Ragnarokk, posted 20 April 2008

Suddenly my whole desktop was filled with files that I don't recognise. The file name is FAP32B5.tmp, with an increasing number for each file. PC-cillin, Spybot, CCleaner and Ad-Aware have been run with no result. If I delete the files manually, they come back on restart. The HJT log says the following:

Logfile of HijackThis v1.99.1
Scan saved at 14:47:20, on 19.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programfiler\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe
C:\Documents and Settings\Jørund\Skrivebord\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programfiler\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [soundMAXPnP] C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Programfiler\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programfiler\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ragnatabascosaus.spaces.msn.com//Ph...ad/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128195292531
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - https://ssl.extrafilm.org/upload/activex/ImageUploader3.cab
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://eurofoto.no/activex/ImageUploader3.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp08.photoprintit.de/microsite/502...geUploader3.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Programfiler\Trend Micro\BM\TMBMSRV.exe" /service (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe
norbat, posted 20 April 2008

The log shows no infections. Did you do anything in particular around the time these files started showing up?
Ragnarokk (thread author), posted 20 April 2008 (edited)

No, I wasn't at the machine; I had used it earlier and everything looked fine. I took a break, and when I came back it looked like this. I hadn't been browsing around; I only had my "standard pages" open, a couple of them, one of which was VG. I suspected the log was clean, I didn't find anything special in it myself either, but what the heck can this be then????

Edited 20 April 2008 by Ragnarokk
norbat, posted 20 April 2008

Do you get any info about them when you right-click and choose Properties? See whether you can open one of them in Notepad and whether that gives any more info.
Ragnarokk (thread author), posted 20 April 2008

Neither Properties nor Notepad gives any info. Notepad is empty, and Properties contains nothing other than the file name. What "kind" of files won't let you delete them but pop back again on restart? Since no program reports a virus or spyware, I mean, what can it be then?
norbat, posted 20 April 2008

They are temporary files created by some program or other that you most likely have installed. Which browser do you use?
Ragnarokk (thread author), posted 20 April 2008

I use Opera, and I haven't installed anything lately....
norbat, posted 20 April 2008

Let's try another log:
Download Combofix and put it on the desktop.
Run combofix.exe and follow the instructions.
Post the log file from combofix (c:\combofix.txt).
morgan_kane, posted 20 April 2008

Which programs have you installed?
r2d290, posted 20 April 2008 (edited)

> Which programs have you installed?

The thread starter did say "and I haven't installed anything lately...."

edit: changed "he" to "thread starter"

Edited 20 April 2008 by r2d290
Ragnarokk (thread author), posted 20 April 2008

Hepp, hepp, new log. Is it normal for the screen to go blue after this one comes up? I have to restart to get anything on the desktop now, but I'm holding off.

ComboFix 08-04-18.3 - Jørund 2008-04-20 15:07:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.524 [GMT 2:00]
Running from: C:\Documents and Settings\Jørund\Skrivebord\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\ALLUSE~1\START-~1\Online Security Guide.url
C:\DOCUME~1\ALLUSE~1\START-~1\Security Troubleshooting.url
C:\Programfiler\winupdates
.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.
2008-04-19 10:28 . 2008-04-19 10:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-19 10:28 . 2008-04-19 10:28 2,553 --a------ C:\WINDOWS\unins000.dat
2008-04-19 10:24 . 2008-04-20 14:58 <DIR> dr-h----- C:\Documents and Settings\Jørund\Siste
2008-04-19 10:24 . 2008-04-20 14:58 <DIR> dr-h----- C:\Documents and Settings\Jørund\Siste
2008-04-12 22:25 . 2008-04-12 22:25 <DIR> d-------- C:\Programfiler\Sun
2008-04-12 22:25 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-12 22:20 . 2008-04-12 22:20 <DIR> d-------- C:\fotoknudsen
2008-04-02 11:33 . 2008-04-02 11:33 0 --a------ C:\Acr297C.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 08:30 --------- d-----w C:\Programfiler\Spybot - Search & Destroy
2008-04-12 20:25 --------- d-----w C:\Programfiler\Java
2008-04-12 20:15 --------- d-----w C:\Programfiler\Canon
2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:39 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:05 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
2006-06-17 09:41 5 --sha-w C:\WINDOWS\system32\bbecbebffaa_s.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-28 21:06 15360]
"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"PcSync"="C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 13:33 1388544]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-08-02 16:35 7110656]
"nwiz"="nwiz.exe" [2005-08-02 16:35 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-08-02 16:35 86016]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 10:08 172032]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SSBkgdUpdate"="C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 01:14 155648]
"OpwareSE4"="C:\Programfiler\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 14:19 69632]
"UfSeAgnt.exe"="C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 01:56 1398024]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-09-28 21:05 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-28 21:06 15360]

C:\DOCUME~1\ALLUSE~1\START-~1\PROGRA~1\Oppstart\
Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
WinZip Quick Pick.lnk - C:\Programfiler\WinZip\WZQKPICK.EXE [2006-01-11 00:00:08 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\LimeWire\\LimeWire.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

S2 BRZQVOBL;BRZQVOBL;C:\WINDOWS\system32\brzqvobl.piv []
S3 OMNUSB;Omnikey AG CardMan 2020 USB-smartkortleser;C:\WINDOWS\system32\DRIVERS\sccmusbm.sys [2001-08-17 21:51]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 15:14:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr = "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background??e?r

scanning hidden files ...

scan completed successfully
hidden files: 6

**************************************************************************
.
Completion time: 2008-04-20 15:18:34
ComboFix-quarantined-files.txt 2008-04-20 13:18:26

Pre-Run: 51,543,175,168 byte ledig
Post-Run: 51,548,368,896 byte ledig

92 --- E O F --- 2008-04-12 01:00:49
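A triage pass over log lines of the kind posted above, added here as an example that is not part of the thread and not ComboFix's own code: it parses Find3M file lines, service lines and registry values from a constructed sample and flags the signals a helper would act on in this log (a service whose image ComboFix could not stat and which has a non-standard extension, a tiny system+hidden DLL in system32, an autostart entry with no file metadata, and Security Center monitoring / Windows Firewall switched off). The line shapes, the 1 KiB threshold and the "empty bracket means the file could not be stat'ed" reading are assumptions drawn from the excerpts, not ComboFix's documented format.

```python
from __future__ import annotations
import re

# Constructed sample in the shape of the log above (Find3M, registry and
# service lines only); the suspect entries mirror the thread's own log.
SAMPLE_LOG = r"""
2008-02-16 09:05 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
2006-06-17 09:41 5 --sha-w C:\WINDOWS\system32\bbecbebffaa_s.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-28 21:06 15360]
"PcSync"="C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S2 BRZQVOBL;BRZQVOBL;C:\WINDOWS\system32\brzqvobl.piv []
S3 OMNUSB;Omnikey AG CardMan 2020 USB-smartkortleser;C:\WINDOWS\system32\DRIVERS\sccmusbm.sys [2001-08-17 21:51]
"""

# Line shapes inferred from the excerpts (an assumption, not ComboFix's grammar).
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+([\d,]+)\s+([-\w]{7})\s+(.+)$")
SVC_RE = re.compile(r"^[SR][0-4]\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
NORMAL_IMAGE_EXT = (".sys", ".exe", ".dll")  # what a service image normally is


def _reg_int(value: str) -> int:
    """'dword:00000001' -> 1, '0 (0x0)' -> 0."""
    if value.startswith("dword:"):
        return int(value[6:], 16)
    return int(value.split()[0])


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for lines a helper would want to look at."""
    findings = []
    key = ""  # registry key the following value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            key = line.lower()
        elif m := FILE_RE.match(line):
            size, attrs, path = int(m.group(2).replace(",", "")), m.group(3), m.group(4)
            # system+hidden on a tiny DLL in system32: a marker file, not a library
            if "s" in attrs and "h" in attrs and path.lower().endswith(".dll") and size < 1024:
                findings.append(("hidden+system tiny DLL", line))
        elif m := SVC_RE.match(line):
            name, display, image, meta = m.groups()
            if not meta.strip():  # empty []: ComboFix could not stat the image
                findings.append(("service with no file metadata", line))
            if not image.lower().endswith(NORMAL_IMAGE_EXT):
                findings.append(("service image with unusual extension", line))
            if name == display:  # weak signal, typical of auto-generated services
                findings.append(("service display name equals internal name", line))
        elif m := VALUE_RE.match(line):
            vname, value = m.groups()
            if key.endswith("\\run]") and value.endswith("[ ]"):
                findings.append(("autostart entry with no file metadata", line))
            elif "security center" in key and vname == "DisableMonitoring" and _reg_int(value) == 1:
                findings.append(("Security Center monitoring disabled", line))
            elif "firewallpolicy" in key and vname == "EnableFirewall" and _reg_int(value) == 0:
                findings.append(("Windows Firewall disabled", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```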
Ragnarokk (thread author), posted 20 April 2008

> Which programs have you installed?
> He did say "and I haven't installed anything lately...."

And HE is a SHE...

No, I really can't remember any recent installs (recent as in the last 14 days); the last one was probably, hmm..... well, now that the desktop has gone blue I'm honestly not sure!!
norbat, posted 20 April 2008

Restart the PC and see whether the desktop goes back to the way it was. Then:

Use Explorer to delete the following file: C:\WINDOWS\system32\bbecbebffaa_s.dll
Delete any .tmp files lying on the desktop.
Download CCleaner. Start the program. Go to 'Options' -> 'Advanced'. Untick: "only delete temporary files......."
Click 'Cleaner' and then 'Run CCleaner'.
Then run a full scan with SAS (the free version).
Ragnarokk (thread author), posted 20 April 2008

I can't find the file, not even when I show hidden files and folders....
norbat, posted 20 April 2008

And the problem is still there?
Ragnarokk (thread author), posted 20 April 2008

Yep.... I've tried searching for the file too, but nothing. And, as I said, not among hidden files and folders either.
norbat, posted 20 April 2008

OK, then we'll do the following: open Notepad and copy in what is in bold below, then save the file to the desktop as CFScript.txt. Then drag the file onto the Combofix icon. Combofix will start again.

File::
C:\WINDOWS\system32\brzqvobl.piv
C:\WINDOWS\system32\bbecbebffaa_s.dll
C:\Acr297C.tmp

Driver::
BRZQVOBL

Post the log, and we'll take another look.
Ragnarokk (thread author), posted 20 April 2008 (edited)

And the log is..... It doesn't look like we succeeded....

ComboFix 08-04-18.3 - Jørund 2008-04-20 20:44:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.451 [GMT 2:00]
Running from: C:\Documents and Settings\Jørund\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jørund\Skrivebord\CFScript.txt..txt
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Acr297C.tmp
C:\WINDOWS\system32\bbecbebffaa_s.dll
C:\WINDOWS\system32\brzqvobl.piv
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Acr297C.tmp
C:\WINDOWS\system32\bbecbebffaa_s.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BRZQVOBL
-------\Service_BRZQVOBL

((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.
2008-04-19 10:28 . 2008-04-19 10:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-19 10:28 . 2008-04-19 10:28 2,553 --a------ C:\WINDOWS\unins000.dat
2008-04-12 22:25 . 2008-04-12 22:25 <DIR> d-------- C:\Programfiler\Sun
2008-04-12 22:25 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-12 22:20 . 2008-04-12 22:20 <DIR> d-------- C:\fotoknudsen
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 08:30 --------- d-----w C:\Programfiler\Spybot - Search & Destroy
2008-04-12 20:25 --------- d-----w C:\Programfiler\Java
2008-04-12 20:15 --------- d-----w C:\Programfiler\Canon
2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:39 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:05 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-20_15.17.58,68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-20 12:40:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 18:50:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-28 21:06 15360]
"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"PcSync"="C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 13:33 1388544]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-08-02 16:35 7110656]
"nwiz"="nwiz.exe" [2005-08-02 16:35 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-08-02 16:35 86016]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 10:08 172032]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SSBkgdUpdate"="C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 01:14 155648]
"OpwareSE4"="C:\Programfiler\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 14:19 69632]
"UfSeAgnt.exe"="C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 01:56 1398024]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-09-28 21:05 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-28 21:06 15360]

C:\DOCUME~1\ALLUSE~1\START-~1\PROGRA~1\Oppstart\
Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
WinZip Quick Pick.lnk - C:\Programfiler\WinZip\WZQKPICK.EXE [2006-01-11 00:00:08 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\LimeWire\\LimeWire.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

S3 OMNUSB;Omnikey AG CardMan 2020 USB-smartkortleser;C:\WINDOWS\system32\DRIVERS\sccmusbm.sys [2001-08-17 21:51]
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 20:50:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\tmevtmgr.log 185 bytes

scan completed successfully
hidden files: 7

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe
C:\Programfiler\Trend Micro\BM\TMBMSRV.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-20 20:56:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-20 18:56:29
ComboFix2.txt 2008-04-20 13:18:36

Pre-Run: 51,566,608,384 byte ledig
Post-Run: 51,520,262,144 byte ledig

114 --- E O F --- 2008-04-12 01:00:49

Edited 20 April 2008 by Ragnarokk
norbat, posted 20 April 2008

Download catchme to the desktop.
Start the program by double-clicking it.
Copy and post the contents of catchme.log.
Ragnarokk (thread author), posted 20 April 2008

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0