Aurora Help Badly needed! Thank you!

Question

Michelle1070 0 Newbie Poster

18 Years Ago

I got this spyware/virus a few days ago and I think I may have more than just that. I've tried so many things to try to remove it. Here is my Hijack This log. Thank you so much!

Logfile of HijackThis v1.99.1
Scan saved at 1:46:54 PM, on 6/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\hjharl.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Documents and Settings\mmilligan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nso18A.dll (file missing)
O2 - BHO: (no name) - {D2BB2846-00CB-8CF0-8C1E-E0B4A08AF596} - C:\WINDOWS\FYI\ecxacawryf.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hjharl.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [pcdlib32] C:\WINDOWS\pcdlib32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: OUTLOOK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105540045194
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.116/view22/View22RTE.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_229/webolr/OCX/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O17 - HKLM\Software\..\Telephony: DomainName = eti-lincoln.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

windows-virus

3 Contributors
22 Replies
613 Views
3 Days Discussion Span
Latest Post 18 Years Ago Latest Post by DMR

All 22 Replies

dlh6213 27 Posting Maven

18 Years Ago

Hi Michelle, welcome to DaniWeb :D

First, right-click in an open area of your desktop and select New, Folder; give the new folder a name (something like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.

I don't see the typical entries in your log for Aurora, but maybe you've partially fixed it. Just in case, do this...

Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.

Reboot into Safe Mode.

Double-click on the Nailfix.bat that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).

Reboot normally.

Scan with hijackthis and have it fix the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nso18A.dll (file missing)
O2 - BHO: (no name) - {D2BB2846-00CB-8CF0-8C1E-E0B4A08AF596} - C:\WINDOWS\FYI\ecxacawryf.dll (file missing)
O4 - HKCU\..\Run: [pcdlib32] C:\WINDOWS\pcdlib32.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1105540045194
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhe...n7/dlhelper.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.116/view22/View22RTE.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/m...OCX/FlashAX.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

If these entries aren't related to your ISP, have HJT fix them as well--
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O17 - HKLM\Software\..\Telephony: DomainName = eti-lincoln.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eti-lincoln.local

Be sure to close any open windows, other then hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted files:

C:\WINDOWS\Nail.exe
C:\WINDOWS\System32\vbrundll.dll
C:\WINDOWS\System32\nso18A.dll
C:\WINDOWS\FYI\ecxacawryf.dll
C:\WINDOWS\pcdlib32.exe
C:\WINDOWS\svcproc.exe

Empty your Recycle Bin and reboot.

Close any open browser windows, scan with hijackthis, and post a new log along with the Ewido log.

dlh6213 27 Posting Maven

18 Years Ago

It looks like you got most of it cleaned up now, but just to make sure...

Download rkfiles.zip from:
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.

Reboot into Safe Mode.

Double-click rkfiles.bat
It will scan for a while, so please be patient.
Wait for the DOS window to close, and then reboot back to normal mode.

Post the contents of C:\log.txt in your next reply.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take awhile for this to run, please be patient.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Run a at least two of these free online anti-virus/anti-spyware scans and have them clean what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

Empty your Recycle Bin and reboot.

Close any open browser windows, scan with HJT, and post a new log along with the results of the rkfiles scan. And let us know if you're still having problems.

DMR 152 Wombat At Large

18 Years Ago

1. rkfiles doesn't give you any feedback when it creates its log, it just makes a log file in your main C:\ folder called "log.txt". Open the log.txt file in Notepad and copy the contents into a post here.

2. svchost.exe is a valid Windows system file which manages other groups of Windows components. Because of that, it isn't unusual to see multiple instances of svchost running, or to see one instance of it spike your CPU usage.
Update.exe could be legit, but it's a common filename and could be part of your adware infections.

3. Run HijackThis again and have it fix:

O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hjharl.exe reg_run
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"

4. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Delete the following files:
C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\hjharl.exe

- Delete the following folder entirely:
C:\Program Files\Cas

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!)

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.

5. Run HijackThis again and post a new log. Also let us know what (if any) visible signs of infection may still exist.

dlh6213 27 Posting Maven

18 Years Ago

There is an updated fix for Aurora, so I think you should run it.

You will need to be disconnected from the internet during this process, so you may wish to print out these instructions.

Download the updated Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop but do NOT run it yet.

Disconnect your system from the internet and reboot into Safe Mode.

Double-click on Nailfix.cmd; your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run another full scan scan with Ewido and save the log.

Scan with hijackthis and have it fix the following entry:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hjharl.exe reg_run

Go to C:\WINDOWS\System32 and delete hjharl.exe

If you can't delete it, Open HijackThis again.

Click on the Config button, and then click on the Misc Tools button; click on the button labeled Delete a file on reboot...

A new window will open asking you to select the file that you would like to delete on reboot. Navigate to C:\WINDOWS\System32\hjharl.exe, click on it once, and then click on the Open button.

You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button to reboot now.

After you've rebooted (normally), search for hjharl.exe again to make sure it's gone; let us know in your next post.

Reconnect to the net and post a new hijackthis log along with the new Ewido log.

DMR 152 Wombat At Large

18 Years Ago

it's back in my Hijack This log, however it's not in my Windows\System32 Folder.

The settings you made in Safe Mode to have Explorer show hidden files and folders don't carry over when you reboot into normal mode. Repeat the steps below and see if hjharl.exe becomes visible. Let us know the result:

Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

Let's try this another way. You will need to print out these instructions or save them into a text file:

1. Download and install CCleaner, but do not run it yet.

2. Download The Pocket Killbox and save it someplace convenient (your desktop is fine). Again, don't run the program yet.

3. Reboot into Safe Mode again and set Explorer's view settings to show hidden files/folders.

4. Run HijackThis again and have it fix:
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hjharl.exe reg_run

5. Disable System Restore:

- Right-click on the My Computer icon on your desktop and choose the "Properties" option.

- In the System Properties window, click on the System Restore tab and then put a check in the box next to the "Turn off System Restore" option and hit the "OK" button.

- Click "Yes" in the resulting confirmation box. You may experience a slight delay as your change is applied; the Properties window will close automatically when the operation is complete.

6. Double-click on the Killbox to open it.

- Paste the following in the "Full path of file to delete" box:
C:\WINDOWS\System32\hjharl.exe

- Click the "Delete on reboot" button.

- Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the next prompt (where you are asked if you want to acually reboot now).

- Paste the following in the "Full path of file to delete" box:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rkra.exe

- Again, Click the "Delete on reboot" button. Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the next prompt.

- Close the Killbox.

7. Run CCleaner to clean up loose ends, and then empty your Recycle Bin.

8. Reboot normally, run HJT again, and post a new log.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Michelle1070 0 Newbie Poster · Answer 1 · 2005-06-21T01:04:05+00:00

I forgot to mention, this is my PC at work and I'm afraid to perform any of my duties that require me to go online and they are piling up. Again, thanks in advance!

Michelle1070 0 Newbie Poster · Answer 2 · 2005-06-21T19:16:23+00:00

First off, thank you so much for your help, I really do appreciate it. Here is my Hijack This and Ewido Log.

Logfile of HijackThis v1.99.1
Scan saved at 8:01:59 AM, on 6/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\hjharl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Cas\Client\casclient.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\mmilligan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://www.dellnet.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.dellnet.com[/url]
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hjharl.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: OUTLOOK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O17 - HKLM\Software\..\Telephony: DomainName = eti-lincoln.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

Ewido Log

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          7:33:20 AM, 6/21/2005
 + Report-Checksum:     58CF6D60

 + Date of database:        6/20/2005
 + Version of scan engine:  v3.0

 + Duration:                24 min
 + Scanned Files:           103894
 + Speed:               71.76 Files/Second
 + Infected files:          2
 + Removed files:           2
 + Files put in quarantine:     2
 + Files that could not be opened:  0
 + Files that could not be cleaned: 0

 + Binder:      Yes
 + Crypter:     Yes
 + Archives:        Yes

 + Scanned items:
    C:\

 + Scan result:
    C:\Documents and Settings\mmilligan\Cookies\mmilligan@www.myaffiliateprogram[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\WINDOWS\SYSTEM32\redit.cpl -> TrojanDownloader.Qoologic.p -> Cleaned with backup


::Report End

I want to mention also, that yesterday I deleted some application files myself that I thought were maybe contributing to this mess. Here are the Application Files I deleted that have the same modified date as the day I picked this thing up on my computer.

File Name                          Location

dist001.exe     C:\WINDOWS\SYSTEM32
L90112201.Stub.exe  C:\WINDOWS\SYSTEM32
PSof1.exe       C:\WINDOWS\SYSTEM32
smsca.exe       C:\WINDOWS\SYSTEM32

I'm sure I've gotten rid of some things, however, I keep getting pop-up's and icons appearing on my desktop and Favorites in IE. Today my virus checker hasn't picked these "pests" up as it was previously doing over and over and over.... (so hopefully these are gone):

wrapperouter.exe
ventura5.exe
Seedcorn4.exe
uci.exe
asms.exe
supdate.dll
Qoologic.p

Again, thanks for your help.

Michelle1070 0 Newbie Poster · Answer 3 · 2005-06-22T01:11:00+00:00

Thank you again.

When I tried the step with "rkfiles.bat" it didn't really do anything. It briefly flashed a DOS Mode window, but it flashed so fast, I couldn't read it. I did it a couple of times, with the same result each time. Therefor, I have no rkfiles log.

I did perform the other steps and here is my new Hijack This log. I am still getting icons appearing on my desktop as well as in my internet favorites. I get a pop up every now and then too.

I performed two of the suggested scans with no viruses turning up.

Logfile of HijackThis v1.99.1
Scan saved at 2:08:17 PM, on 6/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\hjharl.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\mmilligan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hjharl.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: OUTLOOK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O17 - HKLM\Software\..\Telephony: DomainName = eti-lincoln.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

Michelle1070 0 Newbie Poster · Answer 4 · 2005-06-22T02:17:10+00:00

Also, I have something running, bogging down my computer. When I check out my task manager processes, there are one of two things running: SVCHOST.exe and/or UPDATE.exe. It's taking quite a bit of CPU Usage. Is this related to the virus??

Thanks

Michelle1070 0 Newbie Poster · Answer 5 · 2005-06-22T19:25:50+00:00

Thanks again.

Here is the RK Files Log: (there's not much to it) It doesn't take awhile to scan as you previously stated it would. It briefly flashes DOS then it's over.

C:\Documents and Settings\mmilligan\Desktop\RKfiles

Ok, the hjharl.exe file keeps coming back. When I went into Safe mode (after fixing it with Hijack this) and tried to delete it, it denied me access. So I tried running Hijack this in Safe mode to get rid of it. Once I rebooted, it was back. Then I ran Hijack This AGAIN, and it came back AGAIN. Stubborn little critter.

Here' my Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:17:35 AM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\hjharl.exe
C:\Documents and Settings\mmilligan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hjharl.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: OUTLOOK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O17 - HKLM\Software\..\Telephony: DomainName = eti-lincoln.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

It seems as though we're narrowing it down. I only get pop ups once in a great while now, so it must be the hjharl.exe file.

Thanks and I anxiously await your reply.

Michelle1070 0 Newbie Poster · Answer 6 · 2005-06-22T21:33:28+00:00

I did what you directed me to and the hjharl.exe showed up a couple more times in the Hijack This log, but not in my Windows/System32 folder. I fixed it with Hijack a couple more times and it appears to be gone now. I'm going to reboot and see if it comes back. I think we may have kicked it's rearend. I'll let you know right away.

Here's my Ewido Log:

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          10:05:44 AM, 6/22/2005
 + Report-Checksum:     9632C5E2

 + Date of database:        6/22/2005
 + Version of scan engine:  v3.0

 + Duration:                24 min
 + Scanned Files:           104879
 + Speed:               72.70 Files/Second
 + Infected files:          3
 + Removed files:           3
 + Files put in quarantine:     3
 + Files that could not be opened:  0
 + Files that could not be cleaned: 0

 + Binder:      Yes
 + Crypter:     Yes
 + Archives:        Yes

 + Scanned items:
    C:\

 + Scan result:
    C:\Documents and Settings\mmilligan\Cookies\mmilligan@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\mmilligan\Cookies\mmilligan@www.eadexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\mmilligan\Cookies\mmilligan@www.myaffiliateprogram[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:29:17 AM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rkra.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mmilligan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://www.dellnet.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.dellnet.com[/url]
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: OUTLOOK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - [url]http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab[/url]
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - [url]http://www.ravantivirus.com/scan/ravonline.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O17 - HKLM\Software\..\Telephony: DomainName = eti-lincoln.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

Thanks

Michelle1070 0 Newbie Poster · Answer 7 · 2005-06-22T22:18:05+00:00

:evil:

IT'S BACK!!

I rebooted and it's back in my Hijack This log, however it's not in my Windows\System32 Folder. I'm at a loss.

Logfile of HijackThis v1.99.1
Scan saved at 11:12:54 AM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rkra.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\mmilligan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hjharl.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: OUTLOOK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O17 - HKLM\Software\..\Telephony: DomainName = eti-lincoln.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

Michelle1070 0 Newbie Poster · Answer 8 · 2005-06-23T03:05:59+00:00

It's not there. I've had the "Show hidden files", etc. checked in normal mode for a couple of days now. I'll try the other steps and let you know what happens.

Thanks,

DMR 152 Wombat At Large Team Colleague · Answer 9 · 2005-06-23T04:26:02+00:00

It's not there. I've had the "Show hidden files", etc. checked in normal mode for a couple of days now.

OK; just wanted to double-check.

My guess is that there is a component of the infection which has hidden from our scans so far that is "respawning" the infection. We may need to try a couple of other scans/fixes, but do the above steps first, post a new HJT log, and we'll take it from there.

dlh6213 27 Posting Maven Team Colleague · Answer 10 · 2005-06-23T20:54:17+00:00

DMR's suggestion will probably work to get rid of it, but if it doesn't, try this --

Boot with your Windows XP installation CD.

When the Setup window opens, press R "To repair a Windows XP installation using Recovery Console"

It will show all the windows installations on your hard drive. Select the number corresponding to Windows XP (probably 1), and press Enter.

Enter any required passwords.

At the command prompt type:
cd \windows\system32

Press Enter

Type:
del hjharl.exe

Press Enter

Type:
exit

The system will reboot and the file should be gone.

Michelle1070 0 Newbie Poster · Answer 11 · 2005-06-24T00:19:23+00:00

It seems to be gone. HURRAY!!!

Here's my log...

Logfile of HijackThis v1.99.1
Scan saved at 1:15:54 PM, on 6/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\mmilligan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: OUTLOOK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O17 - HKLM\Software\..\Telephony: DomainName = eti-lincoln.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

Michelle1070 0 Newbie Poster · Answer 12 · 2005-06-24T00:52:44+00:00

IT'S BACK!!

I ran HiJack This again, just to make sure..................and it's back. I took a snapshot of some files that were created in my System32 folder around the same time my computer became infected. They look suspicious to me, but I'm not real familiar with what should actually be there and how often the "good" files are accessed or updated.

http://img184.echo.cx/img184/3860/morefilescreatedinwindowssyste.jpg

Logfile of HijackThis v1.99.1
Scan saved at 1:50:06 PM, on 6/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\hjharl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\PHOTOD~1.0\EZPHOTO\EZPHOTO.EXE
C:\Documents and Settings\mmilligan\Desktop\Virus Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hjharl.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: OUTLOOK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O17 - HKLM\Software\..\Telephony: DomainName = eti-lincoln.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eti-lincoln.local
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

Thank you for bearing with this.

DMR 152 Wombat At Large Team Colleague · Answer 13 · 2005-06-24T02:08:18+00:00

*Groan*

Most (if not all) of the files you gave the screenie of are malicious, but don't go randomly delting things yet.

Time to probe a little deeper; the "KavSvc" entry can be a real bear to remove. Please do the following:

1. Download: "StartDreck", from here:

- Unzip to its own folder and start the program,
- Press 'Config'
- Press 'Unmark All'
- Check the following boxes only:
In this section >System/drivers
[x] Running processes
[x] list modules
[x] NT services
[x] List binaries
[x] NT kernal and FS drivers
- Press 'Ok'
- Press 'Save' and select the location to save the log file
(default is the same folder as the application)
- Close the program.

2. Download DllCompare

Run Dllcompare, click the Run Locate.com, then click the Compare button.

When done, post that log here along with the Startdreck log.

Do not reboot your system until we're done; some of the names of malicious files in those logs can change their names on reboot!!

Michelle1070 0 Newbie Poster · Answer 14 · 2005-06-24T02:50:04+00:00

Thank you again.

Here's the DLL Compare Log:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\vfpodbc.dll Tue Dec 7 1999 5:00:00a A.S.. 977,680 954.77 K
________________________________________________

1,360 items found: 1,360 files (1 H/S), 0 directories.
Total of file sizes: 306,936,623 bytes 292.71 M

Administrator Account = True

--------------------End log---------------------

and the Start Dreck Lock (IT'S VERY LONG)

StartDreck (build 2.1.7 public stable) - 2005-06-23 @ 15:43:47 (GMT -05:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as MMilligan at NO33

»Registry
»Files
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+600=\SystemRoot\System32\smss.exe
*C:\WINDOWS\System32\ntdll.dll
+664=\??\C:\WINDOWS\system32\csrss.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\CSRSRV.dll
*C:\WINDOWS\system32\basesrv.dll
*C:\WINDOWS\system32\winsrv.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\KERNEL32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\System32\sxs.dll
+688=\??\C:\WINDOWS\system32\winlogon.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\system32\NDdeApi.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\system32\Secur32.dll
*C:\WINDOWS\system32\WINSTA.dll
*C:\WINDOWS\system32\PROFMAP.dll
*C:\WINDOWS\system32\NETAPI32.dll
*C:\WINDOWS\system32\REGAPI.dll
*C:\WINDOWS\system32\WS2_32.dll
*C:\WINDOWS\system32\WS2HELP.dll
*C:\WINDOWS\system32\AUTHZ.dll
*C:\WINDOWS\system32\PSAPI.DLL
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\SETUPAPI.dll
*C:\WINDOWS\System32\MSGINA.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\COMCTL32.dll
*C:\WINDOWS\System32\ODBC32.dll
*C:\WINDOWS\system32\comdlg32.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\System32\odbcint.dll
*C:\WINDOWS\System32\SHSVCS.dll
*C:\WINDOWS\system32\sfc.dll
*C:\WINDOWS\System32\sfc_os.dll
*C:\WINDOWS\System32\WINTRUST.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\IMAGEHLP.dll
*C:\WINDOWS\System32\WINSCARD.DLL
*C:\WINDOWS\System32\WTSAPI32.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\system32\cscdll.dll
*C:\WINDOWS\system32\WlNotify.dll
*C:\WINDOWS\System32\WINSPOOL.DRV
*C:\WINDOWS\system32\MPR.dll
*C:\WINDOWS\System32\rsaenh.dll
*C:\WINDOWS\System32\sxs.dll
*C:\WINDOWS\system32\msv1_0.dll
*C:\WINDOWS\System32\cscui.dll
*C:\WINDOWS\System32\drprov.dll
*C:\WINDOWS\System32\ntlanman.dll
*C:\WINDOWS\System32\NETUI0.dll
*C:\WINDOWS\System32\NETUI1.dll
*C:\WINDOWS\System32\NETRAP.dll
*C:\WINDOWS\System32\SAMLIB.dll
*C:\WINDOWS\System32\davclnt.dll
*C:\WINDOWS\System32\wsock32.dll
*C:\WINDOWS\System32\iphlpapi.dll
*C:\WINDOWS\System32\icmp.dll
*C:\WINDOWS\System32\MPRAPI.dll
*C:\WINDOWS\System32\ACTIVEDS.dll
*C:\WINDOWS\System32\adsldpc.dll
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\System32\ATL.DLL
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\System32\rtutils.dll
*C:\WINDOWS\System32\COMRes.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\NTMARTA.DLL
*C:\WINDOWS\System32\wdmaud.drv
*C:\WINDOWS\System32\mswsock.dll
*C:\WINDOWS\System32\msacm32.drv
*C:\WINDOWS\System32\MSACM32.dll
*C:\WINDOWS\System32\midimap.dll
*C:\WINDOWS\system32\kerberos.dll
*C:\WINDOWS\System32\cryptdll.dll
*C:\WINDOWS\System32\wshtcpip.dll
*C:\WINDOWS\System32\NTDSAPI.DLL
*C:\WINDOWS\System32\DNSAPI.dll
*C:\WINDOWS\system32\Apphelp.dll
*C:\WINDOWS\System32\wbem\wbemprox.dll
*C:\WINDOWS\System32\wbem\wbemcomn.dll
*C:\WINDOWS\System32\wbem\wbemsvc.dll
*C:\WINDOWS\System32\wbem\fastprox.dll
+732=C:\WINDOWS\system32\services.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\system32\SCESRV.dll
*C:\WINDOWS\system32\AUTHZ.dll
*C:\WINDOWS\system32\umpnpmgr.dll
*C:\WINDOWS\system32\WINSTA.dll
*C:\WINDOWS\system32\NCObjAPI.DLL
*C:\WINDOWS\system32\secur32.dll
*C:\WINDOWS\system32\eventlog.dll
*C:\WINDOWS\system32\WS2_32.dll
*C:\WINDOWS\system32\WS2HELP.dll
*C:\WINDOWS\system32\PSAPI.DLL
*C:\WINDOWS\system32\wtsapi32.dll
*C:\WINDOWS\system32\netapi32.dll
*C:\WINDOWS\system32\Apphelp.dll
+744=C:\WINDOWS\system32\lsass.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\LSASRV.dll
*C:\WINDOWS\system32\MPR.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\NETAPI32.dll
*C:\WINDOWS\system32\NTDSAPI.dll
*C:\WINDOWS\system32\DNSAPI.dll
*C:\WINDOWS\system32\WS2_32.dll
*C:\WINDOWS\system32\WS2HELP.dll
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\system32\Secur32.dll
*C:\WINDOWS\system32\SAMLIB.dll
*C:\WINDOWS\system32\SAMSRV.dll
*C:\WINDOWS\system32\cryptdll.dll
*C:\WINDOWS\system32\msprivs.dll
*C:\WINDOWS\system32\kerberos.dll
*C:\WINDOWS\system32\msv1_0.dll
*C:\WINDOWS\system32\netlogon.dll
*C:\WINDOWS\system32\w32time.dll
*C:\WINDOWS\system32\MSVCP60.dll
*C:\WINDOWS\system32\iphlpapi.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\system32\schannel.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\wdigest.dll
*C:\WINDOWS\System32\rsaenh.dll
*C:\WINDOWS\system32\setupapi.dll
*C:\WINDOWS\system32\scecli.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\OLE32.DLL
*C:\WINDOWS\system32\shell32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\system32\mswsock.dll
*C:\WINDOWS\System32\wshtcpip.dll
*C:\WINDOWS\System32\winrnr.dll
*C:\WINDOWS\system32\rasadhlp.dll
*C:\WINDOWS\system32\ipsecsvc.dll
*C:\WINDOWS\system32\oakley.DLL
*C:\WINDOWS\system32\WINIPSEC.DLL
*C:\WINDOWS\system32\pstorsvc.dll
*C:\WINDOWS\system32\psbase.dll
*C:\WINDOWS\System32\dssenh.dll
+916=C:\WINDOWS\system32\svchost.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*c:\windows\system32\rpcss.dll
*C:\WINDOWS\system32\msvcrt.dll
*c:\windows\system32\Secur32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*c:\windows\system32\WS2_32.dll
*c:\windows\system32\WS2HELP.dll
*C:\WINDOWS\system32\userenv.dll
*C:\WINDOWS\System32\rsaenh.dll
*C:\WINDOWS\system32\mswsock.dll
*C:\WINDOWS\System32\wshtcpip.dll
*C:\WINDOWS\system32\DNSAPI.dll
*C:\WINDOWS\system32\iphlpapi.dll
*C:\WINDOWS\System32\winrnr.dll
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\system32\rasadhlp.dll
*C:\WINDOWS\system32\CLBCATQ.DLL
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\COMRes.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\msi.dll
*C:\WINDOWS\system32\Apphelp.dll
+1016=C:\WINDOWS\System32\svchost.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*c:\windows\system32\shsvcs.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\shell32.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\System32\WINSTA.dll
*c:\windows\system32\dhcpcsvc.dll
*c:\windows\system32\DNSAPI.dll
*c:\windows\system32\WS2_32.dll
*c:\windows\system32\WS2HELP.dll
*c:\windows\system32\iphlpapi.dll
*c:\windows\system32\Secur32.dll
*C:\WINDOWS\System32\UxTheme.dll
*C:\WINDOWS\System32\rsaenh.dll
*c:\windows\system32\wzcsvc.dll
*c:\windows\system32\rtutils.dll
*c:\windows\system32\WMI.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
*c:\windows\system32\WTSAPI32.dll
*c:\windows\system32\ESENT.dll
*C:\WINDOWS\system32\WLDAP32.dll
*c:\windows\system32\NETAPI32.dll
*C:\WINDOWS\system32\mswsock.dll
*C:\WINDOWS\System32\wshtcpip.dll
*C:\WINDOWS\System32\rastls.dll
*C:\WINDOWS\System32\ATL.DLL
*C:\WINDOWS\System32\CRYPTUI.dll
*C:\WINDOWS\System32\WINTRUST.dll
*C:\WINDOWS\system32\IMAGEHLP.dll
*C:\WINDOWS\system32\WININET.dll
*C:\WINDOWS\System32\MPRAPI.dll
*C:\WINDOWS\System32\ACTIVEDS.dll
*C:\WINDOWS\System32\adsldpc.dll
*C:\WINDOWS\System32\SAMLIB.dll
*C:\WINDOWS\System32\SETUPAPI.dll
*C:\WINDOWS\System32\RASAPI32.dll
*C:\WINDOWS\System32\rasman.dll
*C:\WINDOWS\System32\TAPI32.dll
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\SCHANNEL.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\System32\WinSCard.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\System32\raschap.dll
*C:\WINDOWS\system32\msv1_0.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\COMRes.dll
*C:\WINDOWS\system32\VERSION.dll
*c:\windows\system32\schedsvc.dll
*c:\windows\system32\NTDSAPI.dll
*C:\WINDOWS\System32\MSIDLE.DLL
*C:\WINDOWS\System32\NTMARTA.DLL
*c:\windows\system32\audiosrv.dll
*c:\windows\system32\wkssvc.dll
*c:\windows\system32\cryptsvc.dll
*c:\windows\system32\certcli.dll
*c:\windows\system32\ersvc.dll
*c:\windows\system32\dmserver.dll
*c:\windows\system32\es.dll
*c:\windows\pchealth\helpctr\binaries\pchsvc.dll
*c:\windows\system32\msgsvc.dll
*c:\windows\system32\srvsvc.dll
*c:\windows\system32\seclogon.dll
*c:\windows\system32\wbem\wmisvc.dll
*c:\windows\system32\wbem\wbemcomn.dll
*C:\WINDOWS\System32\VSSAPI.DLL
*c:\windows\system32\w32time.dll
*c:\windows\system32\MSVCP60.dll
*c:\windows\system32\trkwks.dll
*c:\windows\system32\srsvc.dll
*c:\windows\system32\POWRPROF.dll
*c:\windows\system32\sens.dll
*c:\windows\system32\wuauserv.dll
*C:\WINDOWS\System32\wuaueng.dll
*C:\WINDOWS\System32\ADVPACK.dll
*C:\WINDOWS\System32\SHFOLDER.dll
*C:\WINDOWS\System32\WINSPOOL.DRV
*C:\WINDOWS\System32\WINHTTP.dll
*C:\WINDOWS\System32\Cabinet.dll
*C:\WINDOWS\System32\mspatcha.dll
*C:\WINDOWS\System32\sfc.dll
*C:\WINDOWS\System32\sfc_os.dll
*c:\windows\system32\browser.dll
*C:\WINDOWS\System32\winrnr.dll
*C:\WINDOWS\System32\SXS.DLL
*C:\WINDOWS\system32\comsvcs.dll
*C:\WINDOWS\system32\MTXCLU.DLL
*C:\WINDOWS\system32\WSOCK32.dll
*C:\WINDOWS\system32\colbact.DLL
*C:\WINDOWS\System32\CLUSAPI.DLL
*C:\WINDOWS\System32\RESUTILS.DLL
*C:\WINDOWS\System32\mtxoci.dll
*c:\windows\system32\termsrv.dll
*c:\windows\system32\ICAAPI.dll
*c:\windows\system32\AUTHZ.dll
*c:\windows\system32\mstlsapi.dll
*C:\WINDOWS\System32\REGAPI.dll
*c:\windows\system32\netman.dll
*C:\WINDOWS\system32\NETSHELL.dll
*C:\WINDOWS\system32\credui.dll
*C:\WINDOWS\System32\upnp.dll
*C:\WINDOWS\System32\SSDPAPI.dll
*C:\WINDOWS\System32\hnetcfg.dll
*C:\WINDOWS\System32\Wbem\wbemcore.dll
*C:\WINDOWS\System32\Wbem\esscli.dll
*C:\WINDOWS\System32\Wbem\FastProx.dll
*C:\WINDOWS\System32\wbem\wmiutils.dll
*C:\WINDOWS\System32\wbem\repdrvfs.dll
*C:\WINDOWS\System32\wbem\wmiprvsd.dll
*C:\WINDOWS\System32\NCObjAPI.DLL
*C:\WINDOWS\System32\wbem\wbemess.dll
*C:\WINDOWS\System32\rasadhlp.dll
*C:\WINDOWS\System32\msi.dll
*C:\WINDOWS\System32\netcfgx.dll
*C:\WINDOWS\System32\rasmans.dll
*C:\WINDOWS\System32\WINIPSEC.DLL
*c:\windows\system32\tapisrv.dll
*c:\windows\system32\PSAPI.DLL
*C:\WINDOWS\System32\rastapi.dll
*C:\WINDOWS\System32\unimdm.tsp
*C:\WINDOWS\System32\uniplat.dll
*C:\WINDOWS\System32\unimdmat.dll
*C:\WINDOWS\System32\modemui.dll
*C:\WINDOWS\System32\kmddsp.tsp
*C:\WINDOWS\System32\ndptsp.tsp
*C:\WINDOWS\System32\ipconf.tsp
*C:\WINDOWS\System32\h323.tsp
*C:\WINDOWS\System32\hidphone.tsp
*C:\WINDOWS\System32\HID.DLL
*c:\windows\system32\qmgr.dll
*C:\WINDOWS\system32\MPR.dll
*C:\WINDOWS\System32\rasppp.dll
*C:\WINDOWS\System32\ntlsapi.dll
*C:\WINDOWS\System32\qmgrprxy.dll
*C:\WINDOWS\System32\RASDLG.dll
*C:\WINDOWS\System32\wups.dll
*C:\WINDOWS\System32\security.dll
*C:\WINDOWS\system32\kerberos.dll
*C:\WINDOWS\System32\cryptdll.dll
*C:\WINDOWS\System32\wbem\ncprov.dll
*C:\WINDOWS\System32\msxml3.dll
+1120=C:\WINDOWS\System32\svchost.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*c:\windows\system32\dnsrslvr.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*c:\windows\system32\DNSAPI.dll
*c:\windows\system32\WS2_32.dll
*c:\windows\system32\WS2HELP.dll
*c:\windows\system32\iphlpapi.dll
*C:\WINDOWS\system32\mswsock.dll
*C:\WINDOWS\System32\wshtcpip.dll
+1132=C:\WINDOWS\System32\svchost.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*c:\windows\system32\lmhsvc.dll
*C:\WINDOWS\system32\msvcrt.dll
*c:\windows\system32\iphlpapi.dll
*c:\windows\system32\WS2_32.dll
*c:\windows\system32\WS2HELP.dll
*c:\windows\system32\webclnt.dll
*C:\WINDOWS\system32\WININET.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\system32\shell32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\System32\Secur32.dll
*C:\WINDOWS\System32\wsock32.dll
*C:\WINDOWS\System32\mswsock.dll
*C:\WINDOWS\System32\DNSAPI.dll
*C:\WINDOWS\System32\rasadhlp.dll
*c:\windows\system32\regsvc.dll
*C:\WINDOWS\System32\RASAPI32.DLL
*C:\WINDOWS\System32\rasman.dll
*C:\WINDOWS\System32\NETAPI32.dll
*C:\WINDOWS\System32\TAPI32.dll
*C:\WINDOWS\System32\rtutils.dll
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\System32\sensapi.dll
*C:\WINDOWS\System32\winrnr.dll
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\System32\wshtcpip.dll
*c:\windows\system32\ssdpsrv.dll
*C:\WINDOWS\System32\uxtheme.dll
+1380=C:\WINDOWS\system32\spoolsv.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\SPOOLSS.DLL
*C:\WINDOWS\system32\WS2_32.dll
*C:\WINDOWS\system32\WS2HELP.dll
*C:\WINDOWS\system32\DNSAPI.dll
*C:\WINDOWS\system32\rasadhlp.dll
*C:\WINDOWS\system32\localspl.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\Secur32.dll
*C:\WINDOWS\system32\sfc_os.dll
*C:\WINDOWS\system32\WINTRUST.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\system32\IMAGEHLP.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\system32\winspool.drv
*C:\WINDOWS\system32\netapi32.dll
*C:\WINDOWS\system32\cnbjmon.dll
*C:\WINDOWS\system32\pjlmon.dll
*C:\WINDOWS\system32\tcpmon.dll
*C:\WINDOWS\system32\usbmon.dll
*C:\WINDOWS\System32\spool\PRTPROCS\W32X86\WfxPrint2000.dll
*C:\WINDOWS\System32\mswsock.dll
*C:\WINDOWS\System32\winrnr.dll
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\system32\win32spl.dll
*C:\WINDOWS\system32\NETRAP.dll
*C:\WINDOWS\system32\inetpp.dll
*C:\WINDOWS\system32\icmp.dll
*C:\WINDOWS\system32\iphlpapi.DLL
*C:\WINDOWS\system32\CLBCATQ.DLL
*C:\WINDOWS\system32\COMRes.dll
*C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\hpzntp04.dll
*C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\hpz2ku04.dll
*C:\WINDOWS\system32\shell32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\system32\SETUPAPI.dll
*C:\WINDOWS\system32\Apphelp.dll
*C:\WINDOWS\system32\winsta.dll
+1528=C:\WINDOWS\Nhksrv.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
+1552=C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\MSVCRT.DLL
*C:\WINDOWS\System32\MSVCP71.dll
*C:\WINDOWS\System32\MSVCR71.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\PROGRA~1\Grisoft\AVGFRE~1\avglog.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\COMRes.dll
*C:\Program Files\Grisoft\AVG Free\avgcfg.dll
*C:\Program Files\Grisoft\AVG Free\avgklib.dll
*C:\WINDOWS\System32\SHFOLDER.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\System32\SensAPI.DLL
*C:\WINDOWS\System32\Secur32.dll
*C:\Program Files\Grisoft\AVG Free\avglng.dll
*C:\Program Files\Grisoft\AVG Free\avgamint.dll
*C:\WINDOWS\System32\WSOCK32.dll
*C:\WINDOWS\System32\WS2_32.dll
*C:\WINDOWS\System32\WS2HELP.dll
*C:\WINDOWS\System32\netapi32.dll
*C:\WINDOWS\System32\Wtsapi32.dll
*C:\WINDOWS\System32\WINSTA.dll
*C:\Program Files\Grisoft\AVG Free\avgamsps.dll
*C:\WINDOWS\system32\Apphelp.dll
+1584=C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\MSVCRT.DLL
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\COMRes.dll
*C:\WINDOWS\System32\Secur32.dll
+1596=C:\WINDOWS\System32\CTsvcCDA.EXE
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
+1608=C:\WINDOWS\system32\crypserv.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
+1672=C:\Program Files\ewido\security suite\ewidoctrl.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\Program Files\ewido\security suite\lang.dll
*C:\WINDOWS\System32\MSVCP71.dll
*C:\WINDOWS\System32\MSVCR71.dll
*C:\WINDOWS\System32\WS2_32.dll
*C:\WINDOWS\System32\WS2HELP.dll
*C:\WINDOWS\System32\NTMARTA.DLL
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\System32\SAMLIB.dll
+1732=c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\MSVCRT.DLL
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\System32\psapi.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\COMRes.dll
+1776=C:\WINDOWS\System32\nvsvc32.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\System32\wtsapi32.dll
*C:\WINDOWS\System32\WINSTA.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\COMCTL32.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\System32\secur32.dll
*C:\WINDOWS\system32\msv1_0.dll
+1856=C:\WINDOWS\System32\MsPMSPSv.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\MSVCRT.dll
*C:\WINDOWS\System32\NTMARTA.DLL
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\System32\SAMLIB.dll
+404=C:\WINDOWS\Explorer.EXE
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\System32\BROWSEUI.dll
*C:\WINDOWS\System32\SHDOCVW.dll
*C:\WINDOWS\System32\UxTheme.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\system32\appHelp.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\COMRes.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\System32\cscui.dll
*C:\WINDOWS\System32\CSCDLL.dll
*C:\WINDOWS\System32\themeui.dll
*C:\WINDOWS\System32\Secur32.dll
*C:\WINDOWS\System32\MSIMG32.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\System32\netapi32.dll
*C:\WINDOWS\System32\LINKINFO.dll
*C:\WINDOWS\System32\ntshrui.dll
*C:\WINDOWS\System32\ATL.DLL
*C:\WINDOWS\System32\msi.dll
*C:\WINDOWS\System32\SXS.DLL
*C:\WINDOWS\System32\SETUPAPI.dll
*C:\WINDOWS\system32\NETSHELL.dll
*C:\WINDOWS\system32\credui.dll
*C:\WINDOWS\system32\WS2_32.dll
*C:\WINDOWS\system32\WS2HELP.dll
*C:\WINDOWS\system32\iphlpapi.dll
*C:\WINDOWS\system32\WININET.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\system32\urlmon.dll
*C:\WINDOWS\System32\WINSTA.dll
*C:\WINDOWS\System32\webcheck.dll
*C:\WINDOWS\System32\stobject.dll
*C:\WINDOWS\System32\BatMeter.dll
*C:\WINDOWS\System32\POWRPROF.dll
*C:\WINDOWS\System32\WTSAPI32.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\System32\wdmaud.drv
*C:\WINDOWS\System32\msacm32.drv
*C:\WINDOWS\System32\MSACM32.dll
*C:\WINDOWS\System32\midimap.dll
*C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\LGMOUSHK.dll
*C:\WINDOWS\System32\WINTRUST.dll
*C:\WINDOWS\system32\IMAGEHLP.dll
*C:\WINDOWS\System32\rsaenh.dll
*C:\WINDOWS\System32\MSCTF.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\System32\printui.dll
*C:\WINDOWS\System32\WINSPOOL.DRV
*C:\WINDOWS\System32\ACTIVEDS.dll
*C:\WINDOWS\System32\adsldpc.dll
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\System32\CFGMGR32.dll
*C:\WINDOWS\system32\MPR.dll
*C:\WINDOWS\System32\mslbui.dll
*C:\WINDOWS\System32\drprov.dll
*C:\WINDOWS\System32\ntlanman.dll
*C:\WINDOWS\System32\NETUI0.dll
*C:\WINDOWS\System32\NETUI1.dll
*C:\WINDOWS\System32\NETRAP.dll
*C:\WINDOWS\System32\SAMLIB.dll
*C:\WINDOWS\System32\davclnt.dll
*C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
*C:\WINDOWS\System32\browselc.dll
*C:\WINDOWS\System32\nvwddi.dll
*C:\WINDOWS\System32\shdoclc.dll
*C:\Program Files\Grisoft\AVG Free\avgse.dll
*C:\WINDOWS\System32\MSVCP71.dll
*C:\WINDOWS\System32\MSVCR71.dll
*C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
*C:\Program Files\ewido\security suite\context.dll
*C:\Program Files\ewido\security suite\lang.dll
*C:\WINDOWS\System32\zipfldr.dll
*C:\WINDOWS\System32\sendmail.dll
*C:\WINDOWS\System32\mydocs.dll
*C:\WINDOWS\System32\iwiku.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\System32\wshext.dll
*C:\WINDOWS\system32\comdlg32.dll
*C:\Program Files\PhotoDeluxe 2.0\PdxShell.dll
*C:\Program Files\Qualcomm\Eudora\EuShlExt.dll
*C:\Program Files\ewido\security suite\shellhook.dll
*C:\WINDOWS\System32\syncui.dll
*C:\WINDOWS\System32\actxprxy.dll
*C:\WINDOWS\System32\SYNCENG.DLL
*C:\WINDOWS\System32\msadp32.acm
*C:\WINDOWS\System32\RASAPI32.DLL
*C:\WINDOWS\System32\rasman.dll
*C:\WINDOWS\System32\TAPI32.dll
*C:\WINDOWS\System32\rtutils.dll
*C:\WINDOWS\System32\sensapi.dll
*C:\WINDOWS\System32\jscript.dll
*C:\WINDOWS\System32\wsock32.dll
*C:\WINDOWS\System32\mswsock.dll
*C:\WINDOWS\System32\rasadhlp.dll
*C:\WINDOWS\System32\DNSAPI.dll
*C:\WINDOWS\System32\winrnr.dll
*C:\WINDOWS\System32\wshtcpip.dll
*C:\WINDOWS\system32\mscoree.dll
*C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Shfusion.dll
*C:\Program Files\Common Files\System\MAPI\1033\msmapi32.dll
*C:\WINDOWS\System32\sfc_os.dll
*C:\PROGRA~1\SPYBOT~1\SDHelper.dll
*C:\WINDOWS\System32\olepro32.dll
*C:\Program Files\Microsoft Office\Office10\msohev.dll
+1932=C:\WINDOWS\MMKeybd.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\comdlg32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\COMCTL32.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\System32\SETUPAPI.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\System32\wdmaud.drv
*C:\WINDOWS\System32\msacm32.drv
*C:\WINDOWS\System32\MSACM32.dll
*C:\WINDOWS\System32\midimap.dll
*C:\WINDOWS\System32\hid.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\System32\msiosd32.dll
*C:\WINDOWS\System32\netapi32.dll
*C:\WINDOWS\system32\appHelp.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\System32\COMRes.dll
*C:\WINDOWS\system32\urlmon.dll
*C:\WINDOWS\System32\Secur32.dll
*C:\WINDOWS\System32\MSCTF.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\imagehlp.dll
*C:\WINDOWS\system32\wininet.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
+1836=C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\CDUDFLIB.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\COMCTL32.dll
*C:\WINDOWS\System32\WINSPOOL.DRV
*C:\WINDOWS\system32\msvcrt.dll
*C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\UDFRWLIB.dll
*C:\WINDOWS\System32\SHFOLDER.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\comdlg32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\System32\oledlg.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\System32\OLEPRO32.DLL
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\COMRes.dll
*C:\WINDOWS\System32\SETUPAPI.dll
*C:\WINDOWS\System32\LINKINFO.dll
*C:\WINDOWS\System32\ntshrui.dll
*C:\WINDOWS\System32\ATL.DLL
*C:\WINDOWS\System32\NETAPI32.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\System32\MSCTF.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\imagehlp.dll
*C:\WINDOWS\system32\wininet.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
+736=C:\WINDOWS\System32\devldr32.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\System32\DEVCON32.DLL
*C:\WINDOWS\System32\ATL.DLL
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\System32\SFMAN32.DLL
*C:\WINDOWS\System32\wdmaud.drv
*C:\WINDOWS\System32\msacm32.drv
*C:\WINDOWS\System32\MSACM32.dll
*C:\WINDOWS\System32\midimap.dll
*C:\WINDOWS\System32\Secur32.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\System32\MSCTF.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\imagehlp.dll
*C:\WINDOWS\system32\wininet.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\OLE32.DLL
+196=C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\comdlg32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\COMCTL32.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\system32\WININET.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\System32\WSOCK32.dll
*C:\WINDOWS\System32\WS2_32.dll
*C:\WINDOWS\System32\WS2HELP.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\System32\MSCTF.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\imagehlp.dll
+336=C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\WININET.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\OLE32.DLL
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\comdlg32.dll
*C:\WINDOWS\system32\COMCTL32.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\System32\WINSPOOL.DRV
*C:\WINDOWS\System32\oledlg.dll
*C:\WINDOWS\System32\OLEPRO32.DLL
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\Program Files\Common Files\Dell\EUSW\DDSM.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\COMRes.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\System32\qmgrprxy.dll
*C:\WINDOWS\System32\Secur32.dll
*C:\WINDOWS\System32\RASAPI32.DLL
*C:\WINDOWS\System32\rasman.dll
*C:\WINDOWS\System32\WS2_32.dll
*C:\WINDOWS\System32\WS2HELP.dll
*C:\WINDOWS\System32\NETAPI32.dll
*C:\WINDOWS\System32\TAPI32.dll
*C:\WINDOWS\System32\rtutils.dll
*C:\WINDOWS\System32\sensapi.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\System32\wsock32.dll
*C:\WINDOWS\System32\mswsock.dll
*C:\WINDOWS\System32\rasadhlp.dll
*C:\WINDOWS\System32\DNSAPI.dll
*C:\WINDOWS\System32\winrnr.dll
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\system32\urlmon.dll
*C:\WINDOWS\System32\wshtcpip.dll
*C:\WINDOWS\System32\msxml3.dll
*C:\WINDOWS\System32\mlang.dll
*C:\WINDOWS\System32\MSCTF.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\imagehlp.dll
+2020=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\System32\WINSPOOL.DRV
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\COMCTL32.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\System32\spool\drivers\w32x86\3\HPZR3204.DLL
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\System32\MSCTF.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\imagehlp.dll
*C:\WINDOWS\system32\wininet.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\hpzntp04.dll
*C:\WINDOWS\System32\adsldpc.dll
*C:\WINDOWS\System32\NETAPI32.dll
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\System32\setupapi.dll
*C:\WINDOWS\System32\mslbui.dll
*C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\LGMOUSHK.dll
+432=C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EVENTEX.dll
*C:\WINDOWS\System32\COMNCTR.dll
*C:\WINDOWS\System32\LOGILANG.dll
*C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\MFC42.DLL
*C:\WINDOWS\system32\MSVCRT.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\COMCTL32.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\Program Files\Logitech\MouseWare\SYSTEM\ccresrce.dll
*C:\Program Files\Logitech\MouseWare\SYSTEM\ccustom.dll
*C:\Program Files\Logitech\MouseWare\SYSTEM\ccresglb.dll
*C:\Program Files\Logitech\MouseWare\SYSTEM\ccstmglb.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\COMRes.dll
*C:\Program Files\Logitech\MouseWare\System\devices.dll
*C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\ccmsghk.dll
*C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\LGMOUSHK.dll
*C:\WINDOWS\System32\MSCTF.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\imagehlp.dll
*C:\WINDOWS\system32\wininet.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
+556=C:\WINDOWS\System32\hphmon03.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\System32\CFGMGR32.dll
*C:\WINDOWS\System32\setupapi.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\comdlg32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\COMCTL32.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\System32\WINSPOOL.DRV
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\System32\MSCTF.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\imagehlp.dll
*C:\WINDOWS\system32\wininet.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\System32\HPHipr09.dll
+800=C:\Program Files\QuickTime\qttask.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\System32\MSCTF.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\imagehlp.dll
*C:\WINDOWS\system32\wininet.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
+932=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\PROGRA~1\Grisoft\AVGFRE~1\AvgAbout.dll
*C:\PROGRA~1\Grisoft\AVGFRE~1\AvgCtrl.dll
*C:\PROGRA~1\Grisoft\AVGFRE~1\MFC71.DLL
*C:\WINDOWS\System32\MSVCR71.dll
*C:\WINDOWS\system32\COMCTL32.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\System32\MSVFW32.dll
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\MSVCP71.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\MPR.dll
*C:\PROGRA~1\Grisoft\AVGFRE~1\AvgTest.dll
*C:\PROGRA~1\Grisoft\AVGFRE~1\AvgTMgr.dll
*C:\WINDOWS\System32\SHFOLDER.dll
*C:\PROGRA~1\Grisoft\AVGFRE~1\AvgTRes.dll
*C:\PROGRA~1\Grisoft\AVGFRE~1\AvgSet.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\PROGRA~1\Grisoft\AVGFRE~1\avglog.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\System32\SETUPAPI.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\COMRes.dll
*C:\Program Files\Grisoft\AVG Free\avgcfg.dll
*C:\Program Files\Grisoft\AVG Free\avgklib.dll
*C:\Program Files\Grisoft\AVG Free\avglng.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\System32\MSCTF.dll
*C:\Program Files\Grisoft\AVG Free\avgf.dll
*C:\Program Files\Grisoft\AVG Free\AVGRES.DLL
*C:\Program Files\Grisoft\AVG Free\avgcckrn.dll
*C:\Program Files\Grisoft\AVG Free\avgvault.dll
*C:\Program Files\Grisoft\AVG Free\avgscan.dll
*C:\Program Files\Grisoft\AVG Free\avgunarc.dll
*C:\Program Files\Grisoft\AVG Free\avgrep.dll
*C:\PROGRA~1\Qualcomm\Eudora\Plugins\avgeud32.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\imagehlp.dll
*C:\WINDOWS\system32\wininet.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
+652=C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\WININET.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\OLE32.DLL
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\PSAPI.DLL
+984=C:\WINDOWS\System32\rundll32.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\IMAGEHLP.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\nvwddi.dll
*C:\WINDOWS\System32\MSCTF.dll
*C:\WINDOWS\system32\appHelp.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\COMRes.dll
*C:\WINDOWS\System32\nvshell.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\wininet.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
+876=C:\WINDOWS\System32\RUNDLL32.EXE
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\IMAGEHLP.dll
*C:\WINDOWS\System32\NVMCTRAY.DLL
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\COMCTL32.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\System32\MSCTF.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\System32\mslbui.dll
*C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\LGMOUSHK.dll
*C:\WINDOWS\System32\netapi32.dll
*C:\WINDOWS\System32\SETUPAPI.dll
*C:\WINDOWS\system32\appHelp.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\COMRes.dll
*C:\WINDOWS\system32\urlmon.dll
*C:\WINDOWS\System32\Secur32.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\wininet.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
+1100=C:\WINDOWS\System32\ctfmon.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\System32\MSCTF.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\System32\MSUTB.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\system32\ole32.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\imagehlp.dll
*C:\WINDOWS\system32\wininet.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
+440=C:\Program Files\Netropa\OSD.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\System32\MSCTF.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\wdmaud.drv
*C:\WINDOWS\System32\msacm32.drv
*C:\WINDOWS\System32\MSACM32.dll
*C:\WINDOWS\System32\midimap.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\imagehlp.dll
*C:\WINDOWS\system32\wininet.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
+1520=C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\QBUChannel.dll
*C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\stlport_vc746.dll
*C:\WINDOWS\System32\MSVCP71.dll
*C:\WINDOWS\System32\MSVCR71.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\WININET.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\OLE32.DLL
*C:\WINDOWS\System32\MFC71.DLL
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\System32\InetClnt.dll
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\system32\comdlg32.dll
*C:\WINDOWS\system32\COMCTL32.dll
*C:\WINDOWS\System32\WINSPOOL.DRV
*C:\WINDOWS\System32\oledlg.dll
*C:\WINDOWS\System32\WINTRUST.dll
*C:\WINDOWS\system32\IMAGEHLP.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\System32\SensAPI.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\System32\MSCTF.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\COMRes.dll
*C:\WINDOWS\System32\NTMARTA.DLL
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\System32\SAMLIB.dll
*C:\WINDOWS\System32\SETUPAPI.dll
*C:\WINDOWS\System32\Secur32.dll
*C:\WINDOWS\System32\SXS.DLL
*C:\WINDOWS\System32\RASAPI32.DLL
*C:\WINDOWS\System32\rasman.dll
*C:\WINDOWS\System32\WS2_32.dll
*C:\WINDOWS\System32\WS2HELP.dll
*C:\WINDOWS\System32\NETAPI32.dll
*C:\WINDOWS\System32\TAPI32.dll
*C:\WINDOWS\System32\rtutils.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\System32\msi.dll
*C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\QBMsgRequestMgr.dll
*C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\QBMsgMgrps.dll
*C:\WINDOWS\System32\wsock32.dll
*C:\WINDOWS\System32\mswsock.dll
*C:\WINDOWS\System32\rasadhlp.dll
*C:\WINDOWS\System32\DNSAPI.dll
*C:\WINDOWS\System32\winrnr.dll
*C:\WINDOWS\system32\urlmon.dll
*C:\WINDOWS\System32\wshtcpip.dll
*C:\WINDOWS\System32\msxml3.dll
*C:\WINDOWS\System32\npnkrye.dll
+2000=C:\Program Files\WinZip\WZQKPICK.EXE
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\System32\MSCTF.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\hhctrl.ocx
*C:\WINDOWS\System32\mslbui.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\imagehlp.dll
*C:\WINDOWS\system32\wininet.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
+2524=C:\WINDOWS\System32\wuauclt.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\System32\ATL.DLL
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\COMCTL32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\System32\wuaucpl.cpl
*C:\WINDOWS\System32\SHFOLDER.dll
*C:\WINDOWS\System32\wuaueng.dll
*C:\WINDOWS\System32\ADVPACK.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\System32\WS2_32.dll
*C:\WINDOWS\System32\WS2HELP.dll
*C:\WINDOWS\System32\ESENT.dll
*C:\WINDOWS\System32\WTSAPI32.dll
*C:\WINDOWS\System32\WINSTA.dll
*C:\WINDOWS\System32\WINSPOOL.DRV
*C:\WINDOWS\System32\SETUPAPI.dll
*C:\WINDOWS\System32\WINHTTP.dll
*C:\WINDOWS\System32\WINTRUST.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\system32\IMAGEHLP.dll
*C:\WINDOWS\System32\Cabinet.dll
*C:\WINDOWS\System32\mspatcha.dll
*C:\WINDOWS\System32\sfc.dll
*C:\WINDOWS\System32\sfc_os.dll
*C:\WINDOWS\System32\MSIMG32.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\System32\MSCTF.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\COMRes.dll
*C:\WINDOWS\System32\wups.dll
*C:\WINDOWS\System32\wucltui.dll
+3164=C:\WINDOWS\System32\hjharl.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\shlwapi.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\wininet.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\OLE32.DLL
*C:\WINDOWS\System32\iphlpapi.dll
*C:\WINDOWS\System32\WS2_32.dll
*C:\WINDOWS\System32\WS2HELP.dll
*C:\WINDOWS\system32\shell32.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\System32\serwvdrv.dll
*C:\WINDOWS\System32\umdmxfrm.dll
*C:\WINDOWS\System32\MSCTF.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\imagehlp.dll
*C:\WINDOWS\System32\Secur32.dll
*C:\WINDOWS\System32\RASAPI32.DLL
*C:\WINDOWS\System32\rasman.dll
*C:\WINDOWS\System32\NETAPI32.dll
*C:\WINDOWS\System32\TAPI32.dll
*C:\WINDOWS\System32\rtutils.dll
*C:\WINDOWS\System32\sensapi.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\system32\Apphelp.dll
+4020=C:\WINDOWS\System32\svchost.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*c:\windows\system32\wiaservc.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\OLE32.DLL
*C:\WINDOWS\system32\SHLWAPI.dll
*c:\windows\system32\CFGMGR32.dll
*C:\WINDOWS\System32\setupapi.dll
*C:\WINDOWS\system32\USERENV.dll
*c:\windows\system32\mscms.dll
*c:\windows\system32\WINSPOOL.DRV
*c:\windows\system32\WINSTA.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\COMRes.dll
*C:\WINDOWS\System32\actxprxy.dll
*C:\WINDOWS\System32\sti.dll
+1328=C:\WINDOWS\System32\HPHipm09.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\System32\WSOCK32.dll
*C:\WINDOWS\System32\WS2_32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\System32\WS2HELP.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\System32\NTMARTA.DLL
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\System32\SAMLIB.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\System32\HPHidr09.dll
+2276=C:\WINDOWS\system32\ntvdm.exe
*C:\WINDOWS\System32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\NTVDMD.DLL
*C:\WINDOWS\system32\WOW32.dll
*C:\WINDOWS\system32\appHelp.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\comdlg32.dll
*C:\WINDOWS\system32\COMCTL32.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1643_x-ww_7c3a9bc6\comctl32.dll
*C:\WINDOWS\system32\tsappcmp.dll
*C:\WINDOWS\System32\uxtheme.dll
*C:\WINDOWS\System32\nView.dll
*C:\WINDOWS\System32\PSAPI.DLL
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\SYSTEM32\serwvdrv.dll
*C:\WINDOWS\SYSTEM32\umdmxfrm.dll
*C:\WINDOWS\System32\MSCTF.dll
*C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
*C:\WINDOWS\PANICNT.dll
*C:\WINDOWS\System32\nvwddi.dll
*C:\WINDOWS\System32\npnkrye.dll
*C:\WINDOWS\system32\imagehlp.dll
*C:\WINDOWS\system32\wininet.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\System32\mslbui.dll
*C:\

DMR 152 Wombat At Large Team Colleague · Answer 15 · 2005-06-24T03:18:22+00:00

OK- the dllcompare log is clean, but it will take me a bit of time to snuffle through all of those Startdreck entries; please hang in there.

Michelle1070 0 Newbie Poster · Answer 16 · 2005-06-24T03:20:26+00:00

I will be leaving work in about 40 minutes. Should I just leave my computer on tonight so as to not give the files a chance to 'transform' into another file? Am I compromising our network here at work in any way?

Thank you.

DMR 152 Wombat At Large Team Colleague · Answer 17 · 2005-06-24T04:24:36+00:00

Should I just leave my computer on tonight so as to not give the files a chance to 'transform' into another file?

If possible, yes.

Am I compromising our network here at work in any way?

Possibly; spyware and adware infections do not spread over networks, but viruses/trojans/worms obviously do. However, if your machine is infected by network-spread infected, chances are very good that you're not the only one (or the first one) who's been hit.

Aurora Help Badly needed! Thank you!

Recommended Answers Collapse Answers

All 22 Replies

Recommended Answers