Look at this plz
BullGuard Antivirus Forum > Virus Removal > Removal Tools
keng53140
Junior Member
Date Joined Apr 2007
Total Posts : 68
Posted 12-12-2007 11:13 (GMT +1)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:49 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: The sdrmod - {16A0662E-AC21-4AD9-89E8-7495AC5ACE93} - C:\WINDOWS\sdrmod.dll (file missing)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191725035108
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
--
End of file - 2621 bytes
 
 
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
 + Created at: 3:12:01 PM 12/11/2007
 + Scan result: 
 
C:\System Volume Information\_restore{FD5B4A88-3CFB-4377-920B-880CE67A4545}\RP41\A0026608.ini -> Adware.Qworke : Cleaned with backup (quarantined).
C:\WINDOWS\system32\eulbn.dll -> Downloader.Bojo.r : Cleaned with backup (quarantined).
[1444] C:\WINDOWS\system32\eulbn.dll -> Downloader.Bojo.r : Cleaned with backup (quarantined).
C:\Documents and Settings\Tim\Cookies\tim@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Tim\Cookies\tim@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Program Files\VideoAccessCodec\VideoAccessCodec.ocx -> Trojan.Agent.bvg : Cleaned with backup (quarantined).

::Report end
 
 
 
********************************* ROOTCHK-(5-12-07)-LOG, by ejvindh
Tue 12/11/2007 15:17:46.48
The rootkits that are detected by this tool were not found.
********************************* ROOTCHK-LOG-end

catchme 0.3.1319 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 15:17:49
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
hidden processes: 0
hidden services: 0
hidden files: 0
 
 
ComboFix 07-12-12.3 - Tim 2007-12-11 15:22:56.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.94 [GMT -6:00]
Running from: C:\Documents and Settings\Tim\Desktop\ComboFix.exe
 * Created a new restore point
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\.protected
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
C:\Documents and Settings\Tim\Desktop\Error Cleaner.url
C:\Documents and Settings\Tim\Desktop\Privacy Protector.url
C:\Documents and Settings\Tim\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Tim\Favorites\Error Cleaner.url
C:\Documents and Settings\Tim\Favorites\Privacy Protector.url
C:\Documents and Settings\Tim\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Tim\ResErrors.log
C:\Documents and Settings\Tim\Start Menu\Programs\Startup\.protected
C:\Program Files\AntiVirGear 3.8
C:\Program Files\AntiVirGear 3.8\vpp.ini
C:\Program Files\trustedprotection
C:\Program Files\trustedprotection\Up\diagnosis.dat
C:\Program Files\VideoAccessCodec
C:\Program Files\VideoAccessCodec\install.ico
C:\Program Files\VideoAccessCodec\Uninstall.exe
C:\WINDOWS\.protected
C:\WINDOWS\advrepnok.dll
C:\WINDOWS\bindmod.dll
C:\WINDOWS\dat.txt
C:\WINDOWS\hupsrv.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\rs.txt
C:\WINDOWS\sdrmod.dll
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\drivers\etc\.protected
C:\WINDOWS\wtopmod.exe
.
(((((((((((((((((((((((((   Files Created from 2007-11-12 to 2007-12-12  )))))))))))))))))))))))))))))))
.
2007-12-11 14:18 . 2007-12-11 14:18 <DIR> d-------- C:\Documents and Settings\Tim\Application Data\Grisoft
2007-12-11 14:17 . 2007-12-11 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-11 14:17 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-11 14:02 . 2007-12-11 14:02 <DIR> d-------- C:\Program Files\CCleaner
2007-11-17 22:38 . 2007-12-11 13:23 285 --a------ C:\WINDOWS\system32\MRT.INI
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 19:42 --------- d-----w C:\Program Files\Video Add-on
2007-12-11 18:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-01 12:53 --------- d-----w C:\Program Files\Network Associates
2007-11-01 12:52 --------- d-----w C:\Program Files\WinAnonymous
2007-11-01 12:52 --------- d-----w C:\Program Files\VirusRanger
2007-11-01 12:52 --------- d-----w C:\Program Files\AntiSpyGolden 5.1
2007-11-01 12:51 --------- d-----w C:\Program Files\YourPrivacyGuard
2007-11-01 12:51 --------- d-----w C:\Program Files\SystemDefender
2007-11-01 12:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-01 12:42 --------- d-----w C:\Program Files\Google
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 01:07 --------- d-----w C:\Documents and Settings\Tim\Application Data\YourPrivacyGuard
2007-10-14 14:37 --------- d-----w C:\Documents and Settings\Tim\Application Data\SystemDefender
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{16A0662E-AC21-4AD9-89E8-7495AC5ACE93}"= C:\WINDOWS\sdrmod.dll [ ]
[HKEY_CLASSES_ROOT\clsid\{16a0662e-ac21-4ad9-89e8-7495ac5ace93}]
[HKEY_CLASSES_ROOT\sdrmod.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{861A084D-C8F1-47F8-90F1-6494C0645FF2}]
[HKEY_CLASSES_ROOT\sdrmod.ToolBar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]

*Newly Created Service* - AVGASCLN
*Newly Created Service* - CATCHME
*Newly Created Service* - HTTPFILTER
*Newly Created Service* - PROCEXP90
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 15:27:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-12 15:28:40
.
2007-11-18 04:38:55 --- E O F --- 

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319
Posted 12-13-2007 6:56 (GMT +1)
Hello

If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (normally C:), and launch from there.

 
Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.


Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, normally C:\rapport.txt

Post a fresh HijackThis log with rapport.txt and a new ComboFix log.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++
process.exe is detected by some antivirus programs as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.



Do NOT post your problem in someone else's thread.


keng53140
Junior Member
Date Joined Apr 2007
Total Posts : 68
Posted 12-14-2007 11:34 (GMT +1)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:07 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe
O3 - Toolbar: The sdrmod - {16A0662E-AC21-4AD9-89E8-7495AC5ACE93} - C:\WINDOWS\sdrmod.dll (file missing)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191725035108
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 2393 bytes
 
 
SmitFraudFix v2.268
Scan done at 16:11:33.29, Sat 12/15/2007
Run from C:\Documents and Settings\Tim\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1       localhost
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\Tim\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\Video Add-on\ Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8E069C8D-ECB5-48A3-906E-9AE222BBEC97}: DhcpNameServer=24.94.163.100 24.94.163.101
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8E069C8D-ECB5-48A3-906E-9AE222BBEC97}: DhcpNameServer=24.94.163.100 24.94.163.101
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8E069C8D-ECB5-48A3-906E-9AE222BBEC97}: DhcpNameServer=24.94.163.100 24.94.163.101
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.94.163.100 24.94.163.101
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.94.163.100 24.94.163.101
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.94.163.100 24.94.163.101

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
 
 
 
ComboFix 07-12-12.3 - Tim 2007-12-15 16:20:08.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.51 [GMT -6:00]
Running from: C:\Documents and Settings\Tim\Desktop\ComboFix.exe
.
(((((((((((((((((((((((((   Files Created from 2007-11-15 to 2007-12-15  )))))))))))))))))))))))))))))))
.
2007-12-15 16:11 . 2007-12-15 16:11 570 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-13 17:05 . 2007-12-13 17:05 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-13 17:04 . 2007-12-13 17:05 <DIR> d-------- C:\d2ec9a89d3edd10f3c8e47
2007-12-13 17:01 . 2007-12-13 17:02 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-13 17:01 . 2007-12-13 17:04 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-12 16:34 . 2007-12-15 16:24 165,920 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-12 16:34 . 2007-12-15 16:09 2,540 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-12 16:30 . 2007-12-12 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-12 16:29 . 2007-12-15 16:23 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-12 15:35 . 2007-12-12 15:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 15:33 . 2007-12-15 16:18 <DIR> d-------- C:\HJT
2007-12-12 15:27 . 2007-12-13 17:01 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-11 14:18 . 2007-12-11 14:18 <DIR> d-------- C:\Documents and Settings\Tim\Application Data\Grisoft
2007-12-11 14:17 . 2007-12-11 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-11 14:17 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-11 14:02 . 2007-12-11 14:02 <DIR> d-------- C:\Program Files\CCleaner
2007-11-17 22:38 . 2007-12-11 13:23 285 --a------ C:\WINDOWS\system32\MRT.INI
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 18:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-01 12:53 --------- d-----w C:\Program Files\Network Associates
2007-11-01 12:52 --------- d-----w C:\Program Files\WinAnonymous
2007-11-01 12:52 --------- d-----w C:\Program Files\VirusRanger
2007-11-01 12:52 --------- d-----w C:\Program Files\AntiSpyGolden 5.1
2007-11-01 12:51 --------- d-----w C:\Program Files\YourPrivacyGuard
2007-11-01 12:51 --------- d-----w C:\Program Files\SystemDefender
2007-11-01 12:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-01 12:42 --------- d-----w C:\Program Files\Google
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-24 01:07 --------- d-----w C:\Documents and Settings\Tim\Application Data\YourPrivacyGuard
.
(((((((((((((((((((((((((((((   snapshot@2007-12-12_15.27.32.35   )))))))))))))))))))))))))))))))))))))))))
.
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{16A0662E-AC21-4AD9-89E8-7495AC5ACE93}"= C:\WINDOWS\sdrmod.dll [ ]
[HKEY_CLASSES_ROOT\clsid\{16a0662e-ac21-4ad9-89e8-7495ac5ace93}]
[HKEY_CLASSES_ROOT\sdrmod.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{861A084D-C8F1-47F8-90F1-6494C0645FF2}]
[HKEY_CLASSES_ROOT\sdrmod.ToolBar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 16:24:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-15 16:27:01
C:\ComboFix2.txt ... 2007-12-12 15:28
.
2007-11-18 04:38:55 --- E O F --- 
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
   Posted 12-15-2007 11:05 (GMT +1)
Open Notepad and copy/paste the text in the quote box below into it:
Quote:
-----------------------------------------------------
KILLALL::
 
File::
C:\d2ec9a89d3edd10f3c8e47
 
Folder::
C:\Program Files\WinAnonymous
C:\Program Files\VirusRanger
C:\Program Files\AntiSpyGolden 5.1
C:\Program Files\YourPrivacyGuard
C:\Program Files\SystemDefender
C:\Documents and Settings\Tim\Application Data\YourPrivacyGuard
 
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{16A0662E-AC21-4AD9-89E8-7495AC5ACE93}"=-
[HKEY_CLASSES_ROOT\clsid\{16a0662e-ac21-4ad9-89e8-7495ac5ace93}]
[HKEY_CLASSES_ROOT\sdrmod.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{861A084D-C8F1-47F8-90F1-6494C0645FF2}]
[HKEY_CLASSES_ROOT\sdrmod.ToolBar]
 
----------------------------------------------
 
Save this as CFScript.txt
 
 
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system.
It may reboot your system when it finishes. This is normal.
 
 
Post a new HijackThis log along with a fresh ComboFix log and tell how things are running now?
 


Do NOT post your problem in someone else's thread.

 
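The script above names the files, folders and registry entries to remove, and the ComboFix log posted after the run is the only evidence that they actually went. As an added example (not ComboFix's or the moderator's code), the following Python cross-checks a CFScript against a post-run ComboFix log: it parses the script's File::/Folder::/Registry:: sections and the log's FILE, Other Deletions and REGEDIT4 blocks, and reports every target the log does not confirm as removed. The log layout is inferred from the logs in this thread, and the sample inputs are constructed excerpts of the script and logs above.

```python
"""Cross-check a ComboFix CFScript against the post-run ComboFix log: are the File::/Folder::
targets listed as deleted and the Registry:: targets gone from "Reg Loading Points"? Added example."""
from __future__ import annotations
import re

KEY_RE = re.compile(r"^\[(.+)\]\s*$")     # .reg-style key line, [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=')  # .reg-style value line, "name"= ...


def parse_cfscript(script: str) -> dict[str, list[str]]:
    """Split a CFScript into its sections, e.g. {"Folder": [...], "Registry": [...]}."""
    sections: dict[str, list[str]] = {}
    current = None
    for line in (raw.strip() for raw in script.splitlines()):
        if line.endswith("::") and line[:-2].isalpha():  # section header, e.g. "Registry::"
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current:
            sections[current].append(line)
    return sections


def registry_targets(sections: dict[str, list[str]]) -> tuple[set[str], set[tuple[str, str]]]:
    """Registry:: lines -> (whole keys listed on their own, (key, value) pairs marked '=-'),
    lower-cased; a key that only scopes '"name"=-' lines is not a whole-key target."""
    keys, values, key = [], set(), None
    for line in sections.get("Registry", []):
        if (m := KEY_RE.match(line)):
            key = m.group(1).lower()
            keys.append(key)
        elif key and line.endswith("=-") and (m := VALUE_RE.match(line)):
            values.add((key, m.group(1).lower()))
    scoped = {k for k, _ in values}
    return {k for k in keys if k not in scoped}, values


def combofix_loading_points(log: str) -> dict[str, set[str]]:
    """Parse the REGEDIT4 block of a ComboFix log into {key: {value names}}, lower-cased."""
    entries, key, in_block = {}, None, False
    for line in (raw.strip() for raw in log.splitlines()):
        if not in_block:
            in_block = line == "REGEDIT4"
        elif line in ("", "."):  # the block ends at the first blank or "." line
            break
        elif (m := KEY_RE.match(line)):
            key = m.group(1).lower()
            entries.setdefault(key, set())
        elif key and (m := VALUE_RE.match(line)):
            entries[key].add(m.group(1).lower())
    return entries


def deleted_paths(log: str) -> set[str]:
    """Paths ComboFix lists under FILE and the 'Other Deletions' banner, lower-cased."""
    paths, collecting = set(), False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "FILE" or "Other Deletions" in line:
            collecting = True
        elif line.startswith("((("):  # any other banner starts the next section
            collecting = False
        elif collecting and line and line != ".":
            paths.add(line.lower())
    return paths


def verify(script: str, post_log: str) -> dict[str, list[str]]:
    """Targets the post-run log does NOT confirm as removed, by kind; all empty means clean."""
    sections = parse_cfscript(script)
    key_targets, value_targets = registry_targets(sections)
    points = combofix_loading_points(post_log)
    gone = deleted_paths(post_log)
    return {
        "registry_keys": sorted(k for k in key_targets if k in points),
        "registry_values": sorted(f"{k}\\{v}" for k, v in value_targets if v in points.get(k, ())),
        "paths": sorted(p for p in sections.get("File", []) + sections.get("Folder", [])
                        if p.lower() not in gone),
    }


CFSCRIPT = r"""File::
C:\d2ec9a89d3edd10f3c8e47
Folder::
C:\Program Files\WinAnonymous
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{16A0662E-AC21-4AD9-89E8-7495AC5ACE93}"=-
[HKEY_CLASSES_ROOT\clsid\{16a0662e-ac21-4ad9-89e8-7495ac5ace93}]"""  # constructed excerpt of the script above
PRE_LOG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{16A0662E-AC21-4AD9-89E8-7495AC5ACE93}"= C:\WINDOWS\sdrmod.dll [ ]
[HKEY_CLASSES_ROOT\clsid\{16a0662e-ac21-4ad9-89e8-7495ac5ace93}]"""  # constructed excerpt, before the fix
POST_LOG = r"""FILE
C:\d2ec9a89d3edd10f3c8e47
.
((((((((((   Other Deletions   ))))))))))
C:\Program Files\WinAnonymous
((((((((((   Files Created from 2007-11-15 to 2007-12-15  ))))))))))
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]"""  # constructed excerpt, after the fix
```

Run against the pre-fix excerpt, verify() lists the toolbar value, the CLSID key and both paths as unconfirmed; against the post-fix excerpt every list is empty.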

keng53140
Junior Member


Date Joined Apr 2007
Total Posts : 68
 
   Posted 12-16-2007 12:17 (GMT +1)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:47 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191725035108
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 2375 bytes
 
 
ComboFix 07-12-12.3 - Tim 2007-12-15 17:00:45.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.331 [GMT -6:00]
Running from: C:\Documents and Settings\Tim\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tim\Desktop\CFScript.txt
 * Created a new restore point
FILE
C:\d2ec9a89d3edd10f3c8e47
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Tim\Application Data\YourPrivacyGuard
C:\Documents and Settings\Tim\Application Data\YourPrivacyGuard\Logs\update.log
C:\Program Files\AntiSpyGolden 5.1
C:\Program Files\AntiSpyGolden 5.1\AntiSpyGolden AntiSpyGolden.url
C:\Program Files\AntiSpyGolden 5.1\Logs\scan_log_10102007-071102.html
C:\Program Files\AntiSpyGolden 5.1\Logs\scan_log_10112007-185052.html
C:\Program Files\AntiSpyGolden 5.1\Logs\scan_log_10132007-103647.html
C:\Program Files\AntiSpyGolden 5.1\Logs\scan_log_10132007-192933.html
C:\Program Files\SystemDefender
C:\Program Files\SystemDefender\program.info
C:\Program Files\SystemDefender\SystemDefender.db
C:\Program Files\SystemDefender\SystemDefender.pkg
C:\Program Files\VirusRanger
C:\Program Files\VirusRanger\backdoor.avb
C:\Program Files\VirusRanger\base.dat
C:\Program Files\VirusRanger\ca.avb
C:\Program Files\VirusRanger\daily.avb
C:\Program Files\VirusRanger\kernel4.avb
C:\Program Files\VirusRanger\malware.avb
C:\Program Files\VirusRanger\OE.api
C:\Program Files\VirusRanger\OE4.api
C:\Program Files\VirusRanger\result.lst
C:\Program Files\VirusRanger\sdebug.log
C:\Program Files\VirusRanger\stop.set
C:\Program Files\VirusRanger\TheBAT.api
C:\Program Files\VirusRanger\tips.txt
C:\Program Files\VirusRanger\trojan.avb
C:\Program Files\VirusRanger\UnACE.api
C:\Program Files\VirusRanger\UnARJ.api
C:\Program Files\VirusRanger\UnMSCAB.api
C:\Program Files\VirusRanger\unrar.api
C:\Program Files\VirusRanger\unzip.api
C:\Program Files\VirusRanger\updater.plb
C:\Program Files\VirusRanger\virusdos.avb
C:\Program Files\VirusRanger\VirusRanger.url
C:\Program Files\VirusRanger\virusw32.avb
C:\Program Files\VirusRanger\weekly.avb
C:\Program Files\WinAnonymous
C:\Program Files\WinAnonymous\data\brand.dat
C:\Program Files\WinAnonymous\data\sfl.dat
C:\Program Files\WinAnonymous\data\skin.skn
C:\Program Files\WinAnonymous\data\srl.dat
C:\Program Files\WinAnonymous\GDC.url
C:\Program Files\WinAnonymous\gfx\button_arrow.bmp
C:\Program Files\WinAnonymous\gfx\button_arrow2.bmp
C:\Program Files\WinAnonymous\gfx\buy.bmp
C:\Program Files\WinAnonymous\gfx\checked.bmp
C:\Program Files\WinAnonymous\gfx\custom.bmp
C:\Program Files\WinAnonymous\gfx\customcleanup.bmp
C:\Program Files\WinAnonymous\gfx\header.bmp
C:\Program Files\WinAnonymous\gfx\log.bmp
C:\Program Files\WinAnonymous\gfx\logo.bmp
C:\Program Files\WinAnonymous\gfx\register.bmp
C:\Program Files\WinAnonymous\gfx\settings.bmp
C:\Program Files\WinAnonymous\gfx\sign_green.bmp
C:\Program Files\WinAnonymous\gfx\sign_green_big.bmp
C:\Program Files\WinAnonymous\gfx\sign_red.bmp
C:\Program Files\WinAnonymous\gfx\sign_red_big.bmp
C:\Program Files\WinAnonymous\gfx\sign_yellow.bmp
C:\Program Files\WinAnonymous\gfx\splash.bmp
C:\Program Files\WinAnonymous\gfx\status_good.bmp
C:\Program Files\WinAnonymous\gfx\status_risk.bmp
C:\Program Files\WinAnonymous\gfx\support.bmp
C:\Program Files\WinAnonymous\gfx\sys_shield.bmp
C:\Program Files\WinAnonymous\gfx\sys_update.bmp
C:\Program Files\WinAnonymous\gfx\sysstatus.bmp
C:\Program Files\WinAnonymous\gfx\unchecked.bmp
C:\Program Files\WinAnonymous\gfx\update.bmp
C:\Program Files\WinAnonymous\lang\Arabic.lng
C:\Program Files\WinAnonymous\lang\Brazilian.lng
C:\Program Files\WinAnonymous\lang\Catalan.lng
C:\Program Files\WinAnonymous\lang\Chinese.lng
C:\Program Files\WinAnonymous\lang\Czech.lng
C:\Program Files\WinAnonymous\lang\Danish.lng
C:\Program Files\WinAnonymous\lang\Dutch.lng
C:\Program Files\WinAnonymous\lang\English.lng
C:\Program Files\WinAnonymous\lang\Finnish.lng
C:\Program Files\WinAnonymous\lang\French.lng
C:\Program Files\WinAnonymous\lang\German.lng
C:\Program Files\WinAnonymous\lang\Greek.lng
C:\Program Files\WinAnonymous\lang\Hebrew.lng
C:\Program Files\WinAnonymous\lang\Italian.lng
C:\Program Files\WinAnonymous\lang\Japanese.lng
C:\Program Files\WinAnonymous\lang\Malayan.lng
C:\Program Files\WinAnonymous\lang\Norwegian.lng
C:\Program Files\WinAnonymous\lang\Polish.lng
C:\Program Files\WinAnonymous\lang\Portuguese.lng
C:\Program Files\WinAnonymous\lang\Russian.lng
C:\Program Files\WinAnonymous\lang\Slovenian.lng
C:\Program Files\WinAnonymous\lang\Spanish.lng
C:\Program Files\WinAnonymous\lang\Swedish.lng
C:\Program Files\WinAnonymous\lang\Thai.lng
C:\Program Files\WinAnonymous\lang\Turkish.lng
C:\Program Files\WinAnonymous\License.rtf
C:\Program Files\WinAnonymous\Readme.rtf
C:\Program Files\WinAnonymous\sr.log
C:\Program Files\WinAnonymous\support.url
C:\Program Files\WinAnonymous\unins000.dat
C:\Program Files\WinAnonymous\updater.dat
C:\Program Files\WinAnonymous\ver.dat
C:\Program Files\YourPrivacyGuard
C:\Program Files\YourPrivacyGuard\data\brand.dat
C:\Program Files\YourPrivacyGuard\data\sfl.dat
C:\Program Files\YourPrivacyGuard\data\skin.skn
C:\Program Files\YourPrivacyGuard\data\srl.dat
C:\Program Files\YourPrivacyGuard\GDC.url
C:\Program Files\YourPrivacyGuard\gfx\button_arrow.bmp
C:\Program Files\YourPrivacyGuard\gfx\button_arrow2.bmp
C:\Program Files\YourPrivacyGuard\gfx\buy.bmp
C:\Program Files\YourPrivacyGuard\gfx\checked.bmp
C:\Program Files\YourPrivacyGuard\gfx\custom.bmp
C:\Program Files\YourPrivacyGuard\gfx\customcleanup.bmp
C:\Program Files\YourPrivacyGuard\gfx\header.bmp
C:\Program Files\YourPrivacyGuard\gfx\log.bmp
C:\Program Files\YourPrivacyGuard\gfx\logo.bmp
C:\Program Files\YourPrivacyGuard\gfx\register.bmp
C:\Program Files\YourPrivacyGuard\gfx\settings.bmp
C:\Program Files\YourPrivacyGuard\gfx\sign_green.bmp
C:\Program Files\YourPrivacyGuard\gfx\sign_green_big.bmp
C:\Program Files\YourPrivacyGuard\gfx\sign_red.bmp
C:\Program Files\YourPrivacyGuard\gfx\sign_red_big.bmp
C:\Program Files\YourPrivacyGuard\gfx\sign_yellow.bmp
C:\Program Files\YourPrivacyGuard\gfx\splash.bmp
C:\Program Files\YourPrivacyGuard\gfx\status_good.bmp
C:\Program Files\YourPrivacyGuard\gfx\status_risk.bmp
C:\Program Files\YourPrivacyGuard\gfx\support.bmp
C:\Program Files\YourPrivacyGuard\gfx\sys_shield.bmp
C:\Program Files\YourPrivacyGuard\gfx\sys_update.bmp
C:\Program Files\YourPrivacyGuard\gfx\sysstatus.bmp
C:\Program Files\YourPrivacyGuard\gfx\unchecked.bmp
C:\Program Files\YourPrivacyGuard\gfx\update.bmp
C:\Program Files\YourPrivacyGuard\lang\Arabic.lng
C:\Program Files\YourPrivacyGuard\lang\Brazilian.lng
C:\Program Files\YourPrivacyGuard\lang\Catalan.lng
C:\Program Files\YourPrivacyGuard\lang\Chinese.lng
C:\Program Files\YourPrivacyGuard\lang\Czech.lng
C:\Program Files\YourPrivacyGuard\lang\Danish.lng
C:\Program Files\YourPrivacyGuard\lang\Dutch.lng
C:\Program Files\YourPrivacyGuard\lang\English.lng
C:\Program Files\YourPrivacyGuard\lang\Finnish.lng
C:\Program Files\YourPrivacyGuard\lang\French.lng
C:\Program Files\YourPrivacyGuard\lang\German.lng
C:\Program Files\YourPrivacyGuard\lang\Greek.lng
C:\Program Files\YourPrivacyGuard\lang\Hebrew.lng
C:\Program Files\YourPrivacyGuard\lang\Italian.lng
C:\Program Files\YourPrivacyGuard\lang\Japanese.lng
C:\Program Files\YourPrivacyGuard\lang\Malayan.lng
C:\Program Files\YourPrivacyGuard\lang\Norwegian.lng
C:\Program Files\YourPrivacyGuard\lang\Polish.lng
C:\Program Files\YourPrivacyGuard\lang\Portuguese.lng
C:\Program Files\YourPrivacyGuard\lang\Russian.lng
C:\Program Files\YourPrivacyGuard\lang\Slovenian.lng
C:\Program Files\YourPrivacyGuard\lang\Spanish.lng
C:\Program Files\YourPrivacyGuard\lang\Swedish.lng
C:\Program Files\YourPrivacyGuard\lang\Thai.lng
C:\Program Files\YourPrivacyGuard\lang\Turkish.lng
C:\Program Files\YourPrivacyGuard\License.rtf
C:\Program Files\YourPrivacyGuard\Readme.rtf
C:\Program Files\YourPrivacyGuard\sr.log
C:\Program Files\YourPrivacyGuard\support.url
C:\Program Files\YourPrivacyGuard\unins000.dat
C:\Program Files\YourPrivacyGuard\updater.dat
C:\Program Files\YourPrivacyGuard\ver.dat
.
(((((((((((((((((((((((((   Files Created from 2007-11-15 to 2007-12-15  )))))))))))))))))))))))))))))))
.
2007-12-15 16:11 . 2007-12-15 16:11 570 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-13 17:05 . 2007-12-13 17:05 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-13 17:04 . 2007-12-13 17:05 <DIR> d-------- C:\d2ec9a89d3edd10f3c8e47
2007-12-13 17:01 . 2007-12-13 17:02 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-13 17:01 . 2007-12-13 17:04 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-12 16:34 . 2007-12-15 17:11 221,216 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-12 16:34 . 2007-12-15 17:10 3,620 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-12 16:30 . 2007-12-12 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-12 16:29 . 2007-12-15 17:13 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-12 15:35 . 2007-12-12 15:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 15:33 . 2007-12-15 16:18 <DIR> d-------- C:\HJT
2007-12-12 15:27 . 2007-12-13 17:01 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-11 14:18 . 2007-12-11 14:18 <DIR> d-------- C:\Documents and Settings\Tim\Application Data\Grisoft
2007-12-11 14:17 . 2007-12-11 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-11 14:17 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-11 14:02 . 2007-12-11 14:02 <DIR> d-------- C:\Program Files\CCleaner
2007-11-17 22:38 . 2007-12-11 13:23 285 --a------ C:\WINDOWS\system32\MRT.INI
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 18:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-01 12:53 --------- d-----w C:\Program Files\Network Associates
2007-11-01 12:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-01 12:42 --------- d-----w C:\Program Files\Google
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 17:12:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-15 17:15:22 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-15 16:27
C:\ComboFix3.txt ... 2007-12-12 15:28
.
2007-11-18 04:38:55 --- E O F --- 
 

keng53140
Junior Member


Date Joined Apr 2007
Total Posts : 68
 
   Posted 12-16-2007 12:18 (GMT +1)    Quote: Look at this plzAlert an admin about: Look at this plz
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:47 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191725035108
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 2375 bytes
 
 
ComboFix 07-12-12.3 - Tim 2007-12-15 17:00:45.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.331 [GMT -6:00]
Running from: C:\Documents and Settings\Tim\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tim\Desktop\CFScript.txt
 * Created a new restore point
FILE
C:\d2ec9a89d3edd10f3c8e47
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Tim\Application Data\YourPrivacyGuard
C:\Documents and Settings\Tim\Application Data\YourPrivacyGuard\Logs\update.log
C:\Program Files\AntiSpyGolden 5.1
C:\Program Files\AntiSpyGolden 5.1\AntiSpyGolden AntiSpyGolden.url
C:\Program Files\AntiSpyGolden 5.1\Logs\scan_log_10102007-071102.html
C:\Program Files\AntiSpyGolden 5.1\Logs\scan_log_10112007-185052.html
C:\Program Files\AntiSpyGolden 5.1\Logs\scan_log_10132007-103647.html
C:\Program Files\AntiSpyGolden 5.1\Logs\scan_log_10132007-192933.html
C:\Program Files\SystemDefender
C:\Program Files\SystemDefender\program.info
C:\Program Files\SystemDefender\SystemDefender.db
C:\Program Files\SystemDefender\SystemDefender.pkg
C:\Program Files\VirusRanger
C:\Program Files\VirusRanger\backdoor.avb
C:\Program Files\VirusRanger\base.dat
C:\Program Files\VirusRanger\ca.avb
C:\Program Files\VirusRanger\daily.avb
C:\Program Files\VirusRanger\kernel4.avb
C:\Program Files\VirusRanger\malware.avb
C:\Program Files\VirusRanger\OE.api
C:\Program Files\VirusRanger\OE4.api
C:\Program Files\VirusRanger\result.lst
C:\Program Files\VirusRanger\sdebug.log
C:\Program Files\VirusRanger\stop.set
C:\Program Files\VirusRanger\TheBAT.api
C:\Program Files\VirusRanger\tips.txt
C:\Program Files\VirusRanger\trojan.avb
C:\Program Files\VirusRanger\UnACE.api
C:\Program Files\VirusRanger\UnARJ.api
C:\Program Files\VirusRanger\UnMSCAB.api
C:\Program Files\VirusRanger\unrar.api
C:\Program Files\VirusRanger\unzip.api
C:\Program Files\VirusRanger\updater.plb
C:\Program Files\VirusRanger\virusdos.avb
C:\Program Files\VirusRanger\VirusRanger.url
C:\Program Files\VirusRanger\virusw32.avb
C:\Program Files\VirusRanger\weekly.avb
C:\Program Files\WinAnonymous
C:\Program Files\WinAnonymous\data\brand.dat
C:\Program Files\WinAnonymous\data\sfl.dat
C:\Program Files\WinAnonymous\data\skin.skn
C:\Program Files\WinAnonymous\data\srl.dat
C:\Program Files\WinAnonymous\GDC.url
C:\Program Files\WinAnonymous\gfx\button_arrow.bmp
C:\Program Files\WinAnonymous\gfx\button_arrow2.bmp
C:\Program Files\WinAnonymous\gfx\buy.bmp
C:\Program Files\WinAnonymous\gfx\checked.bmp
C:\Program Files\WinAnonymous\gfx\custom.bmp
C:\Program Files\WinAnonymous\gfx\customcleanup.bmp
C:\Program Files\WinAnonymous\gfx\header.bmp
C:\Program Files\WinAnonymous\gfx\log.bmp
C:\Program Files\WinAnonymous\gfx\logo.bmp
C:\Program Files\WinAnonymous\gfx\register.bmp
C:\Program Files\WinAnonymous\gfx\settings.bmp
C:\Program Files\WinAnonymous\gfx\sign_green.bmp
C:\Program Files\WinAnonymous\gfx\sign_green_big.bmp
C:\Program Files\WinAnonymous\gfx\sign_red.bmp
C:\Program Files\WinAnonymous\gfx\sign_red_big.bmp
C:\Program Files\WinAnonymous\gfx\sign_yellow.bmp
C:\Program Files\WinAnonymous\gfx\splash.bmp
C:\Program Files\WinAnonymous\gfx\status_good.bmp
C:\Program Files\WinAnonymous\gfx\status_risk.bmp
C:\Program Files\WinAnonymous\gfx\support.bmp
C:\Program Files\WinAnonymous\gfx\sys_shield.bmp
C:\Program Files\WinAnonymous\gfx\sys_update.bmp
C:\Program Files\WinAnonymous\gfx\sysstatus.bmp
C:\Program Files\WinAnonymous\gfx\unchecked.bmp
C:\Program Files\WinAnonymous\gfx\update.bmp
C:\Program Files\WinAnonymous\lang\Arabic.lng
C:\Program Files\WinAnonymous\lang\Brazilian.lng
C:\Program Files\WinAnonymous\lang\Catalan.lng
C:\Program Files\WinAnonymous\lang\Chinese.lng
C:\Program Files\WinAnonymous\lang\Czech.lng
C:\Program Files\WinAnonymous\lang\Danish.lng
C:\Program Files\WinAnonymous\lang\Dutch.lng
C:\Program Files\WinAnonymous\lang\English.lng
C:\Program Files\WinAnonymous\lang\Finnish.lng
C:\Program Files\WinAnonymous\lang\French.lng
C:\Program Files\WinAnonymous\lang\German.lng
C:\Program Files\WinAnonymous\lang\Greek.lng
C:\Program Files\WinAnonymous\lang\Hebrew.lng
C:\Program Files\WinAnonymous\lang\Italian.lng
C:\Program Files\WinAnonymous\lang\Japanese.lng
C:\Program Files\WinAnonymous\lang\Malayan.lng
C:\Program Files\WinAnonymous\lang\Norwegian.lng
C:\Program Files\WinAnonymous\lang\Polish.lng
C:\Program Files\WinAnonymous\lang\Portuguese.lng
C:\Program Files\WinAnonymous\lang\Russian.lng
C:\Program Files\WinAnonymous\lang\Slovenian.lng
C:\Program Files\WinAnonymous\lang\Spanish.lng
C:\Program Files\WinAnonymous\lang\Swedish.lng
C:\Program Files\WinAnonymous\lang\Thai.lng
C:\Program Files\WinAnonymous\lang\Turkish.lng
C:\Program Files\WinAnonymous\License.rtf
C:\Program Files\WinAnonymous\Readme.rtf
C:\Program Files\WinAnonymous\sr.log
C:\Program Files\WinAnonymous\support.url
C:\Program Files\WinAnonymous\unins000.dat
C:\Program Files\WinAnonymous\updater.dat
C:\Program Files\WinAnonymous\ver.dat
C:\Program Files\YourPrivacyGuard
C:\Program Files\YourPrivacyGuard\data\brand.dat
C:\Program Files\YourPrivacyGuard\data\sfl.dat
C:\Program Files\YourPrivacyGuard\data\skin.skn
C:\Program Files\YourPrivacyGuard\data\srl.dat
C:\Program Files\YourPrivacyGuard\GDC.url
C:\Program Files\YourPrivacyGuard\gfx\button_arrow.bmp
C:\Program Files\YourPrivacyGuard\gfx\button_arrow2.bmp
C:\Program Files\YourPrivacyGuard\gfx\buy.bmp
C:\Program Files\YourPrivacyGuard\gfx\checked.bmp
C:\Program Files\YourPrivacyGuard\gfx\custom.bmp
C:\Program Files\YourPrivacyGuard\gfx\customcleanup.bmp
C:\Program Files\YourPrivacyGuard\gfx\header.bmp
C:\Program Files\YourPrivacyGuard\gfx\log.bmp
C:\Program Files\YourPrivacyGuard\gfx\logo.bmp
C:\Program Files\YourPrivacyGuard\gfx\register.bmp
C:\Program Files\YourPrivacyGuard\gfx\settings.bmp
C:\Program Files\YourPrivacyGuard\gfx\sign_green.bmp
C:\Program Files\YourPrivacyGuard\gfx\sign_green_big.bmp
C:\Program Files\YourPrivacyGuard\gfx\sign_red.bmp
C:\Program Files\YourPrivacyGuard\gfx\sign_red_big.bmp
C:\Program Files\YourPrivacyGuard\gfx\sign_yellow.bmp
C:\Program Files\YourPrivacyGuard\gfx\splash.bmp
C:\Program Files\YourPrivacyGuard\gfx\status_good.bmp
C:\Program Files\YourPrivacyGuard\gfx\status_risk.bmp
C:\Program Files\YourPrivacyGuard\gfx\support.bmp
C:\Program Files\YourPrivacyGuard\gfx\sys_shield.bmp
C:\Program Files\YourPrivacyGuard\gfx\sys_update.bmp
C:\Program Files\YourPrivacyGuard\gfx\sysstatus.bmp
C:\Program Files\YourPrivacyGuard\gfx\unchecked.bmp
C:\Program Files\YourPrivacyGuard\gfx\update.bmp
C:\Program Files\YourPrivacyGuard\lang\Arabic.lng
C:\Program Files\YourPrivacyGuard\lang\Brazilian.lng
C:\Program Files\YourPrivacyGuard\lang\Catalan.lng
C:\Program Files\YourPrivacyGuard\lang\Chinese.lng
C:\Program Files\YourPrivacyGuard\lang\Czech.lng
C:\Program Files\YourPrivacyGuard\lang\Danish.lng
C:\Program Files\YourPrivacyGuard\lang\Dutch.lng
C:\Program Files\YourPrivacyGuard\lang\English.lng
C:\Program Files\YourPrivacyGuard\lang\Finnish.lng
C:\Program Files\YourPrivacyGuard\lang\French.lng
C:\Program Files\YourPrivacyGuard\lang\German.lng
C:\Program Files\YourPrivacyGuard\lang\Greek.lng
C:\Program Files\YourPrivacyGuard\lang\Hebrew.lng
C:\Program Files\YourPrivacyGuard\lang\Italian.lng
C:\Program Files\YourPrivacyGuard\lang\Japanese.lng
C:\Program Files\YourPrivacyGuard\lang\Malayan.lng
C:\Program Files\YourPrivacyGuard\lang\Norwegian.lng
C:\Program Files\YourPrivacyGuard\lang\Polish.lng
C:\Program Files\YourPrivacyGuard\lang\Portuguese.lng
C:\Program Files\YourPrivacyGuard\lang\Russian.lng
C:\Program Files\YourPrivacyGuard\lang\Slovenian.lng
C:\Program Files\YourPrivacyGuard\lang\Spanish.lng
C:\Program Files\YourPrivacyGuard\lang\Swedish.lng
C:\Program Files\YourPrivacyGuard\lang\Thai.lng
C:\Program Files\YourPrivacyGuard\lang\Turkish.lng
C:\Program Files\YourPrivacyGuard\License.rtf
C:\Program Files\YourPrivacyGuard\Readme.rtf
C:\Program Files\YourPrivacyGuard\sr.log
C:\Program Files\YourPrivacyGuard\support.url
C:\Program Files\YourPrivacyGuard\unins000.dat
C:\Program Files\YourPrivacyGuard\updater.dat
C:\Program Files\YourPrivacyGuard\ver.dat
.
(((((((((((((((((((((((((   Files Created from 2007-11-15 to 2007-12-15  )))))))))))))))))))))))))))))))
.
2007-12-15 16:11 . 2007-12-15 16:11 570 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-13 17:05 . 2007-12-13 17:05 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-13 17:04 . 2007-12-13 17:05 <DIR> d-------- C:\d2ec9a89d3edd10f3c8e47
2007-12-13 17:01 . 2007-12-13 17:02 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-13 17:01 . 2007-12-13 17:04 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-12 16:34 . 2007-12-15 17:11 221,216 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-12 16:34 . 2007-12-15 17:10 3,620 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-12 16:30 . 2007-12-12 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-12 16:29 . 2007-12-15 17:13 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-12 15:35 . 2007-12-12 15:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 15:33 . 2007-12-15 16:18 <DIR> d-------- C:\HJT
2007-12-12 15:27 . 2007-12-13 17:01 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-11 14:18 . 2007-12-11 14:18 <DIR> d-------- C:\Documents and Settings\Tim\Application Data\Grisoft
2007-12-11 14:17 . 2007-12-11 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-11 14:17 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-11 14:02 . 2007-12-11 14:02 <DIR> d-------- C:\Program Files\CCleaner
2007-11-17 22:38 . 2007-12-11 13:23 285 --a------ C:\WINDOWS\system32\MRT.INI
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 18:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-01 12:53 --------- d-----w C:\Program Files\Network Associates
2007-11-01 12:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-01 12:42 --------- d-----w C:\Program Files\Google
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 17:12:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-15 17:15:22 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-15 16:27
C:\ComboFix3.txt ... 2007-12-12 15:28
.
2007-11-18 04:38:55 --- E O F --- 
Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319
Posted 12-17-2007 7:41 (GMT +1)
Looks clean, how are things running now?


Do NOT post your problem in someone else's thread.
