xaamp.exe and flrs.exe

When I boot my home computer, I am suddenly receiving messages from my Security Software (Panda Internet Security 2007) that indicate that these two files are malicious code and will be blocked.

Does anyone know what these files are and the purpose that they serve? They reside in the windows/prefetch folder. I've renamed them (.pf to .old) but they return upon reboot.

Thank you,

Curt
curtb3 Asked:

indianguru2 Commented:
Download Hijackthis and paste the Log that is generated from it

http://www.majorgeeks.com/download5554.html
Member_2_49692 Commented:
As indianguru2 recommended, post a HijackThis log and also do the following.

You're infected with spyware/malware. Those are not valid Windows processes or valid applications.

Download combofix.exe and save it to your desktop.
Close any open browsers.
Before starting ComboFix, disable and exit any anti-virus software, anti-spyware or any other security-related software, as they may interfere with ComboFix's operation.
Double-click combofix.exe & follow the prompts.
When finished, it shall produce a log for you and display it on your desktop called c:\combofix.txt. By default this log is located on your 'C' drive. Post that log in your next reply along with a fresh HJT log as well.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Combofix http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Also run these

You're going to need to run some anti-spyware/malware utilities too.

http://security.kolla.de Spybot S&D - download it, install it (do not install TeaTimer), update it, then run it

http://lavasoft.com - Ad-Aware - download it, run it and then uninstall it
http://pack.google.com/intl/en/pack_installer_new.html?hl=en&gl=us&utm_source=en_US-et-more&utm_medium=et&utm_campaign=en_US&ciNum=11 - select to only download and install Spyware Doctor.

Additionally, I would download and run RootkitRevealer; if it comes up with anything odd, post it up here.
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

curtb3 Author Commented:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:04 AM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\system32\r_server.exe
C:\WiRNS\WiRNS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\WiRNS\WiRNSMon.exe
C:\WINDOWS\system32\xaamp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\flrs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\WebProxy.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavBckPT.exe
D:\Downloads\Experts\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WiRNSMon] C:\WiRNS\WiRNSMon.exe
O4 - HKLM\..\Run: [Microsoft] xaamp.exe
O4 - HKLM\..\Run: [Windows Network] flrs.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\RunServices: [Microsoft] xaamp.exe
O4 - HKLM\..\RunServices: [Windows Network] flrs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Network] flrs.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201284257204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201285357390
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
O23 - Service: WiRNS (WiRNS.exe) - rbolen70,Glenn1963 - C:\WiRNS\WiRNS.exe

--
End of file - 7134 bytes

indianguru2 Commented:
Remove all these entries using HijackThis by selecting them and clicking on the Fix Checked button.
It might ask you to restart.
Restart, then run HijackThis and post the log.


O4 - HKLM\..\Run: [WiRNSMon] C:\WiRNS\WiRNSMon.exe
O4 - HKLM\..\Run: [Microsoft] xaamp.exe
O4 - HKLM\..\Run: [Windows Network] flrs.exe
O4 - HKLM\..\RunServices: [Microsoft] xaamp.exe
O4 - HKLM\..\RunServices: [Windows Network] flrs.exe
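As an added example (not from the thread, HijackThis or ComboFix), here is a small Python triage script that applies the same reasoning to the O4 lines above: it scores each autostart entry on a bare filename with no path, the legacy RunServices key, a value name such as "Microsoft" or "Windows Network" that impersonates the OS, the same file registered in several autostart locations, and hidden+system attributes taken from a ComboFix Find3M report. The sample log lines are copied from this thread; the impersonation name list, the weights and the threshold are assumptions.

```python
"""Score the O4 autostart lines of a HijackThis log the way the thread does by eye.

Added example, not part of the thread, HijackThis or ComboFix. Several weak
signals are combined so that one signal alone (e.g. CTHELPER.EXE, a legitimate
bare-name entry) does not reach the removal threshold.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WiRNSMon] C:\WiRNS\WiRNSMon.exe
O4 - HKLM\..\Run: [Microsoft] xaamp.exe
O4 - HKLM\..\Run: [Windows Network] flrs.exe
O4 - HKLM\..\RunServices: [Microsoft] xaamp.exe
O4 - HKLM\..\RunServices: [Windows Network] flrs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Network] flrs.exe
"""
# Constructed sample: Find3M lines copied from the ComboFix log posted later in the thread.
SAMPLE_FIND3M = r"""
2007-12-21 02:57      512,000      ----a-w      C:\WINDOWS\system32\ati2evxx.exe
2007-06-13 10:23      1,351,255      --sh--r      C:\WINDOWS\system32\flrs.exe
2007-06-13 10:23      325,751      --sh--r      C:\WINDOWS\system32\xaamp.exe
"""

# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r'^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# "date time   size   attrs   path" as printed in ComboFix's Find3M report
FIND3M_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+(?P<attrs>[-a-z]+)\s+(?P<path>[A-Za-z]:\\.*)$')
# Assumed heuristic list: value names that borrow an OS vendor/component name.
IMPERSONATING_NAMES = {"microsoft", "windows", "windows network", "windows update", "system"}


@dataclass
class Autorun:
    line: str
    key: str
    name: str
    exe: str                      # executable exactly as written in the registry value
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def parse_command(cmd: str) -> str:
    """Extract the executable from a Run value: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_hjt_o4(log: str) -> list[Autorun]:
    out = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out.append(Autorun(line.strip(), m["key"], m["name"], parse_command(m["cmd"])))
    return out


def parse_find3m(report: str) -> dict[str, str]:
    """Map lower-cased file basename -> ComboFix attribute string such as '--sh--r'."""
    return {basename(m["path"]): m["attrs"]
            for m in (FIND3M_RE.match(l.strip()) for l in report.splitlines()) if m}


def score_autoruns(entries: list[Autorun], file_attrs: dict[str, str]) -> list[Autorun]:
    count = {}
    for e in entries:
        count[basename(e.exe)] = count.get(basename(e.exe), 0) + 1
    for e in entries:
        exe = basename(e.exe)
        if "\\" not in e.exe:                       # weak alone: CTHELPER.EXE is also bare
            e.score += 1; e.reasons.append("bare filename, no path")
        if e.key.lower() == "runservices":          # Windows 9x-era key, unused by XP software
            e.score += 2; e.reasons.append("legacy RunServices key")
        if e.name.strip().lower() in IMPERSONATING_NAMES and e.name.lower() != exe:
            e.score += 2; e.reasons.append("value name impersonates Windows")
        attrs = file_attrs.get(exe, "")
        if "h" in attrs and "s" in attrs:           # hidden + system on a user-mode exe
            e.score += 3; e.reasons.append(f"file is hidden+system ({attrs})")
        if count[exe] > 1:
            e.score += 1; e.reasons.append(f"same exe in {count[exe]} autostart locations")
    return entries


def triage(hjt_log: str = SAMPLE_HJT, find3m: str = SAMPLE_FIND3M, threshold: int = 4) -> list[str]:
    """Return the O4 lines to 'Fix checked'; threshold 4 needs at least two independent signals."""
    entries = score_autoruns(parse_hjt_o4(hjt_log), parse_find3m(find3m))
    return [e.line for e in entries if e.score >= threshold]


if __name__ == "__main__":
    for e in score_autoruns(parse_hjt_o4(SAMPLE_HJT), parse_find3m(SAMPLE_FIND3M)):
        print(f"{e.score:2d}  {e.line}")
        for r in e.reasons:
            print(f"      - {r}")
```

On the thread's own log this flags exactly the five xaamp.exe/flrs.exe entries and leaves WiRNSMon, CTHelper and ctfmon alone.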
curtb3 Author Commented:
I was working on this remotely from work and lost my net connection.

O4 - HKLM\..\Run: [WiRNSMon] C:\WiRNS\WiRNSMon.exe
O4 - HKLM\..\Run: [Microsoft] xaamp.exe
O4 - HKLM\..\Run: [Windows Network] flrs.exe
O4 - HKLM\..\RunServices: [Microsoft] xaamp.exe
O4 - HKLM\..\RunServices: [Windows Network] flrs.exe

I kept WiRNS (I'm familiar with this program), but I added an additional line that referenced FLRS that was just below it.

As soon as I have my connection back, I'll repost.

Thank you.
Member_2_49692 Commented:
Also, this one needs to be removed:
O4 - HKCU\..\Run: [Windows Network] flrs.exe

Also check Add/Remove Programs for any odd entries, in addition to the procedures above.
curtb3 Author Commented:
Thanks, Brian

That was the extra line that I mentioned.

I appear to be offline indefinitely, so I may have to wait until I get home later this afternoon to continue.

Thank you both, and I will resume following your advice just as soon as I am able.

Curt
curtb3 Author Commented:
ComboFix 08-01-31.3 - Curt 2008-01-30 22:43:53.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1550 [GMT -5:00]
Running from: C:\Documents and Settings\Curt\Desktop\ComboFix.exe
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-31  )))))))))))))))))))))))))))))))
.

2008-01-29 23:12 . 2008-01-29 23:12      <DIR>      d--------      C:\Program Files\IrfanView
2008-01-28 15:37 . 2008-01-28 15:37      <DIR>      d--------      C:\Documents and Settings\Curt\Application Data\ATI
2008-01-28 15:37 . 2008-01-28 15:37      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\ATI
2008-01-28 15:36 . 2008-01-28 15:36      0      --a------      C:\WINDOWS\ativpsrm.bin
2008-01-28 15:32 . 2008-01-28 15:33      <DIR>      d--------      C:\Program Files\ATI Technologies
2008-01-28 14:19 . 2008-01-28 14:20      <DIR>      d--------      C:\Program Files\VIA
2008-01-28 14:15 . 2005-05-26 17:49      60,928      --a------      C:\WINDOWS\system32\drivers\viamraid.sys
2008-01-28 11:19 . 2008-01-28 11:19      <DIR>      d--------      C:\Documents and Settings\Curt\ReplayPhotoCache
2008-01-28 09:37 . 2008-01-28 09:37      <DIR>      d--------      C:\WINDOWS\Sun
2008-01-28 09:37 . 2008-01-28 09:37      <DIR>      d--------      C:\Program Files\Java
2008-01-28 09:37 . 2007-09-24 23:31      69,632      --a------      C:\WINDOWS\system32\javacpl.cpl
2008-01-28 09:07 . 2008-01-28 09:53      <DIR>      d--------      C:\dvarchive
2008-01-28 08:56 . 2008-01-28 08:56      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\WinZip
2008-01-28 08:11 . 2008-01-28 08:11      <DIR>      d--------      C:\Documents and Settings\Curt\Application Data\Uniblue
2008-01-28 05:46 . 2005-04-08 22:14      2,823      --a------      C:\WINDOWS\system32\crazy.ini
2008-01-28 05:46 . 2006-06-15 09:51      110      --a------      C:\WINDOWS\system32\start.bat
2008-01-28 05:46 . 2005-03-27 22:38      39      --a------      C:\WINDOWS\system32\iass.bat
2008-01-27 22:49 . 2008-01-27 22:49      <DIR>      d--------      C:\Program Files\PCPitstop
2008-01-27 22:49 . 2008-01-30 18:27      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-01-27 16:20 . 2008-01-27 16:20      <DIR>      d--------      C:\Program Files\TechTracker
2008-01-27 16:20 . 2008-01-27 20:09      <DIR>      d--------      C:\Documents and Settings\Curt\Application Data\VersionTracker Pro
2008-01-27 15:00 . 2008-01-27 15:00      <DIR>      d--------      C:\WINDOWS\Internet Logs
2008-01-27 14:52 . 2008-01-27 15:33      8      --a------      C:\WINDOWS\system32\success
2008-01-27 14:51 . 2008-01-27 14:51      <DIR>      d--------      C:\Program Files\USBancorp
2008-01-26 13:24 . 2008-01-26 13:24      <DIR>      d--------      C:\Documents and Settings\Curt\Application Data\vlc
2008-01-26 13:23 . 2008-01-26 13:23      <DIR>      d--------      C:\Program Files\VideoLAN
2008-01-26 11:27 . 2008-01-26 11:27      <DIR>      d--------      C:\Program Files\Common Files\Java
2008-01-26 10:39 . 2007-07-30 19:19      271,224      --a------      C:\WINDOWS\system32\mucltui.dll
2008-01-26 10:39 . 2007-07-30 19:19      30,072      --a------      C:\WINDOWS\system32\mucltui.dll.mui
2008-01-25 23:10 . 2008-01-30 22:20      <DIR>      d--------      C:\WiRNS
2008-01-25 22:59 . 2008-01-25 22:59      <DIR>      d--------      C:\Program Files\Common Files\Adobe
2008-01-25 16:42 . 2008-01-30 18:34      30,264      --a------      C:\WINDOWS\system32\BMXStateBkp-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-01-25 16:42 . 2008-01-30 18:34      30,264      --a------      C:\WINDOWS\system32\BMXState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-01-25 16:42 . 2008-01-30 18:34      27,816      --a------      C:\WINDOWS\system32\BMXCtrlState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-01-25 16:42 . 2008-01-30 18:34      27,816      --a------      C:\WINDOWS\system32\BMXBkpCtrlState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-01-25 16:42 . 2008-01-30 18:34      11,564      --a------      C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-01-25 16:42 . 2008-01-30 18:34      1,080      --a------      C:\WINDOWS\system32\settingsbkup.sfm
2008-01-25 16:42 . 2008-01-30 18:34      1,080      --a------      C:\WINDOWS\system32\settings.sfm
2008-01-25 16:41 . 2008-01-30 18:33      3,162,278      --a------      C:\WINDOWS\{00000000-00000000-0000000B-00001102-00000004-00511102}.BAK
2008-01-25 16:40 . 2008-01-25 16:43      <DIR>      d--------      C:\WINDOWS\system32\Defaults
2008-01-25 16:40 . 2000-12-05 09:11      4,174,814      ---------      C:\WINDOWS\system32\CT4MGM.SF2
2008-01-25 16:40 . 2008-01-30 18:33      3,162,278      --a------      C:\WINDOWS\{00000000-00000000-0000000B-00001102-00000004-00511102}.CDF
2008-01-25 16:39 . 2008-01-25 16:41      <DIR>      d--------      C:\Program Files\Creative
2008-01-25 16:39 . 2006-08-11 15:14      86,446      --a------      C:\WINDOWS\system32\instwdm.ini
2008-01-25 16:39 . 2006-08-11 14:56      3,072      --a------      C:\WINDOWS\CTXFIRES.DLL
2008-01-25 16:39 . 2006-08-11 14:32      191      --a------      C:\WINDOWS\system32\ctzapxx.ini
2008-01-25 16:30 . 2008-01-30 17:37      8,627      --a------      C:\WINDOWS\system32\PAV_FOG.OPC
2008-01-25 16:23 . 2008-01-30 22:37      261,920      --a------      C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2008-01-25 16:23 . 2008-01-30 22:37      1,204      --a------      C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2008-01-25 16:20 . 2008-01-25 16:20      <DIR>      d--------      C:\Program Files\Panda Software
2008-01-25 16:20 . 2008-01-25 16:20      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Backup
2008-01-25 16:19 . 2008-01-25 16:19      <DIR>      d--------      C:\Program Files\Common Files\Panda Software
2008-01-25 16:19 . 2007-02-19 07:21      170,800      --a------      C:\WINDOWS\system32\drivers\PavProc.sys
2008-01-25 16:19 . 2007-03-12 10:27      31,104      --a------      C:\WINDOWS\system32\drivers\ShlDrv51.sys
2008-01-25 15:09 . 2008-01-25 15:09      <DIR>      d--------      C:\Program Files\Symantec
2008-01-25 15:09 . 2008-01-28 15:33      <DIR>      d--h-----      C:\Program Files\InstallShield Installation Information
2008-01-25 15:08 . 2008-01-25 16:19      <DIR>      d--------      C:\Program Files\Common Files\InstallShield
2008-01-25 14:59 . 2008-01-25 14:59      <DIR>      d--------      C:\Program Files\Radmin
2008-01-25 14:59 . 2008-01-25 14:59      <DIR>      d--------      C:\Program Files\MSXML 6.0
2008-01-25 14:59 . 2001-07-24 10:15      241,664      --a------      C:\WINDOWS\system32\r_server.exe
2008-01-25 14:59 . 2000-07-10 07:06      90,112      --a------      C:\WINDOWS\system32\admdll.dll
2008-01-25 14:59 . 2000-07-08 01:29      29,408      --a------      C:\WINDOWS\system32\raddrv.dll
2008-01-25 14:52 . 2008-01-25 14:52      <DIR>      d--------      C:\Program Files\Microsoft Silverlight
2008-01-25 14:51 . 2008-01-25 14:51      <DIR>      d--------      C:\Program Files\MSBuild
2008-01-25 14:48 . 2008-01-25 15:02      <DIR>      d--------      C:\WINDOWS\system32\XPSViewer
2008-01-25 14:48 . 2008-01-25 14:48      <DIR>      d--------      C:\Program Files\Reference Assemblies
2008-01-25 14:47 . 2006-06-29 13:07      14,048      ---------      C:\WINDOWS\system32\spmsg2.dll
2008-01-25 14:45 . 2008-01-25 14:45      <DIR>      d--------      C:\Program Files\Windows Media Connect 2
2008-01-25 14:45 . 2006-10-04 09:06      1,197,294      -----c---      C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-25 14:45 . 2006-10-04 09:06      764,868      -----c---      C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-25 14:45 . 2006-10-04 09:06      217,118      -----c---      C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-25 14:44 . 2008-01-25 14:44      <DIR>      d--------      C:\WINDOWS\system32\LogFiles
2008-01-25 14:44 . 2008-01-25 14:44      <DIR>      d--------      C:\WINDOWS\system32\drivers\UMDF
2008-01-25 14:29 . 2007-10-10 18:55      6,065,664      -----c---      C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-25 14:29 . 2007-06-30 22:31      2,455,488      -----c---      C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-25 14:29 . 2007-06-30 22:36      991,232      -----c---      C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-25 14:29 . 2007-10-10 18:55      459,264      -----c---      C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-25 14:29 . 2007-10-10 18:55      383,488      -----c---      C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-25 14:29 . 2007-10-10 18:55      267,776      -----c---      C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-25 14:29 . 2007-10-10 18:55      63,488      -----c---      C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-25 14:29 . 2007-10-10 18:55      52,224      -----c---      C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-25 14:29 . 2007-10-10 05:59      13,824      -----c---      C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-25 14:26 . 2007-08-13 18:54      33,792      --a--c---      C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-25 14:16 . 2008-01-25 16:39      <DIR>      d--------      C:\WINDOWS\system32\data
2008-01-25 14:16 . 2008-01-25 14:16      <DIR>      d--------      C:\Documents and Settings\Curt\Application Data\Creative
2008-01-25 14:16 . 2008-01-25 14:16      409,600      --a------      C:\WINDOWS\system32\wrap_oal.dll
2008-01-25 14:16 . 2008-01-25 14:16      114,688      --a------      C:\WINDOWS\system32\OpenAL32.dll
2008-01-25 14:01 . 2007-07-09 08:09      584,192      -----c---      C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-25 13:49 . 2008-01-25 14:56      <DIR>      d--h-----      C:\WINDOWS\$hf_mig$
2008-01-25 13:42 . 2008-01-25 13:42      <DIR>      d--------      C:\WINDOWS\provisioning
2008-01-25 13:42 . 2008-01-25 13:42      <DIR>      d--------      C:\WINDOWS\peernet
2008-01-25 13:42 . 2008-01-25 13:47      316,640      --a------      C:\WINDOWS\WMSysPr9.prx
2008-01-25 13:41 . 2008-01-25 13:41      <DIR>      d--------      C:\WINDOWS\ServicePackFiles
2008-01-25 13:38 . 2006-10-16 16:10      23,856      --a------      C:\WINDOWS\system32\spupdsvc.exe
2008-01-25 13:37 . 2008-01-25 13:37      <DIR>      d--------      C:\WINDOWS\EHome
2008-01-25 13:32 . 2007-12-20 21:47      3,120,640      --a------      C:\WINDOWS\system32\ati3duag.dll
2008-01-25 13:24 . 2008-01-25 13:24      <DIR>      d--h-----      C:\WINDOWS\system32\GroupPolicy
2008-01-25 13:21 . 2007-04-09 13:23      28,040      --a------      C:\WINDOWS\system32\mdimon.dll
2008-01-25 13:21 . 2008-01-25 13:21      376      --a------      C:\WINDOWS\ODBC.INI
2008-01-25 13:20 . 2008-01-25 13:20      <DIR>      d--------      C:\Program Files\Microsoft.NET

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 03:37      261,920      ----a-w      C:\WINDOWS\system32\drivers\APPFCONT.DAT
2008-01-31 03:37      1,204      ----a-w      C:\WINDOWS\system32\drivers\APPFLTR.CFG
2008-01-25 17:59      ---------      d-----w      C:\Program Files\microsoft frontpage
2007-12-21 03:53      2,843,136      ----a-w      C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-21 03:08      272,384      ----a-w      C:\WINDOWS\system32\ati2dvag.dll
2007-12-21 03:02      307,200      ----a-w      C:\WINDOWS\system32\atiiiexx.dll
2007-12-21 02:59      43,520      ----a-w      C:\WINDOWS\system32\ati2edxx.dll
2007-12-21 02:59      26,112      ----a-w      C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-21 02:59      147,456      ----a-w      C:\WINDOWS\system32\atipdlxx.dll
2007-12-21 02:59      122,880      ----a-w      C:\WINDOWS\system32\Oemdspif.dll
2007-12-21 02:58      122,880      ----a-w      C:\WINDOWS\system32\ati2evxx.dll
2007-12-21 02:57      512,000      ----a-w      C:\WINDOWS\system32\ati2evxx.exe
2007-12-21 02:56      53,248      ----a-w      C:\WINDOWS\system32\ATIDDC.DLL
2007-12-21 02:36      1,661,696      ----a-w      C:\WINDOWS\system32\ativvaxx.dll
2007-12-21 02:20      5,435,392      ----a-w      C:\WINDOWS\system32\atioglxx.dll
2007-12-21 02:20      385,024      ----a-w      C:\WINDOWS\system32\atikvmag.dll
2007-12-21 02:18      17,408      ----a-w      C:\WINDOWS\system32\atitvo32.dll
2007-12-21 02:17      49,152      ----a-w      C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-21 02:11      499,712      ----a-w      C:\WINDOWS\system32\ati2cqag.dll
2007-12-21 02:05      593,920      ------w      C:\WINDOWS\system32\ati2sgag.exe
2007-11-07 09:26      721,920      ----a-w      C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43      1,287,680      ----a-w      C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40      222,720      ----a-w      C:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47      96,760      ----a-w      C:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47      84,480      ----a-w      C:\WINDOWS\system32\mscories.dll
2007-10-24 06:47      282,112      ----a-w      C:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47      158,720      ----a-w      C:\WINDOWS\system32\mscorier.dll
2007-10-11 14:55      88,576      ----a-w      C:\WINDOWS\system32\infocardapi.dll
2007-10-11 14:55      579,584      ----a-w      C:\WINDOWS\system32\icardagt.exe
2007-10-11 14:55      11,776      ----a-w      C:\WINDOWS\system32\icardres.dll
2007-10-10 23:56      824,832      ----a-w      C:\WINDOWS\system32\wininet.dll
2007-10-09 18:03      779,800      ----a-w      C:\WINDOWS\system32\PresentationNative_v0300.dll
2007-10-09 18:03      73,752      ----a-w      C:\WINDOWS\system32\dxva2.dll
2007-10-09 18:03      493,080      ----a-w      C:\WINDOWS\system32\evr.dll
2007-10-09 18:03      350,744      ----a-w      C:\WINDOWS\system32\PresentationHost.exe
2007-10-09 18:03      33,304      ----a-w      C:\WINDOWS\system32\PresentationHostProxy.dll
2007-10-09 18:03      161,304      ----a-w      C:\WINDOWS\system32\UIAutomationCore.dll
2007-10-09 18:03      106,520      ----a-w      C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 18:03      1,986,072      ----a-w      C:\WINDOWS\system32\milcore.dll
2007-10-09 17:58      16,896      ----a-w      C:\WINDOWS\system32\tswpfwrp.exe
2007-06-13 10:23      1,351,255      --sh--r      C:\WINDOWS\system32\flrs.exe
2007-06-13 10:23      325,751      --sh--r      C:\WINDOWS\system32\xaamp.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [2007-04-27 20:44 628272]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [2007-04-17 18:29 27696]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"WiRNSMon"="C:\WiRNS\WiRNSMon.exe" [2008-01-30 18:18 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2005-05-26 17:49]
R1 AmdPPM;AMD HwPState Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 21:46]
R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-04-02 19:43]
R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-04-02 19:43]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-03-12 17:45]
R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-04-02 19:43]
R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-04-17 17:42]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2007-03-12 10:27]
R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-04-02 19:43]
R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-04-02 19:43]
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys [2006-10-27 13:27]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-02-19 07:21]
R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2001-07-24 10:15]
R2 WiRNS.exe;WiRNS;C:\WiRNS\WiRNS.exe [2008-01-30 18:18]
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-24 15:43]
R3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
R3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 22:44:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-30 22:45:03
.
2008-01-25 20:48:21      --- E O F ---  
curtb3 Author Commented:
Thank you, Brian.

I thought that your recommendations were a bit much, at first, but they got the job done.
Member_2_49692 Commented:
So it is working fine now?
curtb3 Author Commented:
So far, so good!
The files are no longer there, nor are they reappearing upon reboot.
I'm not certain which program got it, but you've given me the tools to self-diagnose going forward.

Thanks again.

Curt

Member_2_49692 Commented:
You're welcome :)