PDA

View Full Version : Win Anti Spy Ware



iamthetboz
2007-08-01, 07:06
My computer has been infected with Winantispyware. I cannot get rid of it. Please help. When I try to reboot, the computer restarts half way through and the only mode I can actually get booted is 'Safe Mode with Networking'. I've tried to uninstall all the associated programs but I'm not sure if its working or not. I still can't get it to boot in regular mode. I did get hijackthis to run in safe mode. I've attached that file. I'm not sure what else to do. Please help.

iamthetboz
2007-08-01, 15:33
Logfile of HijackThis v1.99.1
Scan saved at 10:26:57 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\SaraS\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [vhilotgA] C:\WINDOWS\vhilotgA.exe
O4 - HKLM\..\Run: [{CF-F4-40-02-ZN}] C:\windows\system32\modsregq.exe SKY009
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\twinpndt.exe SKY009
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [SysDAFS.exe] C:\WINDOWS\system32\SysDAFS.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win19.tmp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [RemoveInstallPath] cmd.exe C:\WINDOWS\system32\cmd.exe /c rmdir /S /Q "C:\PROGRA~1\WinPop" > nul
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.riverbelle.com/download_helper/Nyoko.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://candystand.com/assets/activex/virtools/CacheManager.CAB
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\vhilotg.exe (file missing)

pskelley
2007-08-01, 15:51
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I'll try to help, but you have major problems. Please read this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_01\ <<< Java is badly out of date and likely the reason you are infected. Download the newest version and uninstall all old versions in Add Remove Programs.

You have trojans on board like this one:
c:\windows\system32\ldcore.dll
http://www.sophos.com/security/analyses/trojdloadraqg.html

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\vhilotg.exe
Windows Overlay Components X (Random).exe Reported as the Trojan-Dropper.Win32.Agent.tb TROJAN! by Kaspersky Anti-Virus. Note: This trojan file is located in the Windows or Winnt folder. For more information on Trojan Droppers Click_Here

and many more infections, I am showing you this so you will know your security has been badly compromised, you may want to consider this information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

At the very least you should pull the plug on this computer unless you have to be online during troubleshooting. If you wish to continue with the cleanup, then we will start like this:

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Thanks

iamthetboz
2007-08-02, 05:01
That is the only mode I can get the computer to boot up in. Should I follow all your instructions in that mode?

Thanks,
-Tboz

pskelley
2007-08-02, 12:49
Give it a try and see what happens.

Thanks

iamthetboz
2007-08-05, 01:36
So since I can only boot into Safe Mode with Networking, I am unable to uninstall Java. I'm trying to get into Normal mode but so far no good. Any ideas?

Thanks,
-Tboz

pskelley
2007-08-05, 02:01
Let's face facts, you have major issues and I am not sure malware is all of them. The fact you were running a very outdated version of Java may or may not be the reason you are infected, you are so let's try to deal with it. I would say you can wait to update Java, I am interested in if you were able to run combofix. If so, please post that combofix log and a new HJT log.

Here is one thing you can try that might get you out of safe mode:
How to get out of safe mode from the system configuration utility
If you use the system configuration utility to get into safe mMode you'll need to use it to get back out too.

Choose Start > Programs > Accessories > System Tools > System Information.

Choose Tools > System Configuration Utility.
On the General tab, Select Normal Startup -- Load Device Drivers and Software.
Click OK then restart Windows by clicking Yes in the System Settings Change dialog box.
Let me know if it works, and post those logs so I can see what we are up against.

Thanks

Thanks

iamthetboz
2007-08-05, 21:02
This is pretty bad huh? Well now I cannot get the computer to boot in any mode. Is my best bet to just reinstall Windows? If I do that is there any way I can get some of the files off my hard drive? Mainly pictures, resumes, etc. All the music is still in the Ipod so I can probably load it from there. Am I totally screwed or is there a way to save some of my stuff?

By the way, thanks for all your help. I was close to throwing the computer out the window last night. Still might happen but hopefully it won't come to that. Please let me know what you think my best course of action is.

Thanks,
-Tboz

pskelley
2007-08-05, 22:07
I can't make your decisions for you, but If I was in the position you are in I would reformat the computer. Here are several good links with information.

http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

Hope that helps

iamthetboz
2007-08-06, 01:23
I was able to boot from my cdrom copy of Windows where I could run repair xp. That allowed me to get into DOS. From there I moved some drivers around which allowed me to get back into 'Safe Mode with Networking'. I ran the combofix which seems to have fixed some things. I can now get into Normal Mode. I've attached the combofix log and HJT log below. I feel like we've finally made some progress. At the very least, I should be able to get my files off the hard drive.

Please let me know what to do next. Thanks for all your guidance so far.

-Tboz

iamthetboz
2007-08-06, 01:24
ComboFix 07-08-04.3 - "Administrator" 2007-08-05 16:48:47.1 [GMT -5:00] - NTFS [SAFE MODE]
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\LOCALS~1\APPLIC~1\install.dat
C:\DOCUME~1\NETWOR~1\APPLIC~1\.rdr.ini
C:\DOCUME~1\NETWOR~1\APPLIC~1\install.dat
C:\DOCUME~1\SaraS\APPLIC~1\..\err.log>>d-delA.cf
C:\DOCUME~1\SaraS\APPLIC~1\.rdr.ini
C:\DOCUME~1\SaraS\APPLIC~1\install.dat
C:\DOCUME~1\SaraS\APPLIC~1\Starware
C:\DOCUME~1\SaraS\APPLIC~1\Starware\Manager\ManagerOptions.xml
C:\DOCUME~1\SaraS\APPLIC~1\Starware\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\ppatch~1\m?iexec.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\MSN\vixyl83122.dll
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\WINDOWS\83122.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\crosof~1.net
C:\WINDOWS\csrss.exe
C:\WINDOWS\desktop.html
C:\WINDOWS\mgrs.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\retadpu27.exe
C:\WINDOWS\retadpu572.exe
C:\WINDOWS\spooldr.exe
C:\WINDOWS\system32\awtqrqn.dll
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe
C:\WINDOWS\system32\b06FdUe
C:\WINDOWS\system32\b06FdUe\b06FdUe1083.exe
C:\WINDOWS\system32\config\systemprofile\application data\.rdr.ini
C:\WINDOWS\system32\dllh8jkd1q1.exe
C:\WINDOWS\system32\dllh8jkd1q2.exe
C:\WINDOWS\system32\dllh8jkd1q5.exe
C:\WINDOWS\system32\dllh8jkd1q6.exe
C:\WINDOWS\system32\dllh8jkd1q7.exe
C:\WINDOWS\system32\dllh8jkd1q8.exe
C:\WINDOWS\system32\dnsersnd.dll
C:\WINDOWS\system32\drivers\asc3550u.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\exahqsno.exe
C:\WINDOWS\system32\hlpsrv.exe
C:\WINDOWS\system32\jkkjkig.dll
C:\WINDOWS\system32\khfghif.dll
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\loftketd.dll
C:\WINDOWS\system32\mjejyysf.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\spooldr.sys
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\urqonnn.dll
C:\WINDOWS\system32\vedxga1me4t1.exe
C:\WINDOWS\system32\vedxga3me2.exe
C:\WINDOWS\system32\vedxga4me1.exe
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winfqk32.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\wuulyhu.dll
C:\WINDOWS\system32\wvuvssp.dll
C:\WINDOWS\system32\X1
C:\WINDOWS\system32\X1\kmhp83122.exe
C:\WINDOWS\system32\X11
C:\WINDOWS\system32\X11\z553.exe
C:\WINDOWS\system32\X3
C:\WINDOWS\system32\X3\wr731.exe
C:\WINDOWS\system32\X7
C:\WINDOWS\system32\X9
C:\WINDOWS\system32\yabxy.dll
C:\WINDOWS\system32\yxbay.bak1
C:\WINDOWS\system32\yxbay.bak2
C:\WINDOWS\system32\yxbay.ini
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\uninst2.htm
C:\WINDOWS\unist1.htm
C:\WINDOWS\wr.txt
C:\windows\xpupdate.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_APIMON
-------\LEGACY_FOPN
-------\LEGACY_NET_AGENT
-------\LEGACY_QIE28
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\ApiMon
-------\Net Agent
-------\Windows Overlay Components


((((((((((((((((((((((((( Files Created from 2007-07-05 to 2007-08-05 )))))))))))))))))))))))))))))))


2007-08-05 16:47 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-05 16:46 1,408,582 --a------ C:\ComboFix.exe
2007-08-04 18:08 <DIR> d-------- C:\WINDOWS\system32\drivers\bak
2007-08-04 17:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-07-31 22:45 93,696 --a------ C:\WINDOWS\system32\drvsat.dll
2007-07-31 22:45 <DIR> d-------- C:\DOCUME~1\SaraS\APPLIC~1\?ymbols
2007-07-31 22:30 125,504 --a--c--- C:\WINDOWS\system32\bhipvpus.dll
2007-07-31 19:44 70,312 --a------ C:\Program Files\codec_setup.exe
2007-07-31 16:30 168,960 --a------ C:\WINDOWS\system32\drivers\Qie28.sys
2007-07-31 16:17 168,960 --a------ C:\WINDOWS\system32\drivers\Xrx49.sys
2007-07-31 16:17 168,960 --a------ C:\WINDOWS\system32\drivers\symavc32.sys
2007-07-31 16:11 9,769 --a------ C:\WINDOWS\gsvjy0578.exe
2007-07-28 16:03 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-07-28 16:03 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-07-28 16:03 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-07-28 16:03 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-07-28 16:03 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2007-07-28 16:03 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-07-28 16:03 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-07-28 16:03 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-07-28 16:03 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-07-28 16:03 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-07-28 16:03 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2007-07-28 16:03 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-07-24 12:06 <DIR> d-------- C:\DOCUME~1\Tyler\APPLIC~1\MySpace
2007-07-05 00:06 294,912 --a------ C:\WINDOWS\Walgreens PhotoShow.scr
2007-07-05 00:06 <DIR> d-------- C:\DOCUME~1\SaraS\APPLIC~1\Simple Star
2007-07-05 00:06 <DIR> d-------- C:\Demo Album
2007-07-05 00:05 <DIR> d-------- C:\Program Files\Walgreens


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-05 17:04 375168 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2007-08-05 17:04 375168 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-07-31 22:26 --------- d-------- C:\Program Files\Yahoo!
2007-07-31 21:37 --------- d-------- C:\Program Files\MySpace
2007-07-31 16:16 --------- d-------- C:\Program Files\Windows NT
2007-07-31 01:54 13993410 -r-hs---- C:\AVG6DB_F.DAT
2007-07-28 21:34 --------- d-------- C:\Program Files\MSN Messenger
2007-07-28 04:06 135 --a------ C:\Program Files\page.html
2007-07-26 20:23 --------- d-------- C:\Program Files\OpenOffice.org1.1.1
2007-07-07 15:35 2983 --a------ C:\WINDOWS\mozver.dat
2007-06-25 08:54 53248 --a------ C:\WINDOWS\uni_eh44.exe
2007-06-25 08:53 53248 --a------ C:\WINDOWS\uninst1014.exe
2007-06-06 03:28 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-03 20:21 8326 --a------ C:\WINDOWS\extend.dat
2007-05-16 10:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-03-06 22:15 1201917 --a------ C:\Program Files\wrar37b4.exe
2007-03-06 22:14 25755448 --a------ C:\Program Files\wmp11-windowsxp-x86-enu.exe
2007-03-06 20:06 6006304 --a------ C:\Program Files\Firefox Setup 2.0.0.2.exe
2006-12-02 20:05 2522 --a------ C:\Program Files\func.js
2006-11-25 02:57 482 --a------ C:\Program Files\Del.js
2006-06-08 02:02 2048 --a------ C:\Program Files\func.exe
2006-01-22 14:25 112729 --a------ C:\Program Files\cddrv224.zip
2006-01-22 14:06 7180311 --a------ C:\Program Files\HandBrake-0.7.0-GUIAndCLI-20060115.zip
2001-09-27 18:51 44779 --a------ C:\Program Files\NLDS1XXW.INF
2001-08-27 16:40 940606 --a------ C:\Program Files\data1.cab
2001-08-27 16:40 526 --a------ C:\Program Files\layout.bin
2001-08-27 16:40 36731 --a------ C:\Program Files\data1.hdr
2001-08-27 16:40 296 --a------ C:\Program Files\Setup.ini
2001-08-27 16:40 1409627 --a------ C:\Program Files\data2.cab
2001-08-24 05:44 2632 --a------ C:\Program Files\YDSXGDK.INF
2001-06-13 09:41 142209 --a------ C:\Program Files\setup.inx
2000-11-14 02:05 131072 --a------ C:\Program Files\dsuninst.exe
2000-10-30 13:00 141 --a------ C:\Program Files\setup.inf
2000-05-16 15:36 139264 --a------ C:\Program Files\Setup.exe
2000-05-14 19:17 335626 --a------ C:\Program Files\ikernel.ex_
2000-04-01 22:00 1073 --a------ C:\Program Files\YDSXGDK.CAT
2000-04-01 22:00 1073 --a------ C:\Program Files\YDSDEV.CAT
1999-04-02 12:16 2417445 --a------ C:\Program Files\Dsxgwave.tbl

C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
359,808 2005-05-25 19:04:02 C:\WINDOWS\$hf_mig$\KB893066\SP2GDR\tcpip.sys
359,936 2005-05-25 19:07:12 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
339,968 2005-05-25 19:41:10 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
332,928 2002-08-29 06:58:12 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys.000
359,040 2004-08-04 06:14:40 C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
332,928 2002-08-29 06:58:12 C:\WINDOWS\$NtUninstallKB893066_0$\tcpip.sys
359,808 2005-05-25 19:04:02 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
359,040 2004-08-04 06:14:40 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
340,480 2006-01-13 01:13:17 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP1QFE\tcpip.sys
359,808 2006-01-13 02:28:14 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2GDR\tcpip.sys
360,448 2006-01-13 17:07:08 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2QFE\tcpip.sys
375,168 2007-08-05 22:05:19 C:\WINDOWS\system32\dllcache\tcpip.sys
375,168 2007-08-05 22:05:21 C:\WINDOWS\system32\drivers\tcpip.sys
375,168 2007-08-04 22:52:01 C:\WINDOWS\system32\drivers\bak\tcpip.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_CC"="C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe" [2004-05-18 06:00]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"AtiPTA"="atiptaxx.exe" [2001-09-26 22:39 C:\WINDOWS\system32\atiptaxx.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-27 19:01]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 18:50]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 20:30]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 01:14]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 14:19]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"NBInstall"="C:\DOCUME~1\SaraS\LOCALS~1\Temp\MBDownloader_876919.exe" [2007-07-31 11:32]
"vhilotgA"="C:\WINDOWS\vhilotgA.exe" []
"{CF-F4-40-02-ZN}"="C:\windows\system32\modsregq.exe" []
"g4356cbvy63"="C:\WINDOWS\g4356cbvy63" []
"SysDAFS.exe"="C:\WINDOWS\system32\SysDAFS.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2005-11-07 16:49]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 18:51]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" []
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2005-05-19 16:59]
"Scna"="C:\WINDOWS\CROSOF~1.NET\wowexec.exe" []
"Ownejdr"="C:\Program Files\Common Files\??pPatch\m?iexec.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"RemoveInstallPath"=cmd.exe C:\WINDOWS\system32\cmd.exe /c rmdir /S /Q "C:\PROGRA~1\WinPop" > nul

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6fc94ea-c64a-11da-9c33-005022491f7c}]
AutoRun\command- E:\JDLightning\Windows\JDLightning.exe


Contents of the 'Scheduled Tasks' folder
2007-07-30 15:57:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-05 17:04:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\wdfmzrx.exe [1968] 0x82FA6C10
C:\WINDOWS\wdfmzrx.exe [336] 0x82DFFAD0


scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\wdfmzrx.exe
C:\WINDOWS\system32\wdfmzrx.exe
**************************************************************************

Completion time: 2007-08-05 17:08:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-05 17:06

--- E O F ---

iamthetboz
2007-08-06, 01:25
Logfile of HijackThis v1.99.1
Scan saved at 17:13, on 2007-08-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wdfmzrx.exe
C:\WINDOWS\wdfmzrx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\SaraS\LOCALS~1\Temp\MBDownloader_876919.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\SaraS\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [vhilotgA] C:\WINDOWS\vhilotgA.exe
O4 - HKLM\..\Run: [{CF-F4-40-02-ZN}] C:\windows\system32\modsregq.exe SKY009
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [SysDAFS.exe] C:\WINDOWS\system32\SysDAFS.exe
O4 - HKCU\..\Run: [DW4] C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Scna] "C:\WINDOWS\CROSOF~1.NET\wowexec.exe" -vt yazb
O4 - HKCU\..\Run: [Ownejdr] "C:\Program Files\Common Files\??pPatch\m?iexec.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\twinpndt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm035MGUS
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.riverbelle.com/download_helper/Nyoko.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://candystand.com/assets/activex/virtools/CacheManager.CAB
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

pskelley
2007-08-06, 02:27
Thanks for posting your information, we still have a ways to go as you see by the combofix report, but combofix did remove a load of junk. Let's see what we can clean with HJT, but I would like to see your uninstall list, like this:

First I need to show you this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_01\ <<< BADLY outdated Java and likely the reason you are infected. As soon as possible, you need to download the newest version and uninstall all old versions in Add Remove Programs.


1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\SaraS\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [vhilotgA] C:\WINDOWS\vhilotgA.exe
O4 - HKLM\..\Run: [{CF-F4-40-02-ZN}] C:\windows\system32\modsregq.exe SKY009
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [SysDAFS.exe] C:\WINDOWS\system32\SysDAFS.exe
O4 - HKCU\..\Run: [Scna] "C:\WINDOWS\CROSOF~1.NET\wowexec.exe" -vt yazb
O4 - HKCU\..\Run: [Ownejdr] "C:\Program Files\Common Files\??pPatch\m?iexec.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\twinpndt.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZJxdm035MGUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab G
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://miniclip.com/puzzlepirates/mi...GameLoader.dll
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.riverbelle.com/download_helper/Nyoko.cab
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://candystand.com/assets/activex...cheManager.CAB

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\CROSOF~1.NET\ <<< delete that folder

C:\WINDOWS\g4356cbvy63 <<< delete that file

C:\WINDOWS\vhilotgA.exe <<< delete that file

C:\WINDOWS\wdfmzrx.exe <<< delete that file

C:\DOCUMENTS & SETTINGS~1\SaraS\LOCALSETTINGS~1\Temp\ <<< delete the contents of that folder in red (not the folder)

C:\Program Files\Common Files\??pPatch\ <<< delete that folder

C:\WINDOWS\system32\dwdsregt.exe <<< delete that file

C:\windows\system32\modsregq.exe <<< delete that file

C:\WINDOWS\system32\SysDAFS.exe <<< delete that file

C:\WINDOWS\system32\twinpndt.exe <<< delete that file

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log , your uninstall list and let me know how we are doing.

Thanks

iamthetboz
2007-08-06, 03:08
I had just updated Java from 1.4.2_01 to 1.6.0_02 after the last post. Attached is the unistall list from HJT. I'm still working on the other stuff.

Thanks,
-Tboz


Adobe Common File Installer
Adobe Dimensions 3.0
Adobe Flash Player 9 ActiveX
Adobe Help Center 2.0
Adobe PageMaker 7.0
Adobe Photoshop Album 2.0
Adobe Photoshop CS2
Adobe Reader 7.0.9
Adobe Stock Photos 1.0
Adobe Streamline 4.0
Ahead Nero - Burning Rom
AOL Instant Messenger
Apple Software Update
ArcSoft PhotoStudio 5.5
ATI Display Driver
Avery Wizard 1.1 for Microsoft Word 97
AVG 6.0 Anti-Virus - FREE Edition
Azureus
BitTorrent 3.4.2
Canon MP Navigator 3.0
Canon MP600
Canon MP600 User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint
CardRd81
CCScore
CR2
DesignPro 5.0 Media Edition
Desktop Weather by The Weather Channel
DiscWizard for Windows
Easy-WebPrint
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSvpaht
ESSvpot
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
HLPIndex
HLPPDOCK
HLPRFO
HP Image Zone 3.5
HP PSC & OfficeJet 3.5
HP Software Update
ImageMixer VCD/DVD2 for OLYMPUS
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
iTunes
Java(TM) 6 Update 2
Kodak EasyShare software
KSU
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Flash Player 8
Macromedia Shockwave Player
Memories Disc Creator 2.0
Mozilla Firefox (2.0.0.2)
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
Netscape Browser (remove only)
Notifier
OLYMPUS Master
Opera
OTOY
OTtBP
OTtBPSDK
overland
Palm Desktop
PCDADDIN
PCDHELP
powerOne Personal v2.1.1 for Handhelds
QuickTime
RealPlayer
REALTEK GbE & FE Ethernet PCI NIC Driver
ScanSoft OmniPage SE 4.0
SFR
SFR2
SHASTA
SimCity 3000
SKIN0001
SKINXSDK
TaxCut Deluxe 2005
The Sims Deluxe Edition
TypingMaster TypingTest
Viewpoint Media Player
VPRINTOL
Walgreens PhotoShow Express
Weather Services
WeatherBug
Windows Overlay Components
Winferno Security Scan
WinRAR archiver
WinZip
WIRELESS
YAMAHA DS-XG WDM

pskelley
2007-08-06, 03:33
Please complete the last instructions before you start these:

Uninstall list:

AVG 6.0 Anti-Virus - FREE Edition <<< Obsolete
http://free.grisoft.com/doc/avg-anti-virus-free/lng/us/tpl/v5

Viewpoint Media Player
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

That's all I see but I do not know all of your programs. You should look and investigate anything you do not know and uninstall anything you no longer use.

This is a problem from the combofix log:
C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)

I have only run into one of these and we had to replace it manually. When you are ready, you can try System File Checker.
Here are two tutorials if you are not familiar with SFC.
http://dwightblackburn.com/winxp/
http://www.updatexp.com/scannow-sfc.html
If SFC finds a missing or corrupted Windows file (which this is) it should replace the infected file with one that is either stored on the computer or on the CD if none is stored on the computer.
We have to make sure that infected file is replaced, we can not run without it.

Combofix has pointed out these files as problems:
C:\WINDOWS\wdfmzrx.exe <<< this one is one the list to delete

C:\WINDOWS\system32\wdfmzrx.exe <<< this one we must scan to find out if it is good or bad (note it is in the System32 folder)
using this scanner: http://www.virustotal.com/
If it scans bad, delete it.

Thanks

iamthetboz
2007-08-06, 03:35
I tried to delete all those files and folders but none of them were there. The temp file was the only one that had stuff I could delete but a handful of them gave an error about permissions. Should I just go ahead and run the ATF-Cleaner anyway?

-Tboz

pskelley
2007-08-06, 03:39
Yes, just do your best, sometimes I remove them twice (better than missing them) HJT will kill them so they are gone later. Finish the instructions, post a new HJT log and let me know how the computer is running. I am down for the night when I send this post.

Thanks

iamthetboz
2007-08-06, 05:25
I had some issues with that infected tcpip.sys file. I couldn't get SCF to run correctly because of the version of XP that I have on cd is not the same as the one installed on my machine. I tried copying over the i386 folder from the cd and pointing the SourcePath, but had some issues accessing the files from the cd. So I didn't do anything with that file. But here is the current HJT log. I haven't connected online from that computer yet. Do you think it is safe to do that yet?

Thanks,
-Tboz



Logfile of HijackThis v1.99.1
Scan saved at 21:19, on 2007-08-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

pskelley
2007-08-06, 13:32
Thanks for returning your information, let me say first that the HJT log appears to be clean of malware.

The next thing I would want to know is where is the CD for the Operating System that is on your computer?

Next I would like you to use one or more of these free online scanners to be positive we have an infected file:
C:\WINDOWS\system32\drivers\tcpip.sys <<< file to scan
Scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Post that information.

Next look to see if you have this folder on the computer: C:\I386

Thanks

iamthetboz
2007-08-06, 18:23
I tried all three of those virus scan sites and each one went to 'cannot find server' when I submitted the file. So then I thought I'd email it to the www.virustotal.com site but my hotmail account did the same thing when I tried to attach the file. So then I thought I'd copy the file to a thumb drive and scan it from another computer. But I couldn't copy it and got the message 'The process cannot access this file because another process has locked a portion of the file'. Does this mean anything to you?

Thanks,
-Tboz

iamthetboz
2007-08-06, 18:24
Oh yeah, also C:/i386 is NOT on the computer.

pskelley
2007-08-06, 18:52
Nope, lots of information at Google though:
http://www.google.com/search?hl=en&q=%27The+process+cannot+access+this+file+because+another+process+has+locked+a+portion+of+the+file%27&btnG=Google+Search

I just clicked on all three of those links and have access to all?
http://www.virustotal.com/ >>> Upload a file
You understand you have to browse with Windows Explorer to the location of the file:
C:\WINDOWS\system32\drivers\tcpip.sys and when it is in the upload box, you click on "Send Files" correct?
It only takes a few moments to get a report. If the file is infected you have a problem. No CD and no C:/i386 <<< backups.

Try using Start > Search > All Files and Folders and search for tcpip.sys to see if it is anywhere else on your OS.
(make sure all files and folders are unhidden)
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

C:\WINDOWS\system32\dllcache\tcpip.sys <<< it is possible a copy of that file is there. If so, then you can right click it and copy, they right click it and paste it to here:
C:\WINDOWS\system32\drivers\ <<< At that point you should get a message about the files being there and do you want to replace it and the answer would be yes.
DO NOT cut and move that file from where it is!!

Hope I am explaining this OK, you are taking me way out of my malware removal area.

You understand the problem you have if that file is infected and you don't have one to replace it with, and you don't have the CD to reinstall windows, YES?

One option I can think of would be to ask a freind with the same OS to lend the CD or allow you to make a copy of the file. I also found this information but it is new to me:

http://www.google.com/search?hl=en&q=download+tcpip.sys&btnG=Search

Thanks

iamthetboz
2007-08-06, 18:55
Yes I browsed to the file and try to upload for the scan using IE. But got the same result from all three sites. I think the file is causing the problem. I'll try to find it in other locations like you say.

Thanks,
-Tboz

iamthetboz
2007-08-06, 19:26
I found it in a couple other places but I can't copy and paste into the drivers folder. It gives me that 'another process has locked a portion of the file' message. I'm thinking maybe I should just get my files that I want off the hard drive and reinstall windows. Get a clean start with a copy of XP that I physically have. The only thing I was worried about is losing files. But I can get them now. What do you think? I know you won't make decisions for me, but what would you do in this situation?

Thanks,
-Tboz

pskelley
2007-08-06, 20:36
Whoa...if this was my computer, I would have reformatted day ago. See if this information helps you:
http://support.microsoft.com/kb/308421

Thanks

iamthetboz
2007-08-07, 04:26
Well that worked! Once I changed the security on that file I was able to scan it on all three sites and they all passed as non-infected. Should I run combofix again?

Thanks,
-Tyler

P.S. I think I'll reformat eventually but I'm kind of dealing with a time crunch. Getting married in two weeks and having brain surgery in three!

iamthetboz
2007-08-07, 06:23
I ran combofix again. Here is the log report. Let me know what you think.

-Tboz


ComboFix 07-08-04.3 - "SaraS" 2007-08-06 20:27:47.2 CScript Error: Can't find script engine "VBScript" for script "C:\ComboFix\timezone.vbs". - NTFS
CScript Error: Can't find script engine "VBScript" for script "C:\ComboFix\osid.vbs".


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\SaraS\APPLIC~1.\ymbols~1
C:\DOCUME~1\SaraS\Desktop\internet.lnk


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-05 20:38 <DIR> d-------- C:\i386
2007-08-05 20:27 14,336 --a--c--- C:\WINDOWS\system32\dllcache\iisreset.exe
2007-08-05 16:47 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-05 16:46 1,408,582 --a------ C:\ComboFix.exe
2007-08-04 17:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-07-31 22:45 93,696 --a------ C:\WINDOWS\system32\drvsat.dll
2007-07-31 22:30 125,504 --a--c--- C:\WINDOWS\system32\bhipvpus.dll
2007-07-31 19:44 70,312 --a------ C:\Program Files\codec_setup.exe
2007-07-31 16:30 168,960 --a------ C:\WINDOWS\system32\drivers\Qie28.sys
2007-07-31 16:17 7,968 --a------ C:\WINDOWS\system32\wdfmzrx.exe
2007-07-31 16:17 43,526 --a------ C:\WINDOWS\wdfmzrx.exe
2007-07-31 16:17 168,960 --a------ C:\WINDOWS\system32\drivers\Xrx49.sys
2007-07-31 16:17 168,960 --a------ C:\WINDOWS\system32\drivers\symavc32.sys
2007-07-31 16:11 9,769 --a------ C:\WINDOWS\gsvjy0578.exe
2007-07-28 16:03 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-07-28 16:03 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-07-28 16:03 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-07-28 16:03 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-07-28 16:03 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2007-07-28 16:03 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-07-28 16:03 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-07-28 16:03 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-07-28 16:03 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-07-28 16:03 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-07-28 16:03 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2007-07-28 16:03 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-07-24 12:06 <DIR> d-------- C:\DOCUME~1\Tyler\APPLIC~1\MySpace


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-05 21:08 375168 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2007-08-05 19:49 --------- d-------- C:\DOCUME~1\SaraS\APPLIC~1\Aim
2007-07-31 16:16 --------- d-------- C:\Program Files\Windows NT
2007-07-28 21:34 --------- d-------- C:\Program Files\MSN Messenger
2007-07-28 04:06 135 --a------ C:\Program Files\page.html
2007-07-26 20:23 --------- d-------- C:\Program Files\OpenOffice.org1.1.1
2007-07-26 15:32 --------- d-------- C:\DOCUME~1\SaraS\APPLIC~1\Azureus
2007-07-07 15:35 2983 --a------ C:\WINDOWS\mozver.dat
2007-07-07 14:52 --------- d-------- C:\DOCUME~1\SaraS\APPLIC~1\Canon
2007-07-05 00:07 --------- d-------- C:\DOCUME~1\SaraS\APPLIC~1\Walgreens
2007-07-05 00:06 --------- d-------- C:\DOCUME~1\SaraS\APPLIC~1\Simple Star
2007-07-05 00:05 --------- d-------- C:\Program Files\Walgreens
2007-06-25 08:54 53248 --a------ C:\WINDOWS\uni_eh44.exe
2007-06-25 08:53 53248 --a------ C:\WINDOWS\uninst1014.exe
2007-06-06 03:28 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-03 20:21 8326 --a------ C:\WINDOWS\extend.dat
2007-05-16 10:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-03-06 22:15 1201917 --a------ C:\Program Files\wrar37b4.exe
2007-03-06 22:14 25755448 --a------ C:\Program Files\wmp11-windowsxp-x86-enu.exe
2007-03-06 20:06 6006304 --a------ C:\Program Files\Firefox Setup 2.0.0.2.exe
2006-12-02 20:05 2522 --a------ C:\Program Files\func.js
2006-11-25 02:57 482 --a------ C:\Program Files\Del.js
2006-06-08 02:02 2048 --a------ C:\Program Files\func.exe
2006-01-22 14:25 112729 --a------ C:\Program Files\cddrv224.zip
2006-01-22 14:06 7180311 --a------ C:\Program Files\HandBrake-0.7.0-GUIAndCLI-20060115.zip
2001-09-27 18:51 44779 --a------ C:\Program Files\NLDS1XXW.INF
2001-08-27 16:40 940606 --a------ C:\Program Files\data1.cab
2001-08-27 16:40 526 --a------ C:\Program Files\layout.bin
2001-08-27 16:40 36731 --a------ C:\Program Files\data1.hdr
2001-08-27 16:40 296 --a------ C:\Program Files\Setup.ini
2001-08-27 16:40 1409627 --a------ C:\Program Files\data2.cab
2001-08-24 05:44 2632 --a------ C:\Program Files\YDSXGDK.INF
2001-06-13 09:41 142209 --a------ C:\Program Files\setup.inx
2000-11-14 02:05 131072 --a------ C:\Program Files\dsuninst.exe
2000-10-30 13:00 141 --a------ C:\Program Files\setup.inf
2000-05-16 15:36 139264 --a------ C:\Program Files\Setup.exe
2000-05-14 19:17 335626 --a------ C:\Program Files\ikernel.ex_
2000-04-01 22:00 1073 --a------ C:\Program Files\YDSXGDK.CAT
2000-04-01 22:00 1073 --a------ C:\Program Files\YDSDEV.CAT
1999-04-02 12:16 2417445 --a------ C:\Program Files\Dsxgwave.tbl


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"AtiPTA"="atiptaxx.exe" [2001-09-26 22:39 C:\WINDOWS\system32\atiptaxx.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-27 19:01]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 18:50]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 20:30]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 01:14]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 14:19]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 18:51]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2005-05-19 16:59]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6fc94ea-c64a-11da-9c33-005022491f7c}]
AutoRun\command- E:\JDLightning\Windows\JDLightning.exe


Contents of the 'Scheduled Tasks' folder
2007-08-06 15:57:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 20:33:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-06 20:35:52
C:\ComboFix-quarantined-files.txt ... 2007-08-06 20:34
C:\ComboFix2.txt ... 2007-08-05 17:08

--- E O F ---

pskelley
2007-08-07, 12:34
Let's run one good scan to make sure nothing is hidden. combofix is not longer reporting that files as infected. If it is, this scan will find it.

Make sure the tools we used, combofix, etc. are deleted, especially C:\qoobox as the quarantined items will be found by the scan.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

iamthetboz
2007-08-08, 05:01
Seems to be a lot more in there then we thought. Any way to clear these without reformatting?

Thanks,
-Tboz


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-08-07 16:48
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 7/08/2007
Kaspersky Anti-Virus database records: 353504
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
G:\

Scan Statistics:
Total number of scanned objects: 131121
Number of viruses found: 32
Number of infected objects: 182
Number of suspicious objects: 28
Duration of the scan process: 03:16:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Desktop\catchme.zip/ldcore.dll Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\Documents and Settings\Administrator\Desktop\catchme.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\bot924B.tmp Infected: Trojan-Proxy.Win32.Xorpix.be skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\bot9B0B.tmp Infected: Trojan-Proxy.Win32.Xorpix.be skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\~tmp143 Infected: Trojan-Clicker.Win32.Agent.jp skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\bot97C5.tmp Infected: Trojan-Proxy.Win32.Xorpix.be skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\bot9A20.tmp Infected: Trojan-Proxy.Win32.Xorpix.be skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\~tmp143 Infected: Trojan-Clicker.Win32.Agent.jp skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\SaraS\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From ckrause@greatermadisonchamber.com][Date Wed, 2 Jun 2004 01:15:24 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From ckrause@greatermadisonchamber.com][Date Wed, 2 Jun 2004 01:15:24 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From ckrause@greatermadisonchamber.com][Date Wed, 2 Jun 2004 01:15:24 -0500]/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From tcandibar@newman.newman-grt.oscar.aol.com][Date Wed, 2 Jun 2004 16:37:04 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From tcandibar@newman.newman-grt.oscar.aol.com][Date Wed, 2 Jun 2004 16:37:04 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From tcandibar@newman.newman-grt.oscar.aol.com][Date Wed, 2 Jun 2004 16:37:04 -0500]/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From charitykirchberg@hotmail.com][Date Wed, 2 Jun 2004 16:46:03 -0500]/UNNAMED/message.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From charitykirchberg@hotmail.com][Date Wed, 2 Jun 2004 16:46:03 -0500]/UNNAMED/message.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From charitykirchberg@hotmail.com][Date Wed, 2 Jun 2004 16:46:03 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From friend@provide.net][Date Wed, 2 Jun 2004 00:32:19 -0500]/UNNAMED/your_document.doc.pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From friend@provide.net][Date Wed, 2 Jun 2004 00:32:19 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From ramcgarry@ebnet.org][Date Tue, 1 Jun 2004 19:08:56 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From ramcgarry@ebnet.org][Date Tue, 1 Jun 2004 19:08:56 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From ramcgarry@ebnet.org][Date Tue, 1 Jun 2004 19:08:56 -0500]/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From geoff@roseandcrown.com.au][Date Tue, 1 Jun 2004 19:10:48 -0500]/UNNAMED/attach_sassysls.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From geoff@roseandcrown.com.au][Date Tue, 1 Jun 2004 19:10:48 -0500]/UNNAMED/attach_sassysls.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From geoff@roseandcrown.com.au][Date Tue, 1 Jun 2004 19:10:48 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From jdunnum@chorus.net][Date Mon, 31 May 2004 15:13:26 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From jdunnum@chorus.net][Date Mon, 31 May 2004 15:13:26 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From jdunnum@chorus.net][Date Mon, 31 May 2004 15:13:26 -0500]/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From mailadmin@projectcashmail.com][Date Mon, 31 May 2004 19:13:51 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From mailadmin@projectcashmail.com][Date Mon, 31 May 2004 19:13:51 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From mailadmin@projectcashmail.com][Date Mon, 31 May 2004 19:13:51 -0500]/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From opercentangel5868@hotmail.com][Date Mon, 31 May 2004 20:56:24 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From opercentangel5868@hotmail.com][Date Mon, 31 May 2004 20:56:24 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From opercentangel5868@hotmail.com][Date Mon, 31 May 2004 20:56:24 -0500]/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From bmkrbachhuber@aol.com][Date Mon, 31 May 2004 22:29:18 -0500]/UNNAMED/details.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From bmkrbachhuber@aol.com][Date Mon, 31 May 2004 22:29:18 -0500]/UNNAMED/details.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From bmkrbachhuber@aol.com][Date Mon, 31 May 2004 22:29:18 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From Joseph Emerson <jcemerson@uspower.net>][Date Sun, 20 Jun 2004 22:08:31 -0400 (EDT)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From Joseph Emerson <jcemerson@uspower.net>][Date Sun, 20 Jun 2004 22:08:31 -0400 (EDT)]/UNNAMED/astrolistfinala.txt.exe Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From Joseph Emerson <jcemerson@uspower.net>][Date Sun, 20 Jun 2004 22:08:31 -0400 (EDT)]/UNNAMED Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From 1058383340336@mailserver2.iexpect.com][Date Sat, 12 Jun 2004 14:44:40 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From 1058383340336@mailserver2.iexpect.com][Date Sat, 12 Jun 2004 14:44:40 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From ome118883@vtarget.com][Date Sat, 12 Jun 2004 23:20:38 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From ome118883@vtarget.com][Date Sat, 12 Jun 2004 23:20:38 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From jschemb@optonline.net][Date Thu, 10 Jun 2004 13:05:30 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From jschemb@optonline.net][Date Thu, 10 Jun 2004 13:05:30 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From jschemb@optonline.net][Date Thu, 10 Jun 2004 13:05:30 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped

iamthetboz
2007-08-08, 05:01
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From otto__humanize31@web39f.gl.okayml.net][Date Fri, 4 Jun 2004 07:57:09 -0500]/UNNAMED/data.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From otto__humanize31@web39f.gl.okayml.net][Date Fri, 4 Jun 2004 07:57:09 -0500]/UNNAMED/data.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From otto__humanize31@web39f.gl.okayml.net][Date Fri, 4 Jun 2004 07:57:09 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From lnapiwocki@cuna.com][Date Fri, 4 Jun 2004 08:03:40 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From lnapiwocki@cuna.com][Date Fri, 4 Jun 2004 08:03:40 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From lnapiwocki@cuna.com][Date Fri, 4 Jun 2004 08:03:40 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From lnapiwocki@cuna.com][Date Fri, 4 Jun 2004 08:03:40 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From Mail Delivery Subsystem <MAILER-DAEMON@voyager.net>][Date Fri, 4 Jun 2004 09:16:35 -0400 (EDT)]/UNNAMED/[From c68.190.87.50.mad.wi.charter.com [68.190.87.50]]/UNNAMED/[From sassysls@charter.net][Date Fri, 4 Jun 2004 08:16:33 -0500]/message.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From Mail Delivery Subsystem <MAILER-DAEMON@voyager.net>][Date Fri, 4 Jun 2004 09:16:35 -0400 (EDT)]/UNNAMED/[From c68.190.87.50.mad.wi.charter.com [68.190.87.50]]/UNNAMED/[From sassysls@charter.net][Date Fri, 4 Jun 2004 08:16:33 -0500]/message.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From Mail Delivery Subsystem <MAILER-DAEMON@voyager.net>][Date Fri, 4 Jun 2004 09:16:35 -0400 (EDT)]/UNNAMED/[From c68.190.87.50.mad.wi.charter.com [68.190.87.50]]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From Mail Delivery Subsystem <MAILER-DAEMON@voyager.net>][Date Fri, 4 Jun 2004 09:16:35 -0400 (EDT)]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From par@acronet.net][Date Fri, 4 Jun 2004 15:01:21 -0500]/UNNAMED/report01.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From par@acronet.net][Date Fri, 4 Jun 2004 15:01:21 -0500]/UNNAMED/report01.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From par@acronet.net][Date Fri, 4 Jun 2004 15:01:21 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From pinkeepunk@mediaone.net][Date Fri, 4 Jun 2004 16:17:18 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From pinkeepunk@mediaone.net][Date Fri, 4 Jun 2004 16:17:18 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From pinkeepunk@mediaone.net][Date Fri, 4 Jun 2004 16:17:18 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From pinkeepunk@mediaone.net][Date Fri, 4 Jun 2004 16:17:18 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From mahle54@aol.com][Date Sat, 5 Jun 2004 00:59:52 -0500]/UNNAMED/id04009.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From mahle54@aol.com][Date Sat, 5 Jun 2004 00:59:52 -0500]/UNNAMED/id04009.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From mahle54@aol.com][Date Sat, 5 Jun 2004 00:59:52 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From mgi-support@tech.angel.co.jp][Date Sat, 5 Jun 2004 08:13:31 -0500]/UNNAMED/msg.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From mgi-support@tech.angel.co.jp][Date Sat, 5 Jun 2004 08:13:31 -0500]/UNNAMED/msg.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From mgi-support@tech.angel.co.jp][Date Sat, 5 Jun 2004 08:13:31 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From nater_everson@hotmail.com][Date Thu, 3 Jun 2004 05:07:26 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From nater_everson@hotmail.com][Date Thu, 3 Jun 2004 05:07:26 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From nater_everson@hotmail.com][Date Thu, 3 Jun 2004 05:07:26 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From nater_everson@hotmail.com][Date Thu, 3 Jun 2004 05:07:26 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From ktpanda@hotmail.com][Date Thu, 3 Jun 2004 17:21:27 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From ktpanda@hotmail.com][Date Thu, 3 Jun 2004 17:21:27 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From ktpanda@hotmail.com][Date Thu, 3 Jun 2004 17:21:27 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From ktpanda@hotmail.com][Date Thu, 3 Jun 2004 17:21:27 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From kristen_reader25@hotmail.com][Date Thu, 3 Jun 2004 17:21:32 -0500]/UNNAMED/doc01.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From kristen_reader25@hotmail.com][Date Thu, 3 Jun 2004 17:21:32 -0500]/UNNAMED/doc01.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From kristen_reader25@hotmail.com][Date Thu, 3 Jun 2004 17:21:32 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 46, suspicious - 28 skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\SaraS\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\SaraS\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\SaraS\Local Settings\Temp\me_8Wd1QZtzTjIX5eS Object is locked skipped
C:\Documents and Settings\SaraS\Local Settings\Temp\me_FFdgP1v7YbMWy9y Object is locked skipped
C:\Documents and Settings\SaraS\Local Settings\Temp\me_fKBydkdap2KyiEx Object is locked skipped
C:\Documents and Settings\SaraS\Local Settings\Temp\me_LMEfHDvvbClhoAe Object is locked skipped
C:\Documents and Settings\SaraS\Local Settings\Temp\me_Zvz36jchpvarqgs Object is locked skipped
C:\Documents and Settings\SaraS\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\SaraS\ntuser.dat Object is locked skipped
C:\Documents and Settings\SaraS\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\codec_setup.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bxn skipped
C:\Program Files\codec_setup.exe/stream Infected: Trojan-Downloader.Win32.Zlob.bxn skipped
C:\Program Files\codec_setup.exe NSIS: infected - 2 skipped
C:\Program Files\func.exe Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.mm Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\BWKDLogs\BWTargetInf.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\cache.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\L0000001.FCS Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\main.log Object is locked skipped

iamthetboz
2007-08-08, 05:03
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0343043.exe Infected: Trojan.Win32.Pakes.bn skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0343044.exe Infected: Email-Worm.Win32.Zhelatin.gg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0343049.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0343050.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0343051.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0343056.exe Infected: Trojan-Proxy.Win32.Xorpix.be skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0343057.exe Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0343059.exe Infected: Email-Worm.Win32.Zhelatin.gd skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0343060.exe Infected: Email-Worm.Win32.Zhelatin.gg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0343061.exe Infected: Email-Worm.Win32.Zhelatin.ge skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0344048.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0344050.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0344051.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0344055.exe Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0344056.exe Infected: Email-Worm.Win32.Zhelatin.gg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0344058.exe Infected: Trojan.Win32.Pakes.bn skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0344059.exe Infected: Trojan-Proxy.Win32.Xorpix.be skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0344060.exe Infected: Email-Worm.Win32.Zhelatin.gd skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0344061.exe Infected: Email-Worm.Win32.Zhelatin.ge skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0344062.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0344065.exe Infected: Email-Worm.Win32.Zhelatin.ge skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0344066.exe Infected: Email-Worm.Win32.Zhelatin.gg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0344071.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0344072.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345042.exe Infected: Trojan.Win32.Pakes.bn skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345043.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345044.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345045.exe Infected: Trojan-Downloader.Win32.VB.ang skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345048.exe Infected: Email-Worm.Win32.Zhelatin.gg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345051.exe Infected: Email-Worm.Win32.Zhelatin.gg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345053.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345054.exe Infected: Email-Worm.Win32.Zhelatin.gg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345055.exe Infected: Email-Worm.Win32.Zhelatin.ge skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345056.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345057.exe Infected: Email-Worm.Win32.Zhelatin.gg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345058.exe Infected: Email-Worm.Win32.Zhelatin.gg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345063.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345064.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345066.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0345095.exe Infected: Trojan.Win32.Small.oa skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0346043.exe Infected: Trojan-Downloader.Win32.Zlob.bqw skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0346045.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0347046.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0347047.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0347048.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0347055.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0349046.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0349047.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0349048.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0350046.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0350047.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0350048.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0352046.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0352047.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0352048.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0353046.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0353047.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0353048.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0353049.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0353050.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0354056.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0354057.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0354058.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0355056.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0355057.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0355058.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356056.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356057.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356058.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356061.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356062.exe Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356063.exe Infected: Email-Worm.Win32.Zhelatin.gd skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356064.exe Infected: Trojan-Proxy.Win32.Xorpix.be skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356065.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356066.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356067.exe Infected: Email-Worm.Win32.Zhelatin.gg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356068.exe Infected: Email-Worm.Win32.Zhelatin.gg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356069.exe Infected: Email-Worm.Win32.Zhelatin.gg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356070.exe Infected: Email-Worm.Win32.Zhelatin.gg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356071.exe Infected: Email-Worm.Win32.Zhelatin.gg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356074.exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356074.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356075.sys Infected: Rootkit.Win32.Agent.dp skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356076.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356077.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356085.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356088.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356089.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356090.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356091.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356093.dll Infected: Trojan-Clicker.Win32.Small.cf skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356094.dll Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356096.exe Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356101.exe Infected: Trojan-Downloader.Win32.Alphabet.p skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356106.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356115.exe Infected: Email-Worm.Win32.Zhelatin.gg skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356116.sys Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356117.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356118.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP556\A0356119.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP558\A0357111.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP558\A0357112.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP558\A0357113.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP559\A0358111.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP559\A0358112.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP559\A0358115.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP559\A0359115.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP559\A0359116.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP559\A0359117.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP559\A0360113.exe Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP559\A0360114.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP559\A0360116.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP559\A0361134.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP559\A0361135.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP559\A0361136.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP560\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

iamthetboz
2007-08-08, 05:03
C:\WINDOWS\gsvjy0578.exe Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\tcpip.sys Infected: Trojan.Win32.Patched.ad skipped
C:\WINDOWS\system32\drivers\Qie28.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\WINDOWS\system32\drivers\symavc32.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\WINDOWS\system32\drivers\Xrx49.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\WINDOWS\system32\drvsat.dll Infected: Trojan.Win32.Agent.qt skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wdfmzrx.exe Infected: Packed.Win32.Tibs.ap skipped
C:\WINDOWS\wdfmzrx.exe Infected: Email-Worm.Win32.Zhelatin.ge skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{0D88D122-87C1-4F73-8FBD-BC817F24E4EA}\RP560\change.log Object is locked skipped

Scan process completed.

pskelley
2007-08-08, 13:23
Yeah, you are storing a lot of infected junk? Why?

I can post links to lots of scanners which may or may not find the junk Kaspersky has if you wish, you can reformat if you wish or you can clean the junk off your computer. Before I spend a lot of my time, why don't you look closely at what Kaspersky has located and tell me what you what to do.

(I just posted one of these, there are many as you can see if you look)
C:\Documents and Settings\SaraS\Local Settings\Application Data\Identities\{88D752F8-A13E-4CFD-98FA-A4F6E011A4A7}\Microsoft\Outlook Express\Deleted Items.dbx/[From charitykirchberg@hotmail.com][Date Wed, 2 Jun 2004 16:46:03 -0500]/UNNAMED/message.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
That infected item appears to have been setting in the Outlook Express Deleted Items.dbx since Wed, 2 Jun 2004 16:46:03

C:\Documents and Settings\LocalService\Local Settings\Temp\bot9B0B.tmp Infected: Trojan-Proxy.Win32.Xorpix.be skipped
you have a load of infected junk stored in your TEMP folders which should be cleaned on a regular basis.

C:\System Volume Information\_restore
Your System Restore files are badly infected, but this can not harm you unless you do a System Restore. These can be cleaned with no problem.

C:\WINDOWS\gsvjy0578.exe <<< and a few are just leftover infected files that the tools are missing, but Kaspersky did not, they can be deleted manually.

C:\WINDOWS\system32\dllcache\tcpip.sys Infected: Trojan.Win32.Patched.ad skipped
C:\WINDOWS\system32\drivers\Qie28.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\WINDOWS\system32\drivers\symavc32.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\WINDOWS\system32\drivers\Xrx49.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\WINDOWS\system32\drvsat.dll Infected: Trojan.Win32.Agent.qt skipped

Once again you can see the infected tcpip.sys file, without having a clean copy or the Operating System CD I am not sure how to advise you more than I already have.

C:\WINDOWS\system32\wdfmzrx.exe Infected: Packed.Win32.Tibs.ap skipped
C:\WINDOWS\wdfmzrx.exe Infected: Email-Worm.Win32.Zhelatin.ge skipped

Thanks

iamthetboz
2007-08-10, 08:46
You are right. Tons of infected junk. Tons of plain old junk for that matter. This is my fiancee's computer and she has never even thought about organizing it or cleaning it up. Most likely not even aware of any of this stuff. So anyway, I've copied the files off that she wanted and am reformatting to get a fresh, clean start. I'll be monitoring her computer close from now on. I had no idea it was this bad.

Thank you for all your help. I would not have been able to get to this point without you.

-Tboz

pskelley
2007-08-10, 13:20
That is exactly what I would do if it were my computer, and a reformat is not a bad thing. I have an eight year old Compaq with Win98SE on it that runs like new. I don't take it out of the garage often. Here is information that may help her avoid problems in the future:
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

iamthetboz
2007-08-10, 15:58
Good morning,

Those are great articles and will definitely help us stay clean moving forward. I have a bit of an issue unrelated to malware. I reformated Windows last night and everything went fine. This morning I tried to change the resolution apparently too high. Or maybe the driver wasn't updated or something. Anyway, the computer start booting up but then brings up the message 'Attention Out the Range H:72.00kHz V:72.00 Hz'. I booted into safe mode and deleted the account where I tried to change the resolution but it still won't get past the bootup screen before giving the frozen up attention message. Any ideas? Sorry to bug you with this. You have done enough already but I'm stuck here.

Thanks again,
-Tboz

pskelley
2007-08-10, 16:10
Out of my area but I would say to use your Google: http://www.google.com/
make sure you enter the error message exactly as it occurs, word for word.

Since I am returning nothing I will guess the message it not verbatim, Google returns much information 99.9% of the time when it is. Look at this:
http://www.sharpened.net/helpcenter/answer.php?15

Let me know what you find, with more information I would have a better idea of what help forum to suggest also.

Thanks

iamthetboz
2007-08-10, 16:14
Unfortunately, that is verbatim. Most of what I saw in google is related to gaming. I guess I could always reformat again. It just takes so long.

Thanks,
-Tboz

pskelley
2007-08-18, 03:29
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.