Trojan Issue


GMan2385
Member


Joined: 13 Oct 2005
Posts: 21
Points: 0

Posted: Mon 01/21/2008 8:33pm [Post #1]

Hello H2G mods. It's been a good long time since I needed any assistance, but recently I've been having an issue, it's only been the past 2 days now.

I recently upgraded my computer that I built nearly 5 years ago. New MoBo, new processor, graphics card etc.

I had to re-install my Windows as it appears the hard disk that contains all of my Windows info has recently been deemed "BAD" by Partition Magic 8. After the clean install things were working ok, so I went about regaining all of my lost program associations and whatnot. I had to download Adobe Reader since I had simply run the installation off their site the last time I installed it. Much to my surprise, very shortly after installing it I started getting pop-up warnings from AVG that I have a Trojan. I just ran a third scan after the errors continued to happen despite two scans and reboots. Now upon Windows startup, my AIM no longer loads and I get two error messages, one stating that Windows cannot open "ddccb.exe" in the system32 folder, and the other stating the same for "shell.exe," located in the same folder.

Here's my HJT log from the scan I just performed. I ran it through the Detective, but the only recommendations were to remove three system tray tools (Nvidia, and Winamp Agent [which actually showed up twice]) that I regularly use, so I didn't remove them, plus, I know what those are and trust them.

Logfile of HijackThis v1.99.1
Scan saved at 5:13:58 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
F:\Winamp\winampa.exe
F:\Program files\Adobe\Reader\Reader_sl.exe
C:\WINDOWS\system32\8B85898A90899.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
H:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
H:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
H:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Grisoft\AVG7\avgwb.dat
F:\HJT\HijackThis.exe

R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F3 - REG:win.ini: load=C:\WINDOWS\System32\ddccb.exe
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] F:\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program files\Adobe\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [181216171D161E1] 8B85898A90899.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "F:\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] H:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] H:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] F:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DAEMON Tools Lite] "H:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: .protected
O4 - Global Startup: .protected
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\AIM\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://F:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200950970686
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Any help will be greatly appreciated. Also, I have another slightly unrelated question, but I thought that I might as well ask, and if I need to I can repost the question in another section. I added a 500GB Maxtor SATA drive before I went about upgrading my computer, but once I got my Windows installation back up and running I went to access the drive and it says it is unformatted (though I KNOW I formatted it prior to the upgrade to have 3 partitions, all NTFS). It was used to hold a backup image I had made of my Windows drive in case I ran into issues, which I seem to have, and I was hoping to use the image to restore my programs to their previous functionality. Now, when I try to re-format the drive nothing works: not Partition Magic, not Maxtor's "MaxBlast5" software, not even Windows will format it. Any help on this issue will also be greatly appreciated.

Thanks again for the help!

_Greg
 
Basementgeek
Supreme Guru


Joined: 01 Jan 2003
Posts: 12000
Points: 1188

Posted: Mon 01/21/2008 11:19pm [Post #2]

So far I see a Vundo problem and a SmitFraud infection. I also see that you are running an old version of the HJT program.

Delete your current HJT folder.

Read and follow the directions here and post a new HJT when done.

http://www.help2go.com/Tutorials/Protect_Your_PC/Get_Rid_of_Spyware%2C_Adware%2C_and_Web_Browser_Hijackers.html

BG

P.S.

On your other problem, if it is the same PC, wait until we are done here.
Our policy has been that once an HJT log has been submitted, other help in the forums will be suspended.

_________________
Member of ASAP 2006
GMan2385
Member


Joined: 13 Oct 2005
Posts: 21
Points: 0

Posted: Tue 01/22/2008 6:53am [Post #3]

Ok, so throughout the day as I was cleaning my apartment to move in the next week I went about doing everything that's listed on the linked page.

Here's the ActiveScan Log:


Incident Status Location

Adware:adware/commad Not disinfected c:\windows\uninstall_nmon.vbs
Adware:Adware/CommAd Not disinfected C:\WINDOWS\R3JlZ29yeSBIaWxs\laL5tZ6Vym1KuqUP.vbs
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\5tr3jco0.default\COOKIES. TXT[.enhance.com/]
Possible Virus. Not disinfected C:\Documents and Settings\Gregory Hill\Local Settings\Temp\UE.EXE
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Gregory Hill\Local Settings\Temp\WVDWLRGX.EXE
Virus:Trj/Downloader.SAX Disinfected C:\Documents and Settings\Gregory Hill\Local Settings\Temp\XRUN.EXE
Virus:Trj/Downloader.PLF Disinfected C:\Documents and Settings\Gregory Hill\Local Settings\Temp\SNAPSNET.EXE
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\gamadril20071203[1]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@doubleclick[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@atdmt[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@adrevolver[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@casalemedia[2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@findwhat[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@ad.yieldmanager[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@fastclick[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@statse.webtrendslive[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@apmebf[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@overture[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@burstnet[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@tribalfusion[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@advertising[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@questionmarket[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@statcounter[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@atwola[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.com.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[server.iad.liveperson.net/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[statse.webtrendslive.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[server.iad.liveperson.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.fastclick.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.apmebf.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.fastclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.realmedia.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.zedo.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.realmedia.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.apmebf.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.zedo.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.realmedia.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.zedo.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.realmedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.trafficmp.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.atwola.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[ad.yieldmanager.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.adserver.easyad.info/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.mediaplex.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.atdmt.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.tribalfusion.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.questionmarket.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.ads.pointroll.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.statcounter.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.azjmp.com/]
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.findwhat.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.burstnet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[www.burstbeacon.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.casalemedia.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.xiti.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.gostats.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.adrevolver.com/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.spylog.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.serving-sys.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.bluestreak.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[counter.hitslink.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.clickbank.net/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES. TXT[.ads.addynamix.com/]
Adware:Adware/DnsInsider Not disinfected C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
Spyware:Spyware/7r7t Not disinfected D:\New Music\Hot Fuss\Hot Fuss.exe

And here's my latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:07 AM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
F:\Winamp\winampa.exe
F:\Program files\Adobe\Reader\Reader_sl.exe
C:\WINDOWS\system32\8B85898A90899.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
H:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
H:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AIM6\aim6.exe
H:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
F:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F3 - REG:win.ini: load=C:\WINDOWS\System32\ddccb.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {90FD3ECD-48E5-421C-A995-A5EBBD3F4F86} - C:\WINDOWS\System32\seclogo.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] F:\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program files\Adobe\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [181216171D161E1] 8B85898A90899.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "F:\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] H:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] H:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] F:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DAEMON Tools Lite] "H:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\AIM\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://F:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200950970686
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: pmnkjhg - pmnkjhg.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9286 bytes


Thanks again for all the help. You folks were the first place I thought of coming back to when this issue started up. You're an amazing help for those of us who like to work on our own computers but don't know everything we probably should.
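The helpers above read the HJT logs by eye for the entries that matter (the chained Shell= program, the win.ini load= line, the hex-named Run value, the regedit policy, the missing Winlogon Notify DLL). The following is an added triage script, not part of this thread or of HijackThis, that applies those same checks to HJT lines; the sample entries are copied from the logs posted above, and the heuristics are the editor's own assumptions about what is worth a second look.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of entries taken from the HijackThis logs in this thread.
SAMPLE_HJT = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F3 - REG:win.ini: load=C:\WINDOWS\System32\ddccb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [181216171D161E1] 8B85898A90899.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: pmnkjhg - pmnkjhg.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "F2 - ...", "O4 - ...": HJT section code followed by the entry body.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 body: "HKLM\..\Run: [ValueName] command line"
RUN_VALUE = re.compile(r"^HK\w+\\.*?Run: \[(.+?)\] ?(.*)$")
# Assumed heuristic: long all-hex names (8B85898A90899.exe) are machine-generated, not vendor names.
HEX_NAME = re.compile(r"^[0-9A-F]{10,}$", re.IGNORECASE)


def _stem(path: str) -> str:
    """Return the file name without directory or extension, e.g. 'avgcc' from 'F:\\...\\avgcc.exe'."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[0]


def triage(log_text: str) -> List[Dict[str, str]]:
    """Scan HJT lines and return the entries a helper would ask about, with the reason."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.group(1), m.group(2)
        reason = None

        if code == "F2" and "Shell=" in body:
            # Only Explorer.exe should be the Winlogon shell; anything appended runs at every logon.
            shell = [s.lower() for s in body.split("Shell=", 1)[1].split()]
            if shell != ["explorer.exe"]:
                reason = "extra program chained onto the Winlogon shell"
        elif code == "F3" and "load=" in body:
            # win.ini load= is a legacy autostart that modern software does not use.
            if body.split("load=", 1)[1].strip():
                reason = "win.ini load= launches a program at logon"
        elif code == "O4":
            m4 = RUN_VALUE.match(body)
            if m4:
                name, cmd = m4.group(1), m4.group(2)
                exe = (cmd.split() or [""])[0].strip('"')
                if HEX_NAME.match(name) or HEX_NAME.match(_stem(exe)):
                    reason = "Run value with a random hex-looking name"
        elif code == "O7":
            # HJT lists policy restrictions here; malware commonly disables regedit this way.
            reason = "policy restriction set (regedit/task manager disabled)"
        elif code == "O20" and "(file missing)" in body:
            reason = "Winlogon Notify DLL registered but not present on disk"

        if reason:
            findings.append({"code": code, "reason": reason, "entry": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f['code']:>3}  {f['reason']}\n     {f['entry']}")
```

Benign vendor entries such as NvCplDaemon and AVG7_CC pass through untouched, so the output is the short list a helper would actually ask the poster to fix.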
steamwiz
Supreme Guru


Joined: 12 Sep 2003
Posts: 14022
Points: 2332
Location: Yorkshire U.K.

Posted: Tue 01/22/2008 2:53pm [Post #4]

Hi

The Vundo trojan you have is one of the newest versions & not that easy to get rid of. Apart from that you have several other trojans/infections ... I'm surprised, as this is a relatively newly installed o/s.

Download: SmitfraudFix.zip from :-

http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

1. Download to your desktop
2. Unzip the zip file to your desktop (the files will be extracted to a folder called SmitfraudFix)
3. Double-click smitfraudfix.cmd
4. Select 1 and hit Enter to create a report of the infected files
5. Find the C:\rapport.txt file and post the contents in your next post here...

THEN ...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed, update the definitions
and then run a full system scan; quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

THEN ...

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Please remember to post :-

1. C:\rapport.txt file
2. SUPERAntiSpyware Scan Log
3. C:\ComboFix.txt
4. a new hijackthis log.( run after everything else)

steam

_________________
Look here for Ways to keep your computer safe

M'SOFT MVP -Windows Security 2004/8 .member ASAP - UNITE
 
GMan2385
Member


Joined: 13 Oct 2005
Posts: 21
Points: 0

Posted: Wed 01/23/2008 3:35am [Post #5]

Alrighty, well, I followed all the directions listed by SteamWiz...

However, I never had a logfile pop up, nor was there one in the C drive where it said it would be. It also never re-set my clock settings. I do have the Rapport log and SuperAntiSpyware log though, and I ran a HJT scan after waiting 18 minutes for ComboFix after the window had closed itself. Here are the other logs.

Super Anti Spyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/22/2008 at 11:53 PM

Application Version : 3.9.1008

Core Rules Database Version : 3386
Trace Rules Database Version: 1380

Scan type : Complete Scan
Total Scan Time : 01:16:53

Memory items scanned : 560
Memory threats detected : 0
Registry items scanned : 4035
Registry threats detected : 18
File items scanned : 75276
File threats detected : 109

Adware.Tracking Cookie
C:\Documents and Settings\Gregory Hill\Cookies\gregory_hill@tacoda[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory_hill@revsci[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@html[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@adultobserver[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@gomyron[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@advertising[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory_hill@atwola[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@indiads[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@doubleclick[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@209.9.174[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@secure.systemerrorfixer[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@interclick[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@go[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@adecn[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@clean.systemerrorfixer[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@www.pcantiviruspro[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@adprofile[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@ads.traderonline[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@2o7[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@mediatraffic[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@ads3.blastro[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@a[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@2676[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@10181[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@systemerrorfixer[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@2676[3].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@specificclick[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@doubleclick[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@eas.apm.emediate[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@clicksfeed[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@webtraffic20[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@da-tracking[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@findwhat[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@adsby.zwoops[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@thezirius[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@208.122.40[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@nextag[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@roiservice[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@208.122.40[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@questionmarket[1].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@adlegend[2].txt
C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@pandasoftware.112.2o7[1].txt

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Trojan.Unknown Origin
C:\WINDOWS\R3JLZ29YESBIAWXS\LAL5TZ6VYM1KUQUP.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5195BF5A-8D86-4ECD-8BFA-E325D4ED5E7D}\RP20\A0004331.VBS

Trojan.Downloader-NoName
C:\DOCUMENTS AND SETTINGS\GREGORY HILL\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\90OE5IP5\SPOOLSV[1].EXE

Adware.Unknown Origin
C:\PROGRAM FILES\COMMON FILES\MZKK\MZKKD\CLASS-BARREL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5195BF5A-8D86-4ECD-8BFA-E325D4ED5E7D}\RP20\A0004333.DLL

Trace.Known Threat Sources
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\ctxad-574[1].sig
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\ctxad-574[1].0005
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\ctxad-574[1].0002
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\ctxad-574[1].0004
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\ctxad-574[1].0006
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\ack[3].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\ctxad-574[1].0003
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\checkin[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\close[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\ack[2].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\1x1[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\tsupdate2[1].php
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\ack[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\ctxad-574[1].0000
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\ctxad-574[1].0001
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\background[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\crypt[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\index[2].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\2250lkxrlxlu[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\2676dwzvwngd[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\managers[2].js
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\resize[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\spacer[3].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\ajax[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\CAMV2ZUL.htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\errorhandler[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\get_lic_new[2].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\doorway-door[1].exe
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\index3[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\_ld[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\second[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\landing[2]
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\get_lic_new[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\get_lic_new[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\style813[1].css
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\stats[2].jpg
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\crypt[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\errorhandler[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\solution[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\styler[1].css
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\main.shadow.top[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\icon.arrow[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\middle_left[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\CANI033X.php
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\page.screenshot[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\ajax[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\main.shadow.btm[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\scan.bg[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\CAG16VWD.htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\managers[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\middle_right[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\button.download[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\arrow[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\scan.bar[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\window[1].js
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\8[1].htm
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\family[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\ballon[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\bg[2].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\alert[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\main[1].gif
C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\scan.txt[1].gif


Rapport.txt:

SmitFraudFix v2.274

Scan done at 22:29:14.64, Tue 01/22/2008
Run from C:\Documents and Settings\Gregory Hill\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Winamp\winampa.exe
C:\WINDOWS\system32\8B85898A90899.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
H:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
H:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AIM6\aim6.exe
H:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Winamp\winamp.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

#AAW 10.18.250.4 download.microsoft.com
#AAW 10.18.250.4 downloads.microsoft.com
#AAW 10.18.250.4 go.microsoft.com
#AAW 10.18.250.4 microsoft.com
#AAW 10.18.250.4 msdn.microsoft.com
#AAW 10.18.250.4 office.microsoft.com
#AAW 10.18.250.4 support.microsoft.com
#AAW 10.18.250.4 windowsupdate.microsoft.com
#AAW 10.18.250.4 www.microsoft.com
#AAW 10.18.250.4 pandasoftware.com
#AAW 10.18.250.4 www.pandasoftware.com

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Gregory Hill


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Gregory Hill\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\GREGOR~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Helper\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 68.190.192.35
DNS Server Search Order: 66.214.48.27

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9327A6A2-AC67-4714-B834-1B02EE6269BA}: DhcpNameServer=68.190.192.35 66.214.48.27
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9327A6A2-AC67-4714-B834-1B02EE6269BA}: DhcpNameServer=68.190.192.35 66.214.48.27
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9327A6A2-AC67-4714-B834-1B02EE6269BA}: DhcpNameServer=68.190.192.35 66.214.48.27
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9327A6A2-AC67-4714-B834-1B02EE6269BA}: DhcpNameServer=68.190.192.35 66.214.48.27
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.190.192.35 66.214.48.27
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.190.192.35 66.214.48.27
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.190.192.35 66.214.48.27
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.190.192.35 66.214.48.27


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Newest HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:30, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
F:\Winamp\winampa.exe
C:\WINDOWS\system32\8B85898A90899.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
H:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
H:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
F:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] F:\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program files\Adobe\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [181216171D161E1] 8B85898A90899.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "F:\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] H:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] H:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] F:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DAEMON Tools Lite] "H:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\AIM\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://F:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200950970686
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnkjhg - pmnkjhg.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8765 bytes
 
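What a responder actually looks for in the logs above, written out as a small triage script. This is an added example, my own code, not part of the thread and not code from HijackThis, SmitfraudFix, SUPERAntiSpyware or Ad-Aware. The HJT sample lines are copied from the log posted above; the hosts sample is the lines SmitfraudFix printed plus one ordinary comment line I constructed. Two things in it are assumptions on my part: that the "#AAW" prefix marks an entry Ad-Aware commented out, and the list of vendor domains worth watching in a hosts file.

```python
"""Triage of HijackThis-style log lines and a Windows hosts dump.

Added example, not code from the thread or from any tool named in it.
The heuristics are mine; sample lines are copied from the posted logs.
"""
import re
from typing import Dict, List

# Constructed sample: selected lines from the HJT log posted in the thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [181216171D161E1] 8B85898A90899.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnkjhg - pmnkjhg.dll (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
"""

# Constructed sample: the hosts lines SmitfraudFix reported, plus a normal comment line.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
#AAW 10.18.250.4 download.microsoft.com
#AAW 10.18.250.4 windowsupdate.microsoft.com
#AAW 10.18.250.4 www.pandasoftware.com
"""

HEX_NAME = re.compile(r"^[0-9A-F]{8,}$", re.I)
O4_LINE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
IP_TOKEN = re.compile(r"^[0-9A-F.:]+$", re.I)
LOOPBACK = ("127.", "0.0.0.0", "::1")
# Assumed watch list: domains malware redirects to stop updates and scanner downloads.
VENDOR_SUFFIXES = ("microsoft.com", "pandasoftware.com", "grisoft.com",
                   "avg.com", "superantispyware.com", "lavasoft.com")


def _image_of(cmd: str) -> str:
    """First token of a Run command, with surrounding quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""


def looks_random(token: str) -> bool:
    """True for hex-soup names like 8B85898A90899.exe (extension ignored)."""
    stem = token.rsplit(".", 1)[0]
    return bool(HEX_NAME.match(stem))


def triage_hjt(log: str) -> List[Dict[str, str]]:
    """Flag HJT entries that deserve a second look; returns [{'line', 'reason'}, ...]."""
    findings = []
    for line in (l.strip() for l in log.splitlines()):
        m = O4_LINE.match(line)
        if m:
            image = _image_of(m.group("cmd"))
            bare = "\\" not in image   # no directory given: resolved via PATH / system32
            if (bare and looks_random(image)) or looks_random(m.group("name")):
                findings.append({"line": line,
                                 "reason": "Run value with random hex name and no path"})
        elif line.startswith("O20 - Winlogon Notify:") and line.endswith("(file missing)"):
            findings.append({"line": line,
                             "reason": "orphaned Winlogon Notify DLL (common Vundo remnant)"})
        elif line.startswith("R3 - URLSearchHook:") and line.endswith("(no file)"):
            findings.append({"line": line, "reason": "orphaned URLSearchHook CLSID"})
        elif line.startswith("O23 - Service:") and " - Unknown owner - " in line:
            findings.append({"line": line,
                             "reason": "service image carries no publisher; check its signature"})
    return findings


def triage_hosts(text: str) -> List[Dict[str, object]]:
    """Flag hosts entries mapping vendor/update domains to anything but loopback.

    Commented-out entries are reported too: a "#AAW" line is inert, but it
    records that something rewrote the file, which is itself an indicator.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith("#")
        fields = line.lstrip("#").split()
        if fields and fields[0].upper() == "AAW":   # assumed Ad-Aware "disabled" marker
            fields = fields[1:]
        if len(fields) < 2 or not IP_TOKEN.match(fields[0]):
            continue                                 # free-text comment, not a mapping
        addr, names = fields[0], fields[1:]
        if addr.startswith(LOOPBACK):
            continue                                 # blackholing is the normal hosts use
        for name in names:
            if name.lower().endswith(VENDOR_SUFFIXES):
                findings.append({"name": name, "addr": addr,
                                 "commented": commented, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print(f"HJT   {f['reason']}: {f['line']}")
    for f in triage_hosts(HOSTS_SAMPLE):
        state = "disabled" if f["commented"] else "ACTIVE"
        print(f"HOSTS {state}: {f['name']} -> {f['addr']}")
```

On the sample above the script flags exactly the four HJT lines a human would circle (the hex-named Run value, the orphaned URLSearchHook, the missing Winlogon Notify DLL, and the unsigned-looking service, which in this case is a legitimate NVIDIA component and needs a signature check rather than removal) and reports the three Microsoft/Panda redirects as disabled rather than active, so the reader can tell a live hijack from one that Ad-Aware has already neutralised.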
steamwiz
Supreme Guru


Joined: 12 Sep 2003
Posts: 14022
Points: 2332
Location: Yorkshire U.K.

http://www.help2go.com/co
Posted: Wed 01/23/2008 5:40pm [Post #6]

If it never re-set the clock settings, then it didn't complete, possibly because it needed to reboot, but some configuration on your computer wouldn't let it ...

Please try and run Combofix in safe mode ...

GMan2385
Member


Joined: 13 Oct 2005
Posts: 21
Points: 0

Posted: Wed 01/23/2008 7:39pm [Post #7]

Alright, so I tried to boot into safe mode and run ComboFix again, but the same thing happened. This morning before I went to work I double checked that all of my anti-virus/adware/firewall programs were shut off and ran ComboFix again to see if it might finish, but I noticed it went to stage 38, then said it was completing the scan and creating the report, but the same thing happened, even in safe mode: no report popped up, nor was there one saved at C:\ComboFix.txt. Could there possibly be another problem?
 
steamwiz
Supreme Guru


Joined: 12 Sep 2003
Posts: 14022
Points: 2332
Location: Yorkshire U.K.

http://www.help2go.com/co
Posted: Thu 01/24/2008 12:45pm [Post #8]

Hi

Find the C:\Combofix folder & open it ... post the contents of any text (.txt) files you see in there ...

steam

steamwiz
Supreme Guru


Joined: 12 Sep 2003
Posts: 14022
Points: 2332
Location: Yorkshire U.K.

http://www.help2go.com/co
Posted: Thu 01/24/2008 3:34pm [Post #9]

Please delete your Combofix.exe file & download a new version from the same link...

A new version was uploaded an hour ago which should allow you to produce a log & reset the time etc.

steam

GMan2385
Member


Joined: 13 Oct 2005
Posts: 21
Points: 0

Posted: Thu 01/24/2008 7:32pm [Post #10]

Ok, I deleted the old ComboFix.exe file and downloaded the new one. It did reset the clock settings and posted a log for me. Here's the Combo Fix log as well as a New HJT log.

ComboFix 08-01-23.1C - Gregory Hill 2008-01-24 16:29:07.9 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1562 [GMT -8:00]
Running from: C:\Documents and Settings\Gregory Hill\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Gregory Hill\Application Data\RACLE~1
C:\Documents and Settings\Gregory Hill\Application Data\WNSXS~1
C:\Program Files\Helper
C:\Program Files\Temporary
C:\WINDOWS\appatc~1
C:\WINDOWS\system32\bccdd.ini
C:\WINDOWS\system32\bccdd.ini2
C:\WINDOWS\system32\drivers\uqaqnmhj.dat
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\seclogo.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ERLWGTRG
-------\LEGACY_NTNDIS
-------\erlwgtrg

((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-23 16:33 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-23 16:33 . 2008-01-21 16:17 211 --a------ C:\Boot.bak
2008-01-23 00:04 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 22:29 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-22 22:29 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-22 22:29 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-22 22:29 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-22 22:29 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-22 22:29 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-22 22:29 . 2008-01-22 22:29 3,398 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-22 07:35 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-22 07:35 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-22 03:40 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-22 03:06 . 2007-07-09 05:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-22 03:00 . 2008-01-22 03:00 d--h----- C:\WINDOWS\$hf_mig$
2008-01-22 02:41 . 2008-01-22 02:41 d-------- C:\Program Files\Windows Defender
2008-01-22 02:08 . 2008-01-22 03:21 147 --a------ C:\WINDOWS\wininit.ini
2008-01-21 22:03 . 2006-06-30 14:13 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe
2008-01-21 21:39 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-21 21:37 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\tvatmrneaarv.sys
2008-01-21 21:33 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-21 21:26 . 2008-01-21 21:26 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-21 21:26 . 2008-01-21 21:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-21 21:26 . 2008-01-21 21:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-21 21:26 . 2008-01-21 21:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-21 21:18 . 2008-01-21 21:19 d-------- C:\WINDOWS\system32\nGpxx01
2008-01-21 21:18 . 2008-01-21 21:19 d-------- C:\Temp\cXzz9
2008-01-21 21:18 . 2008-01-21 21:19 d-------- C:\Temp
2008-01-21 17:06 . 2006-07-12 01:20 139,264 -ra------ C:\WINDOWS\system32\JMRaidAPI.dll
2008-01-21 16:47 . 2008-01-21 16:47 d-------- C:\Program Files\Common Files\Maxtor
2008-01-21 16:47 . 2008-01-21 16:47 392,320 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2008-01-21 16:47 . 2008-01-21 16:47 120,992 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-01-21 16:47 . 2008-01-21 16:47 32,768 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-01-21 16:16 . 2004-08-03 23:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-21 16:15 . 2008-01-21 16:15 d-------- C:\WINDOWS\provisioning
2008-01-21 16:15 . 2008-01-21 16:15 d-------- C:\WINDOWS\peernet
2008-01-21 16:14 . 2008-01-21 16:14 d-------- C:\WINDOWS\ServicePackFiles
2008-01-21 16:10 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-21 16:08 . 2008-01-21 16:08 d-------- C:\WINDOWS\EHome
2008-01-21 15:36 . 2004-08-04 00:56 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-01-21 15:35 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-01-21 15:35 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-01-21 15:20 . 2004-08-03 23:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-01-21 15:20 . 2004-08-03 23:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-01-21 15:20 . 2004-08-03 23:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-01-21 15:20 . 2004-08-03 23:56 77,312 --a------ C:\WINDOWS\system32\browser.dll
2008-01-21 15:20 . 2007-03-08 07:36 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2008-01-21 15:16 . 2004-08-03 23:56 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2008-01-21 15:12 . 2008-01-21 15:12 d--h----- C:\WINDOWS\$xpsp1hfm$
2008-01-21 15:12 . 2004-01-09 21:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-01-21 14:46 . 2004-08-03 21:58 23,040 --a------ C:\WINDOWS\system32\drivers\mouclass.sys
2008-01-21 14:46 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-21 14:46 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-21 14:45 . 2008-01-21 14:45 d-------- C:\Program Files\Logitech
2008-01-21 14:45 . 2008-01-21 14:45 d-------- C:\Program Files\Common Files\Logitech
2008-01-21 14:38 . 2008-01-21 14:38 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-21 13:38 . 2008-01-21 13:38 d-------- C:\WINDOWS\Sun
2008-01-21 13:29 . 2008-01-21 13:29 d-------- C:\WINDOWS\system32\bits
2008-01-20 19:30 . 2008-01-20 19:30 d-------- C:\Program Files\AOL Search
2008-01-20 17:35 . 2008-01-20 17:35 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-20 17:33 . 2008-01-20 17:33 dr-h----- C:\$VAULT$.AVG
2008-01-20 17:32 . 2008-01-20 17:32 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-01-20 17:32 . 2008-01-20 17:32 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-01-20 16:47 . 2004-08-03 23:56 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2008-01-20 16:47 . 2004-08-03 23:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-01-20 16:47 . 2004-08-03 23:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-01-20 16:47 . 2004-08-03 23:56 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-01-20 16:47 . 2004-08-03 23:56 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-01-20 16:44 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-01-20 16:44 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-01-20 16:44 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-01-20 16:44 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-01-20 16:44 . 2004-08-03 14:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2008-01-20 16:44 . 2004-08-03 14:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2008-01-20 16:44 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-01-20 04:50 . 2008-01-20 04:50 d-------- C:\WINDOWS\mzkk
2008-01-20 04:50 . 2008-01-20 04:50 d-------- C:\Program Files\Common Files\mzkk
2008-01-20 04:35 . 2008-01-20 04:35 d-------- C:\WINDOWS\system32\E6E0E4E5EBE4E
2008-01-20 04:35 . 2007-12-14 04:40 120,832 --a------ C:\WINDOWS\system32\8B85898A90899.exe
2008-01-20 03:39 . 2008-01-20 03:39 d--hs---- C:\WINDOWS\R3JlZ29yeSBIaWxs
2008-01-19 03:39 . 2008-01-19 03:39 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico
2008-01-19 03:15 . 2008-01-19 03:15 d-------- C:\Program Files\Dot1XCfg
2008-01-18 15:52 . 2008-01-18 15:52 d-------- C:\Program Files\Common Files\Adobe
2008-01-12 01:05 . 2008-01-12 01:05 d---s---- C:\WINDOWS\system32\Microsoft
2008-01-12 01:05 . 2008-01-12 01:05 d-------- C:\Program Files\QuickTime
2008-01-12 01:05 . 2008-01-12 01:05 d-------- C:\Program Files\Apple Software Update
2008-01-11 12:08 . 2008-01-11 12:08 d-------- C:\Program Files\Combined Community Codec Pack
2008-01-10 22:39 . 2008-01-10 22:39 d-------- C:\Program Files\Viewpoint
2008-01-10 22:39 . 2008-01-10 22:39 d-------- C:\Program Files\Common Files\AOL
2008-01-10 22:39 . 2008-01-10 22:39 d-------- C:\Program Files\AIM6
2008-01-10 22:38 . 2008-01-22 02:22 1,398 --ah----- C:\IPH.PH
2008-01-10 22:36 . 2008-01-10 22:36 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-01-10 21:51 . 2008-01-10 21:51 d-------- C:\Program Files\Winamp Remote
2008-01-10 21:51 . 2008-01-21 16:33 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-01-10 21:46 . 2008-01-10 21:46 d-------- C:\Program Files\Java
2008-01-10 21:46 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-10 21:45 . 2008-01-10 21:45 d-------- C:\Program Files\Common Files\Java
2008-01-10 21:41 . 2008-01-10 21:41 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-10 16:26 . 2008-01-10 16:26 25 --a------ C:\WINDOWS\mixerdef.ini
2008-01-10 16:24 . 2006-06-14 00:47 172,416 --a------ C:\