VirtuMonde and other malware problems
Hi there. I have major spyware problems on a computer and I need help desperately since no matter how many times I run Spybot or Ad-Aware, I can't seem to remove it.
I did have VirtuMonde and I ran Symantec Virtumonde Removal Tool 1.0.3, but I don't know if it's completely gone. I still get IE popups at random even when I'm using Firefox.
I've run Kaspersky and HijackThis and I have the logs.
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:58 AM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\TB7A7B.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\HijackThis\Another Name.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B324D0F-D31B-49BA-80B0-B5E534AB901D} - (no file)
O2 - BHO: (no name) - {3AF8D4E3-73C8-4FC1-973C-3C0C1C730B84} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6c8bc864-db40-466d-84df-20d57ce29900} - C:\WINDOWS\System32\ufkqlos.dll (file missing)
O2 - BHO: (no name) - {6D1BE497-DE9E-4E98-9E85-D0A6097E98CF} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\System32\fcxsxlck.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O2 - BHO: (no name) - {B6B28553-BA10-48E8-B3C9-615CD85D5111} - C:\Program Files\Online Services\hotehyso4444.dll
O2 - BHO: (no name) - {BAA7863C-158A-48EC-B42E-5DBA340DB774} - C:\WINDOWS\System32\awtsq.dll
O2 - BHO: (no name) - {C46AC196-CB61-4880-AD09-3A5BF63E64A6} - C:\Program Files\Online Services\hotehyso83122.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [c480d110] rundll32.exe "C:\WINDOWS\system32\xccrjxab.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA498] command /c del "C:\WINDOWS\SYSTEM32\cwfpslzj.dllbox"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7995] command /c del "C:\Documents and Settings\worcparalegal\Local Settings\Temp\cmdinst.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2210] cmd /c del "C:\Documents and Settings\worcparalegal\Local Settings\Temp\cmdinst.exe"
O4 - HKLM\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.stamps.com
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://amabileburkly01:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://amabileburkly01:4343/officescan/console/html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://amabileburkly01:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amabileburkly.local
O17 - HKLM\Software\..\Telephony: DomainName = amabileburkly.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amabileburkly.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = amabileburkly.local
O20 - Winlogon Notify: qomlihe - qomlihe.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.smilesbywire.com/SittingImages/P697/01/090/009/P69701090_009_104_042006.jpg
--
End of file - 8563 bytes
Also, please ask me for the Kaspersky log and I will provide it, since it is a bit long. This is the basic info I got from it:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 24, 2007 8:43:44 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/10/2007
Kaspersky Anti-Virus database records: 443501
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Q:\
Scan Statistics:
Total number of scanned objects: 78849
Number of viruses found: 43
Number of infected objects: 223
Thanks so much!
-Stephanie :)
Hi LawTech
No, it isn't.
The Symantec tool is outdated and not a very good one.
We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
1. Download combofix from one of these links and save it to Desktop:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Post:
- a fresh HijackThis log
- combofix report
- vundofix report
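The "No, it isn't" above is read straight off the first HijackThis log: nameless BHOs backed by random-named DLLs in System32 (awtsq.dll), a rundll32 autorun that loads such a DLL by export name, and a Winlogon Notify entry for a DLL that is no longer on disk are the usual Vundo footprint. As an added example, not part of this thread and not code from HijackThis, VundoFix or ComboFix, the Python script below applies those checks to the O2/O3/O4/O20/O23 lines of a HijackThis log. The regexes, the severity labels and the small Winlogon Notify allowlist are this example's own assumptions; the sample lines are copied from the log posted above.

```python
"""Triage a HijackThis 2.0 log for Vundo-style persistence indicators.

Heuristics, severity labels and the Winlogon Notify allowlist are this
example's own choices (assumptions), not features of HijackThis.
"""
import re
from dataclasses import dataclass

# Sample lines copied from the first HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B324D0F-D31B-49BA-80B0-B5E534AB901D} - (no file)
O2 - BHO: (no name) - {6c8bc864-db40-466d-84df-20d57ce29900} - C:\WINDOWS\System32\ufkqlos.dll (file missing)
O2 - BHO: (no name) - {BAA7863C-158A-48EC-B42E-5DBA340DB774} - C:\WINDOWS\System32\awtsq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [c480d110] rundll32.exe "C:\WINDOWS\system32\xccrjxab.dll",b
O20 - Winlogon Notify: qomlihe - qomlihe.dll (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
""".strip()


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    name: str      # BHO/toolbar name, Run value name, Notify key or service name
    path: str      # file or command line HijackThis reported
    severity: str  # "high", "review" or "orphan"
    reason: str


# Vundo drops DLLs with short random lowercase names directly in System32.
RANDOM_SYS32_DLL = re.compile(r"(?i)^C:\\WINDOWS\\System32\\[a-z]{4,9}\.dll$")
# rundll32 autorun that loads such a DLL by export name (",b" in the log).
RUNDLL32_RANDOM = re.compile(
    r'(?i)^rundll32(\.exe)?\s+"?C:\\WINDOWS\\System32\\[a-z]{4,9}\.dll"?,\w+')
# Markers HijackThis appends when the registered file is not on disk.
MISSING = ("(no file)", "(file missing)")
# Winlogon Notify subkeys that ship with Windows XP (illustrative allowlist,
# an assumption of this example and not exhaustive).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon", "igfxcui"}


def parse_line(line):
    """Split one HijackThis line into (section, rest); None for other lines."""
    m = re.match(r"^(O\d+|R\d|F\d|N\d) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage_line(line):
    """Return a Finding for a suspicious HijackThis line, or None if benign."""
    parsed = parse_line(line)
    if not parsed:
        return None
    section, rest = parsed
    if section in ("O2", "O3"):
        # "BHO: <name> - {CLSID} - <path>" / "Toolbar: <name> - {CLSID} - <path>"
        m = re.match(r"^(?:BHO|Toolbar): (.*?) - \{[0-9A-Fa-f-]{36}\} - (.*)$", rest)
        if m and m.group(1) == "(no name)":
            name, path = m.groups()
            if any(mk in path for mk in MISSING):
                return Finding(section, name, path, "orphan",
                               "nameless BHO/toolbar whose file is gone; stale registration")
            if RANDOM_SYS32_DLL.match(path):
                return Finding(section, name, path, "high",
                               "nameless BHO/toolbar backed by a random-named System32 DLL")
    elif section == "O4":
        # "HKLM\..\Run: [ValueName] <command line>"
        m = re.match(r"^(.*?): \[(.*?)\] (.*)$", rest)
        if m and RUNDLL32_RANDOM.match(m.group(3)):
            return Finding(section, m.group(2), m.group(3), "high",
                           "rundll32 autorun loading a random-named System32 DLL by export")
    elif section == "O20":
        # "Winlogon Notify: <subkey> - <dll>"; runs in winlogon.exe at every logon
        m = re.match(r"^Winlogon Notify: (\S+) - (.*)$", rest)
        if m and m.group(1) not in KNOWN_NOTIFY:
            return Finding(section, m.group(1), m.group(2), "high",
                           "Winlogon Notify DLL outside the Windows XP allowlist")
    elif section == "O23":
        # "Service: <display name> - <publisher> - <path>"
        m = re.match(r"^Service: (.*?) - (.*?) - (.*)$", rest)
        if m and m.group(2) == "Unknown owner":
            return Finding(section, m.group(1), m.group(3), "review",
                           "service with no identifiable publisher; verify the binary")
    return None


def triage(log_text):
    """Return all Findings for a whole HijackThis log, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def summarize(findings):
    """Count findings per severity."""
    counts = {"high": 0, "review": 0, "orphan": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section} {f.name}: {f.path}\n         {f.reason}")
    print(summarize(results))
```

Running it on the sample reports three high findings (the awtsq.dll BHO, the c480d110 rundll32 autorun and the qomlihe Winlogon Notify entry), one item to review (the Dell service HijackThis could not attribute) and two orphaned CLSIDs. "Review" is deliberately weaker than "high": an unknown publisher alone says nothing about intent, while a Winlogon Notify or LSA hook pointing at a random-named System32 DLL is exactly how Vundo survives reboots and reinfects after a partial clean.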
Okay, thanks for giving me some help. I disabled TeaTimer, ran VundoFix, and ComboFix. There is definitely still something on the computer because there is a program with a yellow triangle warning down in the taskbar that keeps saying: Click here! You have TrojanSPM/LX. Also it generates about 3 popups to "clean" my computer of this virus. I, of course, will not click on any of these, but they're there.
Here are the VundoFix and ComboFix logs:
VundoFix V6.5.10
Checking Java version...
Scan started at 12:54:25 PM 10/24/2007
Listing files found while scanning....
C:\WINDOWS\System32\fcxsxlck.dll
C:\WINDOWS\System32\qomlihe.dll
Beginning removal...
Performing Repairs to the registry.
Done!
ComboFix 07-10-23.1 - worcparalegal 2007-10-24 13:42:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.42 [GMT -4:00]
Running from: C:\Documents and Settings\worcparalegal\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\WORCPA~1\APPLIC~1\Install.dat
C:\DOCUME~1\WORCPA~1\Desktop\Live Safety Center.lnk
C:\DOCUME~1\WORCPA~1\Desktop\Online Security Guide.lnk
C:\DOCUME~1\WORCPA~1\FAVORI~1\Online Security Guide.lnk
C:\DOCUME~1\worcparalegal\ResErrors.log
C:\Documents and Settings\worcparalegal\Application Data\Install.dat
C:\Documents and Settings\worcparalegal\Desktop\Live Safety Center.lnk
C:\Documents and Settings\worcparalegal\Desktop\Online Security Guide.lnk
C:\Documents and Settings\worcparalegal\Favorites\Online Security Guide.lnk
C:\Program Files\Insider
C:\Program Files\ISM2
C:\Program Files\ISM2\cringupd.exe
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\ISM2\ISMPack7.exe
C:\Program Files\ISM2\targets.gz
C:\Program Files\Online Services\hotehyso4444.dll
C:\Program Files\Online Services\hotehyso83122.dll
C:\Program Files\TTC.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\WINDOWS\b111.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\_005075_.tmp.dll
C:\WINDOWS\system32\_005078_.tmp.dll
C:\WINDOWS\system32\_005081_.tmp.dll
C:\WINDOWS\system32\_005253_.tmp.dll
C:\WINDOWS\system32\_005254_.tmp.dll
C:\WINDOWS\system32\_005255_.tmp.dll
C:\WINDOWS\system32\_005256_.tmp.dll
C:\WINDOWS\system32\_005263_.tmp.dll
C:\WINDOWS\system32\_005264_.tmp.dll
C:\WINDOWS\system32\_005265_.tmp.dll
C:\WINDOWS\system32\_005266_.tmp.dll
C:\WINDOWS\system32\_005268_.tmp.dll
C:\WINDOWS\system32\_005269_.tmp.dll
C:\WINDOWS\system32\_005272_.tmp.dll
C:\WINDOWS\system32\_005273_.tmp.dll
C:\WINDOWS\system32\_005275_.tmp.dll
C:\WINDOWS\system32\_005276_.tmp.dll
C:\WINDOWS\system32\_005277_.tmp.dll
C:\WINDOWS\system32\_005279_.tmp.dll
C:\WINDOWS\system32\_005280_.tmp.dll
C:\WINDOWS\system32\_005282_.tmp.dll
C:\WINDOWS\system32\_005286_.tmp.dll
C:\WINDOWS\system32\_005287_.tmp.dll
C:\WINDOWS\system32\_005289_.tmp.dll
C:\WINDOWS\system32\_005290_.tmp.dll
C:\WINDOWS\system32\_005291_.tmp.dll
C:\WINDOWS\system32\_005292_.tmp.dll
C:\WINDOWS\system32\_005294_.tmp.dll
C:\WINDOWS\system32\_005295_.tmp.dll
C:\WINDOWS\system32\_005296_.tmp.dll
C:\WINDOWS\system32\_005297_.tmp.dll
C:\WINDOWS\system32\_005298_.tmp.dll
C:\WINDOWS\system32\_005301_.tmp.dll
C:\WINDOWS\system32\_005303_.tmp.dll
C:\WINDOWS\system32\_005304_.tmp.dll
C:\WINDOWS\system32\_005305_.tmp.dll
C:\WINDOWS\system32\_005309_.tmp.dll
C:\WINDOWS\system32\_005311_.tmp.dll
C:\WINDOWS\system32\aifzhkzo.dllbox
C:\WINDOWS\System32\awtsq.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\SYSTEM32\emaigrdu.ini
C:\WINDOWS\system32\mkmswkga.dllbox
C:\WINDOWS\system32\opkliifq.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\qstwa.bak1
C:\WINDOWS\SYSTEM32\qstwa.bak2
C:\WINDOWS\SYSTEM32\qstwa.ini
C:\WINDOWS\SYSTEM32\qstwa.ini2
C:\WINDOWS\SYSTEM32\qstwa.tmp
C:\WINDOWS\system32\udrgiame.dll
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\vMW02a\vMW02a1065.exe
C:\WINDOWS\system32\xtsytumq.dllbox
C:\WINDOWS\TTC-4444.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.
2007-10-24 13:29 340,032 --a------ C:\WINDOWS\SYSTEM32\mkmswkga.dll
2007-10-24 13:28 340,032 --a------ C:\WINDOWS\SYSTEM32\firramaf.dll
2007-10-24 13:26 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 13:20 84,544 --a------ C:\WINDOWS\SYSTEM32\mtmnllox.dll
2007-10-24 13:03 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2007-10-24 12:54 <DIR> d-------- C:\VundoFix Backups
2007-10-23 17:33 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2007-10-23 17:33 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2007-10-23 17:33 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2007-10-23 17:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-23 15:06 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-10-23 15:06 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-10-23 15:06 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-10-23 15:06 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-10-23 15:06 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-10-23 15:06 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-10-23 15:05 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-10-23 15:05 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-10-23 15:03 33,792 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll
2007-10-23 14:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-10-23 13:29 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-10-23 12:55 84,544 --a------ C:\WINDOWS\SYSTEM32\feylsjuc.dll
2007-10-23 09:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-23 08:46 84,544 --a------ C:\WINDOWS\SYSTEM32\cnydbvuw.dll
2007-10-22 15:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 13:31 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2007-10-22 13:06 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-22 13:06 <DIR> d-------- C:\WINDOWS\peernet
2007-10-19 15:29 <DIR> d-------- C:\Program Files\CCleaner
2007-10-19 15:05 <DIR> d-------- C:\Documents and Settings\worcparalegal\Application Data\Talkback
2007-10-19 15:05 <DIR> d-------- C:\DOCUME~1\WORCPA~1\APPLIC~1\Talkback
2007-10-17 09:13 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2007-10-17 09:13 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-10-15 10:22 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-10-12 11:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\que1
2007-10-12 11:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\kat1
2007-10-12 11:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\ipd2
2007-10-12 11:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\hap1
2007-10-12 11:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\comms2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-22 20:02 --------- d-----w C:\Program Files\Trend Micro
2007-10-19 20:49 --------- d-----w C:\Program Files\Google
2007-10-19 20:38 --------- d-----w C:\Program Files\AIM
2007-10-19 20:38 --------- d-----w C:\Documents and Settings\worcparalegal\Application Data\Aim
2007-10-19 20:38 --------- d-----w C:\DOCUME~1\WORCPA~1\APPLIC~1\Aim
2007-10-19 19:58 --------- d-----w C:\Program Files\Yahoo!
2007-10-02 15:19 --------- d-----w C:\Documents and Settings\worcparalegal\Application Data\AdobeUM
2007-10-02 15:19 --------- d-----w C:\DOCUME~1\WORCPA~1\APPLIC~1\AdobeUM
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 19:34 3,584,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-08-13 22:54 413,696 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
2007-08-13 22:54 413,696 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\vbscript.dll
2007-08-13 22:54 191,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
2007-08-13 22:54 156,160 ----a-w C:\WINDOWS\SYSTEM32\msls31.dll
2007-08-13 22:54 156,160 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msls31.dll
2007-08-13 22:45 78,336 ----a-w C:\WINDOWS\SYSTEM32\ieencode.dll
2007-08-13 22:45 78,336 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieencode.dll
2007-08-13 22:44 69,120 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-08-13 22:44 40,960 ----a-w C:\WINDOWS\SYSTEM32\licmgr10.dll
2007-08-13 22:44 40,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\licmgr10.dll
2007-08-13 22:42 17,408 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\corpol.dll
2007-08-13 22:39 92,672 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
2007-08-13 22:39 71,680 ----a-w C:\WINDOWS\SYSTEM32\admparse.dll
2007-08-13 22:39 71,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\admparse.dll
2007-08-13 22:39 55,296 ----a-w C:\WINDOWS\SYSTEM32\iesetup.dll
2007-08-13 22:39 55,296 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iesetup.dll
2007-08-13 22:38 491,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2007-08-13 22:36 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-08-13 22:36 36,352 ----a-w C:\WINDOWS\SYSTEM32\imgutil.dll
2007-08-13 22:36 36,352 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\imgutil.dll
2007-08-13 22:35 346,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-08-13 22:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\mshta.exe
2007-08-13 22:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshta.exe
2007-08-13 22:18 60,416 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\hmmapi.dll
2007-08-13 22:01 48,128 ----a-w C:\WINDOWS\SYSTEM32\mshtmler.dll
2007-08-13 22:01 48,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmler.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B324D0F-D31B-49BA-80B0-B5E534AB901D}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3AF8D4E3-73C8-4FC1-973C-3C0C1C730B84}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c8bc864-db40-466d-84df-20d57ce29900}]
C:\WINDOWS\System32\ufkqlos.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D1BE497-DE9E-4E98-9E85-D0A6097E98CF}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7217EBFB-1A21-4639-90E5-AE735E530472}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89910767-FD9B-47C1-8AB0-BA82ABF2D2C2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FB5B012-E8CB-46cd-B6D2-ED428FAE9043}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-24 13:29 340032 --a------ C:\WINDOWS\system32\mkmswkga.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6B28553-BA10-48E8-B3C9-615CD85D5111}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BAA7863C-158A-48EC-B42E-5DBA340DB774}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C46AC196-CB61-4880-AD09-3A5BF63E64A6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\mkmswkga.dll [2007-10-24 13:29 340032]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\mkmswkga.dll [2007-10-24 13:29 340032]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-16 01:22]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 03:56]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-03-29 08:10]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 19:28]
"c480d110"="C:\WINDOWS\system32\mtmnllox.dll" [2007-10-24 13:20]
"@"="" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"ISMPack6"="C:\Program Files\ISM2\ISMPack6.exe" []
"ISMPack7"="C:\Program Files\ISM2\ISMPack7.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA498"=command /c del "C:\WINDOWS\SYSTEM32\cwfpslzj.dllbox"
"SpybotDeletingA7995"=command /c del "C:\Documents and Settings\worcparalegal\Local Settings\Temp\cmdinst.exe"
"SpybotDeletingC2210"=cmd /c del "C:\Documents and Settings\worcparalegal\Local Settings\Temp\cmdinst.exe"
"AOLRebootNeeded"=regsvr32.exe /s
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mkmswkga]
mkmswkga.dll 2007-10-24 13:29 340032 C:\WINDOWS\SYSTEM32\mkmswkga.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomlihe]
qomlihe.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\awtsq.dll
"Notification Packages"= scecli scecli
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 14:12:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-24 14:25:25 - machine was rebooted
.
--- E O F ---
I will post the HiJackThis log next since it is too long. Thanks so much!
And here is the latest HijackThis log. The popups have increased a lot. Also, that program in my taskbar has put 2 icons on my desktop: one that says "Online Security Guide" and another that says "Live Safety Center". I haven't clicked on them, but just to let you know in case they mean something. Thanks, and please let me know what to do after this.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:37, on 2007-10-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\PS2BE4.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\Another Name.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B324D0F-D31B-49BA-80B0-B5E534AB901D} - (no file)
O2 - BHO: (no name) - {3AF8D4E3-73C8-4FC1-973C-3C0C1C730B84} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6c8bc864-db40-466d-84df-20d57ce29900} - C:\WINDOWS\System32\ufkqlos.dll (file missing)
O2 - BHO: (no name) - {6D1BE497-DE9E-4E98-9E85-D0A6097E98CF} - (no file)
O2 - BHO: (no name) - {7217EBFB-1A21-4639-90E5-AE735E530472} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\mkmswkga.dll
O2 - BHO: (no name) - {BAA7863C-158A-48EC-B42E-5DBA340DB774} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mkmswkga.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [c480d110] rundll32.exe "C:\WINDOWS\system32\mtmnllox.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA498] command /c del "C:\WINDOWS\SYSTEM32\cwfpslzj.dllbox"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7995] command /c del "C:\Documents and Settings\worcparalegal\Local Settings\Temp\cmdinst.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2210] cmd /c del "C:\Documents and Settings\worcparalegal\Local Settings\Temp\cmdinst.exe"
O4 - HKLM\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.stamps.com
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://amabileburkly01:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://amabileburkly01:4343/officescan/console/html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://amabileburkly01:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amabileburkly.local
O17 - HKLM\Software\..\Telephony: DomainName = amabileburkly.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amabileburkly.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = amabileburkly.local
O20 - Winlogon Notify: mkmswkga - C:\WINDOWS\SYSTEM32\mkmswkga.dll
O20 - Winlogon Notify: qomlihe - qomlihe.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.smilesbywire.com/SittingImages/P697/01/090/009/P69701090_009_104_042006.jpg
--
End of file - 8222 bytes
Hi
Yes, we aren't done yet.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\SYSTEM32\mkmswkga.dll
C:\WINDOWS\SYSTEM32\firramaf.dll
C:\WINDOWS\SYSTEM32\mtmnllox.dll
C:\WINDOWS\SYSTEM32\feylsjuc.dll
C:\WINDOWS\SYSTEM32\cnydbvuw.dll
Folder::
C:\WINDOWS\SYSTEM32\que1
C:\WINDOWS\SYSTEM32\kat1
C:\WINDOWS\SYSTEM32\ipd2
C:\WINDOWS\SYSTEM32\hap1
C:\WINDOWS\SYSTEM32\comms2
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B324D0F-D31B-49BA-80B0-B5E534AB901D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3AF8D4E3-73C8-4FC1-973C-3C0C1C730B84}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c8bc864-db40-466d-84df-20d57ce29900}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D1BE497-DE9E-4E98-9E85-D0A6097E98CF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7217EBFB-1A21-4639-90E5-AE735E530472}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89910767-FD9B-47C1-8AB0-BA82ABF2D2C2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FB5B012-E8CB-46cd-B6D2-ED428FAE9043}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6B28553-BA10-48E8-B3C9-615CD85D5111}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BAA7863C-158A-48EC-B42E-5DBA340DB774}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C46AC196-CB61-4880-AD09-3A5BF63E64A6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c480d110"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISMPack6"=-
"ISMPack7"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA498"=-
"SpybotDeletingA7995"=-
"SpybotDeletingC2210"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mkmswkga]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomlihe]
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Alright, did what you said. I think it might have worked this time. The system is moving much faster!
Here's the Combofix log:
ComboFix 07-10-23.1 - worcparalegal 2007-10-25 9:14:31.2 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\worcparalegal\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\worcparalegal\Desktop\CFScript.txt
FILE::
C:\WINDOWS\SYSTEM32\cnydbvuw.dll
C:\WINDOWS\SYSTEM32\feylsjuc.dll
C:\WINDOWS\SYSTEM32\firramaf.dll
C:\WINDOWS\SYSTEM32\mkmswkga.dll
C:\WINDOWS\SYSTEM32\mtmnllox.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\WORCPA~1\Desktop\Live Safety Center.lnk
C:\DOCUME~1\WORCPA~1\Desktop\Online Security Guide.lnk
C:\DOCUME~1\WORCPA~1\FAVORI~1\Online Security Guide.lnk
C:\Documents and Settings\worcparalegal\Desktop\Live Safety Center.lnk
C:\Documents and Settings\worcparalegal\Desktop\Online Security Guide.lnk
C:\Documents and Settings\worcparalegal\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\SYSTEM32\cnydbvuw.dll
C:\WINDOWS\SYSTEM32\comms2
C:\WINDOWS\SYSTEM32\feylsjuc.dll
C:\WINDOWS\SYSTEM32\firramaf.dll
C:\WINDOWS\SYSTEM32\hap1
C:\WINDOWS\SYSTEM32\ipd2
C:\WINDOWS\SYSTEM32\kat1
C:\WINDOWS\SYSTEM32\kat1\IKtzudll2.exe
C:\WINDOWS\SYSTEM32\mkmswkga.dll
C:\WINDOWS\system32\mkmswkga.dllbox
C:\WINDOWS\SYSTEM32\mtmnllox.dll
C:\WINDOWS\SYSTEM32\que1
C:\WINDOWS\SYSTEM32\que1\aded83122.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.
2007-10-24 13:26 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 13:03 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2007-10-24 12:54 <DIR> d-------- C:\VundoFix Backups
2007-10-23 17:33 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2007-10-23 17:33 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2007-10-23 17:33 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2007-10-23 17:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-23 15:06 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-10-23 15:06 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-10-23 15:06 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-10-23 15:06 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-10-23 15:06 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-10-23 15:06 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-10-23 15:05 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-10-23 15:05 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-10-23 15:03 33,792 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll
2007-10-23 14:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-10-23 13:29 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-10-23 09:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-22 15:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 13:31 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2007-10-22 13:06 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-22 13:06 <DIR> d-------- C:\WINDOWS\peernet
2007-10-19 15:29 <DIR> d-------- C:\Program Files\CCleaner
2007-10-19 15:05 <DIR> d-------- C:\Documents and Settings\worcparalegal\Application Data\Talkback
2007-10-19 15:05 <DIR> d-------- C:\DOCUME~1\WORCPA~1\APPLIC~1\Talkback
2007-10-17 09:13 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2007-10-17 09:13 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-10-15 10:22 10,752 --a------ C:\WINDOWS\DCEBoot.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-22 20:02 --------- d-----w C:\Program Files\Trend Micro
2007-10-19 20:49 --------- d-----w C:\Program Files\Google
2007-10-19 20:38 --------- d-----w C:\Program Files\AIM
2007-10-19 20:38 --------- d-----w C:\Documents and Settings\worcparalegal\Application Data\Aim
2007-10-19 20:38 --------- d-----w C:\DOCUME~1\WORCPA~1\APPLIC~1\Aim
2007-10-19 19:58 --------- d-----w C:\Program Files\Yahoo!
2007-10-02 15:19 --------- d-----w C:\Documents and Settings\worcparalegal\Application Data\AdobeUM
2007-10-02 15:19 --------- d-----w C:\DOCUME~1\WORCPA~1\APPLIC~1\AdobeUM
.
((((((((((((((((((((((((((((( snapshot@2007-10-24_14.21.27.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-25 13:25:13 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6d4.dat
+ 2007-03-29 12:10:02 214,712 ----a-w C:\WINDOWS\Temp\SB7F4A.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D1BE497-DE9E-4E98-9E85-D0A6097E98CF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-16 01:22]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 03:56]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-03-29 08:10]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 19:28]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 09:31:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-25 9:35:53 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-24 14:25
.
--- E O F ---
And here's the latest HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:40, on 2007-10-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\TEMP\SB7F4A.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\net.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Another Name.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D1BE497-DE9E-4E98-9E85-D0A6097E98CF} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.stamps.com
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://amabileburkly01:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://amabileburkly01:4343/officescan/console/html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://amabileburkly01:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amabileburkly.local
O17 - HKLM\Software\..\Telephony: DomainName = amabileburkly.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amabileburkly.local
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.smilesbywire.com/SittingImages/P697/01/090/009/P69701090_009_104_042006.jpg
--
End of file - 6778 bytes
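A small triage script for the exchange above, added here as an illustration; it is not something posted in the thread and not a tool shipped with HijackThis or ComboFix. It parses HijackThis entry lines, flags the patterns the helper acted on (unnamed BHOs, orphaned "(file missing)" and "(no file)" entries, Winlogon Notify hooks, autoruns that launch a DLL through rundll32, and DLLs under system32 with a 7- or 8-letter lowercase name, the last of which is a heuristic of my own rather than a HijackThis rule), reads the File:: and Registry:: sections of a CFScript, and then checks a later log for anything the script targeted that is still referenced. The sample strings are short excerpts of the logs and script posted above. The script also reports a "[key]" line that has no leading "-" and no value lines after it: every other key the CFScript removes is written "[-key]", and the {6D1BE497-...} BHO, written without the "-", is indeed still listed in the next HijackThis log.

```python
"""Triage helper for HijackThis logs and ComboFix CFScripts (added example, not a
tool from this thread, from HijackThis or from ComboFix)."""
import re
from typing import Dict, List, Set, Tuple

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")  # "O2 - BHO: ..."
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Heuristic of this example only: a DLL directly under system32 with a 7- or 8-letter
# lowercase name, the pattern of the Vundo components in this thread (mkmswkga.dll).
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{7,8}\.dll\b", re.IGNORECASE)

# Short excerpts of the HijackThis logs and the CFScript posted above.
BEFORE_LOG = r"""
O2 - BHO: (no name) - {6c8bc864-db40-466d-84df-20d57ce29900} - C:\WINDOWS\System32\ufkqlos.dll (file missing)
O2 - BHO: (no name) - {6D1BE497-DE9E-4E98-9E85-D0A6097E98CF} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\mkmswkga.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mkmswkga.dll
O4 - HKLM\..\Run: [c480d110] rundll32.exe "C:\WINDOWS\system32\mtmnllox.dll",b
O20 - Winlogon Notify: mkmswkga - C:\WINDOWS\SYSTEM32\mkmswkga.dll
"""
CFSCRIPT = r"""
File::
C:\WINDOWS\SYSTEM32\mkmswkga.dll
C:\WINDOWS\SYSTEM32\mtmnllox.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c8bc864-db40-466d-84df-20d57ce29900}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D1BE497-DE9E-4E98-9E85-D0A6097E98CF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c480d110"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mkmswkga]
"""
AFTER_LOG = r"""
O2 - BHO: (no name) - {6D1BE497-DE9E-4E98-9E85-D0A6097E98CF} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
"""

def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (section code, body) for every HijackThis entry line."""
    return [(m.group("code"), m.group("body"))
            for m in (ENTRY_RE.match(l.strip()) for l in text.splitlines()) if m]

def suspicious_reasons(code: str, body: str) -> List[str]:
    """Why a defender would look twice at one entry (empty list means nothing notable)."""
    why = []
    if "(file missing)" in body or "(no file)" in body:
        why.append("orphaned entry: the registry points at a file that is gone")
    if RANDOM_DLL_RE.search(body):
        why.append("randomly named DLL under system32")
    if code == "O2" and body.startswith("BHO: (no name)"):
        why.append("unnamed Browser Helper Object")
    if code == "O20":
        why.append("Winlogon Notify hook (DLL loaded into winlogon.exe)")
    if code == "O4" and "rundll32.exe" in body:
        why.append("autorun that launches a DLL through rundll32")
    return why

def triage(text: str) -> Dict[str, List[str]]:
    """Map each notable entry line to the reasons it was flagged."""
    found = ((f"{c} - {b}", suspicious_reasons(c, b)) for c, b in parse_log(text))
    return {line: why for line, why in found if why}

def key_marker(line: str) -> str:
    """Identify a registry key line by its GUID, or else by its last path component."""
    m = GUID_RE.search(line)
    return m.group(0) if m else line.rstrip("]").rsplit("\\", 1)[-1]

def parse_cfscript(text: str) -> Dict[str, Set[str]]:
    """What a CFScript targets. Registry lines follow .reg syntax: "[-key]" deletes a
    key and '"name"=-' deletes a value; a bare "[key]" with no value lines after it
    changes nothing, so such keys are collected separately as no_op_keys."""
    t: Dict[str, Set[str]] = {k: set() for k in ("paths", "delete_keys", "delete_values", "no_op_keys")}
    section, pending = None, None  # pending: a bare "[key]" waiting for value lines
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("::"):
            section = line[:-2].lower()
        elif section in ("file", "folder") and line:
            t["paths"].add(line.lower())
        elif section == "registry" and line.startswith("["):
            if pending is not None:
                t["no_op_keys"].add(pending)
            pending = None if line.startswith("[-") else key_marker(line)
            if line.startswith("[-"):
                t["delete_keys"].add(key_marker(line))
        elif section == "registry" and line.endswith("=-"):
            t["delete_values"].add(line.split("=", 1)[0].strip('"'))
            pending = None
    if pending is not None:
        t["no_op_keys"].add(pending)
    return t

def check_cfscript(cfscript: str, after_log: str) -> Dict[str, Set[str]]:
    """Compare a CFScript with a later HijackThis log: targets still referenced there,
    plus bare "[key]" lines (never marked for deletion) that are still present."""
    t = parse_cfscript(cfscript)
    log = after_log.lower()
    targets = t["paths"] | t["delete_keys"] | t["delete_values"]
    return {"still_present": {x for x in targets if x.lower() in log},
            "not_marked_for_deletion": {k for k in t["no_op_keys"] if k.lower() in log}}
```

Calling triage(BEFORE_LOG) flags all six excerpted entries, triage(AFTER_LOG) flags only the leftover {6D1BE497-...} BHO, and check_cfscript(CFSCRIPT, AFTER_LOG) reports nothing still present but lists that same GUID under not_marked_for_deletion, which is the check a helper would run before posting "looking much better".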
Hi
Looking much better :)
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
Post:
- a fresh HijackThis log
- kaspersky report
It looks like there are still some problems. Spybot said that among other advertising cookies I had, I still had the registry value of Virtumonde.generic. Here are the 2 logs:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:46 AM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\IM5A3A.EXE
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\Another Name.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D1BE497-DE9E-4E98-9E85-D0A6097E98CF} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1247831667-651766000-619646970-1047\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1247831667-651766000-619646970-1047\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1247831667-651766000-619646970-1047\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-1247831667-651766000-619646970-1070\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1247831667-651766000-619646970-2697\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'dorothy.desil')
O4 - HKUS\S-1-5-21-1247831667-651766000-619646970-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2350920385-1629795875-2991971496-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.stamps.com
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://amabileburkly01:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://amabileburkly01:4343/officescan/console/html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://amabileburkly01:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193334058855
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amabileburkly.local
O17 - HKLM\Software\..\Telephony: DomainName = amabileburkly.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amabileburkly.local
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.smilesbywire.com/SittingImages/P697/01/090/009/P69701090_009_104_042006.jpg
--
End of file - 8466 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
October 26, 2007 8:55:39 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/10/2007
Kaspersky Anti-Virus database records: 446338
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Q:\
Scan Statistics:
Total number of scanned objects: 65250
Number of viruses found: 43
Number of infected objects: 252
Number of suspicious objects: 2
Duration of the scan process: 01:49:11
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4d11d046ed97286fce8db15a038c1cdd_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.5/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\dorothy.desil\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\dorothy.desil\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\worcparalegal\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\worcparalegal\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\worcparalegal\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\worcparalegal\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\worcparalegal\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\worcparalegal\Local Settings\History\History.IE5\MSHist012007102520071026\index.dat Object is locked skipped
C:\Documents and Settings\worcparalegal\Local Settings\Temp\jar_cache14518.tmp Object is locked skipped
C:\Documents and Settings\worcparalegal\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\worcparalegal\ntuser.dat Object is locked skipped
C:\Documents and Settings\worcparalegal\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\1.dllb Infected: Trojan-Downloader.Win32.Tibs.gc skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\5.dllb Infected: Trojan-Downloader.Win32.Tibs.gc skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\8154ff2675af1b6e0677560871425153[1].zip/b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\8154ff2675af1b6e0677560871425153[1].zip ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\8154ff2675af1b6e0677560871425153[1].zip CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\8154ff2675af1b6e0677560871425153[1]_d4.VIR/b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\8154ff2675af1b6e0677560871425153[1]_d4.VIR ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\8154ff2675af1b6e0677560871425153[1]_d4.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\8154ff2675af1b6e0677560871425153[1]_dc.VIR/b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\8154ff2675af1b6e0677560871425153[1]_dc.VIR ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\8154ff2675af1b6e0677560871425153[1]_dc.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122.exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122.exe NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122.exe CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122[1].exe NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122[1].exe CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122[1]_104.VIR/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122[1]_104.VIR NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122[1]_104.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122[1]_118.VIR/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122[1]_118.VIR NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122[1]_118.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122_100.VIR/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122_100.VIR NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122_100.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122_134.VIR/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122_134.VIR NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\83122_134.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0035691.exe Infected: Trojan-Proxy.Win32.Delf.ca skipped
Rest of Kaspersky log will be posted next.
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0035692.exe Infected: Trojan-Downloader.Win32.Tiny.ew skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0035694.exe Infected: Trojan-Downloader.Win32.Small.eci skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0035699.exe Infected: Trojan-Downloader.Win32.Small.eci skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0035707.exe Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0035708.exe Infected: Email-Worm.Win32.Banwarum.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0035709.exe Infected: Packed.Win32.Tibs skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0035710.exe Infected: Trojan.Win32.Pakes skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0035711.exe Infected: Trojan-Downloader.Win32.Small.dht skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0035712.exe Infected: Packed.Win32.Tibs skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0035713.exe Infected: Trojan-Downloader.Win32.Tibs.jj skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0035714.exe Infected: Trojan-Downloader.Win32.Tibs.jj skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058779.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ace skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058793.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058811.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acx skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058823.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058824.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058843.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058872.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058984.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058985.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058987.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058988.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058989.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058990.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058991.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058992.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0058993.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0059268.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0059269.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0059898.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0059920.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0062930.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0062938.exe Infected: Trojan-Downloader.Win32.Small.fxy skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[1].zip/b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[1].zip ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[1].zip CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[1]_d4.VIR/b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[1]_d4.VIR ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[1]_d4.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[1]_f0.VIR/b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[1]_f0.VIR ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[1]_f0.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[2].zip/b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[2].zip ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[2].zip CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[2]_e8.VIR/b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[2]_e8.VIR ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[2]_e8.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[2]_f8.VIR/b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[2]_f8.VIR ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\a8f5a020e4b833865a1034489887c8b9[2]_f8.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\adir_6a4.VIR Infected: Email-Worm.Win32.Banwarum.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\adir_cc.VIR Infected: Email-Worm.Win32.Banwarum.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\aifzhkzo.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\aywhogoc.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b103.exe.bin/b103.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b103.exe.bin ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b103.exe.bin CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b103.exe_cc.VIR/b103.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b103.exe_cc.VIR ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b103.exe_cc.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b103.exe_e0.VIR/b103.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b103.exe_e0.VIR ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b103.exe_e0.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b122.exe.bin/b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b122.exe.bin ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b122.exe.bin CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b122.exe_ec.VI0/b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b122.exe_ec.VI0 ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b122.exe_ec.VI0 CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b122.exe_ec.VI1/b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b122.exe_ec.VI1 ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b122.exe_ec.VI1 CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b122.exe_ec.VIR/b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b122.exe_ec.VIR ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b122.exe_ec.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b122.exe_f8.VIR/b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b122.exe_f8.VIR ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b122.exe_f8.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b138.exe.bin/b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b138.exe.bin ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b138.exe.bin CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b138.exe_e4.VIR/b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b138.exe_e4.VIR ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b138.exe_e4.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b138.exe_ec.VIR/b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b138.exe_ec.VIR ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b138.exe_ec.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\b147.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\bdlkuesu.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\behcryps.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ady skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\c1f5cc94a30f082054f3a00e6655462d[1].zip/b103.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\c1f5cc94a30f082054f3a00e6655462d[1].zip ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\c1f5cc94a30f082054f3a00e6655462d[1].zip CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\c1f5cc94a30f082054f3a00e6655462d[1]_a0.VIR/b103.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\c1f5cc94a30f082054f3a00e6655462d[1]_a0.VIR ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\c1f5cc94a30f082054f3a00e6655462d[1]_a0.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\c1f5cc94a30f082054f3a00e6655462d[1]_ec.VIR/b103.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\c1f5cc94a30f082054f3a00e6655462d[1]_ec.VIR ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\c1f5cc94a30f082054f3a00e6655462d[1]_ec.VIR CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\cwfpslzj.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\cwfpslzj_1d0.VIR Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\cwfpslzj_698.VIR Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\cwfpslzj_990.VIR Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\cwfpslzj_d8.VIR Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\denhdafm.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\desktop.html Infected: not-virus:Hoax.Win32.Renos.cy skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\dnwldr132.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\fcxsxlck.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acx skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\fusbfvhc.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\gepj[1]_138.VIR Infected: not-a-virus:AdWare.Win32.Virtumonde.ady skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\Hammer.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\iroxevch.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\javainstaller.jar-4514e5ea-5f3865e9.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\javainstaller.jar-4514e5ea-5f3865e9.zip ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\javainstaller.jar-4514e5ea-5f3865e9.zip CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\lkjh[1] Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\lkjh[1]_c24.VIR Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\lkjh[1]_d74.VI0 Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\lkjh[1]_d74.VIR Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\mnbkuwuy.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\mudvnlec.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\ndsqusdx.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\phiyagmi.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\pmbtinvv.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\qvxt34.game Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\rdtjhsci.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\sacginns.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\search[1].jpg Infected: Trojan-Downloader.Win32.Tibs.gc skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\tesvjgtn.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\tibs[1].jpg Infected: Trojan-Downloader.Win32.Tibs.gc skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\tsitra1000106.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\tsitra572.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\tsitra[1].exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\tsitra[1].zip/tsitra.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\tsitra[1].zip ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\tsitra[1].zip CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\tsitra[1]_ec.VIR Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\tsitra[1]_fc.VIR Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\ugcw.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\UnInstall.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\v3x1_3f8.VIR Infected: Trojan.Win32.Agent.oh skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\v4x3.ga2me Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\v5x2.g3ame Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\v5x4.ga2me Infected: Trojan-Downloader.Win32.Small.dzd skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\v5x4_378.VIR Infected: Trojan-Downloader.Win32.Small.dzd skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\v6xt4.game Infected: Trojan-Proxy.Win32.Agent.ji skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\valera[1] Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\valera[1]_114.VIR Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\vasya[1] Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\vasya[1]_134.VI0 Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\vasya[1]_134.VIR Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\vasya[1]_188.VIR Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\vasya[1]_1e8.VIR Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\VSS55EIF.03K Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\VSS56SQ7.001 Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\VSS57T07.03N Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\vx1t3.game Infected: Trojan-Downloader.Win32.Small.cpt skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\wr12drver.exe Infected: Trojan-Downloader.Win32.Small.fxy skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\wxdswoci.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\xpre.exe Infected: Trojan-Downloader.Win32.VB.axa skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\xrun.exe Infected: Trojan-Downloader.Win32.Agent.brq skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\zgame4[1]_220.VIR Infected: Trojan-Downloader.Win32.Small.dzd skipped
C:\qoobox\Quarantine\C\Program Files\ISM2\cringupd.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\qoobox\Quarantine\C\Program Files\ISM2\cringupd.exe.vir NSIS: infected - 1 skipped
C:\qoobox\Quarantine\C\Program Files\ISM2\ISMPack7.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\qoobox\Quarantine\C\Program Files\Online Services\hotehyso4444.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\Program Files\Online Services\hotehyso83122.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\Program Files\TTC.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\firramaf.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\mkmswkga.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\que1\aded83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\que1\aded83122.exe.vir NSIS: infected - 1 skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\vMW02a\vMW02a1065.exe.vir Infected: Trojan-Downloader.Win32.VB.bkw skipped
C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir NSIS: infected - 1 skipped
C:\qoobox\Quarantine\catchme2007-10-25_ 93020.79.zip/mkmswkga.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\qoobox\Quarantine\catchme2007-10-25_ 93020.79.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP935\A0058944.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP935\A0058944.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP935\A0059302.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP935\A0059303.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP935\A0059316.dll Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP936\A0059906.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP936\A0059906.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP968\A0064147.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP968\A0064147.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP969\A0064157.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP969\A0064157.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP969\A0064475.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP969\A0064528.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP969\A0064528.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064598.dll Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064599.exe Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064668.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064668.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064727.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064727.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064730.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064730.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064830.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064831.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064832.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064837.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064837.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064839.exe Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064840.exe Infected: Trojan-Downloader.Win32.VB.bkw skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064843.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064843.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP972\A0064975.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP972\A0064975.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP972\A0064978.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP972\A0064983.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP972\A0064986.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP976\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\CSC\00000002 Object is locked skipped
C:\WINDOWS\CSC\00000003 Object is locked skipped
C:\WINDOWS\CSC\d1\00000190 Object is locked skipped
C:\WINDOWS\CSC\d1\00002458 Object is locked skipped
C:\WINDOWS\CSC\d2\00000101 Object is locked skipped
C:\WINDOWS\CSC\d5\000001CC Object is locked skipped
C:\WINDOWS\CSC\d6\00002485 Object is locked skipped
C:\WINDOWS\CSC\d7\0000017E Object is locked skipped
C:\WINDOWS\CSC\d8\00002457 Object is locked skipped
C:\WINDOWS\CSC\d8\0000247F Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{929DF61B-4505-447C-84E7-0685FD27B24A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\TmEncryptTemp.000 Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\SYSTEM32\TmEncryptTemp.001 Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\WINDOWS\SYSTEM32\TmEncryptTemp.002 Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\WINDOWS\SYSTEM32\TmEncryptTemp.003 Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\WINDOWS\SYSTEM32\TmEncryptTemp.004 Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\WINDOWS\SYSTEM32\TmEncryptTemp.005 Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_678.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hi
Tracking cookies are not dangerous, but those registry keys need to go; that's why you should post the Spybot report, please.
Empty these folders:
C:\Program Files\Trend Micro\OfficeScan Client\Suspect
C:\qoobox\Quarantine\
Delete these:
C:\WINDOWS\SYSTEM32\TmEncryptTemp.000
C:\WINDOWS\SYSTEM32\TmEncryptTemp.001
C:\WINDOWS\SYSTEM32\TmEncryptTemp.002
C:\WINDOWS\SYSTEM32\TmEncryptTemp.003
C:\WINDOWS\SYSTEM32\TmEncryptTemp.004
C:\WINDOWS\SYSTEM32\TmEncryptTemp.005
Empty Recycle Bin
Re-scan with Kaspersky
Post:
- a fresh HijackThis log
- Kaspersky report
- Spybot report
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
October 30, 2007 8:31:41 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/10/2007
Kaspersky Anti-Virus database records: 448425
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Q:\
Scan Statistics:
Total number of scanned objects: 66273
Number of viruses found: 32
Number of infected objects: 108
Number of suspicious objects: 2
Duration of the scan process: 01:40:04
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4d11d046ed97286fce8db15a038c1cdd_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.5/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\worcparalegal\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\worcparalegal\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\worcparalegal\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\worcparalegal\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\worcparalegal\Local Settings\Temp\jar_cache1523.tmp Object is locked skipped
C:\Documents and Settings\worcparalegal\Local Settings\Temp\~DF84FC.tmp Object is locked skipped
C:\Documents and Settings\worcparalegal\Local Settings\Temp\~DF951A.tmp Object is locked skipped
C:\Documents and Settings\worcparalegal\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\worcparalegal\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\worcparalegal\ntuser.dat Object is locked skipped
C:\Documents and Settings\worcparalegal\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\A0035692.exe Infected: Trojan-Downloader.Win32.Tiny.ew skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP935\A0058944.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP935\A0058944.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP935\A0059302.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP935\A0059303.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP935\A0059316.dll Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP936\A0059906.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP936\A0059906.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP968\A0064147.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP968\A0064147.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP969\A0064157.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP969\A0064157.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP969\A0064475.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP969\A0064528.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP969\A0064528.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064598.dll Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064599.exe Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064668.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064668.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064727.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064727.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064730.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP970\A0064730.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064828.exe Infected: Trojan-Downloader.Win32.Agent.epl skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064830.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064831.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064832.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064837.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064837.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064839.exe Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064840.exe Infected: Trojan-Downloader.Win32.VB.bkw skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064843.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\A0064843.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP971\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP972\A0064975.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP972\A0064975.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP972\A0064978.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP972\A0064983.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP972\A0064986.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065635.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065636.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065638.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065639.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065640.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065641.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065642.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065643.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065644.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065646.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065647.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065648.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065649.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065651.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065652.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065654.exe Infected: Trojan-Proxy.Win32.Delf.ca skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065655.exe Infected: Trojan-Downloader.Win32.Small.fxy skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065656.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065657.exe Infected: Trojan-Downloader.Win32.VB.axa skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065658.exe Infected: Trojan-Downloader.Win32.Agent.brq skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065660.exe Infected: Trojan-Downloader.Win32.Small.eci skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065661.exe Infected: Trojan-Downloader.Win32.Small.eci skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065662.exe Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065663.exe Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065664.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065665.exe Infected: Trojan.Win32.Pakes skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065666.exe Infected: Trojan-Downloader.Win32.Small.dht skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065667.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065668.exe Infected: Trojan-Downloader.Win32.Tibs.jj skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065669.exe Infected: Trojan-Downloader.Win32.Tibs.jj skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065670.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ace skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065671.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065674.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acx skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065675.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065676.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065679.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065680.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065683.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065684.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065686.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065687.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065688.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065689.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065690.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065691.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065692.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065695.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065696.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065697.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065698.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065699.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065700.exe Infected: Trojan-Downloader.Win32.Small.fxy skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065701.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065702.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065703.exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065703.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065703.exe CryptFF.b: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065704.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065705.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065706.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ady skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065707.exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065707.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065707.exe CryptFF.b: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065708.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065710.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065711.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065713.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acx skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\A0065714.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP979\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\CSC\00000002 Object is locked skipped
C:\WINDOWS\CSC\00000003 Object is locked skipped
C:\WINDOWS\CSC\d1\000001B0 Object is locked skipped
C:\WINDOWS\CSC\d1\00002458 Object is locked skipped
C:\WINDOWS\CSC\d4\0000018B Object is locked skipped
C:\WINDOWS\CSC\d4\000001AB Object is locked skipped
C:\WINDOWS\CSC\d5\000001DC Object is locked skipped
C:\WINDOWS\CSC\d6\00002485 Object is locked skipped
C:\WINDOWS\CSC\d7\0000017E Object is locked skipped
C:\WINDOWS\CSC\d8\00002457 Object is locked skipped
C:\WINDOWS\CSC\d8\0000247F Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{5A091F55-C591-4BB8-A5BF-3546F168053B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6b0.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Sorry for not responding sooner, but I was away from the computer all weekend and had to run the Kaspersky scan overnight so I could do work. Here's the HijackThis log, and I will try to post the Spybot log within the next hour or two. FYI: I did install Comodo Firewall a few days ago, but have been allowing things in the meantime so that it will not interfere with results! Thanks!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:10 AM, on 10/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\TEMP\MZ9317.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Another Name.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D1BE497-DE9E-4E98-9E85-D0A6097E98CF} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1247831667-651766000-619646970-1047\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1247831667-651766000-619646970-1047\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1247831667-651766000-619646970-1047\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.stamps.com
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://amabileburkly01:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://amabileburkly01:4343/officescan/console/html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://amabileburkly01:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193334058855
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amabileburkly.local
O17 - HKLM\Software\..\Telephony: DomainName = amabileburkly.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amabileburkly.local
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.smilesbywire.com/SittingImages/P697/01/090/009/P69701090_009_104_042006.jpg
--
End of file - 8126 bytes
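The posted log is read by eye in this thread; the same first-pass triage can be written down as simple rules over the HijackThis line types. The script below is an added example (not part of the thread, and not how HijackThis or the helper reached their verdicts): SAMPLE_LOG is a constructed subset modelled on the log above, plus one constructed O4 line, and the flagging rules are this example's own heuristics (a binary running or autostarting from a temp directory, orphaned "(no file)" hooks, Trusted-zone sites, ActiveX fetched over plain HTTP, services with an unknown owner or missing binary, Active Desktop content pulled from the web). A flag is a reason to look closer, not proof of infection; the Kaspersky O16 entry, for instance, is the online scanner the thread itself used.

```python
"""Triage heuristics for a HijackThis v2 log (added example, not from the thread)."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the posted log. The "[Updater]" O4 line is
# constructed and does not appear in the real log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\TEMP\MZ9317.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {6D1BE497-DE9E-4E98-9E85-D0A6097E98CF} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\svc.exe
O15 - Trusted Zone: http://*.stamps.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O24 - Desktop Component 0: (no name) - http://www.smilesbywire.com/SittingImages/P697/01/090/009/P69701090_009_104_042006.jpg
"""

# Reasons are module constants so callers can key on them without retyping text.
REASON_TEMP_PROC = "process running from a temp directory"
REASON_ORPHAN = "orphaned hook (DLL missing) - dead entry, safe to remove"
REASON_TEMP_AUTORUN = "autorun entry pointing into a temp directory"
REASON_TRUSTED_ZONE = "site in the IE Trusted zone (weaker ActiveX policy applies)"
REASON_HTTP_ACTIVEX = "ActiveX control downloaded over plain HTTP"
REASON_SERVICE = "service with unknown owner or missing binary"
REASON_DESKTOP_WEB = "Active Desktop component loaded from the web"

# A path segment named temp/tmp; persistent software rarely lives there.
_TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
_ENTRY = re.compile(r"^([RO]\d+) - ")


def parse_lines(log: str) -> List[Tuple[str, str]]:
    """Return (kind, line) pairs: 'PROC' for running-process paths, else the R/O code."""
    entries: List[Tuple[str, str]] = []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = _ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), line))
        elif in_procs:
            entries.append(("PROC", line))
    return entries


def triage(log: str) -> Dict[str, List[str]]:
    """Map each reason to the log lines that triggered it."""
    findings: Dict[str, List[str]] = {}

    def flag(reason: str, line: str) -> None:
        findings.setdefault(reason, []).append(line)

    for kind, line in parse_lines(log):
        if kind == "PROC" and _TEMP_DIR.search(line):
            flag(REASON_TEMP_PROC, line)
        elif kind in ("R3", "O2", "O3") and line.endswith("(no file)"):
            flag(REASON_ORPHAN, line)
        elif kind == "O4" and _TEMP_DIR.search(line):
            flag(REASON_TEMP_AUTORUN, line)
        elif kind == "O15":
            flag(REASON_TRUSTED_ZONE, line)
        elif kind == "O16" and " - http://" in line:
            flag(REASON_HTTP_ACTIVEX, line)
        elif kind == "O23" and ("Unknown owner" in line or "(file missing)" in line):
            flag(REASON_SERVICE, line)
        elif kind == "O24" and "http://" in line:
            flag(REASON_DESKTOP_WEB, line)
    return findings


def flagged_count(log: str) -> int:
    """Total number of flagged lines, for a quick 'how much to review' number."""
    return sum(len(v) for v in triage(log).values())


if __name__ == "__main__":
    for reason, lines in triage(SAMPLE_LOG).items():
        print(f"== {reason}")
        for entry in lines:
            print("   ", entry)
```

Run it against a full saved log by replacing SAMPLE_LOG with the file contents; the "(no file)" and "(file missing)" hits are cleanup, while the temp-directory process and autorun hits are the ones to submit to a scanner before deleting anything.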
Hi
OK, I'll be waiting for that Spybot report :)
This is interesting, Spybot said, "Congratulation! No immediate threats were found." I think this is because when I restarted my computer, I got this popup from the firewall saying that this program javaw.exe was trying to run. This would happen all the time with my Windows firewall too. I decided to stop it from running because it appeared to be making my computer very slow.
The last time I ran Spybot, I asked it to remove Virtumonde, but was unsure if it did it. Maybe it did, because I don't see it.
Well, let me know if everything is gone now, because it seems to be, but Kaspersky said I still have viruses. I did what you told me regarding deleting all those items. Thanks.
Hi
Logs look good.
All viruses are in system restore and inactive.
I'll give you instructions on how to empty it later.
Other than that, any problems left?
It looks like everything is clean and speedy. Thanks for all your help! I really appreciate it.
Hi
Then you're clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
You can remove all tools we used.
Remove MS Java and install Sun Java, see (http://www.helpwithwindows.com/WindowsXP/howto-21.html)
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online and stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)
Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)
Happy surfing and stay clean!
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.
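The Internet-zone hardening steps in the helper's list above are given as clicks through the IE Security tab. Those six settings live as DWORD values under the Internet zone's registry key, so the same change can be checked and reproduced from a registry export. The script below is an added example, not code from the thread or from any of the tools it mentions: it parses a `.reg` export of the zone key (SAMPLE_EXPORT is constructed), reports which of the six settings differ from the values the helper recommends, and emits a corrective `.reg` file. The key path and the value meanings (0 = Enable, 1 = Prompt, 3 = Disable) and the numeric action IDs are IE's documented URL-action values from my own knowledge; the thread itself only names the settings. One caveat a practitioner should know: if `Security_HKLM_only` is set under `Internet Settings`, IE reads the zone settings from HKLM instead, and the per-user key written here has no effect.

```python
"""Audit and fix Internet-zone ActiveX settings from a .reg export (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Internet zone is zone 3. Assumed path from IE's documented layout, not from the thread.
ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")
ENABLE, PROMPT, DISABLE = 0, 1, 3

# Action ID -> (setting name as shown in the Custom Level dialog, recommended value).
# IDs are IE URL-action values from my own knowledge; the recommendations are the helper's.
TARGETS: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed export: two settings already correct, three too permissive, one absent.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000000
"1607"=dword:00000000
"1800"=dword:00000000
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zone_export(text: str, key: str = ZONE3_KEY) -> Dict[str, int]:
    """Collect the DWORD values under `key` from a regedit export."""
    values: Dict[str, int] = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            in_key = m.group(1).lower() == key.lower()
            continue
        m = _DWORD.match(line)
        if in_key and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit(current: Dict[str, int]) -> List[Tuple[str, str, Optional[int], int]]:
    """Return (id, name, current_or_None, target) for every setting not at its target.

    A missing value is reported too: 'not set' means IE falls back to the zone
    template default, which is not necessarily the hardened value.
    """
    deviations = []
    for action_id, (name, target) in TARGETS.items():
        have = current.get(action_id)
        if have != target:
            deviations.append((action_id, name, have, target))
    return deviations


def to_reg(deviations: List[Tuple[str, str, Optional[int], int]]) -> str:
    """Render a .reg file that sets only the deviating values."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for action_id, name, _have, target in deviations:
        lines.append(f"; {name}")
        lines.append(f'"{action_id}"=dword:{target:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    current = parse_zone_export(SAMPLE_EXPORT)
    for action_id, name, have, target in audit(current):
        print(f"{action_id} {name}: have {have!r}, want {target}")
    print(to_reg(audit(current)))
```

On the real machine, export the zone key with `regedit` (or `reg export`) to a file, feed its contents to `parse_zone_export`, and import the `.reg` text that `to_reg` produces; then reopen the Custom Level dialog to confirm IE shows the expected values.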