not verified) Hewlett-Packard Company c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    + ms-itss Microsoft® InfoTech Storage System Library (Not verified) Microsoft Corporation c:\program files\common files\microsoft shared\information retrieval\msitss.dll
    HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
    + 0 File not found: About:Home
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
    + n/a Microsoft .NET IE SECURITY REGISTRATION (Not verified) Microsoft Corporation c:\windows\system32\mscories.dll
    HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
    HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
    + Adobe.Acrobat.ContextMenu Adobe Acrobat Elements (Not verified) Adobe Systems Inc. c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll
    + LDVPMenu Symantec AntiVirus (Not verified) Symantec Corporation c:\program files\common files\symantec shared\ssc\vpshell2.dll
    HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
    HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
    HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
    HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
    + LDVPMenu Symantec AntiVirus (Not verified) Symantec Corporation c:\program files\common files\symantec shared\ssc\vpshell2.dll
    HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
    HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
    HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
    HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
    HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
    HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
    HKCU\Software\Microsoft\Ctf\LangBarAddin
    HKLM\Software\Microsoft\Ctf\LangBarAddin
    HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    + 6 Months of AOL Included AOL Shell Extension (Verified) America Online, Inc. c:\program files\common files\aolshare\shell\us\shellext.dll
    + Adobe.Acrobat.ContextMenu Adobe Acrobat Elements (Not verified) Adobe Systems Inc. c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll
    + Display Panning CPL Extension File not found: deskpan.dll
    + Fusion Cache Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
    + LDVP Shell Extensions Symantec AntiVirus (Not verified) Symantec Corporation c:\program files\common files\symantec shared\ssc\vpshell2.dll
    + Shell Extensions for RealOne Player RealPlayer Shell Extensions (Verified) RealNetworks, Inc. c:\program files\real\realplayer\rpshell.dll
    + Shell Icon Handler for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll
    + ShellLink for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    + AcroIEHlprObj Class Adobe Acrobat IE Helper Version 6.0 for ActivieX (Verified) Adobe Systems, Incorporated c:\program files\adobe\acrobat 6.0\acrobat\activex\acroiehelper.dll
    + AcroIEToolbarHelper Class c:\program files\adobe\acrobat 6.0\acrobat\acroiefavclient.dll
    + Google Toolbar Helper Google IE Client Toolbar (Verified) Google Inc c:\program files\google\googletoolbar2.dll
    + Google Toolbar Notifier BHO GoogleToolbarNotifier (Verified) Google Inc c:\program files\google\googletoolbarnotifier\2.0.1121.2472\swg.dll
    + Yahoo! IE Services Button Yahoo! IE Services (Verified) Yahoo! Inc. c:\program files\yahoo!\common\yiesrvc.dll
    HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
    HKLM\Software\Microsoft\Internet Explorer\Toolbar
    + &Google Google IE Client Toolbar (Verified) Google Inc c:\program files\google\googletoolbar2.dll
    + Adobe PDF c:\program files\adobe\acrobat 6.0\acrobat\acroiefavclient.dll
    HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
    HKCU\Software\Microsoft\Internet Explorer\Extensions
    HKLM\Software\Microsoft\Internet Explorer\Extensions
    Task Scheduler
    HKLM\System\CurrentControlSet\Services
    + aawservice Ad-Aware service (Verified) Lavasoft AB c:\program files\lavasoft\ad-aware 2007\aawservice.exe
    + DCSLoader OPHALDCS (Not verified) Oki Data Corporation c:\windows\system32\spool\drivers\w32x86\3\ophaldcs.exe
    + DefWatch Virus Definition Daemon (Not verified) Symantec Corporation c:\program files\symantec_client_security\symantec antivirus\defwatch.exe
    + MSSQL$MICROSOFTBCM SQL Server Windows NT (Not verified) Microsoft Corporation c:\program files\microsoft sql server\mssql$microsoftbcm\binn\sqlservr.exe
    + Norton AntiVirus Server Provides real-time virus scanning, reporting, and management functionality for Symantec Client Security. (Not verified) Symantec Corporation c:\program files\symantec_client_security\symantec antivirus\rtvscan.exe
    + WANMiniportService Wan Miniport (ATW) Service (Not verified) America Online, Inc. c:\windows\wanmpsvc.exe
    + WinVNC4 VNC Server Enterprise Edition for Win32 (Verified) RealVNC Ltd c:\program files\realvnc\vnc4\winvnc4.exe
    HKLM\System\CurrentControlSet\Services
    + Ad-Watch Connect Filter Driver for Ad-Watch network monitoring (Not verified) Lavasoft AB c:\windows\system32\drivers\nsdriver.sys
    + bvrp_pci File not found: C:\WINDOWS\System32\Drivers\bvrp_pci.sys
    + catchme File not found: C:\DOCUME~1\RECEPT~1\LOCALS~1\Temp\catchme.sys
    + Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
    + iAimTV2 File not found: System32\DRIVERS\wATV03nt.sys
    + lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
    + NAVAP AutoProtect (Not verified) Symantec Corporation c:\program files\symantec_client_security\symantec antivirus\navap.sys
    + NAVAPEL NAVAPEL (Not verified) Symantec Corporation c:\program files\symantec_client_security\symantec antivirus\navapel.sys
    + NAVENG AV Engine (Verified) Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20070117.019\naveng.sys
    + NAVEX15 AV Engine (Verified) Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20070117.019\navex15.sys
    + omci OMCI Device Driver (Not verified) Dell Computer Corporation c:\windows\system32\drivers\omci.sys
    + PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
    + PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
    + PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
    + PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
    + PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
    + SymEvent Symantec Event Library (Verified) Symantec Corporation c:\program files\symantec\symevent.sys
    + tapee c:\windows\system32\drivers\tapee.sys
    + WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    + lsdelete (Verified) Lavasoft AB c:\windows\system32\lsdelete.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
    HKLM\System\CurrentControlSet\Control\Session Manager\Execute
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    HKLM\Software\Microsoft\Command Processor\Autorun
    HKCU\Software\Microsoft\Command Processor\Autorun
    HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
    HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    + NavLogon c:\windows\system32\navlogon.dll
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
    HKCU\Control Panel\Desktop\Scrnsave.exe
    HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
    HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
    + Adobe PDF Port Acrobat ® PDF Port (Not verified) Adobe Systems Incorporated. c:\windows\system32\adobepdf.dll
    + Crown Port+ c:\windows\system32\crnxmon.dll
    + HP Standard TCP/IP Port Standard TCP/IP Port Monitor DLL (Not verified) Hewlett Packard c:\windows\system32\hptcpmon.dll
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
    HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
     
  16. 2008/01/23
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Sorry ... got called out.

    Copy the following text to a new notepad file.
    Save it as a file named CFScript.txt on your desktop.

    Code:
    http://www.windowsbbs.com/showthread.php?p=381759#post381759
    folder::
    C:\Temp\tn3
    C:\WINDOWS\YWRtaW4
    C:\WINDOWS\SYSTEM32\winzs6
    C:\WINDOWS\SYSTEM32\nui4
    C:\WINDOWS\SYSTEM32\extz1
    C:\WINDOWS\SYSTEM32\comz7
    C:\Temp\gTiis19
    C:\WINDOWS\SYSTEM32\nGpxx01
    C:\Temp\cXzz9
    C:\Program Files\Dot1XCfg
    
    collect::
    C:\WINDOWS\SYSTEM32\DRIVERS\tapee.sys
    
    file::
    C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
    C:\WINDOWS\mrofinu572.exe.tmp
    
    driver::
    tapee
    
    registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Dot1XCfg "=-
    
    Once saved...

    Drag CFScript on top of ComboFix and follow the prompts.

    Post the new C:\combofix.txt please.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

    Thanks :)
     
    Last edited: 2008/01/23
  17. 2008/01/24
    Petag21

    Petag21 Inactive Thread Starter

    Joined:
    2007/07/24
    Messages:
    52
    Likes Received:
    0
    ComboFix 08-01-23.2 - Reception 2008-01-24 9:53:15.8 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.197 [GMT -5:00]
    Running from: C:\Documents and Settings\reception\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\reception\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\mrofinu572.exe.tmp
    C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\check_LSA7.txt
    C:\Documents and Settings\reception\Application Data\YSTEM3~1
    C:\Documents and Settings\reception\Start Menu\Programs\Internet Speed Monitor
    C:\Documents and Settings\reception\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
    C:\Documents and Settings\reception\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
    C:\Documents and Settings\reception\Start Menu\Programs\Outerinfo
    C:\Documents and Settings\reception\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\reception\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\Program Files\Dot1XCfg
    C:\Program Files\Dot1XCfg\Dot1XCfg.exe
    C:\Program Files\mcroso~1.net
    C:\Program Files\mcroso~1.net\M?crosoft.NET\
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\FF\chrome.manifest
    C:\Program Files\outerinfo\FF\components\FF.dll
    C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
    C:\Program Files\outerinfo\FF\install.rdf
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\Temporary
    C:\Program Files\web buying
    C:\Program Files\web buying\v1.8.6\wbuninst.exe
    C:\Program Files\ymbols~1
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\cXzz9
    C:\Temp\gTiis19
    C:\Temp\gTiis19\lTig.log
    C:\temp\tn3
    C:\WINDOWS\b122.exe
    C:\WINDOWS\mrofinu572.exe
    C:\WINDOWS\mrofinu572.exe.tmp
    C:\WINDOWS\SYSTEM32\bccdd.bak1
    C:\WINDOWS\SYSTEM32\bccdd.bak2
    C:\WINDOWS\SYSTEM32\bccdd.ini
    C:\WINDOWS\SYSTEM32\comz7
    C:\WINDOWS\system32\ddccb.dll
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\SYSTEM32\DRIVERS\tapee.sys
    C:\WINDOWS\system32\efujlhyf.dll
    C:\WINDOWS\SYSTEM32\extz1
    C:\WINDOWS\SYSTEM32\extz1\lovstadcom2.exe
    C:\WINDOWS\system32\giilglea.exe
    C:\WINDOWS\system32\iiihfef.dll
    C:\WINDOWS\system32\lxladaas.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\SYSTEM32\nGpxx01
    C:\WINDOWS\SYSTEM32\nGpxx01\nGpxx011065.exe
    C:\WINDOWS\system32\nmllraij.dll
    C:\WINDOWS\SYSTEM32\nui4
    C:\WINDOWS\system32\opnlmmk.dll
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\SYSTEM32\saadalxl.ini
    C:\WINDOWS\system32\vajwixky.dll
    C:\WINDOWS\SYSTEM32\winzs6
    C:\WINDOWS\SYSTEM32\ykxiwjav.ini
    C:\WINDOWS\YWRtaW4
    C:\WINDOWS\YWRtaW4\sqlQuqb.vbs
    C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_NETWORK_MONITOR
    -------\DomainService


    -------\LEGACY_TAPEE
    -------\tapee




    ((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
    .

    2008-01-23 14:37 . 2008-01-24 09:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-23 14:37 . 2008-01-24 09:39 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-01-23 13:51 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
    2008-01-23 13:51 . 2006-04-27 21:42 212 --a------ C:\Boot.bak
    2008-01-15 14:35 . 2008-01-15 14:35 <DIR> dr-h----- C:\MSOCache
    2008-01-15 14:01 . 2008-01-15 14:01 <DIR> d-------- C:\WINDOWS\WindowsMobile
    2008-01-15 13:50 . 2008-01-15 13:50 <DIR> d-------- C:\Program Files\Windows Mobile Device Handbook

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-22 14:26 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
    2008-01-15 19:40 --------- d-----w C:\Program Files\Microsoft Works
    2008-01-15 19:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-15 18:51 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-01-03 23:02 --------- d-----w C:\Program Files\America Online 9.0
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
    2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
    2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    2007-10-30 17:20 360,064 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
    2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
    2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
    2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
    .

    ((((((((((((((((((((((((((((( snapshot_2008-01-23_14.30.20.52 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-23 18:36:58 249,856 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-24 14:53:07 249,856 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-23 18:36:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-24 14:53:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-23 18:36:58 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-24 14:53:07 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-23 18:36:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-24 14:53:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-23 18:36:58 4,218,880 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    + 2008-01-24 14:53:08 4,218,880 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    - 2008-01-23 18:36:59 163,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-24 14:53:08 163,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-24 14:41:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_56c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 14:44 68856]
    "H/PC Connection Agent "= "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-13 14:28 185632]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2007-08-29 11:58 77824]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 14:44 68856]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    C:\Program Files\Dell Support\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1137784261\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    --a------ 2003-12-22 07:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    --a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    --a------ 2005-09-20 08:36 114688 C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-08-29 11:58 77824 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-08-13 14:28 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe


    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-24 14:44:07 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    "2008-01-24 14:53:36 C:\WINDOWS\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_dartcapital_reception.job "
    - C:\WINDOWS\system32\MOBSYNC.EXEJ /Schedule=
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-24 09:55:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\System32\NavLogon.dll
    .
    --------------------------------------------------------------------------
    **** Okay, I did what you said and the log didn't pop up automatically, so I did it again. It still didn't pop up, but in the combofix box it said where the log could be found. But that other message box didn't pop up. Anyway, thanks again for helping me :)
     
  18. 2008/01/24
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    OK...

    Not sure if that funky driver is still there or not.

    did you get the prompt asking you to upload a file?
    It go OK?

    I wanna check that file is gone....

    Download Gmer from here:

    http://www.gmer.net/gmer.zip

    Unzip it to its own folder.
    Shut down unnecessary programs, including open browser windows.
    Shut down Antivirus to prevent conflicts.
    Don't be surfing around while antivirus is off -- because you have to be online for "receptionist" to be logged in -- we have to take a little extra care while not protected.

    The less stuff we got running the less chance of false positives in log.
    Double click gmer.exe to run it.
    Allow driver to install if asked (gmer.sys)
    You may get a warning at program start that there is possible rootkit activity, asking if you want to run a scan.

    Say OK to run scan.
    If no warning, just click "scan".
    Let the scan finish.
    Once done, press "save".
    In the new window that pops up, give the log a name and save it someplace handy.
    Press save.

    Re-enable your antivirus & post that log here.
    If too big to copy/paste -- attach it or upload here please:

    http://www.bleepingcomputer.com/submit-malware.php?channel=19

    Thanks :)
     
  19. 2008/01/24
    Petag21

    Petag21 Inactive Thread Starter

    Joined:
    2007/07/24
    Messages:
    52
    Likes Received:
    0
    Hey B,
    No I did not get that prompt asking me to upload a file. I will do that other thing you said to do right now.


    Thanx again
     
  20. 2008/01/24
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    OK.

    Is there a zipped up file on the desktop called submit.date.time.zip? (date.time being date & time ComboFix was run)

    Gmer scan will likely take some time.... maybe 1/2 hour tops.

    After that have a look in this folder:

    C:\Windows\system32\drivers

    See if tapee.sys is there.
    Don't confuse it with a very similar (and legit) file that may be present called tape.sys.
    Let me know if tapee.sys is present.

    -------------------

    Then I want you to do this:

    Go to http://www.virustotal.com/en/indexf.html
    Copy the following line into the white textbox:
    C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
    Click Send.
    Please post the results of this scan to this thread.

    Thanks :)
     
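One way to carry out the two checks asked for in the post above (look for tapee.sys in the drivers folder without confusing it with the legitimate tape.sys, and produce a hash of tcpip.sys that can be searched on VirusTotal instead of uploading the file) is the PowerShell below. This is an added example written for this page, not a script from the thread or from ComboFix, Gmer or VirusTotal; the paths are the ones named in the post, and it assumes a PowerShell version that has Get-FileHash (4.0 or later), which an XP machine like the one in this thread would not have, so it is meant for a technician's own, newer system or for reuse on later Windows versions.

```powershell
# Added example (not from the thread): check the drivers folder for the
# suspect file named in the post and hash tcpip.sys for a VirusTotal lookup.
# Assumes PowerShell 4.0+ (Get-FileHash); run from an elevated prompt.

$driverDir = Join-Path $env:SystemRoot 'system32\drivers'

# Exact-name check for the suspect driver the thread is tracking.
$suspect = Join-Path $driverDir 'tapee.sys'
if (Test-Path -LiteralPath $suspect) {
    Write-Output "PRESENT: $suspect"
    Get-Item -LiteralPath $suspect -Force |
        Select-Object FullName, Length, CreationTime, LastWriteTime
} else {
    Write-Output "not found: $suspect"
}

# List every driver whose name starts with 'tape', so tape.sys (legitimate,
# per the post) and any look-alike such as tapee.sys are shown side by side
# rather than mistaken for each other. -Force includes hidden files.
Get-ChildItem -LiteralPath $driverDir -Filter 'tape*.sys' -Force |
    Select-Object Name, Length, LastWriteTime |
    Format-Table -AutoSize

# Hash the system file the post asks to have scanned. Pasting the SHA-256
# into VirusTotal's search box retrieves any existing report for that exact
# file without sending the file itself.
$tcpip = Join-Path $env:SystemRoot 'system32\dllcache\tcpip.sys'
if (Test-Path -LiteralPath $tcpip) {
    Get-FileHash -LiteralPath $tcpip -Algorithm SHA256 |
        Select-Object Hash, Path
} else {
    Write-Output "not found: $tcpip"
}
```

Comparing the hash against VirusTotal first is the lower-risk order of operations: a known-good Microsoft file returns an existing clean report, and only an unknown hash calls for uploading the file as the post describes.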
  21. 2008/01/24
    Petag21

    Petag21 Inactive Thread Starter

    Joined:
    2007/07/24
    Messages:
    52
    Likes Received:
    0
    GMER 1.0.14.14116 - http://www.gmer.net
    Rootkit scan 2008-01-24 13:01:31
    Windows 5.1.2600 Service Pack 2


    ---- Kernel code sections - GMER 1.0.14 ----

    ? ComboFix.sys The system cannot find the file specified. !
    ? C:\DOCUME~1\RECEPT~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
    ? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

    ---- Devices - GMER 1.0.14 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

    ---- EOF - GMER 1.0.14 ----

    -------------------------------------------------------------------------

    Yes I do see submit.date.time.zip on my desktop, and tapee.sys is not there.


    Thanx again:)
     
