Inactive [InActive] Cleaned Virtumonde but Can't run Blacklight

Discussion in 'Malware and Virus Removal Archive' started by davekeys, 2008/09/25.

  1. 2008/09/25
    davekeys

    davekeys Inactive Thread Starter

    Joined:
    2008/09/25
    Messages:
    8
    Likes Received:
    0
    I've worked three days on a client's computer that was infected with Virtumonde. It always seems to come back.
    Software I used to clean the infection:
    Spybot
    VirtumundoBeGone.exe
    VundoFix.exe
    ComboFix.exe
    SuperAntiSpyware
    f-vmonde.exe

    It still came back, so I started to suspect a rootkit. I downloaded F-Secure BlackLight but got a "could not acquire necessary rights" message.

    Following are the hijackthis log and then the L2MFIX log:

    Thanks in advance for any help. The user at the other end (remote) is comfortable performing functions in safe mode and can be talked through on the phone.

    The log files were too long to post, so they are here:

    http://home.davekeys.com/jimlm2fix.txt
     
  2. 2008/09/26
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    So split them over 2 posts.
     
    Arie,
    #2

  4. 2008/09/26
    davekeys

    davekeys Inactive Thread Starter

    OK, here is HijackThis part one:

    Logfile of random's system information tool 1.02 (written by random/random)
    Run by Jim at 2008-09-25 22:22:21
    Microsoft Windows XP Professional Service Pack 3
    System drive C: has 20 GB (34%) free of 57 GB
    Total RAM: 1279 MB (51% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:22:28 PM, on 9/25/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Nuance\PDF Professional 5\pdfpro5hook.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Copernic Desktop Search - Home\DesktopSearchService.exe
    C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\VFNBPE4A\rsit[1].exe
    C:\Program Files\trend micro\Jim.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rli...d=1033&ver=12&app=outlook.exe&p1=32&p2=5&p3=1
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Nuance PDF - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll
    O3 - Toolbar: Copernic Desktop Search - Home - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search - Home\DesktopSearchBand300000074.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [PDFHook] C:\Program Files\Nuance\PDF Professional 5\pdfpro5hook.exe
    O4 - HKLM\..\Run: [PDF5 Registry Controller] C:\Program Files\Nuance\PDF Professional 5\RegistryController.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Nuance PDF Professional 5-reminder] "C:\Program Files\Nuance\PDF Professional 5\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\PDF Professional 5\Ereg\Ereg.ini "
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title= "CorelDRAW Graphics Suite 12" /date=100308 serial=DR12WRX-1868303-HJJ lang=EN
    O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe "
    O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe "
    O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini "
    O4 - HKLM\..\Run: [90e3ece7] BOGUSrundll32.exe "C:\WINDOWS\system32\tmggapgf.dll ",b
    O4 - HKLM\..\Run: [BM93d0df7b] Rundll32.exe "C:\WINDOWS\system32\kotuvqxf.dll ",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe "
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Copernic Desktop Search - Home] "C:\Program Files\Copernic Desktop Search - Home\DesktopSearchService.exe" /tray
    O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-21-1229272821-854245398-1343024091-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
    O4 - S-1-5-21-1229272821-854245398-1343024091-500 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Administrator')
    O4 - S-1-5-21-1229272821-854245398-1343024091-500 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Administrator')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: Open with Nuance PDF Converter 5.0 - res://C:\Program Files\Nuance\PDF Professional 5\cnvres_eng.dll /100
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
    O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/J...b2/&filename=jinstall-6u7-windows-i586-jc.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - AppInit_DLLs: vqltju.dll nzbvik.dll haazer.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PDFProFiltSrv - Nuance Communications, Inc. - C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 13234 bytes
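A defender-side way to read the O4 and O20 lines in the log above, as an added example that is not code from HijackThis or from anyone in this thread: it parses the Run-key and AppInit_DLLs entries and flags the patterns this log shows for the Virtumonde infection (hex-named Run values, rundll32 calling a one-letter export of a random-named system32 DLL, and a populated AppInit_DLLs). The sample lines are constructed after the posted log with the forum's "BOGUS" insertions removed; the heuristics and thresholds are the author's assumptions, not HijackThis behaviour.

```python
"""Triage the O4 (Run key) and O20 (AppInit_DLLs) lines of a HijackThis log.

Added example for this thread, not code from HijackThis or any poster.
The heuristics encode what the posted log shows: Run values named with a
hex blob, rundll32 calling a one-letter export of a random-named DLL in
system32, and a populated AppInit_DLLs (empty on a clean XP install).
"""
import re
from dataclasses import dataclass

# Constructed after the log posted above; the forum's "BOGUS" insertions
# are removed so the lines read as HijackThis prints them.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [90e3ece7] rundll32.exe "C:\WINDOWS\system32\tmggapgf.dll",b
O4 - HKLM\..\Run: [BM93d0df7b] Rundll32.exe "C:\WINDOWS\system32\kotuvqxf.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: vqltju.dll nzbvik.dll haazer.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
""".strip()

# "O4 - HKLM\..\Run: [ValueName] command line"
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O20_APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$')
# rundll32[.exe] ["]path\to.dll["],Export
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S*)', re.I)
# Run value names like 90e3ece7 or BM93d0df7b instead of a product name
HEX_NAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8,}$', re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int
    source: str       # which HijackThis section produced it
    item: str         # DLL or command that was flagged
    reasons: tuple    # one human-readable reason per matched heuristic


def looks_random(stem: str) -> bool:
    """Crude proxy for a machine-generated name (assumed threshold):
    lowercase letters only, at least six of them, fewer than 30% vowels."""
    if not (stem.isalpha() and stem.islower() and len(stem) >= 6):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) < 0.3


def basename(path: str) -> str:
    return path.strip().rsplit("\\", 1)[-1]


def triage(log_text: str) -> list:
    """Return a Finding for every O4 Run / O20 AppInit_DLLs entry that
    matches at least one heuristic; benign-looking entries are skipped."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = O4_RUN_RE.match(line)
        if m:
            reasons = []
            if HEX_NAME_RE.match(m["name"]):
                reasons.append("Run value name is a hex blob, not a product name")
            r = RUNDLL_RE.match(m["cmd"])
            item = m["cmd"]
            if r:
                item = basename(r["dll"])
                if len(r["export"]) == 1:
                    reasons.append("rundll32 calls a one-letter export")
                if looks_random(item.rsplit(".", 1)[0]):
                    reasons.append("DLL name looks machine-generated")
            if reasons:
                findings.append(Finding(n, "O4 Run", item, tuple(reasons)))
            continue
        m = O20_APPINIT_RE.match(line)
        if m:
            for dll in m["dlls"].split():
                reasons = ["AppInit_DLLs is populated: loaded into every "
                           "process that maps user32.dll"]
                if looks_random(dll.rsplit(".", 1)[0]):
                    reasons.append("DLL name looks machine-generated")
                findings.append(Finding(n, "O20 AppInit_DLLs", dll, tuple(reasons)))
    return findings


def flagged_names(log_text: str) -> list:
    """Sorted, de-duplicated file names that triage() flagged."""
    return sorted({f.item for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.source}] {f.item}")
        for reason in f.reasons:
            print("    -", reason)
```

The name heuristic alone would miss haazer.dll, which is why a populated AppInit_DLLs is treated as a finding on its own: on a clean XP install that value is empty.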
     
  5. 2008/09/26
    davekeys

    davekeys Inactive Thread Starter

    HijackThis part 2:


    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-07-07 1562448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-08-31 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-09-18 737776]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-08-31 2403392]
    {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - Nuance PDF - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll [2008-01-25 299008]
    {968631B6-4729-440D-9BF4-251F5593EC9A} - Copernic Desktop Search - Home - C:\Program Files\Copernic Desktop Search - Home\DesktopSearchBand300000074.dll [2008-08-28 995328]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "NvCplDaemon "=C:\WINDOWS\system32\NvCpl.dll [2004-10-26 4632576]
    "nwiz "=nwiz.exe /installquiet []
    "Dell QuickSet "=C:\Program Files\Dell\QuickSet\quickset.exe [2004-10-07 610304]
    "Apoint "=C:\Program Files\Apoint\Apoint.exe [2005-10-07 176128]
    "Kernel and Hardware Abstraction Layer "=C:\WINDOWS\KHALMNPR.EXE [2007-01-23 101136]
    "Adobe Reader Speed Launcher "=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
    "egui "=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2008-06-10 1447168]
    "GrooveMonitor "=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
    "PDFHook "=C:\Program Files\Nuance\PDF Professional 5\pdfpro5hook.exe [2008-02-02 795936]
    "PDF5 Registry Controller "=C:\Program Files\Nuance\PDF Professional 5\RegistryController.exe [2008-02-02 58656]
    "SSBkgdUpdate "=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2007-03-26 210472]
    "ISUSPM Startup "=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2005-02-16 221184]
    "ISUSScheduler "=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-02-16 81920]
    "Nuance PDF Professional 5-reminder "=C:\Program Files\Nuance\PDF Professional 5\Ereg\Ereg.exe [2007-08-31 328992]
    "LogMeIn GUI "=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-02-28 63048]
    "HP Software Update "=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-10-14 49152]
    "CorelDRAW Graphics Suite 11b "=C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe [2003-11-25 729088]
    "PaperPort PTD "=C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [2008-05-10 29984]
    "IndexSearch "=C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [2008-05-10 46368]
    "PPort11reminder "=C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe [2007-08-31 328992]
    "90e3ece7 "=BOGUSrundll32.exe C:\WINDOWS\system32\tmggapgf.dll []
    "BM93d0df7b "=C:\WINDOWS\system32\kotuvqxf.dll [2008-09-24 95232]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
    "H/PC Connection Agent "=C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]
    "swg "=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-09-18 68856]
    "Copernic Desktop Search - Home "=C:\Program Files\Copernic Desktop Search - Home\DesktopSearchService.exe [2008-08-28 1520640]
    "PPWebCap "=C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe [2008-05-10 83232]
    "SUPERAntiSpyware "=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-09-03 1576176]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe
    Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe

    C:\Documents and Settings\Jim\Start Menu\Programs\Startup
    OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS "= "vqltju.dll nzbvik.dll haazer.dll "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
    C:\WINDOWS\system32\LMIinit.dll [2008-05-28 87352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{B5A7F190-DDA6-4420-B3BA-52453494E6CD} "=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2008-05-26 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "authentication packages "=msv1_0
    C:\WINDOWS\system32\ljJYOggF

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername "=0
    "legalnoticecaption "=
    "legalnoticetext "=
    "shutdownwithoutlogon "=1
    "undockwithoutlogon "=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun "=145
    "NoDrives "=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveAutoRun "=
    "NoDriveTypeAutoRun "=
    "NoDrives "=
    "NoActiveDesktop "=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE "= "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook "
    "C:\Program Files\Microsoft Office\Office12\GROOVE.EXE "= "C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove "
    "C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE "= "C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote "
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe "= "C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe "= "C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe "= "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "
    "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe "= "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe "
    "C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe "= "C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe "
    "C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe "= "C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe "
    "C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe "= "C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe "
    "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe "= "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe "
    "C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe "= "C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe "
    "C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe "= "C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe "
    "C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe "= "C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe "
    "%windir%\Network Diagnostic\xpnetdiag.exe "= "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000 "
    "C:\Program Files\Stamps.com Internet Postage\ipostage.exe "= "C:\Program Files\Stamps.com Internet Postage\ipostage.exe:*:Enabled:Stamps.com "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe "= "C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe "= "C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe "= "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "
    "%windir%\Network Diagnostic\xpnetdiag.exe "= "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000 "
     
  6. 2008/09/26
    davekeys

    davekeys Inactive Thread Starter

    HijackThis part 3:


    ======List of files/folders created in the last 3 months======

    2008-09-25 22:21:47 ----D---- C:\rsit
    2008-09-25 22:21:47 ----D---- C:\Program Files\trend micro
    2008-09-25 21:53:58 ----A---- C:\WINDOWS\system32\zip.exe
    2008-09-25 21:53:58 ----A---- C:\WINDOWS\system32\strings.exe
    2008-09-25 21:53:58 ----A---- C:\WINDOWS\system32\restart.exe
    2008-09-25 21:53:58 ----A---- C:\WINDOWS\system32\Process.exe
    2008-09-25 21:53:58 ----A---- C:\WINDOWS\system32\Ntrights.exe
    2008-09-25 21:53:58 ----A---- C:\WINDOWS\system32\locate.com
    2008-09-25 21:53:58 ----A---- C:\direct.txt
    2008-09-25 21:53:37 ----D---- C:\l2mfix
    2008-09-25 19:44:16 ----A---- C:\WINDOWS\system32\ROOTKITScannerRfsbl.exe
    2008-09-24 22:04:18 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-09-24 22:03:54 ----D---- C:\Program Files\SUPERAntiSpyware
    2008-09-24 22:03:53 ----D---- C:\Documents and Settings\Jim\Application Data\SUPERAntiSpyware.com
    2008-09-24 21:04:25 ----A---- C:\WINDOWS\system32\procexp.exe
    2008-09-24 18:17:14 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-09-24 18:17:14 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-09-24 18:17:14 ----A---- C:\WINDOWS\system32\java.exe
    2008-09-24 18:09:29 ----A---- C:\WINDOWS\cookies.ini
    2008-09-24 16:02:43 ----D---- C:\fsaua.data
    2008-09-24 15:46:23 ----A---- C:\WINDOWS\system32\haazer.dll
    2008-09-24 15:46:21 ----A---- C:\WINDOWS\system32\ledbjcym.dll
    2008-09-24 15:43:52 ----ASH---- C:\WINDOWS\system32\fgpaggmtBOGUS.ini
    2008-09-24 15:43:02 ----A---- C:\WINDOWS\system32\tmggapgf.dll
    2008-09-24 15:40:04 ----A---- C:\WINDOWS\pskt.ini
    2008-09-24 15:40:01 ----A---- C:\WINDOWS\system32\kotuvqxf.dll
    2008-09-24 13:04:18 ----A---- C:\WINDOWS\system32\mcrh.tmp
    2008-09-24 09:19:05 ----D---- C:\Program Files\Lavasoft
    2008-09-24 09:19:00 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-24 09:14:08 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
    2008-09-23 16:16:53 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
    2008-09-23 16:16:31 ----D---- C:\Program Files\Spyware Doctor
    2008-09-23 16:16:31 ----D---- C:\Documents and Settings\Jim\Application Data\PC Tools
    2008-09-23 14:49:41 ----SHD---- C:\RECYCLER
    2008-09-23 14:44:29 ----SH---- C:\WINDOWS\system32\mybifvmv.ini
    2008-09-23 14:44:17 ----A---- C:\WINDOWS\system32\BOGUSvmvfibym.dll
    2008-09-23 14:41:19 ----A---- C:\WINDOWS\system32\BOGUSnzbvik.dll
    2008-09-23 14:41:17 ----A---- C:\WINDOWS\system32\ghhkljrwBOGUS.dll
    2008-09-23 14:38:19 ----A---- C:\WINDOWS\BM93d0df7b.txt
    2008-09-23 13:12:30 ----D---- C:\Avenger
    2008-09-23 13:12:30 ----A---- C:\avenger.txt
    2008-09-23 12:27:53 ----ASH---- C:\WINDOWS\system32\FggOYJjlBOGUS.ini
    2008-09-22 21:07:34 ----A---- C:\ComboFix.txt
    2008-09-22 20:55:23 ----D---- C:\WINDOWS\temp
    2008-09-22 20:43:11 ----D---- C:\WINDOWS\erdnt
    2008-09-22 20:42:05 ----D---- C:\QooBox
    2008-09-22 20:41:49 ----A---- C:\WINDOWS\zip.exe
    2008-09-22 20:41:49 ----A---- C:\WINDOWS\swreg.exe
    2008-09-22 20:41:49 ----A---- C:\WINDOWS\sed.exe
    2008-09-22 20:41:49 ----A---- C:\WINDOWS\Nircmd.exe
    2008-09-22 20:41:49 ----A---- C:\WINDOWS\grep.exe
    2008-09-22 20:41:48 ----A---- C:\WINDOWS\VFind.exe
    2008-09-22 20:41:48 ----A---- C:\WINDOWS\swxcacls.exe
    2008-09-22 20:41:48 ----A---- C:\WINDOWS\SWSC.exe
    2008-09-22 20:41:48 ----A---- C:\WINDOWS\fdsv.exe
    2008-09-22 20:14:56 ----D---- C:\VundoFix Backups
    2008-09-22 20:14:56 ----A---- C:\VundoFix.txt
    2008-09-22 20:14:15 ----A---- C:\WINDOWS\wininit.ini
    2008-09-22 16:12:27 ----D---- C:\Program Files\Spybot - Search & Destroy
    2008-09-22 16:12:27 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-22 15:23:08 ----D---- C:\temp_phw
    2008-09-22 15:11:41 ----SHD---- C:\WINDOWS\CSC
    2008-09-22 14:39:54 ----A---- C:\WINDOWS\system32\vqltjuBOGUS.dll
    2008-09-22 14:39:53 ----A---- C:\WINDOWS\system32\gcnephdrBOGUS.dll
    2008-09-22 14:36:56 ----A---- C:\WINDOWS\system32\ohdmsjnmBOGUS.dll
    2008-09-22 09:59:08 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-09-22 08:31:37 ----A---- C:\WINDOWS\system32\ixjwgdBOGUS.dll
    2008-09-22 08:31:36 ----A---- C:\WINDOWS\system32\rjsbmhssBOGUS.dll
    2008-09-22 08:21:00 ----A---- C:\WINDOWS\system32\9bc02899-.txt
    2008-09-22 08:20:16 ----ASH---- C:\WINDOWS\system32\FggOYJjlBOGUS.ini2
    2008-09-22 08:14:59 ----D---- C:\WINDOWS\system32\mC19
    2008-09-22 08:14:58 ----D---- C:\Temp
    2008-09-20 07:35:21 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
    2008-09-18 15:13:51 ----D---- C:\WINDOWS\Prefetch
    2008-09-18 15:10:54 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
    2008-09-18 15:10:44 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
    2008-09-18 15:10:33 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
    2008-09-18 15:10:24 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
    2008-09-18 15:10:14 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
    2008-09-18 15:09:50 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
    2008-09-18 15:09:38 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
    2008-09-18 15:09:28 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
    2008-09-18 15:09:19 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
    2008-09-18 15:09:09 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
    2008-09-18 15:08:48 ----HDC---- C:\WINDOWS\$NtUninstallKB915800-v4$
    2008-09-18 15:02:08 ----D---- C:\WINDOWS\system32\scripting
    2008-09-18 15:02:07 ----D---- C:\WINDOWS\l2schemas
    2008-09-18 15:02:06 ----D---- C:\WINDOWS\system32\en
    2008-09-18 15:02:05 ----D---- C:\WINDOWS\system32\bits
    2008-09-18 14:54:17 ----D---- C:\WINDOWS\ServicePackFiles
    2008-09-18 14:36:32 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
    2008-09-18 06:23:35 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
    2008-09-17 19:53:05 ----A---- C:\WINDOWS\system32\ptpusb.dll
    2008-09-17 19:53:04 ----A---- C:\WINDOWS\system32\ptpusd.dll
    2008-09-17 05:54:28 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
    2008-09-17 05:53:41 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
    2008-09-17 05:52:46 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
    2008-09-17 05:51:52 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
    2008-09-16 15:11:54 ----D---- C:\Documents and Settings\Jim\Application Data\Windows Search
    2008-09-16 15:03:17 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    2008-09-16 14:44:10 ----HDC---- C:\WINDOWS\$NtUninstallKB926239$
    2008-09-16 14:43:40 ----A---- C:\WINDOWS\system32\spmsg.dll
    2008-09-16 14:43:39 ----HDC---- C:\WINDOWS\$NtUninstallMSCompPackV1$
    2008-09-16 14:42:38 ----D---- C:\Program Files\Windows Media Connect 2
    2008-09-16 14:41:48 ----HDC---- C:\WINDOWS\$NtUninstallwmp11$
    2008-09-16 14:39:29 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
    2008-09-16 14:38:09 ----D---- C:\WINDOWS\system32\LogFiles
    2008-09-16 14:38:00 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$
    2008-09-16 14:37:05 ----D---- C:\96b5f350790660608c09b2734f604c
    2008-09-16 11:48:45 ----D---- C:\Documents and Settings\Jim\Application Data\Windows Desktop Search
    2008-09-16 11:41:27 ----D---- C:\Program Files\Windows Desktop Search
    2008-09-16 11:40:59 ----HDC---- C:\WINDOWS\$NtUninstallKB940157$
    2008-09-16 11:40:22 ----HDC---- C:\WINDOWS\$NtUninstallKB915800-v4_0$
    2008-09-16 11:39:18 ----D---- C:\d6540837577852e1ab168df47ed688
    2008-09-15 11:49:08 ----A---- C:\Stamps.com Connection Test.txt
    2008-09-14 10:02:37 ----D---- C:\Documents and Settings\Jim\Application Data\Stamps.com Internet Postage
    2008-09-14 10:01:59 ----D---- C:\Documents and Settings\All Users\Application Data\{D9AA4D17-9292-410D-9AA5-84526D062900}
    2008-09-14 10:01:47 ----D---- C:\Documents and Settings\All Users\Application Data\{97B4F769-48E2-4A00-AEF1-C2853E48F4FA}
    2008-09-14 10:01:24 ----D---- C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
    2008-09-14 10:01:00 ----D---- C:\Documents and Settings\All Users\Application Data\{FBB5C4A9-4848-46A0-8863-C359F08D7728}
    2008-09-14 10:00:07 ----D---- C:\Program Files\Stamps.com Internet Postage
    2008-09-11 08:00:42 ----D---- C:\Documents and Settings\Jim\Application Data\Help
    2008-09-10 16:35:41 ----HDC---- C:\WINDOWS\$NtUninstallKB938464_0$
    2008-09-08 07:18:16 ----HDC---- C:\WINDOWS\$NtUninstallKB932823-v3$
    2008-09-07 10:08:09 ----D---- C:\WINDOWS\ie7updates
    2008-09-07 10:07:19 ----D---- C:\WINDOWS\WBEM
    2008-09-07 10:07:17 ----D---- C:\WINDOWS\system32\en-US
    2008-09-07 10:05:15 ----HDC---- C:\WINDOWS\ie7
    2008-09-07 10:05:00 ----HDC---- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
    2008-09-07 10:04:23 ----HDC---- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
    2008-09-07 10:03:37 ----HDC---- C:\WINDOWS\$NtUninstallKB915865$
    2008-09-07 10:03:34 ----A---- C:\WINDOWS\system32\xmllite.dll
    2008-09-07 10:02:27 ----D---- C:\WINDOWS\network diagnostic
    2008-09-07 10:02:26 ----HDC---- C:\WINDOWS\$NtUninstallKB914440$
    2008-09-07 10:02:12 ----HDC---- C:\WINDOWS\$NtUninstallKB904942$
    2008-09-07 09:55:45 ----A---- C:\WINDOWS\system32\MRT.exe
    2008-09-05 23:30:42 ----N---- C:\WINDOWS\system32\WgaLogon.dll
    2008-09-05 23:29:58 ----N---- C:\WINDOWS\system32\WgaTray.exe
    2008-09-05 19:32:35 ----D---- C:\Program Files\Copernic Desktop Search - Home
    2008-09-04 21:35:23 ----D---- C:\Documents and Settings\Jim\Application Data\ScanSoft
    2008-09-04 21:22:14 ----A---- C:\WINDOWS\maxlink.ini
    2008-09-04 21:22:01 ----D---- C:\Documents and Settings\Jim\Application Data\.oit
    2008-09-04 21:20:40 ----D---- C:\Program Files\ScanSoft
    2008-09-04 13:42:55 ----D---- C:\Documents and Settings\Jim\Application Data\Libronix DLS
    2008-09-04 13:42:51 ----D---- C:\Documents and Settings\All Users\Application Data\Libronix DLS
    2008-09-04 13:42:03 ----D---- C:\Program Files\Libronix DLS
    2008-09-03 21:23:07 ----D---- C:\Documents and Settings\Jim\Application Data\Mobipocket
    2008-09-03 21:21:43 ----D---- C:\Program Files\Mobipocket.com
    2008-09-03 05:28:28 ----D---- C:\Program Files\MSXML 4.0
    2008-09-02 21:29:14 ----D---- C:\Documents and Settings\Jim\Application Data\Download Manager
    2008-09-02 21:19:41 ----D---- C:\Documents and Settings\Jim\Application Data\HPAppData
    2008-09-02 21:18:29 ----D---- C:\Program Files\Common Files\Borland Shared
    2008-09-02 21:17:23 ----D---- C:\Program Files\WordPerfect Office 12
    2008-09-02 20:07:19 ----D---- C:\Documents and Settings\Jim\Application Data\HP
    2008-09-02 19:59:42 ----D---- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
    2008-09-02 19:58:34 ----D---- C:\Documents and Settings\All Users\Application Data\HP
    2008-09-02 19:57:20 ----D---- C:\Program Files\Common Files\HP
    2008-09-02 19:57:18 ----D---- C:\Program Files\Common Files\Hewlett-Packard
    2008-09-02 19:57:17 ----D---- C:\Program Files\Hewlett-Packard
    2008-09-02 19:55:37 ----D---- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
    2008-09-02 19:55:16 ----A---- C:\WINDOWS\system32\hpz3l5ha.dll
    2008-09-02 19:55:15 ----RA---- C:\WINDOWS\system32\hpzids01.dll
    2008-09-02 19:53:55 ----RA---- C:\WINDOWS\system32\hpwwiax3.dll
    2008-09-02 19:53:55 ----RA---- C:\WINDOWS\system32\hpwtiop3.dll
    2008-09-02 19:53:55 ----RA---- C:\WINDOWS\system32\hppldcoi.dll
    2008-09-02 19:53:55 ----RA---- C:\WINDOWS\system32\hpovst11.dll
    2008-09-02 19:53:55 ----RA---- C:\WINDOWS\system32\difxapi.dll
    2008-09-02 19:52:21 ----RA---- C:\WINDOWS\hpzshl01.exe
    2008-09-02 19:52:21 ----RA---- C:\WINDOWS\hpzmsi01.exe
    2008-09-02 19:52:17 ----D---- C:\WINDOWS\braveheart
    2008-09-02 19:51:46 ----D---- C:\Program Files\HP
    2008-09-02 08:09:18 ----D---- C:\Documents and Settings\Jim\Application Data\gtk-2.0
    2008-09-02 08:07:19 ----D---- C:\Documents and Settings\Jim\Application Data\.purple
    2008-09-02 08:06:50 ----D---- C:\Program Files\Pidgin
    2008-09-02 08:06:24 ----D---- C:\Program Files\Common Files\GTK
    2008-09-01 16:43:10 ----D---- C:\Documents and Settings\All Users\Application Data\Sling Media
    2008-09-01 16:42:10 ----D---- C:\WINDOWS\Downloaded Installations
    2008-09-01 16:41:50 ----D---- C:\Program Files\Sling Media
    2008-09-01 16:25:58 ----D---- C:\Documents and Settings\All Users\Application Data\LogMeIn
    2008-09-01 16:25:54 ----A---- C:\WINDOWS\system32\LMIRfsClientNP.dll
    2008-09-01 16:25:54 ----A---- C:\WINDOWS\system32\LMIport.dll
    2008-09-01 16:25:29 ----A---- C:\WINDOWS\system32\LMIinit.dll
    2008-09-01 16:25:19 ----D---- C:\Program Files\LogMeIn
    2008-09-01 16:23:47 ----D---- C:\WINDOWS\Sun
    2008-09-01 16:23:47 ----D---- C:\Documents and Settings\Jim\Application Data\Sun
    2008-09-01 16:18:32 ----D---- C:\Program Files\Evernote
    2008-09-01 16:17:36 ----D---- C:\Documents and Settings\Jim\Application Data\InstallShield
    2008-09-01 15:59:52 ----D---- C:\Documents and Settings\Jim\Application Data\Zeon
    2008-09-01 15:30:23 ----D---- C:\Documents and Settings\All Users\Application Data\InstallShield
    2008-09-01 15:30:15 ----HD---- C:\WINDOWS\system32\GroupPolicy
    2008-09-01 15:30:13 ----D---- C:\Documents and Settings\All Users\Application Data\Nuance
    2008-09-01 15:30:12 ----D---- C:\Documents and Settings\All Users\Application Data\ScanSoft
    2008-09-01 15:29:50 ----D---- C:\Program Files\Common Files\ScanSoft Shared
    2008-09-01 15:29:49 ----D---- C:\Program Files\Nuance
    2008-09-01 15:29:49 ----D---- C:\Documents and Settings\All Users\Application Data\Zeon
    2008-09-01 15:08:35 ----HDC---- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
    2008-09-01 14:53:49 ----D---- C:\pdfpro50r-efg
    2008-09-01 14:45:55 ----D---- C:\Documents and Settings\Jim\Application Data\Corel
    2008-09-01 14:41:54 ----D---- C:\Documents and Settings\All Users\Application Data\Corel
    2008-09-01 14:40:18 ----D---- C:\Program Files\Corel
    2008-09-01 14:40:18 ----D---- C:\Program Files\Common Files\Corel
    2008-09-01 14:37:23 ----HDC---- C:\WINDOWS\$MSI31Uninstall_KB893803$
    2008-09-01 14:18:18 ----D---- C:\Documents and Settings\Jim\Application Data\Macromedia
    2008-09-01 14:16:04 ----D---- C:\Documents and Settings\Jim\Application Data\Mozilla
    2008-09-01 12:50:29 ----HDC---- C:\WINDOWS\$NtUninstallKB909394$
    2008-09-01 12:50:10 ----D---- C:\Program Files\Microsoft ActiveSync
    2008-09-01 12:49:16 ----D---- C:\Documents and Settings\Jim\Application Data\Adobe
    2008-09-01 12:35:31 ----A---- C:\WINDOWS\system32\wmphoto.dll
    2008-09-01 12:35:28 ----A---- C:\WINDOWS\system32\wlanapi.dll
    2008-09-01 12:35:25 ----A---- C:\WINDOWS\system32\windowscodecsext.dll
    2008-09-01 12:35:25 ----A---- C:\WINDOWS\system32\windowscodecs.dll
    2008-09-01 12:35:21 ----A---- C:\WINDOWS\system32\verclsid.exe
    2008-09-01 12:35:15 ----A---- C:\WINDOWS\system32\tspkg.dll
    2008-09-01 12:35:15 ----A---- C:\WINDOWS\system32\tsgqec.dll
    2008-09-01 12:35:05 ----A---- C:\WINDOWS\system32\spupdwxp.exe
    2008-09-01 12:35:03 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
    2008-09-01 12:35:02 ----N---- C:\WINDOWS\slrundll.exe
    2008-09-01 12:35:02 ----A---- C:\WINDOWS\system32\slserv.exe
    2008-09-01 12:35:02 ----A---- C:\WINDOWS\system32\slrundll.exe
    2008-09-01 12:35:01 ----A---- C:\WINDOWS\system32\slgen.dll
    2008-09-01 12:35:01 ----A---- C:\WINDOWS\system32\slextspk.dll
    2008-09-01 12:35:01 ----A---- C:\WINDOWS\system32\slcoinst.dll
    2008-09-01 12:34:58 ----A---- C:\WINDOWS\system32\setupn.exe
    2008-09-01 12:34:56 ----A---- C:\WINDOWS\system32\s3gnb.dll
    2008-09-01 12:34:54 ----A---- C:\WINDOWS\system32\rhttpaa.dll
    2008-09-01 12:34:53 ----A---- C:\WINDOWS\system32\rasqec.dll
    2008-09-01 12:34:52 ----A---- C:\WINDOWS\system32\qutil.dll
    2008-09-01 12:34:51 ----A---- C:\WINDOWS\system32\qcliprov.dll
    2008-09-01 12:34:50 ----A---- C:\WINDOWS\system32\qagentrt.dll
    2008-09-01 12:34:50 ----A---- C:\WINDOWS\system32\qagent.dll
    2008-09-01 12:34:48 ----A---- C:\WINDOWS\system32\photometadatahandler.dll
    2008-09-01 12:34:45 ----A---- C:\WINDOWS\system32\onex.dll
    2008-09-01 12:34:36 ----A---- C:\WINDOWS\system32\napstat.exe
    2008-09-01 12:34:36 ----A---- C:\WINDOWS\system32\napmontr.dll
    2008-09-01 12:34:36 ----A---- C:\WINDOWS\system32\napipsec.dll
    2008-09-01 12:34:36 ----A---- C:\WINDOWS\system32\mtxparhd.dll
    2008-09-01 12:34:35 ----A---- C:\WINDOWS\system32\msxml6r.dll
    2008-09-01 12:34:35 ----A---- C:\WINDOWS\system32\msxml6.dll
    2008-09-01 12:34:33 ----A---- C:\WINDOWS\system32\msshavmsg.dll
    2008-09-01 12:34:33 ----A---- C:\WINDOWS\system32\mssha.dll
    2008-09-01 12:34:21 ----A---- C:\WINDOWS\system32\mmcperf.exe
    2008-09-01 12:34:21 ----A---- C:\WINDOWS\system32\mmcfxcommon.dll
    2008-09-01 12:34:20 ----A---- C:\WINDOWS\system32\mmcex.dll
    2008-09-01 12:34:20 ----A---- C:\WINDOWS\system32\microsoft.managementconsole.dll
    2008-09-01 12:34:12 ----A---- C:\WINDOWS\system32\l2gpstore.dll
    2008-09-01 12:34:12 ----A---- C:\WINDOWS\system32\kmsvc.dll
    2008-09-01 12:34:12 ----A---- C:\WINDOWS\system32\kbdpash.dll
    2008-09-01 12:34:12 ----A---- C:\WINDOWS\system32\kbdnepr.dll
    2008-09-01 12:34:12 ----A---- C:\WINDOWS\system32\kbdiultn.dll
    2008-09-01 12:34:12 ----A---- C:\WINDOWS\system32\kbdbhc.dll
    2008-09-01 12:34:06 ----A---- C:\WINDOWS\system32\smtpapi.dll
    2008-09-01 12:34:06 ----A---- C:\WINDOWS\system32\rwnh.dll
    2008-09-01 12:34:03 ----A---- C:\WINDOWS\system32\comsdupd.exe
    2008-09-01 12:34:01 ----A---- C:\WINDOWS\system32\hsfcisp2.dll
    2008-09-01 12:33:58 ----A---- C:\WINDOWS\system32\faxpatch.exe
    2008-09-01 12:33:58 ----A---- C:\WINDOWS\002881_.tmp
    2008-09-01 12:33:57 ----A---- C:\WINDOWS\system32\eapsvc.dll
    2008-09-01 12:33:57 ----A---- C:\WINDOWS\system32\eapqec.dll
    2008-09-01 12:33:57 ----A---- C:\WINDOWS\system32\eappprxy.dll
    2008-09-01 12:33:57 ----A---- C:\WINDOWS\system32\eapphost.dll
    2008-09-01 12:33:57 ----A---- C:\WINDOWS\system32\eappgnui.dll
    2008-09-01 12:33:57 ----A---- C:\WINDOWS\system32\eappcfg.dll
    2008-09-01 12:33:57 ----A---- C:\WINDOWS\system32\eapp3hst.dll
    2008-09-01 12:33:57 ----A---- C:\WINDOWS\system32\eapolqec.dll
    2008-09-01 12:33:56 ----A---- C:\WINDOWS\system32\dot3ui.dll
    2008-09-01 12:33:56 ----A---- C:\WINDOWS\system32\dot3svc.dll
    2008-09-01 12:33:56 ----A---- C:\WINDOWS\system32\dot3msm.dll
    2008-09-01 12:33:56 ----A---- C:\WINDOWS\system32\dot3gpclnt.dll
    2008-09-01 12:33:56 ----A---- C:\WINDOWS\system32\dot3dlg.dll
    2008-09-01 12:33:56 ----A---- C:\WINDOWS\system32\dot3cfg.dll
    2008-09-01 12:33:56 ----A---- C:\WINDOWS\system32\dot3api.dll
    2008-09-01 12:33:55 ----A---- C:\WINDOWS\system32\dimsroam.dll
    2008-09-01 12:33:55 ----A---- C:\WINDOWS\system32\dimsntfy.dll
    2008-09-01 12:33:55 ----A---- C:\WINDOWS\system32\dhcpqec.dll
    2008-09-01 12:33:53 ----A---- C:\WINDOWS\system32\credssp.dll
    2008-09-01 12:33:50 ----A---- C:\WINDOWS\system32\bitsprx4.dll
    2008-09-01 12:33:50 ----A---- C:\WINDOWS\system32\azroles.dll
    2008-09-01 12:33:49 ----A---- C:\WINDOWS\system32\ativvaxx.dll
    2008-09-01 12:33:49 ----A---- C:\WINDOWS\system32\ativtmxx.dll
    2008-09-01 12:33:49 ----A---- C:\WINDOWS\system32\ati3duag.dll
    2008-09-01 12:33:49 ----A---- C:\WINDOWS\system32\ati3d1ag.dll
    2008-09-01 12:33:49 ----A---- C:\WINDOWS\system32\ati2dvag.dll
    2008-09-01 12:33:49 ----A---- C:\WINDOWS\system32\ati2dvaa.dll
    2008-09-01 12:33:49 ----A---- C:\WINDOWS\system32\ati2cqag.dll
    2008-09-01 12:33:46 ----A---- C:\WINDOWS\system32\aaclient.dll
    2008-09-01 12:09:44 ----D---- C:\Documents and Settings\Jim\Application Data\Google
    2008-09-01 11:48:46 ----D---- C:\Documents and Settings\Jim\Application Data\Logitech
    2008-09-01 11:48:31 ----A---- C:\WINDOWS\system32\wmpns.dll
    2008-09-01 11:48:30 ----D---- C:\Documents and Settings\Jim\Application Data\Identities
    2008-09-01 11:48:17 ----ASH---- C:\Documents and Settings\Jim\Application Data\desktop.ini
    2008-09-01 11:48:16 ----SD---- C:\Documents and Settings\Jim\Application Data\Microsoft
    2008-09-01 09:40:02 ----D---- C:\Program Files\Live Search Maps for Outlook
    2008-09-01 09:07:32 ----D---- C:\WINDOWS\RegisteredPackages
    2008-09-01 09:07:27 ----D---- C:\Program Files\Microsoft Streets & Trips
    2008-09-01 09:07:27 ----D---- C:\Program Files\Microsoft Location Finder
    2008-09-01 09:00:05 ----RSD---- C:\WINDOWS\assembly
    2008-09-01 09:00:05 ----D---- C:\WINDOWS\Microsoft.NET
    2008-09-01 09:00:04 ----D---- C:\WINDOWS\system32\URTTemp
    2008-09-01 08:51:41 ----A---- C:\WINDOWS\system32\muweb.dll
    2008-09-01 08:51:41 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
    2008-09-01 08:51:41 ----A---- C:\WINDOWS\system32\mucltui.dll
    2008-08-31 22:46:17 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2_0$
    2008-08-31 22:46:09 ----HDC---- C:\WINDOWS\$NtUninstallKB952954_0$
    2008-08-31 22:46:01 ----HDC---- C:\WINDOWS\$NtUninstallKB946648_0$
    2008-08-31 22:45:52 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
    2008-08-31 22:45:43 ----HDC---- C:\WINDOWS\$NtUninstallKB950974_0$
    2008-08-31 22:45:34 ----HDC---- C:\WINDOWS\$NtUninstallKB951698_0$
    2008-08-31 22:45:22 ----HDC---- C:\WINDOWS\$NtUninstallKB950762_0$
    2008-08-31 22:45:13 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
    2008-08-31 22:45:02 ----HDC---- C:\WINDOWS\$NtUninstallKB952287_0$
    2008-08-31 22:44:53 ----HDC---- C:\WINDOWS\$NtUninstallKB951066_0$
    2008-08-31 22:44:26 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
    2008-08-31 22:44:07 ----HDC---- C:\WINDOWS\$NtUninstallKB951748_0$
    2008-08-31 22:43:50 ----HDC---- C:\WINDOWS\$NtUninstallKB950749$
    2008-08-31 22:43:35 ----HDC---- C:\WINDOWS\$NtUninstallKB944338-v2$
    2008-08-31 21:59:11 ----A---- C:\WINDOWS\system32\msonpmon.dll
    2008-08-31 21:56:49 ----D---- C:\Program Files\Microsoft Works
    2008-08-31 21:56:31 ----D---- C:\Program Files\MSBuild
    2008-08-31 21:55:40 ----D---- C:\Program Files\Microsoft Visual Studio
    2008-08-31 21:55:40 ----D---- C:\Program Files\Common Files\DESIGNER
    2008-08-31 21:49:06 ----D---- C:\WINDOWS\SHELLNEW
    2008-08-31 21:48:28 ----D---- C:\Program Files\Microsoft Office
    2008-08-31 21:48:27 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-08-31 21:48:02 ----RHD---- C:\MSOCache
    2008-08-31 20:54:45 ----D---- C:\Program Files\Mozilla Firefox
    2008-08-31 20:48:50 ----D---- C:\WINDOWS\system32\PreInstall
    2008-08-31 20:48:47 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
    2008-08-31 20:48:47 ----HD---- C:\WINDOWS\$hf_mig$
    2008-08-31 20:42:15 ----D---- C:\Program Files\ESET
    2008-08-31 20:42:15 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
    2008-08-31 20:00:30 ----D---- C:\Program Files\Common Files\Adobe AIR
    2008-08-31 19:59:53 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
    2008-08-31 19:59:40 ----D---- C:\Program Files\Common Files\Adobe
    2008-08-31 19:59:40 ----D---- C:\Program Files\Adobe
    2008-08-31 19:58:05 ----D---- C:\Documents and Settings\All Users\Application Data\Google
    2008-08-31 19:57:58 ----D---- C:\Program Files\Google
    2008-08-31 19:57:51 ----D---- C:\Program Files\NOS
    2008-08-31 19:57:51 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
    2008-08-31 17:55:52 ----D---- C:\WINDOWS\system32\SoftwareDistribution
    2008-08-31 17:42:50 ----D---- C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2008-08-31 17:15:26 ----A---- C:\WINDOWS\system32\spupdsvc.exe
    2008-08-31 17:15:24 ----HDC---- C:\WINDOWS\$NtUninstallWdf01005$
    2008-08-31 17:14:59 ----A---- C:\WINDOWS\KHALMNPR.Exe
    2008-08-31 17:14:58 ----A---- C:\WINDOWS\system32\WdfCoInstaller01005.dll
    2008-08-31 17:14:56 ----DC---- C:\WINDOWS\system32\DRVSTORE
    2008-08-31 17:14:48 ----A---- C:\WINDOWS\system32\KemXML.dll
    2008-08-31 17:14:48 ----A---- C:\WINDOWS\system32\KemWnd.dll
    2008-08-31 17:14:48 ----A---- C:\WINDOWS\system32\KemUtil.dll
    2008-08-31 17:14:48 ----A---- C:\WINDOWS\system32\kemutb.dll
    2008-08-31 17:14:33 ----D---- C:\Documents and Settings\All Users\Application Data\Logitech
    2008-08-31 17:14:32 ----D---- C:\Program Files\Logitech
    2008-08-31 17:14:30 ----D---- C:\Program Files\Common Files\Logitech
    2008-08-31 16:16:35 ----RA---- C:\WINDOWS\system32\Vxdif.dll
    2008-08-31 16:16:35 ----D---- C:\Program Files\Apoint
    2008-08-31 16:13:39 ----D---- C:\Program Files\Modem Helper
    2008-08-31 16:10:33 ----RA---- C:\WINDOWS\system32\BMAPI.dll
    2008-08-31 16:10:21 ----D---- C:\Program Files\Dell
    2008-08-31 16:07:59 ----D---- C:\WINDOWS\nview
    2008-08-31 16:07:59 ----A---- C:\WINDOWS\system32\nvudisp.exe
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nwiz.exe
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvwrszht.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvwrszhc.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvwrsptb.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvwrsko.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvwrsja.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvwrsit.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvwrsfr.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvwrses.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvwrsde.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvwimg.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvwdmcpl.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvwddi.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvsvc32.exe
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvshell.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvrszht.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvrszhc.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvrsptb.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvrsko.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvrsja.dll
    2008-08-31 16:07:42 ----A---- C:\WINDOWS\system32\nvrsit.dll
    2008-08-31 16:07:41 ----A---- C:\WINDOWS\system32\nvrsfr.dll
    2008-08-31 16:07:41 ----A---- C:\WINDOWS\system32\nvrses.dll
    2008-08-31 16:07:41 ----A---- C:\WINDOWS\system32\nvrsde.dll
    2008-08-31 16:07:41 ----A---- C:\WINDOWS\system32\nvoglnt.dll
    2008-08-31 16:07:41 ----A---- C:\WINDOWS\system32\nvmctray.dll
    2008-08-31 16:07:40 ----A---- C:\WINDOWS\system32\nview.dll
    2008-08-31 16:07:40 ----A---- C:\WINDOWS\system32\nvdspsch.exe
    2008-08-31 16:07:39 ----A---- C:\WINDOWS\system32\nvcpl.dll
    2008-08-31 16:07:39 ----A---- C:\WINDOWS\system32\nvcodins.dll
    2008-08-31 16:07:39 ----A---- C:\WINDOWS\system32\nvcod.dll
    2008-08-31 16:07:39 ----A---- C:\WINDOWS\system32\nvappbar.exe
    2008-08-31 16:07:38 ----A---- C:\WINDOWS\system32\nv4_disp.dll
    2008-08-31 16:07:38 ----A---- C:\WINDOWS\system32\keystone.exe
    2008-08-31 16:06:45 ----A---- C:\WINDOWS\system32\BCMLogon.dll
    2008-08-31 16:06:45 ----A---- C:\WINDOWS\system32\AegisI5.exe
    2008-08-31 16:06:44 ----A---- C:\WINDOWS\system32\WLTRYSVC.EXE
    2008-08-31 16:06:44 ----A---- C:\WINDOWS\system32\BCMWLTRY.EXE
    2008-08-31 16:06:44 ----A---- C:\WINDOWS\system32\AegisE5.dll
    2008-08-31 16:06:36 ----A---- C:\WINDOWS\system32\BCMWLU00.EXE
    2008-08-31 16:06:36 ----A---- C:\WINDOWS\system32\BCMWLD2K.EXE
    2008-08-31 16:04:43 ----D---- C:\Program Files\Broadcom
    2008-08-31 16:03:31 ----D---- C:\Program Files\CONEXANT
    2008-08-31 16:03:25 ----A---- C:\WINDOWS\system32\mdmxsdk.dll
    2008-08-31 16:03:25 ----A---- C:\WINDOWS\system32\HSFCI010.dll
    2008-08-31 16:01:13 ----D---- C:\WINDOWS\tiinst
    2008-08-31 15:58:00 ----D---- C:\Program Files\Intel
    2008-08-31 15:57:30 ----D---- C:\WINDOWS\system32\ReinstallBackups
    2008-08-31 15:56:12 ----A---- C:\WINDOWS\system32\ksuser.dll
    2008-08-31 15:56:06 ----D---- C:\Program Files\SigmaTel
    2008-08-31 15:53:41 ----D---- C:\Program Files\Java
    2008-08-31 15:53:41 ----D---- C:\Program Files\Common Files\Java
    2008-08-31 15:48:49 ----D---- C:\Program Files\Dell Computer Corporation
    2008-08-31 15:42:40 ----A---- C:\WINDOWS\system32\hidserv.dll
    2008-08-31 15:36:44 ----RA---- C:\WINDOWS\system32\hhactivex.dll
    2008-08-31 15:36:44 ----A---- C:\WINDOWS\system32\RcdScan.dll
    2008-08-31 15:36:42 ----A---- C:\WINDOWS\system32\VB5DB.DLL
    2008-08-31 15:36:36 ----HD---- C:\Program Files\InstallShield Installation Information
    2008-08-31 15:33:17 ----D---- C:\Program Files\Common Files\InstallShield
    2008-08-31 15:26:32 ----HD---- C:\Program Files\Uninstall Information
    2008-08-31 15:25:46 ----D---- C:\WINDOWS\SoftwareDistribution
    2008-08-31 15:25:44 ----SD---- C:\WINDOWS\system32\Microsoft
    2008-08-31 15:25:44 ----A---- C:\WINDOWS\SchedLgU.Txt
    2008-08-31 15:20:05 ----D---- C:\WINDOWS\system32\xircom
    2008-08-31 15:20:05 ----D---- C:\Program Files\xerox
    2008-08-31 15:20:05 ----D---- C:\Program Files\microsoft frontpage
    2008-08-31 15:19:50 ----D---- C:\DELL
    2008-08-31 15:19:36 ----A---- C:\WINDOWS\control.ini
    2008-08-31 15:19:36 ----A---- C:\AUTOEXEC.BAT
    2008-08-31 15:19:22 ----A---- C:\WINDOWS\OEWABLog.txt
    2008-08-31 15:19:16 ----A---- C:\WINDOWS\system32\mapi32.dll
    2008-08-31 15:18:14 ----SD---- C:\WINDOWS\Downloaded Program Files
    2008-08-31 15:18:14 ----RD---- C:\WINDOWS\Offline Web Pages
    2008-08-31 15:18:14 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
    2008-08-31 15:18:08 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
    2008-08-31 15:18:02 ----HD---- C:\Program Files\WindowsUpdate
    2008-08-31 15:17:41 ----D---- C:\WINDOWS\system32\DirectX
    2008-08-31 15:17:23 ----A---- C:\WINDOWS\system32\atrace.dll
    2008-08-31 15:17:20 ----A---- C:\WINDOWS\system32\desktop.ini
    2008-08-31 15:17:20 ----A---- C:\WINDOWS\desktop.ini
    2008-08-31 15:17:13 ----A---- C:\WINDOWS\system32\nmevtmsg.dll
    2008-08-31 15:17:12 ----A---- C:\WINDOWS\system32\acctres.dll
    2008-08-31 15:17:11 ----D---- C:\Program Files\Common Files\Services
    2008-08-31 15:17:09 ----SD---- C:\WINDOWS\Tasks
    2008-08-31 15:17:09 ----A---- C:\WINDOWS\system32\icfgnt5.dll
    2008-08-31 15:17:08 ----D---- C:\Program Files\Common Files\MSSoap
    2008-08-31 15:17:04 ----D---- C:\WINDOWS\srchasst
    2008-08-31 15:17:03 ----D---- C:\WINDOWS\system32\Macromed
    2008-08-31 15:17:00 ----A---- C:\WINDOWS\system32\wuweb.dll
    2008-08-31 15:17:00 ----A---- C:\WINDOWS\system32\wups.dll
    2008-08-31 15:17:00 ----A---- C:\WINDOWS\system32\wucltui.dll
    2008-08-31 15:17:00 ----A---- C:\WINDOWS\system32\wuauserv.dll
    2008-08-31 15:17:00 ----A---- C:\WINDOWS\system32\wuaueng1.dll
    2008-08-31 15:17:00 ----A---- C:\WINDOWS\system32\wuaueng.dll
    2008-08-31 15:17:00 ----A---- C:\WINDOWS\system32\wuauclt1.exe
    2008-08-31 15:17:00 ----A---- C:\WINDOWS\system32\wuauclt.exe
    2008-08-31 15:17:00 ----A---- C:\WINDOWS\system32\wuapi.dll
    2008-08-31 15:16:59 ----A---- C:\WINDOWS\system32\qmgrprxy.dll
    2008-08-31 15:16:59 ----A---- C:\WINDOWS\system32\qmgr.dll
    2008-08-31 15:16:59 ----A---- C:\WINDOWS\system32\bitsprx3.dll
    2008-08-31 15:16:59 ----A---- C:\WINDOWS\system32\bitsprx2.dll
    2008-08-31 15:16:56 ----D---- C:\Program Files\Movie Maker
    2008-08-31 15:16:52 ----A---- C:\WINDOWS\system32\safrslv.dll
    2008-08-31 15:16:52 ----A---- C:\WINDOWS\system32\safrdm.dll
    2008-08-31 15:16:52 ----A---- C:\WINDOWS\system32\safrcdlg.dll
    2008-08-31 15:16:52 ----A---- C:\WINDOWS\system32\racpldlg.dll
    2008-08-31 15:16:49 ----A---- C:\WINDOWS\system32\fltmc.exe
    2008-08-31 15:16:49 ----A---- C:\WINDOWS\system32\fltlib.dll
    2008-08-31 15:16:48 ----D---- C:\WINDOWS\system32\Restore
    2008-08-31 15:16:48 ----A---- C:\WINDOWS\system32\srsvc.dll
    2008-08-31 15:16:48 ----A---- C:\WINDOWS\system32\srrstr.dll
    2008-08-31 15:16:48 ----A---- C:\WINDOWS\system32\srclient.dll
    2008-08-31 15:16:48 ----A---- C:\WINDOWS\system32\ils.dll
    2008-08-31 15:16:47 ----A---- C:\WINDOWS\system32\nmmkcert.dll
    2008-08-31 15:16:47 ----A---- C:\WINDOWS\system32\msconf.dll
    2008-08-31 15:16:47 ----A---- C:\WINDOWS\system32\mnmsrvc.exe
    2008-08-31 15:16:47 ----A---- C:\WINDOWS\system32\mnmdd.dll
    2008-08-31 15:16:47 ----A---- C:\WINDOWS\system32\isrdbg32.dll
    2008-08-31 15:16:44 ----D---- C:\Program Files\NetMeeting
    2008-08-31 15:16:44 ----A---- C:\WINDOWS\system32\msoert2.dll
    2008-08-31 15:16:44 ----A---- C:\WINDOWS\system32\msoeacct.dll
    2008-08-31 15:16:43 ----A---- C:\WINDOWS\system32\inetres.dll
    2008-08-31 15:16:43 ----A---- C:\WINDOWS\system32\inetcomm.dll
    2008-08-31 15:16:41 ----D---- C:\Program Files\Outlook Express
    2008-08-31 15:16:41 ----A---- C:\WINDOWS\system32\schedsvc.dll
    2008-08-31 15:16:41 ----A---- C:\WINDOWS\system32\mstinit.exe
    2008-08-31 15:16:41 ----A---- C:\WINDOWS\system32\mstask.dll
    2008-08-31 15:16:40 ----A---- C:\WINDOWS\system32\isign32.dll
    2008-08-31 15:16:40 ----A---- C:\WINDOWS\system32\inetcfg.dll
    2008-08-31 15:16:40 ----A---- C:\WINDOWS\system32\icwphbk.dll
    2008-08-31 15:16:40 ----A---- C:\WINDOWS\system32\icwdial.dll
    2008-08-31 15:16:35 ----D---- C:\Program Files\Common Files\System
    2008-08-31 15:16:29 ----D---- C:\Program Files\Internet Explorer
    2008-08-31 15:15:51 ----D---- C:\Program Files\ComPlus Applications
    2008-08-31 15:15:49 ----A---- C:\WINDOWS\vbaddin.ini
    2008-08-31 15:15:49 ----A---- C:\WINDOWS\vb.ini
    2008-08-31 15:15:43 ----D---- C:\WINDOWS\Registration
     
  7. 2008/09/26
    davekeys

    davekeys Inactive Thread Starter

    HijackThis part 4:

    2008-08-31 15:15:33 ----D---- C:\Program Files\Windows Media Player
    2008-08-31 15:15:33 ----D---- C:\Program Files\Online Services
    2008-08-31 15:15:26 ----D---- C:\Program Files\Messenger
    2008-08-31 15:15:22 ----D---- C:\Program Files\MSN Gaming Zone
    2008-08-31 15:15:22 ----A---- C:\WINDOWS\system32\write.exe
    2008-08-31 15:15:14 ----A---- C:\WINDOWS\system32\sndvol32.exe
    2008-08-31 15:15:14 ----A---- C:\WINDOWS\system32\hticons.dll
    2008-08-31 15:15:13 ----A---- C:\WINDOWS\system32\winchat.exe
    2008-08-31 15:15:13 ----A---- C:\WINDOWS\system32\avwav.dll
    2008-08-31 15:15:13 ----A---- C:\WINDOWS\system32\avtapi.dll
    2008-08-31 15:15:13 ----A---- C:\WINDOWS\system32\avmeter.dll
    2008-08-31 15:15:07 ----A---- C:\WINDOWS\system32\getuname.dll
    2008-08-31 15:15:07 ----A---- C:\WINDOWS\system32\charmap.exe
    2008-08-31 15:15:06 ----A---- C:\WINDOWS\system32\winmine.exe
    2008-08-31 15:15:06 ----A---- C:\WINDOWS\system32\sol.exe
    2008-08-31 15:15:06 ----A---- C:\WINDOWS\system32\mshearts.exe
    2008-08-31 15:15:06 ----A---- C:\WINDOWS\system32\calc.exe
    2008-08-31 15:15:05 ----A---- C:\WINDOWS\system32\usrlogon.cmd
    2008-08-31 15:15:05 ----A---- C:\WINDOWS\system32\tsshutdn.exe
    2008-08-31 15:15:05 ----A---- C:\WINDOWS\system32\tslabels.ini
    2008-08-31 15:15:05 ----A---- C:\WINDOWS\system32\tskill.exe
    2008-08-31 15:15:05 ----A---- C:\WINDOWS\system32\tsdiscon.exe
    2008-08-31 15:15:05 ----A---- C:\WINDOWS\system32\tscon.exe
    2008-08-31 15:15:05 ----A---- C:\WINDOWS\system32\shadow.exe
    2008-08-31 15:15:05 ----A---- C:\WINDOWS\system32\rwinsta.exe
    2008-08-31 15:15:05 ----A---- C:\WINDOWS\system32\reset.exe
    2008-08-31 15:15:05 ----A---- C:\WINDOWS\system32\regini.exe
    2008-08-31 15:15:05 ----A---- C:\WINDOWS\system32\rdpcfgex.dll
    2008-08-31 15:15:05 ----A---- C:\WINDOWS\system32\qwinsta.exe
    2008-08-31 15:15:05 ----A---- C:\WINDOWS\system32\qappsrv.exe
    2008-08-31 15:15:05 ----A---- C:\WINDOWS\system32\freecell.exe
    2008-08-31 15:15:04 ----A---- C:\WINDOWS\system32\msg.exe
    2008-08-31 15:15:04 ----A---- C:\WINDOWS\system32\msdtcprf.ini
    2008-08-31 15:15:04 ----A---- C:\WINDOWS\system32\logoff.exe
    2008-08-31 15:15:04 ----A---- C:\WINDOWS\system32\cdmodem.dll
    2008-08-31 15:15:03 ----A---- C:\WINDOWS\system32\stclient.dll
    2008-08-31 15:15:03 ----A---- C:\WINDOWS\system32\mtxlegih.dll
    2008-08-31 15:15:03 ----A---- C:\WINDOWS\system32\mtxex.dll
    2008-08-31 15:15:03 ----A---- C:\WINDOWS\system32\mtxdm.dll
    2008-08-31 15:15:03 ----A---- C:\WINDOWS\system32\dcomcnfg.exe
    2008-08-31 15:15:03 ----A---- C:\WINDOWS\system32\comsnap.dll
    2008-08-31 15:15:03 ----A---- C:\WINDOWS\system32\comrepl.dll
    2008-08-31 15:15:03 ----A---- C:\WINDOWS\system32\comaddin.dll
    2008-08-31 15:14:58 ----A---- C:\WINDOWS\system32\wmimgmt.msc
    2008-08-31 15:14:47 ----D---- C:\Program Files\MSN
    2008-08-31 15:14:46 ----A---- C:\WINDOWS\system32\sndrec32.exe
    2008-08-31 15:14:46 ----A---- C:\WINDOWS\system32\mplay32.exe
    2008-08-31 15:14:46 ----A---- C:\WINDOWS\system32\hypertrm.dll
    2008-08-31 15:14:46 ----A---- C:\WINDOWS\system32\accwiz.exe
    2008-08-31 15:14:45 ----D---- C:\Program Files\Windows NT
    2008-08-31 15:14:45 ----A---- C:\WINDOWS\system32\spider.exe
    2008-08-31 15:14:45 ----A---- C:\WINDOWS\system32\mspaint.exe
    2008-08-31 15:14:45 ----A---- C:\WINDOWS\system32\clipbrd.exe
    2008-08-31 15:14:44 ----A---- C:\WINDOWS\system32\tscfgwmi.dll
    2008-08-31 15:14:44 ----A---- C:\WINDOWS\system32\remotepg.dll
    2008-08-31 15:14:44 ----A---- C:\WINDOWS\system32\rdshost.exe
    2008-08-31 15:14:44 ----A---- C:\WINDOWS\system32\rdsaddin.exe
    2008-08-31 15:14:44 ----A---- C:\WINDOWS\system32\mstscax.dll
    2008-08-31 15:14:44 ----A---- C:\WINDOWS\system32\mstsc.exe
    2008-08-31 15:14:43 ----A---- C:\WINDOWS\system32\tscupgrd.exe
    2008-08-31 15:14:43 ----A---- C:\WINDOWS\system32\termsrv.dll
    2008-08-31 15:14:43 ----A---- C:\WINDOWS\system32\sessmgr.exe
    2008-08-31 15:14:43 ----A---- C:\WINDOWS\system32\rdpwsx.dll
    2008-08-31 15:14:43 ----A---- C:\WINDOWS\system32\rdpsnd.dll
    2008-08-31 15:14:43 ----A---- C:\WINDOWS\system32\rdpclip.exe
    2008-08-31 15:14:43 ----A---- C:\WINDOWS\system32\rdchost.dll
    2008-08-31 15:14:43 ----A---- C:\WINDOWS\system32\qprocess.exe
    2008-08-31 15:14:43 ----A---- C:\WINDOWS\system32\icaapi.dll
    2008-08-31 15:14:42 ----D---- C:\WINDOWS\system32\MsDtc
    2008-08-31 15:14:42 ----A---- C:\WINDOWS\system32\xolehlp.dll
    2008-08-31 15:14:42 ----A---- C:\WINDOWS\system32\mtxoci.dll
    2008-08-31 15:14:42 ----A---- C:\WINDOWS\system32\msdtcuiu.dll
    2008-08-31 15:14:42 ----A---- C:\WINDOWS\system32\msdtctm.dll
    2008-08-31 15:14:42 ----A---- C:\WINDOWS\system32\msdtcprx.dll
    2008-08-31 15:14:42 ----A---- C:\WINDOWS\system32\cfgbkend.dll
    2008-08-31 15:14:41 ----D---- C:\WINDOWS\system32\Com
    2008-08-31 15:14:41 ----A---- C:\WINDOWS\system32\msdtclog.dll
    2008-08-31 15:14:41 ----A---- C:\WINDOWS\system32\msdtc.exe
    2008-08-31 15:14:41 ----A---- C:\WINDOWS\system32\colbact.dll
    2008-08-31 15:14:40 ----A---- C:\WINDOWS\system32\comsvcs.dll
    2008-08-31 15:14:40 ----A---- C:\WINDOWS\system32\clbcatex.dll
    2008-08-31 15:14:40 ----A---- C:\WINDOWS\system32\catsrvut.dll
    2008-08-31 15:14:40 ----A---- C:\WINDOWS\system32\catsrvps.dll
    2008-08-31 15:14:40 ----A---- C:\WINDOWS\system32\catsrv.dll
    2008-08-31 15:14:39 ----A---- C:\WINDOWS\system32\comuid.dll
    2008-08-31 15:14:39 ----A---- C:\WINDOWS\system32\clbcatq.dll
    2008-08-31 15:14:34 ----A---- C:\WINDOWS\system32\servdeps.dll
    2008-08-31 15:14:34 ----A---- C:\WINDOWS\system32\mmfutil.dll
    2008-08-31 15:14:33 ----A---- C:\WINDOWS\system32\licwmi.dll
    2008-08-31 15:14:33 ----A---- C:\WINDOWS\system32\cmprops.dll
    2008-08-31 11:09:56 ----A---- C:\WINDOWS\system32\h323log.txt
    2008-08-31 11:04:16 ----A---- C:\WINDOWS\system32\wshirda.dll
    2008-08-31 11:04:16 ----A---- C:\WINDOWS\system32\irmon.dll
    2008-08-31 11:04:16 ----A---- C:\WINDOWS\system32\irftp.exe
    2008-08-31 11:03:43 ----A---- C:\WINDOWS\system32\usbui.dll
    2008-08-31 11:02:35 ----A---- C:\WINDOWS\imsins.BAK
    2008-08-31 11:02:32 ----SHD---- C:\WINDOWS\Installer
    2008-08-31 11:02:32 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2008-08-31 11:02:31 ----D---- C:\Program Files\Common Files\ODBC
    2008-08-31 11:02:31 ----A---- C:\WINDOWS\ODBCINST.INI
    2008-08-31 11:02:28 ----D---- C:\Program Files\Common Files\SpeechEngines
    2008-08-31 11:02:27 ----RD---- C:\Program Files
    2008-08-31 11:02:27 ----D---- C:\Program Files\Common Files\Microsoft Shared
    2008-08-31 11:02:27 ----D---- C:\Program Files\Common Files
    2008-08-31 11:02:25 ----RA---- C:\WINDOWS\system32\kbdtuq.dll
    2008-08-31 11:02:25 ----RA---- C:\WINDOWS\system32\kbdtuf.dll
    2008-08-31 11:02:25 ----RA---- C:\WINDOWS\system32\kbdazel.dll
    2008-08-31 11:02:23 ----RA---- C:\WINDOWS\system32\kbdycc.dll
    2008-08-31 11:02:23 ----RA---- C:\WINDOWS\system32\kbduzb.dll
    2008-08-31 11:02:23 ----RA---- C:\WINDOWS\system32\kbdur.dll
    2008-08-31 11:02:23 ----RA---- C:\WINDOWS\system32\kbdtat.dll
    2008-08-31 11:02:23 ----RA---- C:\WINDOWS\system32\kbdru1.dll
    2008-08-31 11:02:23 ----RA---- C:\WINDOWS\system32\kbdru.dll
    2008-08-31 11:02:23 ----RA---- C:\WINDOWS\system32\kbdmon.dll
    2008-08-31 11:02:23 ----RA---- C:\WINDOWS\system32\kbdkyr.dll
    2008-08-31 11:02:23 ----RA---- C:\WINDOWS\system32\kbdkaz.dll
    2008-08-31 11:02:23 ----RA---- C:\WINDOWS\system32\kbdbu.dll
    2008-08-31 11:02:23 ----RA---- C:\WINDOWS\system32\kbdblr.dll
    2008-08-31 11:02:23 ----RA---- C:\WINDOWS\system32\kbdaze.dll
    2008-08-31 11:02:21 ----RA---- C:\WINDOWS\system32\kbdhept.dll
    2008-08-31 11:02:21 ----RA---- C:\WINDOWS\system32\kbdhela3.dll
    2008-08-31 11:02:21 ----RA---- C:\WINDOWS\system32\kbdhela2.dll
    2008-08-31 11:02:21 ----RA---- C:\WINDOWS\system32\kbdhe319.dll
    2008-08-31 11:02:21 ----RA---- C:\WINDOWS\system32\kbdhe220.dll
    2008-08-31 11:02:21 ----RA---- C:\WINDOWS\system32\kbdhe.dll
    2008-08-31 11:02:21 ----RA---- C:\WINDOWS\system32\kbdgkl.dll
    2008-08-31 11:02:20 ----RA---- C:\WINDOWS\system32\kbdlv1.dll
    2008-08-31 11:02:20 ----RA---- C:\WINDOWS\system32\kbdlv.dll
    2008-08-31 11:02:20 ----RA---- C:\WINDOWS\system32\kbdlt1.dll
    2008-08-31 11:02:20 ----RA---- C:\WINDOWS\system32\kbdlt.dll
    2008-08-31 11:02:20 ----RA---- C:\WINDOWS\system32\kbdest.dll
    2008-08-31 11:02:18 ----RA---- C:\WINDOWS\system32\kbdycl.dll
    2008-08-31 11:02:18 ----RA---- C:\WINDOWS\system32\kbdsl1.dll
    2008-08-31 11:02:18 ----RA---- C:\WINDOWS\system32\kbdsl.dll
    2008-08-31 11:02:18 ----RA---- C:\WINDOWS\system32\kbdro.dll
    2008-08-31 11:02:18 ----RA---- C:\WINDOWS\system32\kbdpl1.dll
    2008-08-31 11:02:18 ----RA---- C:\WINDOWS\system32\kbdpl.dll
    2008-08-31 11:02:18 ----RA---- C:\WINDOWS\system32\kbdhu1.dll
    2008-08-31 11:02:18 ----RA---- C:\WINDOWS\system32\kbdhu.dll
    2008-08-31 11:02:18 ----RA---- C:\WINDOWS\system32\kbdcz2.dll
    2008-08-31 11:02:18 ----RA---- C:\WINDOWS\system32\kbdcz1.dll
    2008-08-31 11:02:18 ----RA---- C:\WINDOWS\system32\kbdcz.dll
    2008-08-31 11:02:18 ----RA---- C:\WINDOWS\system32\kbdcr.dll
    2008-08-31 11:02:18 ----RA---- C:\WINDOWS\system32\KBDAL.DLL
    2008-08-31 11:02:15 ----A---- C:\WINDOWS\system32\spxcoins.dll
    2008-08-31 11:02:15 ----A---- C:\WINDOWS\system32\irclass.dll
    2008-08-31 11:02:15 ----A---- C:\WINDOWS\system32\EqnClass.Dll
    2008-08-31 11:02:15 ----A---- C:\WINDOWS\system32\dgsetup.dll
    2008-08-31 11:02:15 ----A---- C:\WINDOWS\system32\dgrpsetu.dll
    2008-08-31 11:02:13 ----A---- C:\WINDOWS\TASKMAN.EXE
    2008-08-31 11:02:13 ----A---- C:\WINDOWS\system32\CONFIG.TMP
    2008-08-31 11:02:12 ----A---- C:\WINDOWS\system32\batt.dll
    2008-08-31 11:02:12 ----A---- C:\WINDOWS\notepad.exe
    2008-08-31 11:02:11 ----A---- C:\WINDOWS\system32\storprop.dll
    2008-08-31 11:02:01 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini
    2008-08-31 11:01:58 ----RA---- C:\WINDOWS\SET8.tmp
    2008-08-31 11:01:55 ----RA---- C:\WINDOWS\SET4.tmp
    2008-08-31 11:01:53 ----RA---- C:\WINDOWS\SET3.tmp
    2008-08-31 11:01:48 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-08-31 11:01:48 ----D---- C:\WINDOWS\system32\CatRoot
    2008-08-31 11:01:42 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2008-08-31 11:01:21 ----A---- C:\WINDOWS\setuplog.txt
    2008-08-31 11:01:17 ----SHD---- C:\System Volume Information
    2008-08-31 11:01:17 ----D---- C:\Documents and Settings
    2008-08-31 11:00:16 ----SH---- C:\boot.ini
    2008-08-31 10:50:27 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2008-08-31 10:50:27 ----RSD---- C:\WINDOWS\Fonts
    2008-08-31 10:50:27 ----RD---- C:\WINDOWS\Web
    2008-08-31 10:50:27 ----HD---- C:\WINDOWS\inf
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\WinSxS
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\twain_32
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\wins
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\wbem
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\usmt
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\spool
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\ShellExt
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\Setup
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\ras
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\oobe
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\npp
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\mui
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\inetsrv
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\IME
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\icsxml
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\ias
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\export
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\drivers
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\dhcp
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\config
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\3com_dmi
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\3076
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\2052
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\1054
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\1042
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\1041
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\1037
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\1033
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\1031
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\1028
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32\1025
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system32
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\system
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\security
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\Resources
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\repair
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\Provisioning
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\PeerNet
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\pchealth
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\mui
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\msapps
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\msagent
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\Media
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\java
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\ime
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\Help
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\ehome
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\Driver Cache
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\dell
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\Debug
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\Cursors
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\Connection Wizard
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\Config
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\AppPatch
    2008-08-31 10:50:27 ----D---- C:\WINDOWS\addins
    2008-08-31 10:50:27 ----D---- C:\WINDOWS
    2008-07-14 07:09:18 ----A---- C:\WINDOWS\system32\tzchange.exe
    2008-07-03 05:14:02 ----A---- C:\WINDOWS\system32\xpsp3res.dll

    ======List of files/folders modified in the last 3 months======

    2008-09-22 21:01:46 ----A---- C:\WINDOWS\system.ini
    2008-09-16 14:43:07 ----A---- C:\WINDOWS\win.ini
    2008-09-05 23:30:06 ----A---- C:\WINDOWS\system32\LegitCheckControl.dll
    2008-07-18 22:10:48 ----A---- C:\WINDOWS\system32\cdm.dll
    2008-07-18 22:10:40 ----A---- C:\WINDOWS\system32\wups2.dll
    2008-07-18 22:10:24 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
    2008-07-18 22:09:42 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
    2008-07-18 22:08:34 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
    2008-07-07 16:26:58 ----A---- C:\WINDOWS\system32\es.dll

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2004-06-30 16128]
    R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-06-10 53256]
    R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 34312]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
    R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
    R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
    R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
    R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-06-10 39944]
    R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-13 88192]
    R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
    R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
    R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.7; C:\WINDOWS\system32\DRIVERS\mdc8021x.sys [2008-08-31 15781]
    R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
    R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2005-09-28 113847]
    R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
    R3 b57w2k;Broadcom 570x Gigabit Integrated Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2003-05-21 175360]
    R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2004-06-25 315392]
    R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
    R3 GTICARD;GTICARD; C:\WINDOWS\system32\DRIVERS\gticard.sys [2003-02-06 59328]
    R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-06-17 1041536]
    R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-06-17 200064]
    R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2008-02-28 10144]
    R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-10-26 2830688]
    R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
    R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
    R3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\system32\DRIVERS\smcirda.sys [2001-08-17 35913]
    R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\stac97.sys [2004-09-15 263608]
    R3 tiumfwl;tiumfwl; C:\WINDOWS\system32\drivers\tiumfwl.sys [2002-10-09 42060]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
    R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-06-17 685056]
    S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
    S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
    S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2007-01-17 49920]
    S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2007-01-17 16496]
    S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2007-01-17 21568]
    S3 IKFileSec;File Security Driver; C:\WINDOWS\system32\drivers\ikfilesec.sys [2008-08-25 40840]
    S3 IKSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2008-08-25 66952]
    S3 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2008-08-25 81288]
    S3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2007-01-23 34576]
    S3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2007-01-23 33296]
    S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\drivers\UIUSys.sys []
    S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-13 12800]
    S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
    S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
    S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-24 611664]
    R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-06-10 468224]
    R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
    R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
    R2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2008-05-28 116032]
    R2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2008-02-28 63040]
    R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
    R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2004-10-26 127044]
    R2 PDFProFiltSrv;PDFProFiltSrv; C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2008-02-02 144672]
    R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
    R2 ProtexisLicensing;ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [2006-11-02 174656]
    R2 SlingAgentService;SlingAgent Service; C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe [2008-08-03 93960]
    R2 WLTRYSVC;WLTRYSVC; C:\WINDOWS\System32\wltrysvc.exe [2004-06-25 45056]
    R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
    R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
    S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2008-06-10 19200]
    S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-31 138168]
    S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
    S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
    S3 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
    S3 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-08-25 1077640]
    S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

    -----------------EOF-----------------
     
  8. 2008/09/26
    davekeys

    davekeys Inactive Thread Starter

    Here's L2MFIX:

    L2MFIX find log 032106
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    "DllName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
    "Logon"="SABWINLOLogon"
    "Logoff"="SABWINLOLogoff"
    "Startup"="SABWINLOStartup"
    "Shutdown"="SABWINLOShutdown"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
    74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
    00,69,00,6d,00,73,00,6e,00,74,00,66,00,79,00,2e,00,64,00,6c,00,6c,00,00,00
    "Startup"="WlDimsStartup"
    "Shutdown"="WlDimsShutdown"
    "Logon"="WlDimsLogon"
    "Logoff"="WlDimsLogoff"
    "StartShell"="WlDimsStartShell"
    "Lock"="WlDimsLock"
    "Unlock"="WlDimsUnlock"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):4c,00,4d,00,49,00,69,00,6e,00,69,00,74,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Impersonate"=dword:00000000
    "Lock"="WLEventLock"
    "Logoff"="WLEventLogoff"
    "Logon"="WLEventLogon"
    "Shutdown"="WLEventShutdown"
    "StartScreenSaver"="WLEventStartScreenSaver"
    "StartShell"="WLEventStartShell"
    "Startup"="WLEventStartup"
    "StopScreenSaver"="WLEventStopScreenSaver"
    "Unlock"="WLEventUnlock"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    "Logon"="WLEventLogon"
    "Logoff"="WLEventLogoff"
    "Startup"="WLEventStartup"
    "Shutdown"="WLEventShutdown"
    "StartScreenSaver"="WLEventStartScreenSaver"
    "StopScreenSaver"="WLEventStopScreenSaver"
    "Lock"="WLEventLock"
    "Unlock"="WLEventUnlock"
    "StartShell"="WLEventStartShell"
    "PostShell"="WLEventPostShell"
    "Disconnect"="WLEventDisconnect"
    "Reconnect"="WLEventReconnect"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000000
    "SafeMode"=dword:00000001
    "MaxWait"=dword:ffffffff
    "DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Event"=dword:00000000
    "InstallEvent"="1.8.0031.9"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
    @=""

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
    "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
    "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590} "= "Video Thumbnail Extractor "
    "{5E6AB780-7743-11CF-A12B-00AA004AE837} "= "Microsoft Internet Toolbar "
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938} "= "Download Status "
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972} "= "Augmented Shell Folder "
    "{6413BA2C-B461-11d1-A18A-080036B11A03} "= "Augmented Shell Folder 2 "
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383} "= "BandProxy "
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837} "= "Microsoft BrowserBand "
    "{30D02401-6A81-11d0-8274-00C04FD5AE38} "= "IE Search Band "
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13} "= "In-pane search "
    "{07798131-AF23-11d1-9111-00A0C98BA67D} "= "Web Search "
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8} "= "Registry Tree Options Utility "
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383} "= "&Address "
    "{A08C11D2-A228-11d0-825B-00AA005B4383} "= "Address EditBox "
    "{00BB2763-6A77-11D0-A535-00C04FD7D062} "= "Microsoft AutoComplete "
    "{7376D660-C583-11d0-A3A5-00C04FD706EC} "= "TridentImageExtractor "
    "{6756A641-DE71-11d0-831B-00AA005B4383} "= "MRU AutoComplete List "
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A} "= "Custom MRU AutoCompleted List "
    "{7e653215-fa25-46bd-a339-34a2790f3cb7} "= "Accessible "
    "{acf35015-526e-4230-9596-becbe19f0ac9} "= "Track Popup Bar "
    "{00BB2764-6A77-11D0-A535-00C04FD7D062} "= "Microsoft History AutoComplete List "
    "{03C036F1-A186-11D0-824A-00AA005B4383} "= "Microsoft Shell Folder AutoComplete List "
    "{00BB2765-6A77-11D0-A535-00C04FD7D062} "= "Microsoft Multiple AutoComplete List Container "
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1} "= "Shell Band Site Menu "
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF} "= "Shell DeskBarApp "
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1} "= "Shell DeskBar "
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1} "= "Shell Rebar BandSite "
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C} "= "User Assist "
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11} "= "Global Folder Settings "
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E} "= "Favorites Band "
    "{0A89A860-D7B1-11CE-8350-444553540000} "= "Shell Automation Inproc Service "
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} "= "Shell DocObject Viewer "
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61} "= "Microsoft Browser Architecture "
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8} "= "InternetShortcut "
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE} "= "Microsoft Url History Service "
    "{FF393560-C2A7-11CF-BFF4-444553540000} "= "History "
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933} "= "Temporary Internet Files "
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933} "= "Temporary Internet Files "
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497} "= "Microsoft Url Search Hook "
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} "= "IE4 Suite Splash Screen "
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13} "= "CDF Extension Copy Hook "
    "{131A6951-7F78-11D0-A979-00C04FD705A2} "= "ISFBand OC "
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661} "= "Search Assistant OC "
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} "= "The Internet "
    "{871C5380-42A0-1069-A2EA-08002B30309D} "= "Internet Name Space "
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E} "= "Explorer Band "
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} "= "Sendmail service "
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} "= "Sendmail service "
    "{88C6C381-2E85-11D0-94DE-444553540000} "= "ActiveX Cache Folder "
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "= "WebCheck "
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} "= "Subscription Mgr "
    "{F5175861-2688-11d0-9C5E-00AA00A45957} "= "Subscription Folder "
    "{08165EA0-E946-11CF-9C87-00AA005127ED} "= "WebCheckWebCrawler "
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} "= "WebCheckChannelAgent "
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} "= "TrayAgent "
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02} "= "Code Download Agent "
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE} "= "ConnectionAgent "
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9} "= "PostAgent "
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} "= "WebCheck SyncMgr Handler "
    "{352EC2B7-8B9A-11D1-B8AE-006008059382} "= "Shell Application Manager "
    "{0B124F8F-91F0-11D1-B8B5-006008059382} "= "Installed Apps Enumerator "
    "{CFCCC7A0-A282-11D1-9082-006008059382} "= "Darwin App Publisher "
    "{e84fda7c-1d6a-45f6-b725-cb260c236066} "= "Shell Image Verbs "
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178} "= "Shell Image Data Factory "
    "{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} "= "Autoplay for SlideShow "
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B} "= "GDI+ file thumbnail extractor "
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC} "= "Summary Info Thumbnail handler (DOCFILES) "
    "{EAB841A0-9550-11cf-8C16-00805F1408F3} "= "HTML Thumbnail Extractor "
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe} "= "Shell Image Property Handler "
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D} "= "Web Publishing Wizard "
    "{add36aa8-751a-4579-a266-d66f5202ccbb} "= "Print Ordering via the Web "
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1} "= "Shell Publishing Wizard Object "
    "{58f1f272-9240-4f51-b6d4-fd63d1618591} "= "Get a Passport Wizard "
    "{7A9D77BD-5403-11d2-8785-2E0420524153} "= "User Accounts "
    "{BD472F60-27FA-11cf-B8B4-444553540000} "= "Compressed (zipped) Folder Right Drag Handler "
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} "= "Compressed (zipped) Folder SendTo Target "
    "{692F0339-CBAA-47e6-B5B5-3B84DB604E87} "= "Extensions Manager Folder "
    "{63da6ec0-2e98-11cf-8d82-444553540000} "= "FTP Folders Webview "
    "{883373C3-BF89-11D1-BE35-080036B11A03} "= "Microsoft DocProp Shell Ext "
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D} "= "Microsoft DocProp Inplace Edit Box Control "
    "{8EE97210-FD1F-4B19-91DA-67914005F020} "= "Microsoft DocProp Inplace ML Edit Box Control "
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB} "= "Microsoft DocProp Inplace Droplist Combo Control "
    "{6A205B57-2567-4A2C-B881-F787FAB579A3} "= "Microsoft DocProp Inplace Calendar Control "
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33} "= "Microsoft DocProp Inplace Time Control "
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB} "= "Directory Query UI "
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} "= "Shell properties for a DS object "
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB} "= "Directory Object Find "
    "{F020E586-5264-11d1-A532-0000F8757D7E} "= "Directory Start/Search Find "
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65} "= "Directory Property UI "
    "{62AE1F9A-126A-11D0-A14B-0800361B1103} "= "Directory Context Menu Verbs "
    "{ECF03A33-103D-11d2-854D-006008059367} "= "MyDocs Copy Hook "
    "{ECF03A32-103D-11d2-854D-006008059367} "= "MyDocs Drop Target "
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103} "= "MyDocs Properties "
    "{750fdf0e-2a26-11d1-a3ea-080036587f03} "= "Offline Files Menu "
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66} "= "Offline Files Folder Options "
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} "= "Offline Files Folder "
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14} "= "Microsoft Agent Character Property Sheet Handler "
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6} "= "DfsShell "
    "{60fd46de-f830-4894-a628-6fa81bc0190d} "= "%DESC_PublishDropTarget% "
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717} "= "MMC Icon Handler "
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262} "= ".CAB file viewer "
    "{32714800-2E5F-11d0-8B85-00AA0044F941} "= "For &People... "
    "{8DD448E6-C188-4aed-AF92-44956194EB1F} "= "Windows Media Player Burn Audio CD Context Menu Handler "
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C} "= "Windows Media Player Play as Playlist Context Menu Handler "
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD} "= "Windows Media Player Add to Playlist Context Menu Handler "
    "{A70C977A-BF00-412C-90B7-034C51DA2439} "= "NvCpl DesktopContext Class "
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516} "= "Play on my TV helper "
    "{1CDB2949-8F65-4355-8456-263E7C208A5D} "= "Desktop Explorer "
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47} "= "Desktop Explorer Menu "
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48} "= "nView Desktop Context Menu "
    "{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C} "= "Logitech Setpoint Extension "
    "{B9B9F083-2B04-452A-8691-83694AC1037B} "= "Logitech Setpoint Extension "
    "{B089FE88-FB52-11D3-BDF1-0050DA34150D} "= "Eset Smart Security - Context Menu Shell Extension "
    "{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "= "Web Folders "
    "{72853161-30C5-4D22-B7F9-0BBC1D38A37E} "= "Groove GFS Browser Helper "
    "{2A541AE1-5BF6-4665-A8A3-CFA9672E4291} "= "Groove GFS Explorer Bar "
    "{A449600E-1DC6-4232-B948-9BD794D62056} "= "Groove GFS Stub Icon Handler "
    "{B5A7F190-DDA6-4420-B3BA-52453494E6CD} "= "Groove GFS Stub Execution Hook "
    "{6C467336-8281-4E60-8204-430CED96822D} "= "Groove GFS Context Menu Handler "
    "{387E725D-DC16-4D76-B310-2C93ED4752A0} "= "Groove XML Icon Handler "
    "{16F3DD56-1AF5-4347-846D-7C10C4192619} "= "Groove Explorer Icon Overlay 3 (GFS Folder) "
    "{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} "= "Groove Explorer Icon Overlay 2 (GFS Stub) "
    "{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} "= "Groove Explorer Icon Overlay 4 (GFS Unread Mark) "
    "{99FD978C-D287-4F50-827F-B2C658EDA8E7} "= "Groove Explorer Icon Overlay 1 (GFS Unread Stub) "
    "{920E6DB1-9907-4370-B3A0-BAFC03D81399} "= "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder) "
    "{0006F045-0000-0000-C000-000000000046} "= "Microsoft Office Outlook Custom Icon Handler "
    "{00020D75-0000-0000-C000-000000000046} "= "Microsoft Office Outlook Desktop Icon Handler "
    "{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "= "Microsoft Office OneNote Namespace Extension for Windows Desktop Search "
    "{42042206-2D85-11D3-8CFF-005004838597} "= "Microsoft Office HTML Icon Handler "
    "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "= "Microsoft Office Metadata Handler "
    "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "= "Microsoft Office Thumbnail Handler "
    "{21569614-B795-46b1-85F4-E737A8DC09AD} "= "Shell Search Band "
    "{1D2680C9-0E2A-469d-B787-065558BC7D43} "= "Fusion Cache "
    "{e82a2d71-5b2f-43a0-97b8-81be15854de8} "= "ShellLink for Application References "
    "{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "= "Shell Icon Handler for Application References "
    "{49BF5420-FA7F-11cf-8011-00A0C90A8F78} "= "Mobile Device "
    "{69FAF551-9023-4584-AE16-CEBCB07F5C6B} "= "PDF Converter 5.0 Shell Extension "
    @= "CorelDRAW Shell Extension Component "
    "{07C45BB1-4A8C-4642-A1F5-237E7215FF66} "= "IE Microsoft BrowserBand "
    "{1C1EDB47-CE22-4bbb-B608-77B48F83C823} "= "IE Fade Task "
    "{205D7A97-F16D-4691-86EF-F3075DCCA57D} "= "IE Menu Desk Bar "
    "{3028902F-6374-48b2-8DC6-9725E775B926} "= "IE AutoComplete "
    "{43886CD5-6529-41c4-A707-7B3C92C05E68} "= "IE Navigation Bar "
    "{44C76ECD-F7FA-411c-9929-1B77BA77F524} "= "IE Menu Site "
    "{4B78D326-D922-44f9-AF2A-07805C2A3560} "= "IE Menu Band "
    "{6038EF75-ABFC-4e59-AB6F-12D397F6568D} "= "IE Microsoft History AutoComplete List "
    "{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} "= "IE Tracking Shell Menu "
    "{6CF48EF8-44CD-45d2-8832-A16EA016311B} "= "IE IShellFolderBand "
    "{73CFD649-CD48-4fd8-A272-2070EA56526B} "= "IE BandProxy "
    "{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} "= "IE MRU AutoComplete List "
    "{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} "= "IE RSS Feeder Folder "
    "{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} "= "IE Microsoft Shell Folder AutoComplete List "
    "{B31C5FAE-961F-415b-BAF0-E697A5178B94} "= "IE Microsoft Multiple AutoComplete List Container "
    "{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} "= "Microsoft Browser Architecture "
    "{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} "= "IE Shell Rebar BandSite "
    "{E6EE9AAC-F76B-4947-8260-A9F136138E11} "= "IE Shell Band Site Menu "
    "{F2CF5485-4E02-4f68-819C-B92DE9277049} "= "&Links "
    "{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} "= "IE Registry Tree Options Utility "
    "{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "= "IE User Assist "
    "{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} "= "IE Custom MRU AutoCompleted List "
    "{da67b8ad-e81b-4c70-9b91b417b5e33527} "= "Windows Search Shell Service "
    "{97e467b4-98c6-4f19-9588-161b7773d6f6} "= "Office Document Property Handler "
    "{97090E2F-3062-4459-855B-014F0D3CDBB1} "= "Windows Search Deskbar "
    "{13E7F612-F261-4391-BEA2-39DF4F3FA311} "= "Windows Desktop Search "
    "{640167b4-59b0-47a6-b335-a6b3c0695aea} "= "Portable Media Devices "
    "{35786D3C-B075-49b9-88DD-029876E11C01} "= "Portable Devices "
    "{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} "= "Portable Devices Menu "

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    **********************************************************************************
    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    bogusn~1.dll Tue Sep 23 2008 2:41:20p A.... 128,000 125.00 K
    bogusv~1.dll Tue Sep 23 2008 2:44:20p A.... 91,136 89.00 K
    cdm.dll Fri Jul 18 2008 10:10:48p A.... 94,920 92.70 K
    es.dll Mon Jul 7 2008 4:26:58p A.... 253,952 248.00 K
    gcnephdr.dll Mon Sep 22 2008 2:39:56p A.... 119,808 117.00 K
    ghhkljrw.dll Tue Sep 23 2008 2:41:20p A.... 128,000 125.00 K
    haazer.dll Wed Sep 24 2008 3:46:24p A.... 128,000 125.00 K
    ixjwgd.dll Mon Sep 22 2008 8:31:38a A.... 119,808 117.00 K
    kotuvqxf.dll Wed Sep 24 2008 3:40:04p A.... 95,232 93.00 K
    ledbjcym.dll Wed Sep 24 2008 3:46:24p A.... 128,000 125.00 K
    legitc~1.dll Fri Sep 5 2008 11:30:06p A.... 1,480,232 1.41 M
    mucltui.dll Fri Jul 18 2008 10:07:34p A.... 270,880 264.53 K
    muweb.dll Fri Jul 18 2008 10:07:32p A.... 210,976 206.03 K
    ohdmsjnm.dll Mon Sep 22 2008 2:36:58p A.... 82,944 81.00 K
    rjsbmhss.dll Mon Sep 22 2008 8:31:38a A.... 119,808 117.00 K
    tmggapgf.dll Wed Sep 24 2008 3:43:04p A.... 91,136 89.00 K
    vqltju.dll Mon Sep 22 2008 2:39:56p A.... 119,808 117.00 K
    wgalogon.dll Fri Sep 5 2008 11:30:42p ..... 241,704 236.04 K
    wuapi.dll Fri Jul 18 2008 10:09:44p A.... 563,912 550.70 K
    wuaueng.dll Fri Jul 18 2008 10:09:42p A.... 1,811,656 1.73 M
    wucltui.dll Fri Jul 18 2008 10:09:46p A.... 325,832 318.20 K
    wups.dll Fri Jul 18 2008 10:10:20p A.... 36,552 35.70 K
    wups2.dll Fri Jul 18 2008 10:10:40p A.... 45,768 44.70 K
    wuweb.dll Fri Jul 18 2008 10:09:44p A.... 205,000 200.20 K

    24 items found: 24 files, 0 directories.
    Total of file sizes: 6,893,064 bytes 6.57 M
    Locate .tmp files:

    C:\WINDOWS\SYSTEM32\
    mcrh.tmp Wed Sep 24 2008 1:04:20p A.... 143 0.14 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 143 bytes 0.14 K
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 90E3-EC48

    Directory of C:\WINDOWS\System32

    09/25/2008 06:16 PM 926,399 fgpaggmt.ini
    09/25/2008 05:29 PM <DIR> dllcache
    09/24/2008 10:50 PM 906,072 FggOYJjl.ini
    09/24/2008 10:48 PM 906,072 FggOYJjl.ini2
    09/23/2008 02:44 PM 898,638 mybifvmv.ini
    09/03/2008 12:12 PM 952 KGyGaAvL.sys
    08/31/2008 03:25 PM <DIR> Microsoft
    5 File(s) 3,638,133 bytes
    2 Dir(s) 20,554,428,416 bytes free
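A small triage script for the L2MFix "Files Found" listing above, added here as an example and not part of the thread or of the L2MFix/ComboFix tools. It parses the listing's one-line-per-file format and flags the three traits the posted data shows: a DLL whose reversed base name matches a companion .ini (mybifvmv.ini and vmvfibym.dll, fgpaggmt.ini and tmggapgf.dll), random-looking DLL names created after a cutoff date, and recently created DLLs sharing an exact byte size (the four 128,000-byte files). The sample listing is constructed from the thread's entries, with the 8.3-shortened names written out in full and the two .ini files rewritten in the same format.

```python
"""Triage an L2MFix-style system32 listing for Virtumonde-like drops.

Added example (not from the thread or the tools it mentions). Parses lines of
the form 'name Dow Mon D YYYY H:MM:SSp ATTRS bytes ...' and reports DLLs that
trip any of three checks seen in the posted log.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample: a subset of the posted system32 entries, with the
# 8.3-shortened names (bogusv~1.dll) expanded and the two .ini companions
# from the directory listing written in the same one-line format.
SAMPLE_LISTING = """\
C:\\WINDOWS\\SYSTEM32\\
cdm.dll Fri Jul 18 2008 10:10:48p A.... 94,920 92.70 K
ghhkljrw.dll Tue Sep 23 2008 2:41:20p A.... 128,000 125.00 K
haazer.dll Wed Sep 24 2008 3:46:24p A.... 128,000 125.00 K
kotuvqxf.dll Wed Sep 24 2008 3:40:04p A.... 95,232 93.00 K
ledbjcym.dll Wed Sep 24 2008 3:46:24p A.... 128,000 125.00 K
tmggapgf.dll Wed Sep 24 2008 3:43:04p A.... 91,136 89.00 K
vmvfibym.dll Tue Sep 23 2008 2:44:20p A.... 91,136 89.00 K
wgalogon.dll Fri Sep 5 2008 11:30:42p ..... 241,704 236.04 K
wuapi.dll Fri Jul 18 2008 10:09:44p A.... 563,912 550.70 K
fgpaggmt.ini Thu Sep 25 2008 6:16:00p A.... 926,399 904.69 K
mybifvmv.ini Tue Sep 23 2008 2:44:00p A.... 898,638 877.58 K
"""

# Files created on or after this date are "recent" for the name/size checks
# (the infection in the thread started around 2008-09-22).
CUTOFF = datetime(2008, 9, 20)

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+\w{3} (?P<date>\w{3} \d{1,2} \d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2})(?P<ampm>[ap]) "
    r"(?P<attr>[A-Za-z.]{5}) (?P<size>[\d,]+) "
)


@dataclass
class FileEntry:
    name: str
    created: datetime
    size: int


def parse_listing(text: str) -> List[FileEntry]:
    """Parse file lines; directory headers, totals and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = f"{m['date']} {m['time']}{'PM' if m['ampm'] == 'p' else 'AM'}"
        created = datetime.strptime(stamp, "%b %d %Y %I:%M:%S%p")
        entries.append(FileEntry(m["name"].lower(), created,
                                 int(m["size"].replace(",", ""))))
    return entries


def random_looking(base: str) -> bool:
    """Heuristic for machine-generated names: letters only, 6+ chars, and
    either under 25% vowels or a run of four or more consonants. Pronounceable
    drops such as haazer.dll slip past this; the size-cluster check catches them."""
    if not base.isalpha() or len(base) < 6:
        return False
    vowels = sum(c in "aeiou" for c in base)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", base)), default=0)
    return vowels / len(base) < 0.25 or longest_run >= 4


def triage(text: str, cutoff: datetime) -> Dict[str, List[str]]:
    """Return {dll name: [reasons]} for every DLL that trips at least one check."""
    entries = parse_listing(text)
    ini_bases = {e.name[:-4] for e in entries if e.name.endswith(".ini")}
    recent = {e.name for e in entries
              if e.name.endswith(".dll") and e.created >= cutoff}
    by_size = defaultdict(list)           # exact size -> recent DLL names
    for e in entries:
        if e.name in recent:
            by_size[e.size].append(e.name)

    findings: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if not e.name.endswith(".dll"):
            continue
        base = e.name[:-4]
        if base[::-1] in ini_bases:       # reversed-name .ini companion
            findings[e.name].append(f"reversed-name .ini companion: {base[::-1]}.ini")
        if e.name in recent and random_looking(base):
            findings[e.name].append(f"random-looking name created {e.created:%Y-%m-%d}")
        if e.name in recent and len(by_size[e.size]) > 1:
            others = sorted(n for n in by_size[e.size] if n != e.name)
            findings[e.name].append(f"same size ({e.size:,} bytes) as {', '.join(others)}")
    return dict(findings)


if __name__ == "__main__":
    for dll, reasons in sorted(triage(SAMPLE_LISTING, CUTOFF).items()):
        print(dll, "->", "; ".join(reasons))
```

The legitimate files in the sample (cdm.dll, wuapi.dll, wgalogon.dll) produce no finding; tmggapgf.dll and vmvfibym.dll trip all three checks.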
     
  9. 2008/09/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi davekeys

    Let's scan a couple of files.

    • Please go to Jotti's malware scan
    • Copy and paste the following file paths, one at a time, into the "File to upload & scan" box at the top of the page:
      • C:\WINDOWS\system32\ghhkljrwBOGUS.dll
        C:\WINDOWS\system32\BOGUSnzbvik.dll
        C:\WINDOWS\system32\kotuvqxf.dll
        C:\WINDOWS\system32\tmggapgf.dll
    • Click on the submit button
    • Please post the results in your next reply.


    Please do this.

    Delete the Combofix you have and download this new version.


    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the ComboFix log.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the Jotti results and the combofix log.

    Thanks
    Geri
     
    Geri,
    #8
  10. 2008/09/29
    davekeys

    davekeys Inactive Thread Starter

    Joined:
    2008/09/25
    Messages:
    8
    Likes Received:
    0
    Thank you. I appreciate the help and update on combofix. I'll run that immediately after this post.

    Here are my results:

    C:\WINDOWS\system32\ghhkljrwBOGUS.dll
    results:
    Scan taken on 29 Sep 2008 20:39:12 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    CPsecure
    Found nothing
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found nothing
    G DATA
    Found nothing
    Ikarus
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found a variant of Win32/Adware.Virtumonde.NBP application
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found nothing
    Sophos Antivirus
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found nothing

    C:\WINDOWS\system32\BOGUSnzbvik.dll
    results:
    Scan taken on 29 Sep 2008 20:42:42 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    CPsecure
    Found nothing
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found nothing
    G DATA
    Found nothing
    Ikarus
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found a variant of Win32/Adware.Virtumonde.NBP application
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found nothing
    Sophos Antivirus
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found nothing

    C:\WINDOWS\system32\kotuvqxf.dll
    results: THIS FILE IS NO LONGER PRESENT

    C:\WINDOWS\system32\tmggapgf.dll
    results:
    Scan taken on 29 Sep 2008 20:49:37 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found Trojan.Generic.744721
    ClamAV
    Found nothing
    CPsecure
    Found nothing
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found W32/Virtumonde.AC.gen!Eldorado
    F-Secure Anti-Virus
    Found nothing
    G DATA
    Found Trojan.Generic.744721
    Ikarus
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found a variant of Win32/Adware.Virtumonde.NBP application
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found nothing
    Sophos Antivirus
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found nothing


    Thank you again,

    Dave
     
  11. 2008/09/29
    davekeys

    davekeys Inactive Thread Starter

    Joined:
    2008/09/25
    Messages:
    8
    Likes Received:
    0
    This is the logfile from the new ver. of combofix:

    ComboFix 08-09-28.01 - Jim 2008-09-29 16:56:42.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.673 [GMT -4:00]
    Running from: C:\Documents and Settings\Jim\Desktop\ComboFix.exe
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\BM93d0df7b.txt
    C:\WINDOWS\BM93d0df7b.xml
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mybifvmv.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-29 )))))))))))))))))))))))))))))))
    .

    2008-09-26 09:48 . 2004-02-22 10:11 719,872 --a------ C:\WINDOWS\system32\devil.dll
    2008-09-26 09:48 . 2006-10-07 17:43 502,784 --a------ C:\WINDOWS\x2.64.exe
    2008-09-26 09:48 . 2007-05-17 17:30 318,976 --a------ C:\WINDOWS\system32\avisynth.dll
    2008-09-26 09:48 . 2005-02-28 13:16 240,128 --a------ C:\WINDOWS\system32\x.264.exe
    2008-09-26 09:48 . 2008-09-26 09:48 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
    2008-09-26 09:48 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
    2008-09-26 09:48 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS\MOTA113.exe
    2008-09-26 09:48 . 2005-07-14 12:31 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
    2008-09-26 09:47 . 2008-09-26 09:47 <DIR> d-------- C:\Program Files\AviSynth 2.5
    2008-09-26 09:39 . 2008-09-26 09:39 <DIR> d-------- C:\Program Files\eRightSoft
    2008-09-25 22:21 . 2008-09-25 22:22 <DIR> d-------- C:\rsit
    2008-09-25 22:21 . 2008-09-25 22:22 <DIR> d-------- C:\Program Files\trend micro
    2008-09-25 21:53 . 2008-09-25 21:53 <DIR> d-------- C:\l2mfix
    2008-09-25 21:53 . 2005-01-20 13:47 175,616 --a------ C:\WINDOWS\system32\strings.exe
    2008-09-25 21:53 . 2005-01-13 21:41 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-09-25 21:53 . 2005-01-13 21:41 39,184 --a------ C:\WINDOWS\system32\Ntrights.exe
    2008-09-25 21:53 . 2005-10-19 18:50 16,384 --a------ C:\WINDOWS\system32\restart.exe
    2008-09-25 21:53 . 2005-01-13 21:41 11,254 --a------ C:\WINDOWS\system32\locate.com
    2008-09-25 19:44 . 2008-09-25 19:38 1,018,520 --a------ C:\WINDOWS\system32\ROOTKITScannerRfsbl.exe
    2008-09-24 22:04 . 2008-09-24 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-09-24 22:03 . 2008-09-24 22:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-09-24 22:03 . 2008-09-24 22:03 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\SUPERAntiSpyware.com
    2008-09-24 21:04 . 2008-08-06 17:27 3,520,552 --a------ C:\WINDOWS\system32\procexp.exe
    2008-09-24 21:04 . 2007-08-31 06:36 72,138 --a------ C:\WINDOWS\system32\procexp.chm
    2008-09-24 18:17 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-09-24 16:02 . 2008-09-24 16:02 <DIR> d-------- C:\fsaua.data
    2008-09-24 15:46 . 2008-09-24 15:46 128,000 --a------ C:\WINDOWS\system32\ledbjcym.dll
    2008-09-24 15:43 . 2008-09-25 18:16 926,399 --ahs---- C:\WINDOWS\system32\fgpaggmtBOGUS.ini
    2008-09-24 15:43 . 2008-09-24 15:43 91,136 --a------ C:\WINDOWS\system32\tmggapgf.dll
    2008-09-24 09:19 . 2008-09-24 09:19 <DIR> d-------- C:\Program Files\Lavasoft
    2008-09-24 09:19 . 2008-09-24 09:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-24 09:14 . 2008-09-24 22:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-09-23 16:16 . 2008-09-24 14:12 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-09-23 16:16 . 2008-09-23 16:16 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\PC Tools
    2008-09-23 16:16 . 2008-09-24 18:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-09-23 16:16 . 2008-08-25 11:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-09-23 16:16 . 2008-08-25 11:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-09-23 16:16 . 2008-08-25 11:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-09-23 16:16 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-09-23 14:44 . 2008-09-23 14:44 91,136 --a------ C:\WINDOWS\system32\BOGUSvmvfibym.dll
    2008-09-23 14:41 . 2008-09-23 14:41 128,000 --a------ C:\WINDOWS\system32\ghhkljrwBOGUS.dll
    2008-09-23 14:41 . 2008-09-23 14:41 128,000 --a------ C:\WINDOWS\system32\BOGUSnzbvik.dll
    2008-09-23 12:27 . 2008-09-24 22:50 906,072 --ahs---- C:\WINDOWS\system32\FggOYJjlBOGUS.ini
    2008-09-22 20:14 . 2008-09-22 20:14 <DIR> d-------- C:\VundoFix Backups
    2008-09-22 20:14 . 2008-09-23 18:31 148 --a------ C:\WINDOWS\wininit.ini
    2008-09-22 16:12 . 2008-09-23 17:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-09-22 16:12 . 2008-09-22 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-22 15:23 . 2008-09-22 15:23 <DIR> d-------- C:\temp_phw
    2008-09-22 14:39 . 2008-09-22 14:39 119,808 --a------ C:\WINDOWS\system32\vqltjuBOGUS.dll
    2008-09-22 14:39 . 2008-09-22 14:39 119,808 --a------ C:\WINDOWS\system32\gcnephdrBOGUS.dll
    2008-09-22 14:36 . 2008-09-22 14:36 82,944 --a------ C:\WINDOWS\system32\ohdmsjnmBOGUS.dll
    2008-09-22 08:31 . 2008-09-22 08:31 119,808 --a------ C:\WINDOWS\system32\rjsbmhssBOGUS.dll
    2008-09-22 08:31 . 2008-09-22 08:31 119,808 --a------ C:\WINDOWS\system32\ixjwgdBOGUS.dll
    2008-09-22 08:20 . 2008-09-24 22:48 906,072 --ahs---- C:\WINDOWS\system32\FggOYJjlBOGUS.ini2
    2008-09-22 08:14 . 2008-09-22 08:22 <DIR> d-------- C:\WINDOWS\system32\mC19
    2008-09-22 08:14 . 2008-09-22 08:14 <DIR> d-------- C:\Temp\mtc2
    2008-09-22 08:14 . 2008-09-22 08:14 <DIR> d-------- C:\Temp
    2008-09-18 15:02 . 2008-09-18 15:02 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-09-18 15:02 . 2008-09-18 15:02 <DIR> d-------- C:\WINDOWS\system32\en
    2008-09-18 15:02 . 2008-09-18 15:02 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-09-18 15:02 . 2008-09-18 15:02 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-09-18 14:54 . 2008-09-18 15:02 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-09-17 19:53 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
    2008-09-17 19:53 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
    2008-09-16 15:11 . 2008-09-16 15:11 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Windows Search
    2008-09-16 14:42 . 2008-09-16 14:42 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2008-09-16 14:38 . 2008-09-16 14:38 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2008-09-16 14:38 . 2008-09-16 14:40 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-09-16 14:37 . 2008-09-16 14:38 <DIR> d-------- C:\96b5f350790660608c09b2734f604c
    2008-09-16 11:48 . 2008-09-16 11:48 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Windows Desktop Search
    2008-09-16 11:41 . 2008-09-16 11:41 <DIR> d-------- C:\Program Files\Windows Desktop Search
    2008-09-16 11:39 . 2008-09-16 11:48 <DIR> d-------- C:\d6540837577852e1ab168df47ed688
    2008-09-14 10:02 . 2008-09-18 19:17 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Stamps.com Internet Postage
    2008-09-14 10:01 . 2008-09-14 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{FBB5C4A9-4848-46A0-8863-C359F08D7728}
    2008-09-14 10:01 . 2008-09-14 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{D9AA4D17-9292-410D-9AA5-84526D062900}
    2008-09-14 10:01 . 2008-09-14 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
    2008-09-14 10:01 . 2008-09-14 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{97B4F769-48E2-4A00-AEF1-C2853E48F4FA}
    2008-09-14 10:00 . 2008-09-14 10:02 <DIR> d-------- C:\Program Files\Stamps.com Internet Postage
    2008-09-14 10:00 . 2008-09-18 19:32 36 --ah----- C:\WINDOWS\system32\f9t.dat
    2008-09-05 23:30 . 2008-09-05 23:30 241,704 -----c--- C:\WINDOWS\system32\dllcache\wgaLogon.dll
    2008-09-05 23:29 . 2008-09-05 23:29 917,032 -----c--- C:\WINDOWS\system32\dllcache\WgaTray.exe
    2008-09-05 19:32 . 2008-09-05 19:32 <DIR> d-------- C:\Program Files\Copernic Desktop Search - Home
    2008-09-04 21:35 . 2008-09-04 21:35 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\ScanSoft
    2008-09-04 21:22 . 2008-09-26 11:53 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\.oit
    2008-09-04 21:22 . 2008-03-28 13:24 31,767 --a------ C:\WINDOWS\maxlink.ini
    2008-09-04 21:20 . 2008-09-04 21:20 <DIR> d-------- C:\Program Files\ScanSoft
    2008-09-04 13:42 . 2008-09-04 13:43 <DIR> d-------- C:\Program Files\Libronix DLS
    2008-09-04 13:42 . 2008-09-08 20:26 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Libronix DLS
    2008-09-04 13:42 . 2008-09-04 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Libronix DLS
    2008-09-03 21:23 . 2008-09-03 22:11 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Mobipocket
    2008-09-03 21:21 . 2008-09-03 21:21 <DIR> d-------- C:\Program Files\Mobipocket.com
    2008-09-03 05:28 . 2008-09-03 05:28 <DIR> d-------- C:\Program Files\MSXML 4.0
    2008-09-02 21:45 . 2008-09-02 21:45 543 --a------ C:\WINDOWS\system32\mapisvc.inf
    2008-09-02 21:29 . 2008-09-02 21:36 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Download Manager
    2008-09-02 21:19 . 2008-09-15 11:50 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\HPAppData
    2008-09-02 21:18 . 2008-09-02 21:18 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
    2008-09-02 21:17 . 2008-09-02 21:42 <DIR> d-------- C:\Program Files\WordPerfect Office 12
    2008-09-02 20:07 . 2008-09-02 20:07 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\HP
    2008-09-02 20:00 . 0 C:\WINDOWS\system32\YªYª
    2008-09-02 19:59 . 2008-09-02 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
    2008-09-02 19:58 . 2008-09-02 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
    2008-09-02 19:57 . 2008-09-02 19:57 <DIR> d-------- C:\Program Files\Hewlett-Packard
    2008-09-02 19:57 . 2008-09-02 19:57 <DIR> d-------- C:\Program Files\Common Files\HP
    2008-09-02 19:57 . 2008-09-02 19:57 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
    2008-09-02 19:56 . 2007-01-17 12:37 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
    2008-09-02 19:55 . 2008-09-02 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
    2008-09-02 19:55 . 2007-11-06 22:10 271,704 -ra------ C:\WINDOWS\system32\hpzids01.dll
    2008-09-02 19:55 . 2007-03-15 15:32 118,272 --a------ C:\WINDOWS\system32\hpz3l5ha.dll
    2008-09-02 19:55 . 2007-01-17 12:37 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
    2008-09-02 19:54 . 2007-01-17 12:37 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
    2008-09-02 19:53 . 2007-10-31 08:19 970,752 -ra------ C:\WINDOWS\system32\hpwtiop3.dll
    2008-09-02 19:53 . 2007-10-31 08:19 729,088 -ra------ C:\WINDOWS\system32\hpwwiax3.dll
    2008-09-02 19:53 . 2007-01-17 12:37 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
    2008-09-02 19:53 . 2007-01-17 12:37 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
    2008-09-02 19:53 . 2007-01-17 12:31 294,912 -ra------ C:\WINDOWS\system32\hpovst11.dll
    2008-09-02 19:52 . 2008-09-02 19:52 <DIR> d-------- C:\WINDOWS\braveheart
    2008-09-02 19:52 . 2007-11-06 22:04 1,373,528 -ra------ C:\WINDOWS\hpzshl01.exe
    2008-09-02 19:52 . 2007-11-06 22:15 1,140,056 -ra------ C:\WINDOWS\hpzmsi01.exe
    2008-09-02 19:52 . 2007-11-26 13:26 12,998 -ra------ C:\WINDOWS\hpwscr14.dat
    2008-09-02 19:51 . 2008-09-02 19:59 <DIR> d-------- C:\Program Files\HP
    2008-09-02 19:51 . 2008-04-13 14:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
    2008-09-02 19:51 . 2008-04-13 14:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2008-09-02 19:30 . 2008-09-02 20:02 179,961 --a------ C:\WINDOWS\hpwins14.dat
    2008-09-02 19:30 . 2007-11-16 12:12 1,108 -ra------ C:\WINDOWS\hpwmdl14.dat
    2008-09-02 08:09 . 2008-09-12 16:07 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\gtk-2.0

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-24 22:17 --------- d-----w C:\Program Files\Java
    2008-09-01 20:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-01 19:30 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-08-31 19:58 --------- d-----w C:\Program Files\Intel
    2008-08-31 19:56 --------- d-----w C:\Program Files\SigmaTel
    2008-08-31 19:53 --------- d-----w C:\Program Files\Common Files\Java
    2008-08-31 19:48 --------- d-----w C:\Program Files\Dell Computer Corporation
    2008-08-31 19:20 --------- d-----w C:\Program Files\microsoft frontpage
    2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
    2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
    2008-03-16 12:30 216,064 --sh--r C:\WINDOWS\system32\nbDX.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
    "H/PC Connection Agent "= "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-18 68856]
    "Copernic Desktop Search - Home "= "C:\Program Files\Copernic Desktop Search - Home\DesktopSearchService.exe" [2008-08-28 1520640]
    "PPWebCap "= "C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe" [2008-05-10 83232]
    "SUPERAntiSpyware "= "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 4632576]
    "Dell QuickSet "= "C:\Program Files\Dell\QuickSet\quickset.exe" [2004-10-07 610304]
    "Apoint "= "C:\Program Files\Apoint\Apoint.exe" [2005-10-07 176128]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "egui "= "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168]
    "GrooveMonitor "= "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "PDFHook "= "C:\Program Files\Nuance\PDF Professional 5\pdfpro5hook.exe" [2008-02-02 795936]
    "PDF5 Registry Controller "= "C:\Program Files\Nuance\PDF Professional 5\RegistryController.exe" [2008-02-02 58656]
    "SSBkgdUpdate "= "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-03-26 210472]
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
    "Nuance PDF Professional 5-reminder "= "C:\Program Files\Nuance\PDF Professional 5\Ereg\Ereg.exe" [2007-08-31 328992]
    "LogMeIn GUI "= "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
    "CorelDRAW Graphics Suite 11b "= "C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 729088]
    "PaperPort PTD "= "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2008-05-10 29984]
    "IndexSearch "= "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2008-05-10 46368]
    "PPort11reminder "= "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
    "nwiz "= "nwiz.exe" [2004-10-26 C:\WINDOWS\system32\nwiz.exe]
    "Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [2007-01-23 C:\WINDOWS\KHALMNPR.Exe]
    "90e3ece7 "= "BOGUSrundll32.exe" [BU]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

    C:\Documents and Settings\Jim\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-08-31 688128]
    Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoActiveDesktop "= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2008-05-28 12:32 87352 C:\WINDOWS\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=vqltju.dll nzbvik.dll haazer.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.I420 "= i420vfw.dll
    "vidc.yv12 "= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=" "

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe "= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe "= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe "= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Stamps.com Internet Postage\\ipostage.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 34312]
    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
    R2 PDFProFiltSrv;PDFProFiltSrv;C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2008-02-02 144672]
    R2 SlingAgentService;SlingAgent Service;C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe [2008-08-03 93960]
    R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys [2003-02-06 59328]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\1iwjjbcp.default\
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-29 17:09:37
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\Copernic Desktop Search - Home\DesktopSearchSystem300000074.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\scardsvr.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Apoint\ApntEx.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\Apoint\hidfind.exe
    C:\Program Files\LogMeIn\x86\ramaint.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\system32\WLTRYSVC.EXE
    C:\WINDOWS\system32\searchindexer.exe
    C:\WINDOWS\system32\BCMWLTRY.EXE
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-29 17:17:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-29 21:17:16
    ComboFix2.txt 2008-09-23 01:07:34

    Pre-Run: 21,072,695,296 bytes free
    Post-Run: 21,063,192,576 bytes free

    297 --- E O F --- 2008-09-26 10:49:39
     
  12. 2008/09/29
    Geri (Lifetime Subscription, Inactive Alumni; joined 2003/03/02)
    Hi
    OK please do this.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    http://www.windowsbbs.com/malware-virus-removal/77280-cleaned-virtumonde-but-cant-run-blacklight.html
    
    Collect::
    C:\WINDOWS\system32\ledbjcym.dll
    C:\WINDOWS\system32\fgpaggmtBOGUS.ini
    C:\WINDOWS\system32\tmggapgf.dll
    C:\WINDOWS\system32\BOGUSvmvfibym.dll
    C:\WINDOWS\system32\ghhkljrwBOGUS.dll
    C:\WINDOWS\system32\BOGUSnzbvik.dll
    C:\WINDOWS\system32\FggOYJjlBOGUS.ini
    C:\WINDOWS\system32\vqltjuBOGUS.dll
    C:\WINDOWS\system32\gcnephdrBOGUS.dll
    C:\WINDOWS\system32\ohdmsjnmBOGUS.dll
    C:\WINDOWS\system32\rjsbmhssBOGUS.dll
    C:\WINDOWS\system32\ixjwgdBOGUS.dll
    C:\WINDOWS\system32\FggOYJjlBOGUS.ini2
    
    File::
    C:\WINDOWS\system32\ledbjcym.dll
    C:\WINDOWS\system32\fgpaggmtBOGUS.ini
    C:\WINDOWS\system32\tmggapgf.dll
    C:\WINDOWS\system32\BOGUSvmvfibym.dll
    C:\WINDOWS\system32\ghhkljrwBOGUS.dll
    C:\WINDOWS\system32\BOGUSnzbvik.dll
    C:\WINDOWS\system32\FggOYJjlBOGUS.ini
    C:\WINDOWS\system32\vqltjuBOGUS.dll
    C:\WINDOWS\system32\gcnephdrBOGUS.dll
    C:\WINDOWS\system32\ohdmsjnmBOGUS.dll
    C:\WINDOWS\system32\rjsbmhssBOGUS.dll
    C:\WINDOWS\system32\ixjwgdBOGUS.dll
    C:\WINDOWS\system32\FggOYJjlBOGUS.ini2
    C:\WINDOWS\system32\YªYª
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "90e3ece7 "=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
     "AppInit_DLLs "=" " 
    Please post the combofix log.

    Thanks
    Geri
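
The triage Geri does by hand above (read the Reg Loading Points section, spot the AppInit_DLLs value and the unverified Run entry, write a CFScript that removes them) can be expressed as a small script. The following is an added example for this thread; it is not ComboFix's own code and was not posted by either participant. The sample log text is constructed from the entries in the log above with the forum's quoting artefact removed. Two things in it are assumptions rather than facts from the page: the eight-hex-character name heuristic, and the rule that bare DLL names in AppInit_DLLs are looked up under the system32 directory.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread: not ComboFix's own code and not posted by
either participant. It parses the autostart entries, flags the two
Vundo/Virtumonde persistence points visible in the log above (a non-empty
AppInit_DLLs value and a Run value ComboFix could not resolve to a stamped
file), and writes the File:: and Registry:: blocks of a CFScript to undo them.
Assumptions, not from the page: the value-name heuristic and the rule that
bare AppInit_DLLs names resolve under the system32 directory.
"""
import re
from dataclasses import dataclass

# Constructed sample, copied from the entries in the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168]
"nwiz"="nwiz.exe" [2004-10-26 C:\WINDOWS\system32\nwiz.exe]
"90e3ece7"="BOGUSrundll32.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vqltju.dll nzbvik.dll haazer.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
# Entries ComboFix verified on disk carry a "[YYYY-MM-DD size]" stamp.
STAMP_RE = re.compile(r"\[\d{4}-\d{2}-\d{2} ")
# Heuristic (assumption): Vundo names its Run value with eight hex characters.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
SYSTEM32 = "C:\\WINDOWS\\system32\\"  # assumption for bare AppInit_DLLs names


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reason: str


def parse_loading_points(text):
    """Return (key, name, data) for every value line under a [key] header."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif key and (m := VALUE_RE.match(line)):
            entries.append((key, m.group("name"), m.group("data")))
    return entries


def triage(text):
    """Flag the autostart entries a removal helper would act on."""
    findings = []
    for key, name, data in parse_loading_points(text):
        k, reasons = key.lower(), []
        if k.endswith(r"\windows nt\currentversion\windows") and name.lower() == "appinit_dlls":
            if data.strip('" '):
                reasons.append("AppInit_DLLs: each listed DLL is loaded into every process that maps user32.dll")
        elif k.endswith(r"\currentversion\run"):
            if not STAMP_RE.search(data):
                reasons.append("no [date size] stamp: ComboFix could not verify the file (tagged [BU])")
            if HEX_NAME_RE.match(name):
                reasons.append("eight-hex-character value name (Vundo pattern, heuristic)")
        if reasons:
            findings.append(Finding(key, name, data, "; ".join(reasons)))
    return findings


def cfscript(findings):
    """Build the File:: and Registry:: blocks that undo the findings."""
    files, registry = [], {}
    for f in findings:
        if f.name.lower() == "appinit_dlls":
            files += [SYSTEM32 + dll for dll in f.data.strip('" ').split()]
            # Clear the value rather than delete it, as the script above does.
            registry.setdefault(f.key, []).append('"AppInit_DLLs"=""')
        else:
            registry.setdefault(f.key, []).append(f'"{f.name}"=-')  # =- deletes the value
    lines = ["File::", *files, ""] if files else []
    lines.append("Registry::")
    for key, values in registry.items():
        lines.append(f"[{key}]")
        lines.extend(values)
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.key}\n  {f.name} = {f.data}\n  -> {f.reason}")
    print()
    print(cfscript(found))
```

Run against the sample it flags only `90e3ece7` (unstamped, hex-named) and `AppInit_DLLs`, and leaves the stamped ESET, nwiz and codec entries alone. The generated File:: list covers only the DLLs named in AppInit_DLLs; Geri's script above also lists files found by other means, which no log parser can reconstruct, so treat the output as a starting point for a helper to review, not as a script to drop on ComboFix unread.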
     
