curtb3

asked on

xaamp.exe and flrs.exe

When I boot my home computer, I am suddenly receiving messages from my security software (Panda Internet Security 2007) that indicate that these two files are malicious code and will be blocked.

Does anyone know what these files are and the purpose that they serve? They reside in the windows/prefetch folder. I've renamed them (.pf to .old), but they return upon reboot.

Thank you,

Curt
indianguru2

Download HijackThis and paste the log that is generated from it:

http://www.majorgeeks.com/download5554.html
ASKER CERTIFIED SOLUTION
Member_2_49692

curtb3

ASKER

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:04 AM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\system32\r_server.exe
C:\WiRNS\WiRNS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\WiRNS\WiRNSMon.exe
C:\WINDOWS\system32\xaamp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\flrs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\WebProxy.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavBckPT.exe
D:\Downloads\Experts\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WiRNSMon] C:\WiRNS\WiRNSMon.exe
O4 - HKLM\..\Run: [Microsoft] xaamp.exe
O4 - HKLM\..\Run: [Windows Network] flrs.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\RunServices: [Microsoft] xaamp.exe
O4 - HKLM\..\RunServices: [Windows Network] flrs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Network] flrs.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201284257204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201285357390
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
O23 - Service: WiRNS (WiRNS.exe) - rbolen70,Glenn1963 - C:\WiRNS\WiRNS.exe

--
End of file - 7134 bytes
Remove all these entries using HijackThis by selecting them and clicking the Fix Checked button.
It might ask you to restart.
Restart, then run HijackThis again and post the log.


O4 - HKLM\..\Run: [WiRNSMon] C:\WiRNS\WiRNSMon.exe
O4 - HKLM\..\Run: [Microsoft] xaamp.exe
O4 - HKLM\..\Run: [Windows Network] flrs.exe
O4 - HKLM\..\RunServices: [Microsoft] xaamp.exe
O4 - HKLM\..\RunServices: [Windows Network] flrs.exe
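The entries singled out above share traits that are visible in the log itself: the value name borrows a vendor or OS name ("Microsoft", "Windows Network") instead of naming a product, the value is a bare file name with no directory, the same executable is registered under several autostart locations, and two of them sit under the legacy RunServices key. The following Python triage is an added example, not part of the thread and not HijackThis code; it applies those heuristics to O4 lines. The sample lines are copied from the posted log, and the list of imitated names, the score weights and the threshold are my own assumptions.

```python
"""Triage of HijackThis O4 (autostart) entries.

Added example, not from the thread or from HijackThis. Scores each O4 line
on the traits the expert used when choosing what to fix.
"""
import re
from dataclasses import dataclass

# Constructed subset of the HijackThis log posted in the thread.
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WiRNSMon] C:\WiRNS\WiRNSMon.exe
O4 - HKLM\..\Run: [Microsoft] xaamp.exe
O4 - HKLM\..\Run: [Windows Network] flrs.exe
O4 - HKLM\..\RunServices: [Microsoft] xaamp.exe
O4 - HKLM\..\RunServices: [Windows Network] flrs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Network] flrs.exe
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# Value names that imitate the OS or a vendor rather than a product (assumed list).
IMITATED_NAMES = {'microsoft', 'windows', 'windows network', 'windows update', 'system'}


@dataclass
class Autostart:
    hive: str
    key: str
    name: str
    command: str
    exe: str


def parse_o4(text):
    """Return one Autostart per O4 line; other HijackThis lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        cmd = m.group('cmd').strip()
        if cmd.startswith('"') and cmd.count('"') >= 2:
            exe = cmd[1:cmd.index('"', 1)]          # quoted path, drop arguments
        else:
            parts = cmd.split()
            exe = parts[0] if parts else ''         # first token before any arguments
        entries.append(Autostart(m['hive'], m['key'], m['name'], cmd, exe))
    return entries


def score_entry(entry, entries):
    """Score one entry against the others in the same log; weights are assumptions."""
    score, reasons = 0, []
    if '\\' not in entry.exe and '/' not in entry.exe:
        score += 1
        reasons.append('bare file name: resolved via the search path, usually system32')
    if entry.key.lower() == 'runservices':
        score += 1
        reasons.append('RunServices is a Windows 9x-era key; current software has no reason to write it')
    if entry.name.lower() in IMITATED_NAMES:
        score += 2
        reasons.append('value name borrows an OS/vendor name instead of naming a product')
    same = [e for e in entries if e.exe.lower() == entry.exe.lower()]
    if len(same) > 1:
        score += 1
        reasons.append(f'same executable registered in {len(same)} autostart locations')
    return score, reasons


def triage(text, threshold=2):
    """Return (entry, score, reasons) for every O4 line at or above the threshold."""
    entries = parse_o4(text)
    findings = []
    for e in entries:
        score, reasons = score_entry(e, entries)
        if score >= threshold:
            findings.append((e, score, reasons))
    return findings


if __name__ == '__main__':
    for e, s, why in triage(SAMPLE_HJT):
        print(f'[{s}] O4 - {e.hive}\\..\\{e.key}: [{e.name}] {e.command}')
        for r in why:
            print('    -', r)
```

On the sample, the five xaamp.exe and flrs.exe entries score 4 or 5 and nothing else crosses the threshold. CTHELPER.EXE is also a bare file name, but that single trait scores 1 and it stays unflagged, which matches the expert leaving it alone: no one heuristic is decisive, and the output is a list of candidates to check, not a verdict.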
curtb3

ASKER

I was working on this remotely from work and lost my net connection.

O4 - HKLM\..\Run: [WiRNSMon] C:\WiRNS\WiRNSMon.exe
O4 - HKLM\..\Run: [Microsoft] xaamp.exe
O4 - HKLM\..\Run: [Windows Network] flrs.exe
O4 - HKLM\..\RunServices: [Microsoft] xaamp.exe
O4 - HKLM\..\RunServices: [Windows Network] flrs.exe

I kept WiRNS (I'm familiar with this program), but I added an additional line that referenced FLRS that was just below it.

As soon as I have my connection back, I'll repost.

Thank you.
Also, this one needs to be removed:
O4 - HKCU\..\Run: [Windows Network] flrs.exe

Also check Add/Remove Programs for any odd entries, in addition to the procedures above.
curtb3

ASKER

Thanks, Brian

That was the extra line that I mentioned.

I appear to be offline indefinitely, so I may have to wait until I get home later this afternoon to continue.

Thank you both, and I will resume following your advice just as soon as I am able.

Curt
curtb3

ASKER

ComboFix 08-01-31.3 - Curt 2008-01-30 22:43:53.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1550 [GMT -5:00]
Running from: C:\Documents and Settings\Curt\Desktop\ComboFix.exe
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-31  )))))))))))))))))))))))))))))))
.

2008-01-29 23:12 . 2008-01-29 23:12      <DIR>      d--------      C:\Program Files\IrfanView
2008-01-28 15:37 . 2008-01-28 15:37      <DIR>      d--------      C:\Documents and Settings\Curt\Application Data\ATI
2008-01-28 15:37 . 2008-01-28 15:37      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\ATI
2008-01-28 15:36 . 2008-01-28 15:36      0      --a------      C:\WINDOWS\ativpsrm.bin
2008-01-28 15:32 . 2008-01-28 15:33      <DIR>      d--------      C:\Program Files\ATI Technologies
2008-01-28 14:19 . 2008-01-28 14:20      <DIR>      d--------      C:\Program Files\VIA
2008-01-28 14:15 . 2005-05-26 17:49      60,928      --a------      C:\WINDOWS\system32\drivers\viamraid.sys
2008-01-28 11:19 . 2008-01-28 11:19      <DIR>      d--------      C:\Documents and Settings\Curt\ReplayPhotoCache
2008-01-28 09:37 . 2008-01-28 09:37      <DIR>      d--------      C:\WINDOWS\Sun
2008-01-28 09:37 . 2008-01-28 09:37      <DIR>      d--------      C:\Program Files\Java
2008-01-28 09:37 . 2007-09-24 23:31      69,632      --a------      C:\WINDOWS\system32\javacpl.cpl
2008-01-28 09:07 . 2008-01-28 09:53      <DIR>      d--------      C:\dvarchive
2008-01-28 08:56 . 2008-01-28 08:56      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\WinZip
2008-01-28 08:11 . 2008-01-28 08:11      <DIR>      d--------      C:\Documents and Settings\Curt\Application Data\Uniblue
2008-01-28 05:46 . 2005-04-08 22:14      2,823      --a------      C:\WINDOWS\system32\crazy.ini
2008-01-28 05:46 . 2006-06-15 09:51      110      --a------      C:\WINDOWS\system32\start.bat
2008-01-28 05:46 . 2005-03-27 22:38      39      --a------      C:\WINDOWS\system32\iass.bat
2008-01-27 22:49 . 2008-01-27 22:49      <DIR>      d--------      C:\Program Files\PCPitstop
2008-01-27 22:49 . 2008-01-30 18:27      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-01-27 16:20 . 2008-01-27 16:20      <DIR>      d--------      C:\Program Files\TechTracker
2008-01-27 16:20 . 2008-01-27 20:09      <DIR>      d--------      C:\Documents and Settings\Curt\Application Data\VersionTracker Pro
2008-01-27 15:00 . 2008-01-27 15:00      <DIR>      d--------      C:\WINDOWS\Internet Logs
2008-01-27 14:52 . 2008-01-27 15:33      8      --a------      C:\WINDOWS\system32\success
2008-01-27 14:51 . 2008-01-27 14:51      <DIR>      d--------      C:\Program Files\USBancorp
2008-01-26 13:24 . 2008-01-26 13:24      <DIR>      d--------      C:\Documents and Settings\Curt\Application Data\vlc
2008-01-26 13:23 . 2008-01-26 13:23      <DIR>      d--------      C:\Program Files\VideoLAN
2008-01-26 11:27 . 2008-01-26 11:27      <DIR>      d--------      C:\Program Files\Common Files\Java
2008-01-26 10:39 . 2007-07-30 19:19      271,224      --a------      C:\WINDOWS\system32\mucltui.dll
2008-01-26 10:39 . 2007-07-30 19:19      30,072      --a------      C:\WINDOWS\system32\mucltui.dll.mui
2008-01-25 23:10 . 2008-01-30 22:20      <DIR>      d--------      C:\WiRNS
2008-01-25 22:59 . 2008-01-25 22:59      <DIR>      d--------      C:\Program Files\Common Files\Adobe
2008-01-25 16:42 . 2008-01-30 18:34      30,264      --a------      C:\WINDOWS\system32\BMXStateBkp-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-01-25 16:42 . 2008-01-30 18:34      30,264      --a------      C:\WINDOWS\system32\BMXState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-01-25 16:42 . 2008-01-30 18:34      27,816      --a------      C:\WINDOWS\system32\BMXCtrlState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-01-25 16:42 . 2008-01-30 18:34      27,816      --a------      C:\WINDOWS\system32\BMXBkpCtrlState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-01-25 16:42 . 2008-01-30 18:34      11,564      --a------      C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-01-25 16:42 . 2008-01-30 18:34      1,080      --a------      C:\WINDOWS\system32\settingsbkup.sfm
2008-01-25 16:42 . 2008-01-30 18:34      1,080      --a------      C:\WINDOWS\system32\settings.sfm
2008-01-25 16:41 . 2008-01-30 18:33      3,162,278      --a------      C:\WINDOWS\{00000000-00000000-0000000B-00001102-00000004-00511102}.BAK
2008-01-25 16:40 . 2008-01-25 16:43      <DIR>      d--------      C:\WINDOWS\system32\Defaults
2008-01-25 16:40 . 2000-12-05 09:11      4,174,814      ---------      C:\WINDOWS\system32\CT4MGM.SF2
2008-01-25 16:40 . 2008-01-30 18:33      3,162,278      --a------      C:\WINDOWS\{00000000-00000000-0000000B-00001102-00000004-00511102}.CDF
2008-01-25 16:39 . 2008-01-25 16:41      <DIR>      d--------      C:\Program Files\Creative
2008-01-25 16:39 . 2006-08-11 15:14      86,446      --a------      C:\WINDOWS\system32\instwdm.ini
2008-01-25 16:39 . 2006-08-11 14:56      3,072      --a------      C:\WINDOWS\CTXFIRES.DLL
2008-01-25 16:39 . 2006-08-11 14:32      191      --a------      C:\WINDOWS\system32\ctzapxx.ini
2008-01-25 16:30 . 2008-01-30 17:37      8,627      --a------      C:\WINDOWS\system32\PAV_FOG.OPC
2008-01-25 16:23 . 2008-01-30 22:37      261,920      --a------      C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2008-01-25 16:23 . 2008-01-30 22:37      1,204      --a------      C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2008-01-25 16:20 . 2008-01-25 16:20      <DIR>      d--------      C:\Program Files\Panda Software
2008-01-25 16:20 . 2008-01-25 16:20      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Backup
2008-01-25 16:19 . 2008-01-25 16:19      <DIR>      d--------      C:\Program Files\Common Files\Panda Software
2008-01-25 16:19 . 2007-02-19 07:21      170,800      --a------      C:\WINDOWS\system32\drivers\PavProc.sys
2008-01-25 16:19 . 2007-03-12 10:27      31,104      --a------      C:\WINDOWS\system32\drivers\ShlDrv51.sys
2008-01-25 15:09 . 2008-01-25 15:09      <DIR>      d--------      C:\Program Files\Symantec
2008-01-25 15:09 . 2008-01-28 15:33      <DIR>      d--h-----      C:\Program Files\InstallShield Installation Information
2008-01-25 15:08 . 2008-01-25 16:19      <DIR>      d--------      C:\Program Files\Common Files\InstallShield
2008-01-25 14:59 . 2008-01-25 14:59      <DIR>      d--------      C:\Program Files\Radmin
2008-01-25 14:59 . 2008-01-25 14:59      <DIR>      d--------      C:\Program Files\MSXML 6.0
2008-01-25 14:59 . 2001-07-24 10:15      241,664      --a------      C:\WINDOWS\system32\r_server.exe
2008-01-25 14:59 . 2000-07-10 07:06      90,112      --a------      C:\WINDOWS\system32\admdll.dll
2008-01-25 14:59 . 2000-07-08 01:29      29,408      --a------      C:\WINDOWS\system32\raddrv.dll
2008-01-25 14:52 . 2008-01-25 14:52      <DIR>      d--------      C:\Program Files\Microsoft Silverlight
2008-01-25 14:51 . 2008-01-25 14:51      <DIR>      d--------      C:\Program Files\MSBuild
2008-01-25 14:48 . 2008-01-25 15:02      <DIR>      d--------      C:\WINDOWS\system32\XPSViewer
2008-01-25 14:48 . 2008-01-25 14:48      <DIR>      d--------      C:\Program Files\Reference Assemblies
2008-01-25 14:47 . 2006-06-29 13:07      14,048      ---------      C:\WINDOWS\system32\spmsg2.dll
2008-01-25 14:45 . 2008-01-25 14:45      <DIR>      d--------      C:\Program Files\Windows Media Connect 2
2008-01-25 14:45 . 2006-10-04 09:06      1,197,294      -----c---      C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-25 14:45 . 2006-10-04 09:06      764,868      -----c---      C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-25 14:45 . 2006-10-04 09:06      217,118      -----c---      C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-25 14:44 . 2008-01-25 14:44      <DIR>      d--------      C:\WINDOWS\system32\LogFiles
2008-01-25 14:44 . 2008-01-25 14:44      <DIR>      d--------      C:\WINDOWS\system32\drivers\UMDF
2008-01-25 14:29 . 2007-10-10 18:55      6,065,664      -----c---      C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-25 14:29 . 2007-06-30 22:31      2,455,488      -----c---      C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-25 14:29 . 2007-06-30 22:36      991,232      -----c---      C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-25 14:29 . 2007-10-10 18:55      459,264      -----c---      C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-25 14:29 . 2007-10-10 18:55      383,488      -----c---      C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-25 14:29 . 2007-10-10 18:55      267,776      -----c---      C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-25 14:29 . 2007-10-10 18:55      63,488      -----c---      C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-25 14:29 . 2007-10-10 18:55      52,224      -----c---      C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-25 14:29 . 2007-10-10 05:59      13,824      -----c---      C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-25 14:26 . 2007-08-13 18:54      33,792      --a--c---      C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-25 14:16 . 2008-01-25 16:39      <DIR>      d--------      C:\WINDOWS\system32\data
2008-01-25 14:16 . 2008-01-25 14:16      <DIR>      d--------      C:\Documents and Settings\Curt\Application Data\Creative
2008-01-25 14:16 . 2008-01-25 14:16      409,600      --a------      C:\WINDOWS\system32\wrap_oal.dll
2008-01-25 14:16 . 2008-01-25 14:16      114,688      --a------      C:\WINDOWS\system32\OpenAL32.dll
2008-01-25 14:01 . 2007-07-09 08:09      584,192      -----c---      C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-25 13:49 . 2008-01-25 14:56      <DIR>      d--h-----      C:\WINDOWS\$hf_mig$
2008-01-25 13:42 . 2008-01-25 13:42      <DIR>      d--------      C:\WINDOWS\provisioning
2008-01-25 13:42 . 2008-01-25 13:42      <DIR>      d--------      C:\WINDOWS\peernet
2008-01-25 13:42 . 2008-01-25 13:47      316,640      --a------      C:\WINDOWS\WMSysPr9.prx
2008-01-25 13:41 . 2008-01-25 13:41      <DIR>      d--------      C:\WINDOWS\ServicePackFiles
2008-01-25 13:38 . 2006-10-16 16:10      23,856      --a------      C:\WINDOWS\system32\spupdsvc.exe
2008-01-25 13:37 . 2008-01-25 13:37      <DIR>      d--------      C:\WINDOWS\EHome
2008-01-25 13:32 . 2007-12-20 21:47      3,120,640      --a------      C:\WINDOWS\system32\ati3duag.dll
2008-01-25 13:24 . 2008-01-25 13:24      <DIR>      d--h-----      C:\WINDOWS\system32\GroupPolicy
2008-01-25 13:21 . 2007-04-09 13:23      28,040      --a------      C:\WINDOWS\system32\mdimon.dll
2008-01-25 13:21 . 2008-01-25 13:21      376      --a------      C:\WINDOWS\ODBC.INI
2008-01-25 13:20 . 2008-01-25 13:20      <DIR>      d--------      C:\Program Files\Microsoft.NET

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 03:37      261,920      ----a-w      C:\WINDOWS\system32\drivers\APPFCONT.DAT
2008-01-31 03:37      1,204      ----a-w      C:\WINDOWS\system32\drivers\APPFLTR.CFG
2008-01-25 17:59      ---------      d-----w      C:\Program Files\microsoft frontpage
2007-12-21 03:53      2,843,136      ----a-w      C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-21 03:08      272,384      ----a-w      C:\WINDOWS\system32\ati2dvag.dll
2007-12-21 03:02      307,200      ----a-w      C:\WINDOWS\system32\atiiiexx.dll
2007-12-21 02:59      43,520      ----a-w      C:\WINDOWS\system32\ati2edxx.dll
2007-12-21 02:59      26,112      ----a-w      C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-21 02:59      147,456      ----a-w      C:\WINDOWS\system32\atipdlxx.dll
2007-12-21 02:59      122,880      ----a-w      C:\WINDOWS\system32\Oemdspif.dll
2007-12-21 02:58      122,880      ----a-w      C:\WINDOWS\system32\ati2evxx.dll
2007-12-21 02:57      512,000      ----a-w      C:\WINDOWS\system32\ati2evxx.exe
2007-12-21 02:56      53,248      ----a-w      C:\WINDOWS\system32\ATIDDC.DLL
2007-12-21 02:36      1,661,696      ----a-w      C:\WINDOWS\system32\ativvaxx.dll
2007-12-21 02:20      5,435,392      ----a-w      C:\WINDOWS\system32\atioglxx.dll
2007-12-21 02:20      385,024      ----a-w      C:\WINDOWS\system32\atikvmag.dll
2007-12-21 02:18      17,408      ----a-w      C:\WINDOWS\system32\atitvo32.dll
2007-12-21 02:17      49,152      ----a-w      C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-21 02:11      499,712      ----a-w      C:\WINDOWS\system32\ati2cqag.dll
2007-12-21 02:05      593,920      ------w      C:\WINDOWS\system32\ati2sgag.exe
2007-11-07 09:26      721,920      ----a-w      C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43      1,287,680      ----a-w      C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40      222,720      ----a-w      C:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47      96,760      ----a-w      C:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47      84,480      ----a-w      C:\WINDOWS\system32\mscories.dll
2007-10-24 06:47      282,112      ----a-w      C:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47      158,720      ----a-w      C:\WINDOWS\system32\mscorier.dll
2007-10-11 14:55      88,576      ----a-w      C:\WINDOWS\system32\infocardapi.dll
2007-10-11 14:55      579,584      ----a-w      C:\WINDOWS\system32\icardagt.exe
2007-10-11 14:55      11,776      ----a-w      C:\WINDOWS\system32\icardres.dll
2007-10-10 23:56      824,832      ----a-w      C:\WINDOWS\system32\wininet.dll
2007-10-09 18:03      779,800      ----a-w      C:\WINDOWS\system32\PresentationNative_v0300.dll
2007-10-09 18:03      73,752      ----a-w      C:\WINDOWS\system32\dxva2.dll
2007-10-09 18:03      493,080      ----a-w      C:\WINDOWS\system32\evr.dll
2007-10-09 18:03      350,744      ----a-w      C:\WINDOWS\system32\PresentationHost.exe
2007-10-09 18:03      33,304      ----a-w      C:\WINDOWS\system32\PresentationHostProxy.dll
2007-10-09 18:03      161,304      ----a-w      C:\WINDOWS\system32\UIAutomationCore.dll
2007-10-09 18:03      106,520      ----a-w      C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 18:03      1,986,072      ----a-w      C:\WINDOWS\system32\milcore.dll
2007-10-09 17:58      16,896      ----a-w      C:\WINDOWS\system32\tswpfwrp.exe
2007-06-13 10:23      1,351,255      --sh--r      C:\WINDOWS\system32\flrs.exe
2007-06-13 10:23      325,751      --sh--r      C:\WINDOWS\system32\xaamp.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [2007-04-27 20:44 628272]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [2007-04-17 18:29 27696]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"WiRNSMon"="C:\WiRNS\WiRNSMon.exe" [2008-01-30 18:18 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2005-05-26 17:49]
R1 AmdPPM;AMD HwPState Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 21:46]
R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-04-02 19:43]
R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-04-02 19:43]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-03-12 17:45]
R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-04-02 19:43]
R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-04-17 17:42]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2007-03-12 10:27]
R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-04-02 19:43]
R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-04-02 19:43]
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys [2006-10-27 13:27]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-02-19 07:21]
R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2001-07-24 10:15]
R2 WiRNS.exe;WiRNS;C:\WiRNS\WiRNS.exe [2008-01-30 18:18]
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-24 15:43]
R3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
R3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 22:44:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-30 22:45:03
.
2008-01-25 20:48:21      --- E O F ---  
curtb3

ASKER

Thank you, Brian.

I thought that your recommendations were a bit much, at first, but they got the job done.
So it is working fine now?
curtb3

ASKER

So far, so good!
The files are no longer there, nor are they reappearing upon reboot.
I'm not certain which program got it, but you've given me the tools to self-diagnose going forward.

Thanks again.

Curt

You're welcome :)